From eae24ca7a855d294d23d48298f924c1fe9fe2baa Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Mar 2026 01:13:52 +0000 Subject: [PATCH 01/12] Initial plan From e304842b57c8b8d703de5f69ca9abb49990f7235 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Mar 2026 02:07:51 +0000 Subject: [PATCH 02/12] feat: portable GH_AW_HOME for self-hosted runner support Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/constants/constants.go | 7 +++++-- pkg/workflow/prompt_constants.go | 2 +- pkg/workflow/setup_action_paths.go | 21 ++++++++++++++++++++- pkg/workflow/step_order_validation.go | 2 +- 4 files changed, 27 insertions(+), 5 deletions(-) diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go index 00fb81f4018..e0199031a70 100644 --- a/pkg/constants/constants.go +++ b/pkg/constants/constants.go @@ -435,9 +435,12 @@ const DefaultAlpineImage = "alpine:latest" // This image is built during workflow execution and includes the gh-aw binary and dependencies const DevModeGhAwImage = "localhost/gh-aw:dev" +// GhAwHomeDefault is the default value for GH_AW_HOME when the env var is not set +const GhAwHomeDefault = "/opt/gh-aw" + // DefaultGhAwMount is the mount path for the gh-aw directory in containerized MCP servers -// The gh-aw binary and supporting files are mounted read-only from /opt/gh-aw -const DefaultGhAwMount = "/opt/gh-aw:/opt/gh-aw:ro" +// Uses shell expansion so docker gets the resolved path at runtime +const DefaultGhAwMount = "\\${GH_AW_HOME:-/opt/gh-aw}:\\${GH_AW_HOME:-/opt/gh-aw}:ro" // DefaultGhBinaryMount is the mount path for the gh CLI binary in containerized MCP servers // The gh CLI is required for agentic-workflows MCP server to run gh commands diff --git a/pkg/workflow/prompt_constants.go b/pkg/workflow/prompt_constants.go index 2f9d9c39be4..90cde28df3d 100644 
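Review bot: `DefaultGhAwMount` repeats the literal `/opt/gh-aw` twice even though this hunk adds `GhAwHomeDefault` directly above it, so the two can drift; build it from the constant, e.g. `const DefaultGhAwMount = "\\${GH_AW_HOME:-" + GhAwHomeDefault + "}:\\${GH_AW_HOME:-" + GhAwHomeDefault + "}:ro"`. The mount source now comes from the environment at runtime, so a GH_AW_HOME value containing `:` or whitespace would change how the `src:dst:ro` spec is parsed. Whatever exports the variable should check that it is an absolute path without `:` or spaces; presumably that is setup.sh, which is not visible in this hunk. The new comment should also say that the leading `\$` is an escape the emitting context is expected to strip, and name that context.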
--- a/pkg/workflow/prompt_constants.go +++ b/pkg/workflow/prompt_constants.go @@ -4,7 +4,7 @@ import _ "embed" // Prompt file paths at runtime (copied by setup action to /opt/gh-aw/prompts) const ( - promptsDir = "/opt/gh-aw/prompts" + promptsDir = GhAwHome + "/prompts" prContextPromptFile = "pr_context_prompt.md" tempFolderPromptFile = "temp_folder_prompt.md" playwrightPromptFile = "playwright_prompt.md" diff --git a/pkg/workflow/setup_action_paths.go b/pkg/workflow/setup_action_paths.go index 16736ac89da..6c4e1e32ca1 100644 --- a/pkg/workflow/setup_action_paths.go +++ b/pkg/workflow/setup_action_paths.go @@ -1,5 +1,24 @@ package workflow +import "fmt" + +// GhAwHome is the shell expression for GH_AW_HOME. +// Use this in bash `run:` contexts where shell variable expansion occurs. +// The job-level env sets GH_AW_HOME to /opt/gh-aw by default. +const GhAwHome = "${GH_AW_HOME}" + +// GhAwHomeJS is the JavaScript expression for GH_AW_HOME. +// Use this inside require() or other JS expressions in github-script steps. +// The job-level env sets GH_AW_HOME to /opt/gh-aw by default. +const GhAwHomeJS = "process.env.GH_AW_HOME" + // SetupActionDestination is the path where the setup action copies script files // on the agent runner (e.g. /opt/gh-aw/actions). -const SetupActionDestination = "/opt/gh-aw/actions" +// This is a shell expression expanded at runtime. +const SetupActionDestination = GhAwHome + "/actions" + +// JsRequireGhAw generates a JavaScript require() argument expression for a file +// under GH_AW_HOME. The relativePath should be like "actions/foo.cjs". +func JsRequireGhAw(relativePath string) string { + return fmt.Sprintf("%s + '/%s'", GhAwHomeJS, relativePath) +} diff --git a/pkg/workflow/step_order_validation.go b/pkg/workflow/step_order_validation.go index 2a7fd1f94cb..e390d775f8c 100644 --- a/pkg/workflow/step_order_validation.go +++ b/pkg/workflow/step_order_validation.go 
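Review bot: The comment above the const block still says the prompts are copied to `/opt/gh-aw/prompts`, but `promptsDir` is now the unexpanded shell expression `${GH_AW_HOME}/prompts`. Proposed comment: `// Prompt file paths at runtime (copied by the setup action to ${GH_AW_HOME}/prompts; a shell expression, meaningful only where a shell expands it)`. Any Go code outside this hunk that treats `promptsDir` as a real filesystem path would now operate on the literal string, so its callers are worth checking.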
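Review bot: `GhAwHome` expands to `${GH_AW_HOME}` with no fallback, while `DefaultGhAwMount` in constants.go uses `${GH_AW_HOME:-/opt/gh-aw}`. In any step where the variable is unset, `GhAwHome + "/actions"` resolves to `/actions`, so either use the same fallback here or state in the comment that the job-level env is mandatory. The ace-editor.lock.yml diff in this series uses the expression unquoted in `run:` lines (`bash ${GH_AW_HOME}/actions/...`), where a self-hosted path containing spaces would be word-split. It also appears in a `with: destination:` input, where no shell expands it and the action appears to receive the literal string. `JsRequireGhAw` places `relativePath` inside single quotes without escaping, so its doc comment should say the argument must be a trusted compile-time constant containing no `'` or `\`, or the function should reject such input.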
@@ -180,7 +180,7 @@ func (t *StepOrderTracker) findUnscannablePaths(artifactUploads []StepRecord) [] func isPathScannedBySecretRedaction(path string) bool { // Paths must be under /tmp/gh-aw/ or /opt/gh-aw/ to be scanned // Accept both literal paths and environment variable references - if !strings.HasPrefix(path, "/tmp/gh-aw/") && !strings.HasPrefix(path, "/opt/gh-aw/") { + if !strings.HasPrefix(path, "/tmp/gh-aw/") && !strings.HasPrefix(path, "/opt/gh-aw/") && !strings.HasPrefix(path, "${GH_AW_HOME") { // Check if it's an environment variable that might resolve to /tmp/gh-aw/ or /opt/gh-aw/ // For now, we'll allow ${{ env.* }} patterns through as we can't resolve them at compile time // Assume environment variables that might contain /tmp/gh-aw or /opt/gh-aw paths are safe From d3ad8f245866ad365b6342f6b3913fc62a696e19 Mon Sep 17 00:00:00 2001 
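Review bot: The added `strings.HasPrefix(path, "${GH_AW_HOME")` has no closing brace or trailing slash, so it also treats references such as `${GH_AW_HOME_X}/...` as scanned; tighten it to the exact form the compiler emits, e.g. `strings.HasPrefix(path, "${GH_AW_HOME}/")`. The check is only truthful if the secret-redaction step scans the resolved GH_AW_HOME rather than the fixed `/tmp/gh-aw` and `/opt/gh-aw` trees. That script is not visible here, so confirm it; otherwise artifacts uploaded from a relocated home would pass validation without being redacted. The two comment lines above the condition still list only `/tmp/gh-aw/` and `/opt/gh-aw/` and should mention the new prefix. The function body continues beyond the hunk.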
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Mar 2026 03:12:47 +0000 Subject: [PATCH 03/12] feat: replace hardcoded /opt/gh-aw/ paths with GH_AW_HOME env var for portability - Add GhAwHome, GhAwHomeJS, JsRequireGhAw() helpers to setup_action_paths.go - Add GhAwHomeDefault constant and update DefaultGhAwMount in constants.go - Add GH_AW_HOME to job-level env in all compiled jobs (always defaults to /opt/gh-aw) - Move GH_AW_SAFE_OUTPUTS/CONFIG/TOOLS_PATH from job env to $GITHUB_ENV step - Replace all hardcoded /opt/gh-aw/ paths with GhAwHome/${GH_AW_HOME} in Go source - Replace all JS require('/opt/gh-aw/...') with require(process.env.GH_AW_HOME + '...') - Update setup.sh to derive GH_AW_HOME from destination and export to $GITHUB_ENV - Update sh/*.sh scripts to use ${GH_AW_HOME:-/opt/gh-aw} fallback syntax - Remove destination: input from setup action invocations - Update compiler_safe_outputs_job.go step count for setup step without destination - Update all test assertions to use new path expressions - Update wasm golden test fixtures - Recompile all 166 workflow lock files Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/ace-editor.lock.yml | 89 ++++---- .../agent-performance-analyzer.lock.yml | 159 +++++++------ .../workflows/agent-persona-explorer.lock.yml | 156 +++++++------ .github/workflows/agentics-maintenance.yml | 44 ++-- .github/workflows/ai-moderator.lock.yml | 159 +++++++------ .github/workflows/archie.lock.yml | 151 ++++++------ .github/workflows/artifacts-summary.lock.yml | 131 ++++++----- .github/workflows/audit-workflows.lock.yml | 164 ++++++------- .github/workflows/auto-triage-issues.lock.yml | 145 ++++++------ .github/workflows/blog-auditor.lock.yml | 131 ++++++----- .github/workflows/bot-detection.lock.yml | 125 +++++----- .github/workflows/brave.lock.yml | 151 ++++++------ .../breaking-change-checker.lock.yml | 145 ++++++------ 
.github/workflows/changeset.lock.yml | 145 ++++++------ .../workflows/chroma-issue-indexer.lock.yml | 77 ++++--- .github/workflows/ci-coach.lock.yml | 144 ++++++------ .github/workflows/ci-doctor.lock.yml | 150 ++++++------ .../claude-code-user-docs-review.lock.yml | 136 +++++------ .../cli-consistency-checker.lock.yml | 131 ++++++----- .../workflows/cli-version-checker.lock.yml | 136 +++++------ .github/workflows/cloclo.lock.yml | 174 +++++++------- .../workflows/code-scanning-fixer.lock.yml | 166 +++++++------- .github/workflows/code-simplifier.lock.yml | 149 ++++++------ .../codex-github-remote-mcp-test.lock.yml | 71 +++--- .../commit-changes-analyzer.lock.yml | 129 ++++++----- .../constraint-solving-potd.lock.yml | 136 +++++------ .github/workflows/contribution-check.lock.yml | 131 ++++++----- .../workflows/copilot-agent-analysis.lock.yml | 148 ++++++------ .../copilot-cli-deep-research.lock.yml | 143 ++++++------ .../copilot-pr-merged-report.lock.yml | 160 +++++++------ .../copilot-pr-nlp-analysis.lock.yml | 156 +++++++------ .../copilot-pr-prompt-analysis.lock.yml | 150 ++++++------ .../copilot-session-insights.lock.yml | 154 +++++++------ .github/workflows/craft.lock.yml | 153 +++++++------ .../daily-architecture-diagram.lock.yml | 144 ++++++------ .../daily-assign-issue-to-user.lock.yml | 131 ++++++----- .github/workflows/daily-choice-test.lock.yml | 137 +++++------ .../workflows/daily-cli-performance.lock.yml | 169 +++++++------- .../workflows/daily-cli-tools-tester.lock.yml | 143 ++++++------ .github/workflows/daily-code-metrics.lock.yml | 154 +++++++------ .../workflows/daily-compiler-quality.lock.yml | 138 +++++------ .../daily-copilot-token-report.lock.yml | 156 +++++++------ .github/workflows/daily-doc-healer.lock.yml | 146 ++++++------ .github/workflows/daily-doc-updater.lock.yml | 142 ++++++------ .github/workflows/daily-fact.lock.yml | 129 ++++++----- .github/workflows/daily-file-diet.lock.yml | 141 ++++++------ 
.../workflows/daily-firewall-report.lock.yml | 156 +++++++------ .../workflows/daily-issues-report.lock.yml | 146 ++++++------ .../daily-malicious-code-scan.lock.yml | 123 +++++----- .../daily-mcp-concurrency-analysis.lock.yml | 142 ++++++------ .../daily-multi-device-docs-tester.lock.yml | 137 +++++------ .github/workflows/daily-news.lock.yml | 156 +++++++------ .../daily-observability-report.lock.yml | 145 ++++++------ .../daily-performance-summary.lock.yml | 176 +++++++------- .github/workflows/daily-regulatory.lock.yml | 163 ++++++------- .../daily-rendering-scripts-verifier.lock.yml | 162 ++++++------- .../workflows/daily-repo-chronicle.lock.yml | 144 ++++++------ .../daily-safe-output-optimizer.lock.yml | 156 +++++++------ .../daily-safe-outputs-conformance.lock.yml | 129 ++++++----- .../workflows/daily-secrets-analysis.lock.yml | 131 ++++++----- .../daily-security-red-team.lock.yml | 129 ++++++----- .github/workflows/daily-semgrep-scan.lock.yml | 133 ++++++----- .../daily-syntax-error-quality.lock.yml | 129 ++++++----- .../daily-team-evolution-insights.lock.yml | 129 ++++++----- .github/workflows/daily-team-status.lock.yml | 139 +++++------ .../daily-testify-uber-super-expert.lock.yml | 153 +++++++------ .../workflows/daily-workflow-updater.lock.yml | 137 +++++------ .github/workflows/dead-code-remover.lock.yml | 154 +++++++------ .github/workflows/deep-report.lock.yml | 164 ++++++------- .github/workflows/delight.lock.yml | 143 ++++++------ .github/workflows/dependabot-burner.lock.yml | 139 +++++------ .../workflows/dependabot-go-checker.lock.yml | 133 ++++++----- .github/workflows/dev-hawk.lock.yml | 147 ++++++------ .github/workflows/dev.lock.yml | 131 ++++++----- .../developer-docs-consolidator.lock.yml | 154 +++++++------ .github/workflows/dictation-prompt.lock.yml | 137 +++++------ .../workflows/discussion-task-miner.lock.yml | 141 ++++++------ .github/workflows/docs-noob-tester.lock.yml | 139 +++++------ .github/workflows/draft-pr-cleanup.lock.yml | 
131 ++++++----- .../duplicate-code-detector.lock.yml | 133 ++++++----- .../example-permissions-warning.lock.yml | 75 +++--- .../example-workflow-analyzer.lock.yml | 139 +++++------ .github/workflows/firewall-escape.lock.yml | 160 +++++++------ .github/workflows/firewall.lock.yml | 75 +++--- .../workflows/functional-pragmatist.lock.yml | 139 +++++------ .../github-mcp-structural-analysis.lock.yml | 142 ++++++------ .../github-mcp-tools-report.lock.yml | 142 ++++++------ .../github-remote-mcp-auth-test.lock.yml | 133 ++++++----- .../workflows/glossary-maintainer.lock.yml | 162 +++++++------ .github/workflows/go-fan.lock.yml | 136 +++++------ .github/workflows/go-logger.lock.yml | 168 +++++++------- .../workflows/go-pattern-detector.lock.yml | 129 ++++++----- .github/workflows/gpclean.lock.yml | 140 ++++++------ .github/workflows/grumpy-reviewer.lock.yml | 158 +++++++------ .github/workflows/hourly-ci-cleaner.lock.yml | 143 ++++++------ .../workflows/instructions-janitor.lock.yml | 142 ++++++------ .github/workflows/issue-arborist.lock.yml | 127 +++++----- .github/workflows/issue-monster.lock.yml | 149 ++++++------ .github/workflows/issue-triage-agent.lock.yml | 127 +++++----- .github/workflows/jsweep.lock.yml | 146 ++++++------ .../workflows/layout-spec-maintainer.lock.yml | 139 +++++------ .github/workflows/lockfile-stats.lock.yml | 136 +++++------ .github/workflows/mcp-inspector.lock.yml | 166 +++++++------- .github/workflows/mergefest.lock.yml | 155 +++++++------ .github/workflows/metrics-collector.lock.yml | 103 +++++---- .../workflows/notion-issue-summary.lock.yml | 133 ++++++----- .github/workflows/org-health-report.lock.yml | 144 ++++++------ .github/workflows/pdf-summary.lock.yml | 160 +++++++------ .github/workflows/plan.lock.yml | 151 ++++++------ .github/workflows/poem-bot.lock.yml | 178 ++++++++------- .github/workflows/portfolio-analyst.lock.yml | 156 +++++++------ .../workflows/pr-nitpick-reviewer.lock.yml | 160 +++++++------ 
.github/workflows/pr-triage-agent.lock.yml | 143 ++++++------ .../prompt-clustering-analysis.lock.yml | 146 ++++++------ .github/workflows/python-data-charts.lock.yml | 156 +++++++------ .github/workflows/q.lock.yml | 176 +++++++------- .github/workflows/refiner.lock.yml | 147 ++++++------ .github/workflows/release.lock.yml | 139 +++++------ .../workflows/repo-audit-analyzer.lock.yml | 138 +++++------ .github/workflows/repo-tree-map.lock.yml | 133 ++++++----- .../repository-quality-improver.lock.yml | 138 +++++------ .github/workflows/research.lock.yml | 133 ++++++----- .github/workflows/safe-output-health.lock.yml | 146 ++++++------ .../schema-consistency-checker.lock.yml | 136 +++++------ .github/workflows/scout.lock.yml | 154 +++++++------ ...ecurity-alert-burndown.campaign.g.lock.yml | 141 ++++++------ .../workflows/security-compliance.lock.yml | 149 ++++++------ .github/workflows/security-review.lock.yml | 170 +++++++------- .../semantic-function-refactor.lock.yml | 129 ++++++----- .github/workflows/sergo.lock.yml | 136 +++++------ .../workflows/slide-deck-maintainer.lock.yml | 158 +++++++------ .github/workflows/smoke-agent.lock.yml | 151 ++++++------ .github/workflows/smoke-claude.lock.yml | 214 ++++++++--------- .github/workflows/smoke-codex.lock.yml | 182 ++++++++------- .github/workflows/smoke-copilot-arm.lock.yml | 216 +++++++++--------- .github/workflows/smoke-copilot.lock.yml | 216 +++++++++--------- .../smoke-create-cross-repo-pr.lock.yml | 155 +++++++------ .github/workflows/smoke-gemini.lock.yml | 180 ++++++++------- .github/workflows/smoke-multi-pr.lock.yml | 161 ++++++------- .github/workflows/smoke-project.lock.yml | 161 ++++++------- .github/workflows/smoke-temporary-id.lock.yml | 155 +++++++------ .github/workflows/smoke-test-tools.lock.yml | 151 ++++++------ .../smoke-update-cross-repo-pr.lock.yml | 158 +++++++------ .../workflows/smoke-workflow-call.lock.yml | 139 +++++------ .../workflows/stale-repo-identifier.lock.yml | 144 ++++++------ 
.../workflows/static-analysis-report.lock.yml | 146 ++++++------ .../workflows/step-name-alignment.lock.yml | 136 +++++------ .github/workflows/sub-issue-closer.lock.yml | 133 ++++++----- .github/workflows/super-linter.lock.yml | 140 ++++++------ .../workflows/technical-doc-writer.lock.yml | 168 +++++++------- .github/workflows/terminal-stylist.lock.yml | 133 ++++++----- .../test-create-pr-error-handling.lock.yml | 142 ++++++------ .github/workflows/test-dispatcher.lock.yml | 133 ++++++----- .../test-project-url-default.lock.yml | 133 ++++++----- .github/workflows/test-workflow.lock.yml | 75 +++--- .github/workflows/tidy.lock.yml | 161 ++++++------- .github/workflows/typist.lock.yml | 129 ++++++----- .../workflows/ubuntu-image-analyzer.lock.yml | 149 ++++++------ .github/workflows/unbloat-docs.lock.yml | 168 +++++++------- .github/workflows/video-analyzer.lock.yml | 133 ++++++----- .../weekly-editors-health-check.lock.yml | 147 ++++++------ .../workflows/weekly-issue-summary.lock.yml | 140 ++++++------ .../weekly-safe-outputs-spec-review.lock.yml | 137 +++++------ .github/workflows/workflow-generator.lock.yml | 163 ++++++------- .../workflow-health-manager.lock.yml | 151 ++++++------ .../workflows/workflow-normalizer.lock.yml | 143 ++++++------ .../workflow-skill-extractor.lock.yml | 133 ++++++----- actions/setup/setup.sh | 15 +- actions/setup/sh/start_mcp_gateway.sh | 14 +- actions/setup/sh/start_mcp_scripts_server.sh | 14 +- actions/setup/sh/start_safe_outputs_server.sh | 14 +- pkg/workflow/agentic_engine.go | 2 +- pkg/workflow/agentic_output_test.go | 8 +- pkg/workflow/agentic_workflow_test.go | 2 +- pkg/workflow/aw_info_tmp_test.go | 2 +- pkg/workflow/cache.go | 21 +- pkg/workflow/cache_memory_integration_test.go | 2 +- pkg/workflow/codex_engine_test.go | 2 +- pkg/workflow/compiler_activation_job.go | 1 + pkg/workflow/compiler_custom_actions_test.go | 2 +- pkg/workflow/compiler_main_job.go | 25 +- pkg/workflow/compiler_safe_outputs_job.go | 10 +- 
.../compiler_safe_outputs_specialized.go | 2 +- pkg/workflow/compiler_safe_outputs_steps.go | 10 +- .../compiler_safe_outputs_steps_test.go | 4 +- pkg/workflow/compiler_yaml.go | 10 +- pkg/workflow/compiler_yaml_ai_execution.go | 16 +- pkg/workflow/compiler_yaml_helpers.go | 8 +- pkg/workflow/compiler_yaml_main_job.go | 10 +- pkg/workflow/compiler_yaml_main_job_test.go | 2 +- pkg/workflow/copilot_engine_execution.go | 2 +- pkg/workflow/copilot_engine_installation.go | 2 +- pkg/workflow/copilot_installer.go | 2 +- pkg/workflow/copilot_installer_test.go | 12 +- pkg/workflow/detection_success_test.go | 2 +- pkg/workflow/docker.go | 2 +- pkg/workflow/docker_predownload_test.go | 4 +- pkg/workflow/engine_helpers_shared_test.go | 4 +- pkg/workflow/engine_includes_test.go | 2 +- pkg/workflow/firewall_version_pinning_test.go | 2 +- pkg/workflow/git_config_test.go | 2 +- pkg/workflow/git_configuration_steps.go | 2 +- pkg/workflow/importable_tools_test.go | 2 +- pkg/workflow/inference_access_error_test.go | 2 +- pkg/workflow/main_job_env_test.go | 7 +- pkg/workflow/maintenance_workflow.go | 44 ++-- pkg/workflow/mcp_config_builtin.go | 2 +- pkg/workflow/mcp_config_compilation_test.go | 2 +- pkg/workflow/mcp_config_refactor_test.go | 42 ++-- pkg/workflow/mcp_github_config.go | 2 +- pkg/workflow/mcp_renderer.go | 4 +- pkg/workflow/mcp_renderer_test.go | 4 +- pkg/workflow/mcp_scripts_generator.go | 2 +- pkg/workflow/mcp_scripts_generator_test.go | 2 +- pkg/workflow/mcp_scripts_mode_test.go | 2 +- pkg/workflow/mcp_scripts_parser.go | 2 +- pkg/workflow/mcp_setup_generator.go | 46 ++-- pkg/workflow/notify_comment.go | 9 +- pkg/workflow/pr.go | 8 +- pkg/workflow/pr_checkout_test.go | 4 +- pkg/workflow/prompts_test.go | 8 +- pkg/workflow/redact_secrets.go | 4 +- pkg/workflow/repo_memory.go | 11 +- pkg/workflow/repo_memory_integration_test.go | 4 +- pkg/workflow/repo_memory_test.go | 2 +- pkg/workflow/safe_jobs.go | 7 +- .../safe_outputs_mcp_integration_test.go | 8 +- 
pkg/workflow/secret_validation_test.go | 10 +- .../step_order_validation_integration_test.go | 6 +- pkg/workflow/step_order_validation_test.go | 2 +- pkg/workflow/step_summary_test.go | 4 +- pkg/workflow/temp_folder_test.go | 2 +- pkg/workflow/template.go | 4 +- pkg/workflow/template_rendering_test.go | 4 +- .../basic-copilot.golden | 81 ++++--- .../smoke-copilot.golden | 97 ++++---- .../with-imports.golden | 81 ++++--- pkg/workflow/threat_detection.go | 4 +- pkg/workflow/unified_prompt_step.go | 2 +- 239 files changed, 13070 insertions(+), 11728 deletions(-) diff --git a/.github/workflows/ace-editor.lock.yml b/.github/workflows/ace-editor.lock.yml index 7f8cd7ed68f..b49d8eade6d 100644 --- a/.github/workflows/ace-editor.lock.yml +++ b/.github/workflows/ace-editor.lock.yml @@ -51,6 +51,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -70,7 +72,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -92,11 +94,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
@@ -117,9 +119,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -127,18 +129,18 @@ jobs: GH_AW_WORKFLOW_FILE: "ace-editor.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -152,14 +154,14 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -203,9 +205,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -223,10 +225,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND: ${{ needs.pre_activation.outputs.matched_command }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -247,11 +249,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -272,6 +274,7 @@ jobs: issues: read pull-requests: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: aceeditor outputs: inference_access_error: ${{ steps.detect-inference-error.outputs.inference_access_error || 'false' }} @@ -286,13 +289,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -306,9 +313,9 @@ jobs: git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -317,10 +324,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 - name: Start MCP Gateway id: start-mcp-gateway env: 
@@ -345,7 +352,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -373,7 +380,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -406,7 +413,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -444,15 +451,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -462,7 +469,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload engine output files uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: 
@@ -478,18 +485,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -567,7 +574,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -576,9 +583,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position 
@@ -587,8 +594,8 @@ jobs: GH_AW_COMMANDS: "[\"ace\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 99dcb1879cc..6881e1e09a9 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -50,6 +50,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -64,7 +66,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,7 +88,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -103,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "agent-performance-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -120,16 +122,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, create_discussion, missing_tool, missing_data, noop @@ -179,9 +181,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -204,10 +206,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -233,11 +235,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -265,10 +267,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: agentperformanceanalyzer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -289,7 +289,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -325,7 +325,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) env: @@ -335,7 +339,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -358,14 +362,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -374,10 +378,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -391,26 +395,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":10},"create_discussion":{"expires":24,"max":2},"create_issue":{"expires":48,"group":true,"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 5 issue(s) can be created. 
Labels [\"cookie\"] will be automatically added.", @@ -642,7 +646,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -804,8 +808,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -816,7 +820,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
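Review bot: In the step-level `env:` of the safe-outputs server step (hunk at -804), `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the matching `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` entry are YAML values, not shell. The variables therefore hold the literal string `${GH_AW_HOME}/...`, and the `export` lines in the `run:` block pass it on unexpanded. They also take precedence over the resolved values this patch writes to `$GITHUB_ENV` in the "Create gh-aw temp directory" step. Either drop the two step-level entries so the `$GITHUB_ENV` values apply, or write `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`. The agent-persona-explorer lock file has the same pair.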
@@ -846,7 +850,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -893,7 +897,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
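Review bot: `MCP_GATEWAY_DOCKER_COMMAND` still mounts `-v /opt:/opt:ro`, which is unchanged context in this hunk, while the scripts, binary and safe-outputs files now live under `${GH_AW_HOME}`. With GH_AW_HOME set outside /opt, the gateway container would not see them, and the `GH_AW_SAFE_OUTPUTS*` paths passed in with `-e` would not resolve inside it. Mounting the home directory itself, in the same quoting style as the workspace mount, keeps this portable and exposes less of the host than all of /opt: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. The same command appears in the agent-persona-explorer lock file.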
@@ -928,7 +932,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -966,15 +970,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -983,7 +987,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -1002,9 +1006,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1028,18 +1032,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1119,9 +1123,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1169,9 +1173,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1217,6 +1221,8 @@ jobs: concurrency: group: "gh-aw-conclusion-agent-performance-analyzer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1231,7 +1237,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
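Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` in the threat-detection setup step (hunk at -1119) is a single-quoted JavaScript string, so `${GH_AW_HOME}` is never expanded and Node is asked to load a path beginning with those literal characters. The other github-script steps in this patch use `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`; use that form here and for `setup_threat_detection.cjs`. The conclusion-job steps in the following hunks (noop, missing_tool, handle_agent_failure, handle_noop_message) carry the same literal. Because this stops the threat-detection setup script from loading, it is worth confirming that the job fails closed when that step errors.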
@@ -1255,9 +1261,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1268,9 +1274,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1293,9 +1299,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1310,9 +1316,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1332,7 +1338,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1341,9 +1347,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); push_repo_memory: @@ -1355,6 +1361,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} @@ -1368,7 +1376,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
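Review bot: The `pre_activation` job now depends on GH_AW_HOME (`destination: ${GH_AW_HOME}/actions` and `require(process.env.GH_AW_HOME + '/actions/check_membership.cjs')`), but no `env: GH_AW_HOME: /opt/gh-aw` is added for it. The activation, conclusion, push_repo_memory and safe_outputs jobs each get that entry, while the line offsets around this job (-1332/+1338 and -1355/+1361) show nothing inserted. Unless the variable is set at workflow level outside these hunks, `process.env.GH_AW_HOME` is undefined and the require argument becomes `undefined/actions/check_membership.cjs`, so the team-membership gate cannot load. Add the same job-level `env:` block to `pre_activation`, and confirm that downstream jobs treat a failed membership step as not activated. The earlier lock file's command-workflow membership job (hunks at -567, -576 and -587) looks to be in the same position.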
@@ -1411,9 +1419,9 @@ jobs: FILE_GLOB_FILTER: "**" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1429,6 +1437,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/agent-performance-analyzer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "agent-performance-analyzer" GH_AW_WORKFLOW_NAME: "Agent Performance Analyzer - Meta-Orchestrator" outputs: @@ -1452,7 +1461,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1478,9 +1487,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index cf840dbcada..b63d0c0c441 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -50,6 +50,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -65,7 +67,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,11 +89,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -109,9 +111,9 @@ jobs: GH_AW_WORKFLOW_FILE: "agent-persona-explorer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -126,16 +128,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -185,9 +187,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -207,10 +209,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -233,11 +235,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -264,10 +266,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: agentpersonaexplorer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -288,7 +288,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -324,10 +324,14 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -357,14 +361,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -373,10 +377,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -390,26 +394,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"agent-research\".", 
@@ -540,7 +544,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -651,8 +655,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -663,7 +667,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
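Review bot: In the `env:` block of the step that runs `start_safe_outputs_server.sh` (hunk at new line 655), `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` line beside it are not expanded, because GitHub Actions only evaluates `${{ … }}` in `env:` values. The script exports these variables as-is, so the server receives the literal text unless it expands the value again itself. Write them as `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`, or drop the step-level entries where the job already exports resolved values through `$GITHUB_ENV`, as the "Create gh-aw temp directory" step in ai-moderator.lock.yml does. The same two lines recur in ai-moderator.lock.yml (hunk at new line 693), where they would override those resolved values. `destination: ${GH_AW_HOME}/actions` under `with:` is likewise passed literally and works only if the setup action expands it, which is not visible here.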
@@ -693,7 +697,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -740,7 +744,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
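Review bot: The gateway container still gets host files through the fixed `-v /opt:/opt:ro` mount in `MCP_GATEWAY_DOCKER_COMMAND` (context line of the hunk at new line 697), while the scripts, the copied gh-aw binary and the safe-outputs config now live under `${GH_AW_HOME}`. With the default `/opt/gh-aw` nothing changes, but a runner that sets GH_AW_HOME outside `/opt` would presumably start a gateway that cannot see the paths passed to it in `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `GH_AW_SAFE_OUTPUTS_TOOLS_PATH`. Mount the configured directory instead, in the same quoting style as the workspace mount: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. Keep it read-only so the container cannot alter scripts that later steps execute from that directory.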
@@ -774,7 +778,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -812,15 +816,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -830,7 +834,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -849,9 +853,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -875,18 +879,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -963,9 +967,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1012,9 +1016,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1059,6 +1063,8 @@ jobs: concurrency: group: "gh-aw-conclusion-agent-persona-explorer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1073,7 +1079,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
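Review bot: The threat-detection setup step (hunk at new line 967) now calls `require('${GH_AW_HOME}/actions/setup_globals.cjs')`, but a single-quoted JavaScript string is not interpolated by github-script or by the runner. Node therefore looks for a path that literally begins with `${GH_AW_HOME}` and throws before `setup_threat_detection.cjs` runs. Use the form the other hunks in this file already use: `require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs')`. The same literal appears in the conclusion-job steps further down (noop, missing_tool, handle_agent_failure, handle_noop_message) and again in ai-moderator.lock.yml, so the failure handlers themselves would fail. Both files look generated, so the fix is presumably in a compiler code path that still emits the shell form inside `script:`.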
@@ -1097,9 +1103,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1110,9 +1116,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1133,9 +1139,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1150,9 +1156,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1172,7 +1178,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1181,9 +1187,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1198,6 +1204,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/agent-persona-explorer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "agent-persona-explorer" GH_AW_WORKFLOW_NAME: "Agent Persona Explorer" outputs: @@ -1217,7 +1224,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1243,9 +1250,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1262,6 +1269,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: agentpersonaexplorer steps: - name: Checkout actions folder @@ -1273,7 +1281,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/agentics-maintenance.yml b/.github/workflows/agentics-maintenance.yml index b3454110617..fd3e7ec38a4 100644 --- a/.github/workflows/agentics-maintenance.yml +++ b/.github/workflows/agentics-maintenance.yml @@ -60,6 +60,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw steps: - name: Checkout actions folder uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -70,34 +72,32 @@ jobs: - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Close expired discussions uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/close_expired_discussions.cjs'); + const { main } = require(" + JsRequireGhAw("actions/close_expired_discussions.cjs") + "); await main(); - name: Close expired issues uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/close_expired_issues.cjs'); + const { main } = require(" + JsRequireGhAw("actions/close_expired_issues.cjs") + "); await main(); - name: Close expired pull requests uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/close_expired_pull_requests.cjs'); + const { main } = require(" + JsRequireGhAw("actions/close_expired_pull_requests.cjs") + "); await main(); run_operation: @@ -107,6 +107,8 @@ jobs: actions: write contents: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
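Review bot: Every `script:` block in this hunk now contains `require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");`, which is the Go concatenation text rather than its result, so each github-script step is a JavaScript syntax error. The helper shown in setup_action_paths.go would yield `process.env.GH_AW_HOME + '/actions/setup_globals.cjs'`, so the emitted line should read `const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');`. The likely cause is that the call was written inside a Go raw string literal in the maintenance-workflow template, where `" + … + "` is plain text. The later hunks of this file have the same defect, including the `check_team_member.cjs` permission check and `validate_secrets.cjs`; a test that parses the generated `script:` bodies would catch it. This hunk also drops `with: destination:`, so the setup action's default must match `GH_AW_HOME`, which is not visible here.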
@@ -115,17 +117,15 @@ jobs: - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check admin/maintainer permissions uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_team_member.cjs'); + const { main } = require(" + JsRequireGhAw("actions/check_team_member.cjs") + "); await main(); - name: Setup Go @@ -146,9 +146,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/run_operation_update_upgrade.cjs'); + const { main } = require(" + JsRequireGhAw("actions/run_operation_update_upgrade.cjs") + "); await main(); compile-workflows: @@ -157,6 +157,8 @@ jobs: permissions: contents: read issues: write + env: + GH_AW_HOME: /opt/gh-aw steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 
@@ -179,16 +181,14 @@ jobs: - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check for out-of-sync workflows and create issue if needed uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_recompile_needed.cjs'); + const { main } = require(" + JsRequireGhAw("actions/check_workflow_recompile_needed.cjs") + "); await main(); zizmor-scan: @@ -197,6 +197,8 @@ jobs: needs: compile-workflows permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -235,8 +237,6 @@ jobs: - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Validate Secrets uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -254,9 +254,9 @@ jobs: NOTION_API_TOKEN: ${{ secrets.NOTION_API_TOKEN }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/validate_secrets.cjs'); + const { main } = require(" + JsRequireGhAw("actions/validate_secrets.cjs") + "); await main(); - name: Upload secret validation report diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index 80af233e42f..d30f0a985f8 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml 
@@ -64,6 +64,8 @@ jobs: permissions: contents: read issues: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -83,7 +85,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -105,11 +107,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} 
@@ -128,18 +130,18 @@ jobs: GH_AW_WORKFLOW_FILE: "ai-moderator.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Lock issue for agent workflow id: lock-issue @@ -147,9 +149,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/lock-issue.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/lock-issue.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -166,16 +168,16 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_labels, hide_comment, missing_tool, missing_data, noop @@ -210,7 +212,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -227,9 +229,9 @@ jobs: GH_AW_EXPR_799BE623: ${{ github.event.issue.number || github.event.pull_request.number }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -251,10 +253,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -279,11 +281,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -306,10 +308,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: aimoderator outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -327,16 +327,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Cache cache-memory file share data uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -366,9 +370,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 
@@ -378,7 +382,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -387,19 +391,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_labels":{"allowed":["spam","ai-generated","link-spam","ai-inspected"],"max":3,"target":"*"},"hide_comment":{"allowed_reasons":["spam"],"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add labels to an existing GitHub issue or pull request for categorization and filtering. Labels must already exist in the repository. For creating new issues with labels, use create_issue with the labels property instead. 
CONSTRAINTS: Only these labels are allowed: [\"spam\" \"ai-generated\" \"link-spam\" \"ai-inspected\"]. Target: *.", @@ -561,7 +565,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_labels": { "defaultMax": 5, @@ -689,8 +693,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -701,7 +705,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -754,7 +758,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -788,7 +792,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail 
@@ -830,15 +834,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -849,7 +853,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -868,9 +872,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -894,18 +898,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -927,9 +931,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { validateMemoryFiles } = require('/opt/gh-aw/actions/validate_memory_files.cjs'); + const { validateMemoryFiles } = require(process.env.GH_AW_HOME + '/actions/validate_memory_files.cjs'); const allowedExtensions = [".json"]; const result = validateMemoryFiles('/tmp/gh-aw/cache-memory', 'cache', allowedExtensions); if (!result.valid) { @@ -965,6 +969,8 @@ jobs: concurrency: group: "gh-aw-conclusion-ai-moderator" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} 
@@ -979,7 +985,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1003,9 +1009,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1016,9 +1022,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1036,9 +1042,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
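Review bot: `destination: ${GH_AW_HOME}/actions` sits under `with:`, and Actions passes `with:` values to the action verbatim with no shell expansion. Unless `./actions/setup` expands the string itself (not visible here), the scripts would be copied to a directory literally named `${GH_AW_HOME}/actions`. Using the expression form, `destination: ${{ env.GH_AW_HOME }}/actions`, resolves the path before the action runs. The same line recurs in every "Setup Scripts" hunk on this page.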
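Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` is a single-quoted JavaScript string, so `${GH_AW_HOME}` is never substituted and the module lookup uses the literal text and throws. The other github-script steps in this patch use the working form, and these should match: `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`. The same literal appears in the noop, missing_tool, handle_agent_failure and handle_noop_message steps of both workflows, and in the `setup_threat_detection` step of archie.lock.yml (old line 933). For that last one it is worth confirming that a failing setup step makes threat detection fail closed rather than be skipped. The emitted shape suggests the generator still builds these steps from the shell-form path, so the fix presumably belongs there rather than in the lock file.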
@@ -1053,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1076,7 +1082,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check user rate limit id: check_rate_limit uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1088,9 +1094,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_rate_limit.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_rate_limit.cjs'); await main(); - name: Check skip-roles id: check_skip_roles @@ -1101,9 +1107,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_roles.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_roles.cjs'); await main(); - name: Check skip-bots id: check_skip_bots 
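Review bot: The `pre_activation` steps now read `process.env.GH_AW_HOME`, but no `env:` block is added to that job. The hunk offsets stay at +6 from the end of the conclusion job through old line 1076, so nothing was inserted in between. With the variable unset, the path becomes `undefined/actions/…`, and the rate-limit, skip-roles and skip-bots checks fail at `require`; whether activation then fails closed is not visible from here. Adding `env:` with `GH_AW_HOME: /opt/gh-aw` to the job, as the conclusion and safe_outputs jobs get, would fix it. The archie `pre_activation` job (old line 1147) and the unlock job at the end of ai-moderator (old line 1211) appear to have the same gap.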
@@ -1113,9 +1119,9 @@ jobs: GH_AW_WORKFLOW_NAME: "AI Moderator" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_bots.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_bots.cjs'); await main(); safe_outputs: @@ -1134,6 +1140,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/ai-moderator" GH_AW_ENGINE_ID: "codex" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "ai-moderator" GH_AW_WORKFLOW_NAME: "AI Moderator" outputs: @@ -1153,7 +1160,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1179,9 +1186,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() 
@@ -1211,15 +1218,15 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Unlock issue after agent workflow id: unlock-issue if: ((github.event_name == 'issues') || (github.event_name == 'issue_comment')) && (needs.activation.outputs.issue_locked == 'true') uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/unlock-issue.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/unlock-issue.cjs'); await main(); diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 29130899c03..cab7e89c221 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -69,6 +69,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -87,7 +89,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -109,7 +111,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -129,9 +131,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -139,18 +141,18 @@ jobs: GH_AW_WORKFLOW_FILE: "archie.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -168,15 +170,15 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -211,7 +213,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -234,9 +236,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
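Review bot: `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` leaves the expansion unquoted, while the `cat "${GH_AW_HOME}/prompts/…"` lines just below quote it. On a self-hosted runner whose install path contains a space or glob character, the unquoted form splits into several arguments and runs or writes to the wrong path. Quoting it keeps the two forms consistent: `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"`. The same applies to the other unquoted `run:` lines in later hunks, and to the `mkdir -p ${GH_AW_HOME}/safeoutputs` and `cat > ${GH_AW_HOME}/safeoutputs/*.json` redirections.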
@@ -257,10 +259,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -284,11 +286,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -313,10 +315,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: archie outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -337,13 +337,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -366,14 +370,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -382,19 +386,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. 
IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -528,7 +532,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -631,8 +635,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -643,7 +647,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
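Review bot: In the hunk at old line 631, `GH_AW_SAFE_OUTPUTS_TOOLS_PATH` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` are step-level `env:` values, which the runner does not shell-expand. The script's `export` lines therefore pass the literal text `${GH_AW_HOME}/safeoutputs/…` to the safe-outputs server. These entries also shadow the resolved values that the "Create gh-aw temp directory" step writes to `$GITHUB_ENV`. Either drop the two step-level entries so the `$GITHUB_ENV` values apply, or use the expression form, `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`, and likewise for the config path.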
@@ -672,7 +676,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -715,7 +719,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
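Review bot: The `MCP_GATEWAY_DOCKER_COMMAND` context line in the hunk at old line 672 still mounts a fixed `-v /opt:/opt:ro`, and GH_AW_HOME is not among the forwarded `-e` variables. The safe-outputs paths passed into the container therefore resolve only while GH_AW_HOME stays under /opt, which defeats the portability this change is after. Consider a read-only mount of the resolved directory, following the quoting already used for the workspace: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. Keeping the mount `ro` matters, because the gateway also holds the Docker socket and the GitHub tokens.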
@@ -750,7 +754,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -788,15 +792,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -805,7 +809,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -825,9 +829,9 @@ jobs: GH_AW_COMMAND: archie with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -851,18 +855,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -933,9 +937,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -983,9 +987,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1030,6 +1034,8 @@ jobs: concurrency: group: "gh-aw-conclusion-archie" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1044,7 +1050,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1068,9 +1074,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1081,9 +1087,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1102,9 +1108,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1119,9 +1125,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1147,7 +1153,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1156,9 +1162,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1167,9 +1173,9 @@ jobs: GH_AW_COMMANDS: "[\"archie\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: 
@@ -1185,6 +1191,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/archie" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📊 *Diagram rendered by [{workflow_name}]({run_url})*{history_link}\",\"footerWorkflowRecompile\":\"\\u003e 🔧 *Workflow sync report by [{workflow_name}]({run_url}) for {repository}*\",\"footerWorkflowRecompileComment\":\"\\u003e 🔄 *Update from [{workflow_name}]({run_url}) for {repository}*\",\"runStarted\":\"📐 [{workflow_name}]({run_url}) is analyzing the architecture for this {event_type}...\",\"runSuccess\":\"🎨 [{workflow_name}]({run_url}) has completed the architecture visualization. ✅\",\"runFailure\":\"📐 [{workflow_name}]({run_url}) encountered an issue and could not complete the architecture diagram. Check the [run logs]({run_url}) for details.\"}" GH_AW_WORKFLOW_ID: "archie" GH_AW_WORKFLOW_NAME: "Archie" @@ -1207,7 +1214,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1233,9 +1240,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 10c78f7bf71..6c47ff7aa6e 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml 
@@ -49,6 +49,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,7 +87,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -102,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "artifacts-summary.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -119,15 +121,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -181,9 +183,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -199,10 +201,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -221,11 +223,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -250,10 +252,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: artifactssummary outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -274,13 +274,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -303,14 +307,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -319,19 +323,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. 
CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"artifacts\".", @@ -462,7 +466,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -573,8 +577,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -585,7 +589,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
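Review bot: In the safe-outputs server step (hunk `@@ -573,8 +577,8 @@`), `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the matching `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` line sit under `env:`, where no shell expansion happens, so both variables hold the literal `${GH_AW_HOME}` text. These step-level entries also appear to take precedence over the resolved values that the `Create gh-aw temp directory` step now writes to `$GITHUB_ENV`. The `run:` script only re-exports them, so the server is pointed at a non-existent path unless `start_safe_outputs_server.sh` expands the value itself. Either drop the two lines and rely on `$GITHUB_ENV`, or write `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`, and likewise for the config path. The corresponding hunk in audit-workflows.lock.yml has the same two lines.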
@@ -614,7 +618,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -649,7 +653,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
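Review bot: `MCP_GATEWAY_DOCKER_COMMAND` in this hunk's context still mounts `-v /opt:/opt:ro`, so once `GH_AW_HOME` points outside `/opt` the gateway container cannot see the files named by `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH`. The commit changes `DefaultGhAwMount` in constants.go but leaves this line alone. Adding a read-only mount of the resolved directory, in the quoting style the line already uses for the workspace, keeps the container's view aligned: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. Whether all of `/opt` still needs to be exposed is not visible here and is worth checking while touching the line. The audit-workflows.lock.yml gateway hunk carries the same mount.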
@@ -684,7 +688,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -722,15 +726,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -739,7 +743,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -758,9 +762,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -784,18 +788,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -866,9 +870,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -916,9 +920,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -962,6 +966,8 @@ jobs: concurrency: group: "gh-aw-conclusion-artifacts-summary" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -976,7 +982,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
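Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and the `setup_threat_detection.cjs` line below it (hunk `@@ -866,9 +870,9 @@`) put shell syntax inside a single-quoted JavaScript string, which neither Actions nor Node expands. The module path is therefore the literal text and would fail to resolve. The other github-script steps in this patch use the working form, `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`. The literal form also appears in the conclusion-job hunks (`noop.cjs`, `missing_tool.cjs`, `handle_agent_failure.cjs`, `handle_noop_message.cjs`) here and in audit-workflows.lock.yml, so the threat-detection and failure-handling steps are the ones affected. Presumably those generator paths still interpolate `SetupActionDestination` into the require string instead of calling `JsRequireGhAw`, so the fix belongs there.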
@@ -1000,9 +1006,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1013,9 +1019,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1035,9 +1041,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1052,9 +1058,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1069,6 +1075,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/artifacts-summary" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "artifacts-summary" GH_AW_WORKFLOW_NAME: "Artifacts Summary" outputs: @@ -1088,7 +1095,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1114,9 +1121,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index d68250fb2c0..e4eda76f775 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -50,6 +50,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -65,7 +67,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,11 +89,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -109,9 +111,9 @@ jobs: GH_AW_WORKFLOW_FILE: "audit-workflows.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -126,17 +128,17 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -195,9 +197,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -222,10 +224,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -253,11 +255,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -283,10 +285,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: auditworkflows outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -306,7 +306,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -342,7 +342,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - name: Setup Python environment @@ -370,7 +374,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -387,7 +391,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -410,9 +414,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -420,7 +424,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -431,10 +435,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -448,26 +452,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. 
Discussions will be created in category \"audits\".", @@ -638,7 +642,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -758,8 +762,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -770,7 +774,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -802,7 +806,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -847,7 +851,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
@@ -972,15 +976,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -990,7 +994,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -1009,9 +1013,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -1027,18 +1031,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1133,9 +1137,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1193,9 +1197,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1242,6 +1246,8 @@ jobs: concurrency: group: "gh-aw-conclusion-audit-workflows" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1256,7 +1262,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1281,9 +1287,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
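Review bot: `destination: ${GH_AW_HOME}/actions` in the Setup Scripts step (`@@ -1256,7 +1262,7 @@`) is an action input under `with:`, where GitHub Actions evaluates only `${{ }}` expressions and does no shell expansion, so `./actions/setup` receives the literal text unless it expands the value itself (its implementation is not visible here). If it does not, the scripts are copied to a path containing the literal `${GH_AW_HOME}`, and every later `process.env.GH_AW_HOME + '/actions/…'` lookup misses them. Passing the job-level variable through expression syntax, `destination: ${{ env.GH_AW_HOME }}/actions`, keeps the input and the later lookups in agreement. The same input is written this way in every Setup Scripts step this patch touches.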
@@ -1295,9 +1301,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1321,9 +1327,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1339,9 +1345,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1353,6 +1359,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} 
@@ -1366,7 +1374,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1409,9 +1417,9 @@ jobs: FILE_GLOB_FILTER: "memory/audit-workflows/*.json memory/audit-workflows/*.jsonl memory/audit-workflows/*.csv memory/audit-workflows/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1426,6 +1434,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/audit-workflows" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "audit-workflows-daily" GH_AW_WORKFLOW_ID: "audit-workflows" GH_AW_WORKFLOW_NAME: "Agentic Workflow Audit Agent" @@ -1446,7 +1455,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1472,9 +1481,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() 
@@ -1491,6 +1500,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: auditworkflows steps: - name: Checkout actions folder @@ -1502,7 +1512,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1546,7 +1556,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1602,8 +1612,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 934128e089a..40edf657e6e 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -54,6 +54,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -71,7 +73,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -93,7 +95,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -110,18 +112,18 @@ jobs: GH_AW_WORKFLOW_FILE: "auto-triage-issues.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -136,15 +138,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, add_labels, missing_tool, missing_data, noop @@ -194,9 +196,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -213,10 +215,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
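Review bot: `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` leaves the expansion unquoted, while the `cat "${GH_AW_HOME}/prompts/…"` lines just below quote it. On a self-hosted runner, which is what this change targets, the directory is operator-chosen, and a path containing spaces or glob characters would be word-split before `bash` sees it. Quote it consistently, `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"`, and likewise in the other `run:` lines this patch rewrites (the `mkdir -p` and `cat >` redirections, the install and validate scripts).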
@@ -236,11 +238,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -263,10 +265,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: autotriageissues outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -287,13 +287,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -316,14 +320,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -332,19 +336,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_labels":{"max":10},"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. 
CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[Auto-Triage] \". Discussions will be created in category \"audits\".", @@ -504,7 +508,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_labels": { "defaultMax": 5, @@ -634,8 +638,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -646,7 +650,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
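Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` in the `@@ -634,8 +638,8 @@` hunk are not shell-expanded by the runner, so the step exports the literal string to start_safe_outputs_server.sh. Unless that script re-expands the value, the safe-outputs server is pointed at a config and tools path that does not exist. Step-level env also takes precedence over the resolved values that the "Create gh-aw temp directory" step now appends to `$GITHUB_ENV`, so the good values are shadowed. Either drop these two entries and rely on the `$GITHUB_ENV` values, or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`.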
@@ -675,7 +679,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -710,7 +714,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
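Review bot: The `MCP_GATEWAY_DOCKER_COMMAND` context line in the `@@ -675,7 +679,7 @@` hunk still mounts `-v /opt:/opt:ro` and passes no `-e GH_AW_HOME`, while the safe-outputs files whose paths are forwarded to the container now live under `${GH_AW_HOME}`. With the default `/opt/gh-aw` nothing changes, but a runner that sets GH_AW_HOME outside `/opt` would start the gateway without the files those variables point at. The mount should follow the variable and stay read-only, in the same quoting style as the workspace mount: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`.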
@@ -761,7 +765,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -799,15 +803,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -816,7 +820,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -835,9 +839,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -861,18 +865,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -943,9 +947,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -993,9 +997,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1040,6 +1044,8 @@ jobs: concurrency: group: "gh-aw-conclusion-auto-triage-issues" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1054,7 +1060,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1078,9 +1084,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1091,9 +1097,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1113,9 +1119,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1130,9 +1136,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1153,7 +1159,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1162,9 +1168,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check user rate limit id: check_rate_limit @@ -1177,9 +1183,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_rate_limit.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_rate_limit.cjs'); await main(); safe_outputs: 
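Review bot: The `pre_activation` job now depends on GH_AW_HOME (`destination: ${GH_AW_HOME}/actions`, `require(process.env.GH_AW_HOME + '/actions/check_membership.cjs')`), but this patch adds no `GH_AW_HOME: /opt/gh-aw` env entry to it. The hunk offsets stay at +6 from `@@ -1130,9 +1136,9 @@` through `@@ -1177,9 +1183,9 @@`, so no line was inserted in between. Unless the variable is defined outside these hunks, `process.env.GH_AW_HOME` is undefined there, and the membership and rate-limit checks fail at `require` instead of running. Add the same job-level `env:` block with `GH_AW_HOME: /opt/gh-aw` that the other jobs received. The job containing the upload_assets step at the end of the previous file shows the same gap (offsets stay at +10 across its hunks).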
@@ -1195,6 +1201,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/auto-triage-issues" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "auto-triage-issues" GH_AW_WORKFLOW_NAME: "Auto-Triage Issues" outputs: @@ -1214,7 +1221,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1240,9 +1247,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 236215bf343..ebe305046da 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -85,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "blog-auditor.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -125,16 +127,16 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -187,9 +189,9 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -206,10 +208,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -229,11 +231,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -258,10 +260,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: blogauditor outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -281,13 +281,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -310,9 +314,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -320,7 +324,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -331,19 +335,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. 
For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[audit] \". Discussions will be created in category \"audits\".", @@ -474,7 +478,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -585,8 +589,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -597,7 +601,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
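Review bot: The step-level `env:` values `${GH_AW_HOME}/safeoutputs/tools.json` and `${GH_AW_HOME}/safeoutputs/config.json` in the `-585,8` hunk are not expanded, because Actions evaluates only `${{ }}` expressions in `env:`; the following `export` therefore hands the safe-outputs server the literal string. A step-level value also appears to shadow the resolved paths that the "Create gh-aw temp directory" step now writes to `$GITHUB_ENV`. Either drop these two entries from the step, or set them in the `run:` body, e.g. `export GH_AW_SAFE_OUTPUTS_TOOLS_PATH="${GH_AW_HOME}/safeoutputs/tools.json"`. Unless start_safe_outputs_server.sh expands the value itself, the server would not find the config and tool list that bound what the agent may emit; the `-735,8` hunk in bot-detection.lock.yml has the same lines.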
@@ -626,7 +630,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -677,7 +681,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
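Review bot: The gateway container in the `-626,7` hunk is still started with the hard-coded `-v /opt:/opt:ro` in `MCP_GATEWAY_DOCKER_COMMAND`, while the scripts and safe-outputs files it reads now live under `${GH_AW_HOME}`. On a runner where GH_AW_HOME is outside /opt the container would not see those files, and on the default path it keeps exposing all of /opt rather than the gh-aw directory only. Since the quoted command already splices in `"${GITHUB_WORKSPACE}"`, the mount could be written the same way as `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, matching the narrowed `DefaultGhAwMount` constant changed earlier in this patch. The `-776,7` hunk in bot-detection.lock.yml carries the same command.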
@@ -834,15 +838,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -852,7 +856,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -871,9 +875,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -889,18 +893,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -971,9 +975,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
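Review bot: In the `-971,9` hunk the new lines `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')` put a shell-style variable inside a single-quoted JavaScript string, which github-script does not expand, so Node would look for a path that literally starts with `${GH_AW_HOME}`. The threat-detection setup step would then fail to load its module instead of running. Every other script step in this file uses `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and these lines should match it. The same literal form appears in the noop, missing_tool, handle_agent_failure and handle_noop_message steps of the conclusion job, in both blog-auditor.lock.yml and bot-detection.lock.yml, which suggests one generator path is still emitting the shell constant rather than the JS expression.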
@@ -1031,9 +1035,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1077,6 +1081,8 @@ jobs: concurrency: group: "gh-aw-conclusion-blog-auditor" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1091,7 +1097,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1116,9 +1122,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1130,9 +1136,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1153,9 +1159,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1171,9 +1177,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1188,6 +1194,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/blog-auditor" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "blog-auditor-weekly" GH_AW_WORKFLOW_ID: "blog-auditor" GH_AW_WORKFLOW_NAME: "Blog Auditor" 
@@ -1208,7 +1215,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1234,9 +1241,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml index d7b02a1d20c..880c456df28 100644 --- a/.github/workflows/bot-detection.lock.yml +++ b/.github/workflows/bot-detection.lock.yml @@ -45,6 +45,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -60,7 +62,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -82,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -104,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "bot-detection.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -125,15 +127,15 @@ jobs: GH_AW_NEEDS_PRECOMPUTE_OUTPUTS_ISSUE_NUMBER: ${{ needs.precompute.outputs.issue_number }} GH_AW_NEEDS_PRECOMPUTE_OUTPUTS_ISSUE_TITLE: ${{ needs.precompute.outputs.issue_title }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, update_issue, missing_tool, missing_data, noop @@ -185,9 +187,9 @@ jobs: GH_AW_NEEDS_PRECOMPUTE_OUTPUTS_ISSUE_TITLE: ${{ needs.precompute.outputs.issue_title }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -207,10 +209,10 @@ jobs: GH_AW_NEEDS_PRECOMPUTE_OUTPUTS_ISSUE_TITLE: ${{ needs.precompute.outputs.issue_title }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -233,11 +235,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -266,10 +268,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: botdetection outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -288,13 +288,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -317,14 +321,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -333,19 +337,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"max":1},"mentions":{"allowed":["pelikhan"]},"missing_data":{},"missing_tool":{},"noop":{"max":1},"update_issue":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. 
CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"security\" \"bot-detection\"] will be automatically added.", @@ -563,7 +567,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -735,8 +739,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -747,7 +751,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -776,7 +780,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -811,7 +815,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -845,7 +849,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -883,15 +887,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -901,7 +905,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -920,9 +924,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -946,18 +950,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1001,6 +1005,8 @@ jobs: concurrency: group: "gh-aw-conclusion-bot-detection" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} 
@@ -1015,7 +1021,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1039,9 +1045,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1052,9 +1058,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1073,9 +1079,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1090,9 +1096,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); precompute: @@ -1904,6 +1910,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/bot-detection" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "bot-detection" GH_AW_WORKFLOW_NAME: "Bot Detection" outputs: @@ -1925,7 +1932,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1951,9 +1958,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 7a918ece072..764f8327d78 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -55,6 +55,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" 
@@ -73,7 +75,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -95,7 +97,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -115,9 +117,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
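Review bot: `destination: ${GH_AW_HOME}/actions` is a `with:` input, where Actions substitutes only `${{ … }}` expressions. `./actions/setup` therefore receives the literal string unless the action expands shell-style variables itself, which nothing in this patch shows. The expression form would be `destination: ${{ env.GH_AW_HOME }}/actions`. The `pre_activation` hunk (`@@ -1132,7 +1138,7`) makes the same change, but no `GH_AW_HOME` entry is visibly added to that job's `env:`, so even an expanding action could resolve it to `/actions` there; worth confirming against the full generated file.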
@@ -125,18 +127,18 @@ jobs: GH_AW_WORKFLOW_FILE: "brave.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -154,15 +156,15 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop 
@@ -197,7 +199,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -219,9 +221,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -242,10 +244,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -269,11 +271,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -297,10 +299,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: brave outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -321,13 +321,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
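Review bot: The `Create gh-aw temp directory` step expands `${GH_AW_HOME}` unquoted and unguarded, both in the `bash` call and in the three lines written to `$GITHUB_ENV`. If the variable is ever empty, the exported paths become `/safeoutputs/…` for every later step, and a value containing whitespace would split the script path. I would open the block with `: "${GH_AW_HOME:?GH_AW_HOME must be set}"` and quote the call as `bash "${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh"`. The same applies to `mkdir -p ${GH_AW_HOME}/safeoutputs` and the `cat > ${GH_AW_HOME}/safeoutputs/*.json` redirections in the `Write Safe Outputs Config` hunk, and to the other `bash ${GH_AW_HOME}/actions/…` run lines.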
@@ -350,14 +354,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -366,19 +370,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. 
IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -512,7 +516,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -615,8 +619,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -627,7 +631,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
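Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` in the `@@ -615,8 +619,8` hunk are plain YAML values. Actions does not shell-expand them, so the `export` lines below hand the literal `${GH_AW_HOME}/…` text to `start_safe_outputs_server.sh`. They also override the resolved values that the earlier `Create gh-aw temp directory` step writes to `$GITHUB_ENV`. Either drop both entries so the `$GITHUB_ENV` values are inherited, or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. The `@@ -597,8 +601,8` hunk in breaking-change-checker.lock.yml has the same two lines; the step's `run:` block continues outside this hunk.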
@@ -657,7 +661,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e BRAVE_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "brave-search": { @@ -702,7 +706,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
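Review bot: The `MCP_GATEWAY_DOCKER_COMMAND` context line in the `@@ -657,7 +661,7` hunk still hard-codes `-v /opt:/opt:ro`, while the safe-outputs paths passed to the container with `-e` now derive from `GH_AW_HOME`. Once `GH_AW_HOME` points outside `/opt`, the gateway container no longer sees those files. If it points under `/tmp` or the workspace, they are reachable only through the `rw` mounts, which drops the read-only protection on the scripts and the safe-outputs config. An explicit mount in the same quoting style as the workspace one would keep that guarantee, e.g. `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. The step's `run:` block starts outside this hunk, and the `@@ -638,7 +642,7` hunk in breaking-change-checker.lock.yml carries the same command.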
@@ -737,7 +741,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -775,15 +779,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'BRAVE_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -793,7 +797,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -813,9 +817,9 @@ jobs: GH_AW_COMMAND: brave with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -839,18 +843,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -921,9 +925,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -971,9 +975,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1018,6 +1022,8 @@ jobs: concurrency: group: "gh-aw-conclusion-brave" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1032,7 +1038,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1056,9 +1062,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1069,9 +1075,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1090,9 +1096,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1107,9 +1113,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1132,7 +1138,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1141,9 +1147,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1152,9 +1158,9 @@ jobs: GH_AW_COMMANDS: "[\"brave\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: 
@@ -1170,6 +1176,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/brave" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🦁 *Search results brought to you by [{workflow_name}]({run_url})*{history_link}\",\"footerWorkflowRecompile\":\"\\u003e 🔄 *Maintenance report by [{workflow_name}]({run_url}) for {repository}*\",\"runStarted\":\"🔍 Brave Search activated! [{workflow_name}]({run_url}) is venturing into the web on this {event_type}...\",\"runSuccess\":\"🦁 Mission accomplished! [{workflow_name}]({run_url}) has returned with the findings. Knowledge acquired! 🏆\",\"runFailure\":\"🔍 Search interrupted! [{workflow_name}]({run_url}) {status}. The web remains unexplored...\"}" GH_AW_WORKFLOW_ID: "brave" GH_AW_WORKFLOW_NAME: "Brave Web Search Agent" @@ -1192,7 +1199,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1218,9 +1225,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 34e8b94dce9..6d4988a00b8 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml 
@@ -50,6 +50,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -64,7 +66,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,7 +88,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -103,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "breaking-change-checker.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -120,15 +122,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -181,9 +183,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -200,10 +202,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -223,11 +225,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -252,10 +254,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: breakingchangechecker outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -276,13 +276,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -305,14 +309,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -321,19 +325,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Assignees [\"copilot\"] will be automatically assigned.", 
@@ -479,7 +483,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -597,8 +601,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -609,7 +613,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -638,7 +642,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -673,7 +677,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
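Review bot: The gateway container in `MCP_GATEWAY_DOCKER_COMMAND` still bind-mounts only `-v /opt:/opt:ro`, while the paths it is handed through `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH` are now meant to follow `GH_AW_HOME`. This holds while the job pins `GH_AW_HOME: /opt/gh-aw`, but a runner that relocates it outside `/opt` leaves those files missing inside the container. Mount the directory itself read-only, using the quoting already applied to the workspace: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. That line is unchanged context in this hunk, so this is a follow-up the change needs rather than a regression it introduces.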
@@ -728,7 +732,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -766,15 +770,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -783,7 +787,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -802,9 +806,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -828,18 +832,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -910,9 +914,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -960,9 +964,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1005,6 +1009,8 @@ jobs: concurrency: group: "gh-aw-conclusion-breaking-change-checker" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1019,7 +1025,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
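Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')` in the hunk at -910 are single-quoted JavaScript strings in what appears to be a `github-script` step (`uses:` is outside the hunk), so `${GH_AW_HOME}` is never interpolated and Node is asked for a path that literally begins with `${GH_AW_HOME}`. The threat-detection setup would then throw on load; whether the job fails closed after that depends on step conditions outside this hunk. Use the form the other steps in this patch already use: `require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs')`. The same literal appears in the conclusion job's `noop`, `missing_tool`, `handle_agent_failure` and `handle_noop_message` steps and in the matching steps of the changeset lock file.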
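Review bot: `destination: ${GH_AW_HOME}/actions` in the `Setup Scripts` step (hunk at -1019) is a `with:` input, which the runner passes to `./actions/setup` verbatim; only `${{ }}` expressions are evaluated there. Unless the setup action expands the string itself (its code is not in this hunk), the scripts could land in a directory literally named `${GH_AW_HOME}/actions` while later steps load them from `/opt/gh-aw/actions`. `destination: ${{ env.GH_AW_HOME }}/actions` is resolved by the runner and keeps both sides in agreement. Every `Setup Scripts` step touched by this patch carries the same input.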
@@ -1044,9 +1050,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1058,9 +1064,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1080,9 +1086,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1098,9 +1104,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1120,7 +1126,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1129,9 +1135,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1142,9 +1148,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: 
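Review bot: The `pre_activation` job is switched to `${GH_AW_HOME}` and `process.env.GH_AW_HOME` here, but no `env: GH_AW_HOME` is added for it: the hunk offsets stay at +6 from the `pre_activation:` header through the `check_skip_if_match` step, whereas the conclusion and safe_outputs jobs each gain the variable. If it is not defined at workflow level (outside these hunks), `require(process.env.GH_AW_HOME + '/actions/check_membership.cjs')` resolves to `undefined/actions/check_membership.cjs` and the membership gate cannot load. Add an `env:` block with `GH_AW_HOME: /opt/gh-aw` to the job, as done for the others; the `pre_activation` job in the changeset lock file shows the same offsets.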
@@ -1158,6 +1164,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/breaking-change-checker" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e ⚠️ *Compatibility report by [{workflow_name}]({run_url})*{history_link}\",\"footerWorkflowRecompile\":\"\\u003e 🛠️ *Workflow maintenance by [{workflow_name}]({run_url}) for {repository}*\",\"runStarted\":\"🔬 Breaking Change Checker online! [{workflow_name}]({run_url}) is analyzing API compatibility on this {event_type}...\",\"runSuccess\":\"✅ Analysis complete! [{workflow_name}]({run_url}) has reviewed all changes. Compatibility verdict delivered! 📋\",\"runFailure\":\"🔬 Analysis interrupted! [{workflow_name}]({run_url}) {status}. Compatibility status unknown...\"}" GH_AW_TRACKER_ID: "breaking-change-checker" GH_AW_WORKFLOW_ID: "breaking-change-checker" @@ -1181,7 +1188,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1208,9 +1215,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign Copilot to created issues if: steps.process_safe_outputs.outputs.issues_to_assign_copilot != '' 
@@ -1220,9 +1227,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/assign_copilot_to_created_issues.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/assign_copilot_to_created_issues.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index c38689d1890..3b9b6c86e22 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -63,6 +63,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -81,7 +83,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -103,11 +105,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} 
@@ -129,9 +131,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -139,18 +141,18 @@ jobs: GH_AW_WORKFLOW_FILE: "changeset.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -167,20 +169,20 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: update_pull_request, push_to_pull_request_branch, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_push_to_pr_branch.md" cat << 'GH_AW_PROMPT_EOF' @@ -238,9 +240,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -259,10 +261,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -284,11 +286,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -311,10 +313,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: changeset outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -334,13 +334,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" @@ -366,9 +370,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 
@@ -378,7 +382,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -387,19 +391,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":0},"update_pull_request":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Update an existing GitHub pull request's title or body. Supports replacing, appending to, or prepending content to the body. Title is always replaced. Only the fields you specify will be updated; other fields remain unchanged. CONSTRAINTS: Maximum 1 pull request(s) can be updated.", 
@@ -578,7 +582,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "missing_data": { "defaultMax": 20, @@ -717,8 +721,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -729,7 +733,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -782,7 +786,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -816,7 +820,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail 
@@ -858,15 +862,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -877,7 +881,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -896,9 +900,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -922,18 +926,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1005,9 +1009,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1021,9 +1025,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1066,6 +1070,8 @@ jobs: concurrency: group: "gh-aw-conclusion-changeset" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1080,7 +1086,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1104,9 +1110,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1117,9 +1123,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1139,9 +1145,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1156,9 +1162,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1182,7 +1188,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -1191,9 +1197,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1210,6 +1216,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/changeset" GH_AW_ENGINE_ID: "codex" GH_AW_ENGINE_MODEL: "gpt-5.1-codex-mini" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "changeset" GH_AW_WORKFLOW_NAME: "Changeset Generator" outputs: @@ -1231,7 +1238,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1286,9 +1293,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/chroma-issue-indexer.lock.yml b/.github/workflows/chroma-issue-indexer.lock.yml index da289bc8c98..4feefbcc180 100644 --- a/.github/workflows/chroma-issue-indexer.lock.yml +++ b/.github/workflows/chroma-issue-indexer.lock.yml @@ -46,6 +46,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -61,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -83,11 +85,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -105,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "chroma-issue-indexer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
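Review bot: `run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN …` in the `@@ -83,11 +85,11 @@` hunk expands the variable unquoted, so a self-hosted path containing a space or a glob character is split or expanded by bash before the script is found. The `cat "${GH_AW_HOME}/prompts/xpia.md"` lines later in this file are already quoted; the `bash ${GH_AW_HOME}/actions/…` calls, `mkdir -p ${GH_AW_HOME}/safeoutputs` and the `cat > ${GH_AW_HOME}/safeoutputs/…` redirections elsewhere on the page are not. Quote the expansion wherever the generator emits it in a shell context, e.g. `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"`. For a command that begins with the variable, as here, put the quoted form inside a `run: |` block, because a YAML value cannot start with a quoted word and then continue.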
@@ -121,15 +123,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt_multi.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt_multi.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -176,9 +178,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -197,10 +199,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -222,11 +224,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -246,6 +248,7 @@ jobs: concurrency: group: "gh-aw-copilot-${{ github.workflow }}" env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: chromaissueindexer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -261,13 +264,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory (chroma) run: | 
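Review bot: The three `echo "GH_AW_SAFE_OUTPUTS…=${GH_AW_HOME}/safeoutputs/…" >> "$GITHUB_ENV"` lines in the `@@ -261,13 +264,17 @@` hunk write whatever GH_AW_HOME holds at that moment, with no check that it is set. If a runner-level override leaves it empty, the safe-output paths become `/safeoutputs/outputs.jsonl` and so on, and every later step inherits them. A guard as the first line of the block, `: "${GH_AW_HOME:?GH_AW_HOME must be set}"`, stops the job before the wrong paths are published. In ci-coach.lock.yml these variables were job-level `env:` entries before (hunk `@@ -273,10 +275,8 @@`), so steps that run ahead of "Create gh-aw temp directory" no longer see them; confirm that none depends on them.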
@@ -301,14 +308,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -317,10 +324,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcp/chroma + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcp/chroma - name: Start MCP Gateway id: start-mcp-gateway env: 
@@ -345,7 +352,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "chroma": { @@ -397,7 +404,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -430,7 +437,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
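Review bot: The gateway container in `MCP_GATEWAY_DOCKER_COMMAND` (context line of the `@@ -345,7 +352,7 @@` hunk) still mounts a fixed `-v /opt:/opt:ro`, while the script path and the `GH_AW_SAFE_OUTPUTS*` variables passed with `-e` now follow GH_AW_HOME. With GH_AW_HOME outside `/opt`, `/tmp` and the workspace, those paths would not exist inside the container. Add a read-only mount scoped to that directory in the same style as the workspace mount, e.g. `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, rather than widening an existing mount. The same command is in ci-coach.lock.yml (`@@ -711,7 +715,7 @@`), and the `run:` block starts outside both hunks.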
@@ -468,15 +475,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -486,7 +493,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload engine output files uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: 
@@ -502,18 +509,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 85faab11111..7fac6bb417d 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -50,6 +50,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -64,7 +66,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -86,7 +88,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -103,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "ci-coach.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -121,21 +123,21 @@ jobs: GH_AW_GITHUB_RUN_NUMBER: ${{ github.run_number }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' 
@@ -194,9 +196,9 @@ jobs: GH_AW_GITHUB_RUN_NUMBER: ${{ github.run_number }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -216,10 +218,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -242,11 +244,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -273,10 +275,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: cicoach outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -297,7 +297,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -310,7 +310,11 @@ jobs: cache-dependency-path: 'actions/setup/js/package-lock.json' package-manager-cache: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} name: Download CI workflow runs from last 7 days @@ -345,7 +349,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -375,14 +379,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -391,19 +395,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1,"title_prefix":"[ci-coach] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. 
CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[ci-coach] \".", @@ -549,7 +553,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -670,8 +674,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -682,7 +686,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
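Review bot: In the safe-outputs server hunk (`@@ -670,8 +674,8 @@`), `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the matching CONFIG_PATH entry sit in a step `env:` map, where values are literal strings and are not shell-expanded. The step then only `export`s them, so `start_safe_outputs_server.sh` would receive paths that begin with the text `${GH_AW_HOME}`. These step-level values would also take precedence over the resolved ones that the "Create gh-aw temp directory" step now appends to `$GITHUB_ENV`. Either drop the two entries and rely on the `$GITHUB_ENV` values, or write `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`. How the server behaves when its config and tools files are missing is not visible here, so check that it refuses to start rather than running without the configured limits.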
@@ -711,7 +715,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -746,7 +750,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -781,7 +785,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -819,15 +823,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -836,7 +840,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -855,9 +859,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -881,18 +885,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -970,9 +974,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1020,9 +1024,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1067,6 +1071,8 @@ jobs: concurrency: group: "gh-aw-conclusion-ci-coach" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1081,7 +1087,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1106,9 +1112,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1120,9 +1126,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1143,9 +1149,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1161,9 +1167,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1176,9 +1182,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1195,6 +1201,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/ci-coach" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "ci-coach-daily" GH_AW_WORKFLOW_ID: "ci-coach" GH_AW_WORKFLOW_NAME: "CI Optimization Coach" @@ -1217,7 +1224,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1272,9 +1279,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1291,6 +1298,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: cicoach steps: - name: Checkout actions folder @@ -1302,7 +1310,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index e5388bfee5b..5f02af082c2 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -58,6 +58,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -73,7 +75,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -95,11 +97,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -117,9 +119,9 @@ jobs: GH_AW_WORKFLOW_FILE: "ci-doctor.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -140,16 +142,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, update_issue, missing_tool, missing_data, noop @@ -203,9 +205,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
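Review bot: In hunk -140, `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` expands the variable unquoted, while the `cat "${GH_AW_HOME}/prompts/xpia.md"` lines a few rows below quote it. Now that the path is meant to be relocatable on self-hosted runners, a value containing a space or glob character would be word-split and the wrong file would be executed or none at all; `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"` keeps the hunk consistent. The other shell lines changed in this patch have the same unquoted form, for example `mkdir -p ${GH_AW_HOME}/safeoutputs`, `cat > ${GH_AW_HOME}/safeoutputs/config.json` and the remaining `bash ${GH_AW_HOME}/actions/*.sh` calls.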
@@ -231,10 +233,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -263,11 +265,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -293,10 +295,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: cidoctor outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -317,13 +317,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} REPO: ${{ github.repository }} @@ -333,7 +337,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -363,14 +367,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -379,19 +383,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_issue":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"update_issue":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. 
CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[CI Failure Doctor] \". Labels [\"cookie\"] will be automatically added.", @@ -646,7 +650,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -836,8 +840,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -848,7 +852,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
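Review bot: In hunk -836 the step-level entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are plain YAML values, and Actions does not shell-expand `env:`. The `export` lines in the run block therefore pass the unexpanded text on to start_safe_outputs_server.sh, unless that script re-expands it (not visible here). Step `env:` also takes precedence over values written to `$GITHUB_ENV`, so these entries shadow the resolved paths that hunk -317 writes in the "Create gh-aw temp directory" step. Either drop the two entries and rely on the `$GITHUB_ENV` values, or write `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and the matching config line. The same pair appears in the claude-code-user-docs-review hunk -593.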
@@ -877,7 +881,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -912,7 +916,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
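Review bot: The gateway command in hunk -877 still carries the fixed mount `-v /opt:/opt:ro` on its unchanged context line, so the relocation only works while GH_AW_HOME stays under /opt. With any other value, the `GH_AW_SAFE_OUTPUTS*` paths forwarded with `-e` would point at a directory the container cannot see. Following the quoting already used for the workspace mount, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro` would track the variable and also narrow the read-only mount from all of /opt to the one directory the gateway needs. The same command appears in the claude-code-user-docs-review hunk -633.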
@@ -946,7 +950,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -984,15 +988,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1002,7 +1006,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -1021,9 +1025,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1047,18 +1051,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1135,9 +1139,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1184,9 +1188,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1232,6 +1236,8 @@ jobs: concurrency: group: "gh-aw-conclusion-ci-doctor" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1246,7 +1252,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1272,9 +1278,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1287,9 +1293,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1311,9 +1317,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1330,9 +1336,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1353,7 +1359,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1362,9 +1368,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check stop-time limit id: check_stop_time @@ -1374,9 +1380,9 @@ jobs: GH_AW_WORKFLOW_NAME: "CI Failure Doctor" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_stop_time.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_stop_time.cjs'); await main(); safe_outputs: 
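Review bot: The pre_activation job (hunks -1353, -1362 and -1374) now reads GH_AW_HOME, but no hunk adds `GH_AW_HOME: /opt/gh-aw` to that job. The line offset stays at +6 from the end of the conclusion job through to the safe_outputs hunk -1393, which is where the next env line is inserted. Unless the variable is defined at workflow level outside the visible diff, `process.env.GH_AW_HOME + '/actions/check_membership.cjs'` evaluates to `undefined/actions/check_membership.cjs`, and the membership and stop-time checks cannot load. Add an `env:` block with `GH_AW_HOME: /opt/gh-aw` to pre_activation, as this patch does for the other jobs.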
@@ -1393,6 +1399,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/ci-doctor" GH_AW_ENGINE_ID: "copilot" GH_AW_ENGINE_MODEL: "gpt-5.1-codex-mini" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🩺 *Diagnosis provided by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🏥 CI Doctor reporting for duty! [{workflow_name}]({run_url}) is examining the patient on this {event_type}...\",\"runSuccess\":\"🩺 Examination complete! [{workflow_name}]({run_url}) has delivered the diagnosis. Prescription issued! 💊\",\"runFailure\":\"🏥 Medical emergency! [{workflow_name}]({run_url}) {status}. Doctor needs assistance...\"}" GH_AW_WORKFLOW_ID: "ci-doctor" GH_AW_WORKFLOW_NAME: "CI Failure Doctor" @@ -1419,7 +1426,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1445,9 +1452,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1464,6 +1471,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: cidoctor steps: - name: Checkout actions folder 
@@ -1475,7 +1483,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 07ce7f76eaf..1de5555b148 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -44,6 +44,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -59,7 +61,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -81,11 +83,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders 
@@ -103,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "claude-code-user-docs-review.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -120,16 +122,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -179,9 +181,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -200,10 +202,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -225,11 +227,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -256,10 +258,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: claudecodeuserdocsreview outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -279,16 +279,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -318,9 +322,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 
@@ -328,7 +332,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -339,19 +343,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. 
CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -482,7 +486,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -593,8 +597,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -605,7 +609,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -633,7 +637,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -667,7 +671,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
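Review bot: `MCP_GATEWAY_DOCKER_COMMAND` in the `@@ -633,7 +637,7 @@` hunk still mounts the scripts directory with the fixed `-v /opt:/opt:ro`, while the paths it forwards with `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH` now depend on `GH_AW_HOME`. With `GH_AW_HOME` set outside `/opt`, those files would not be visible inside the gateway container. Following the quoting the command already uses for the workspace, add `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. Mounting only that directory instead of all of `/opt` would also narrow what the container can read, provided nothing else under `/opt` is needed. The same unchanged line is in the `@@ -627,7 +631,7 @@` hunk of cli-consistency-checker.lock.yml.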
@@ -788,15 +792,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -806,7 +810,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -825,9 +829,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -843,18 +847,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -931,9 +935,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
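Review bot: In the `@@ -931,9 +935,9 @@` hunk the new lines are `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')`. Inside a single-quoted JavaScript string `${GH_AW_HOME}` is literal text, and a github-script `script:` only has `${{ }}` expressions substituted, so both calls will fail with module-not-found and the threat-detection setup step cannot run. The other github-script steps in this file use the working form, `require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs')`. The same literal form is in the conclusion-job hunks of this file (`noop.cjs`, `missing_tool.cjs`, `handle_agent_failure.cjs`, `handle_noop_message.cjs`) and in the matching hunks of cli-consistency-checker.lock.yml. Whether a failed setup step leaves detection skipped or fails the job is not visible here, so confirm the detection job fails closed.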
@@ -991,9 +995,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1038,6 +1042,8 @@ jobs: concurrency: group: "gh-aw-conclusion-claude-code-user-docs-review" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1052,7 +1058,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1077,9 +1083,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
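Review bot: `destination: ${GH_AW_HOME}/actions` in the `@@ -1052,7 +1058,7 @@` hunk is a `with:` input, which the runner passes to `./actions/setup` verbatim with no shell expansion. Unless the setup action expands the variable itself (its code is not in this diff), the scripts would be copied into a directory literally named `${GH_AW_HOME}/actions`, and the later `bash ${GH_AW_HOME}/actions/…` steps would not find them. `destination: ${{ env.GH_AW_HOME }}/actions` resolves the value before the action runs. The same input appears in each "Setup Scripts" hunk of this commit.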
@@ -1091,9 +1097,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1114,9 +1120,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1132,9 +1138,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1149,6 +1155,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/claude-code-user-docs-review" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "claude-code-user-docs-review" GH_AW_WORKFLOW_ID: "claude-code-user-docs-review" GH_AW_WORKFLOW_NAME: "Claude Code User Documentation Review" 
@@ -1169,7 +1176,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1195,9 +1202,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1214,6 +1221,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: claudecodeuserdocsreview steps: - name: Checkout actions folder @@ -1225,7 +1233,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index be1980c7289..a9e84ef82e2 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -43,6 +43,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -57,7 +59,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -79,7 +81,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -96,9 +98,9 @@ jobs: GH_AW_WORKFLOW_FILE: "cli-consistency-checker.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -113,15 +115,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop 
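Review bot: The `@@ -113,15 +115,15 @@` hunk quotes the variable in `cat "${GH_AW_HOME}/prompts/xpia.md"` but leaves it bare in `bash ${GH_AW_HOME}/actions/create_prompt_first.sh`, and the other `run:` lines in this commit are unquoted in the same way. Now that the path is configurable, a home directory containing a space or glob character would be word-split, and the step would run a different path than intended. Write `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"`, and quote the `mkdir -p` and `cat >` targets under `${GH_AW_HOME}/safeoutputs` the same way.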
@@ -170,9 +172,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -188,10 +190,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -210,11 +212,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -241,10 +243,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: cliconsistencychecker outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -265,13 +265,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -294,14 +298,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -310,19 +314,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. 
Title will be prefixed with \"[cli-consistency] \". Labels [\"automation\" \"cli\" \"documentation\" \"cookie\"] will be automatically added.", @@ -468,7 +472,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -586,8 +590,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -598,7 +602,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -627,7 +631,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -662,7 +666,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -697,7 +701,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -735,15 +739,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -752,7 +756,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -771,9 +775,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -797,18 +801,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -879,9 +883,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -929,9 +933,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -974,6 +978,8 @@ jobs: concurrency: group: "gh-aw-conclusion-cli-consistency-checker" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -988,7 +994,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1012,9 +1018,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1025,9 +1031,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1045,9 +1051,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1062,9 +1068,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1078,6 +1084,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/cli-consistency-checker" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "cli-consistency-checker" GH_AW_WORKFLOW_NAME: "CLI Consistency Checker" outputs: @@ -1099,7 +1106,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1125,9 +1132,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 44aad0c6015..66f47dac107 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -49,6 +49,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -64,7 +66,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +88,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +110,9 @@ jobs: GH_AW_WORKFLOW_FILE: "cli-version-checker.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -125,16 +127,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -189,9 +191,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -210,10 +212,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -235,11 +237,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -264,10 +266,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: cliversionchecker outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -287,19 +287,23 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -329,9 +333,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -339,7 +343,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -350,19 +354,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[ca] \". 
Labels [\"automation\" \"dependencies\" \"cookie\"] will be automatically added.", @@ -508,7 +512,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -626,8 +630,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -638,7 +642,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
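Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` (hunk at -626) are not shell-expanded, so the step exports the literal string `${GH_AW_HOME}/...` to start_safe_outputs_server.sh. They also appear to shadow the resolved values that the "Create gh-aw temp directory" step now appends to `$GITHUB_ENV`. Either drop the two step-level entries or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. Since config.json carries the `max` limits for safe outputs, check that the server refuses to start when the configured path does not exist, rather than running without them. The same two lines are in cloclo.lock.yml (hunk at -844).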
@@ -666,7 +670,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -700,7 +704,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
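Review bot: `MCP_GATEWAY_DOCKER_COMMAND` still mounts `-v /opt:/opt:ro` (unchanged context line in the hunk at -666), so once `GH_AW_HOME` resolves to a path outside `/opt` the gateway container presumably no longer sees the files that the forwarded `GH_AW_SAFE_OUTPUTS*` variables point to. Mounting the resolved home itself, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro` in the same quoting style as the `GITHUB_WORKSPACE` mount, keeps it visible and read-only without exposing the whole parent directory. The same line is in cloclo.lock.yml (hunk at -886).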
@@ -822,15 +826,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -840,7 +844,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -859,9 +863,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -877,18 +881,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -965,9 +969,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
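Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')` (hunk at -965) put a shell-style variable inside a single-quoted JavaScript string, where nothing expands it, so Node is asked for a module path that starts with the literal `${GH_AW_HOME}` and should fail to resolve. Every other github-script step in this file uses `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and these should use the same form. Because this step sets up threat detection, confirm that the job fails closed when it errors instead of continuing to the safe-outputs stage. The same literal form is in the noop, missing_tool, handle_agent_failure and handle_noop_message steps (hunks at -1109, -1122, -1142, -1159) and in cloclo.lock.yml (hunk at -1274).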
@@ -1025,9 +1029,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1071,6 +1075,8 @@ jobs: concurrency: group: "gh-aw-conclusion-cli-version-checker" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1085,7 +1091,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1109,9 +1115,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1122,9 +1128,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1142,9 +1148,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1159,9 +1165,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1175,6 +1181,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/cli-version-checker" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "cli-version-checker" GH_AW_WORKFLOW_NAME: "CLI Version Checker" outputs: 
@@ -1196,7 +1203,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1222,9 +1229,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1241,6 +1248,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: cliversionchecker steps: - name: Checkout actions folder @@ -1252,7 +1260,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index eef08c73b7f..5d55eaaeb6b 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -92,6 +92,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -111,7 +113,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -133,11 +135,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -158,9 +160,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -168,18 +170,18 @@ jobs: GH_AW_WORKFLOW_FILE: "cloclo.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -200,22 +202,22 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -248,7 +250,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' 
@@ -279,9 +281,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -308,10 +310,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -341,11 +343,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -370,10 +372,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: cloclo outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -393,7 +393,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -429,13 +429,17 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -465,9 +469,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 
@@ -475,7 +479,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -486,10 +490,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -503,26 +507,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_pull_request":{"expires":48,"max":1,"title_prefix":"[cloclo] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. 
Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -705,7 +709,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -844,8 +848,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -856,7 +860,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
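Review bot: `mkdir -p ${GH_AW_HOME}`, `cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw` and `chmod +x ${GH_AW_HOME}/gh-aw` (hunk at -503) expand the variable unquoted. Now that the path is configurable on self-hosted runners, a value with spaces or glob characters is word-split, and an empty value turns the copy target into `/gh-aw`. Quote it and fail on empty: `mkdir -p "${GH_AW_HOME:?}"`, `cp "$GH_AW_BIN" "${GH_AW_HOME}/gh-aw"`, `chmod +x "${GH_AW_HOME}/gh-aw"`. The `cat "${GH_AW_HOME}/prompts/..."` lines already quote the path, but the `bash ${GH_AW_HOME}/actions/*.sh` and `cat > ${GH_AW_HOME}/safeoutputs/*.json` lines in both lock files do not.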
@@ -886,7 +890,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -964,7 +968,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
@@ -1129,15 +1133,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1147,7 +1151,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -1167,9 +1171,9 @@ jobs: GH_AW_COMMAND: cloclo with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -1185,18 +1189,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1274,9 +1278,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
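Review bot: The `@@ -1274,9 +1278,9` hunk emits `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')` in a github-script `script:` block, where `${GH_AW_HOME}` sits inside a single-quoted JavaScript string and is never expanded, so the lookup targets a directory literally named `${GH_AW_HOME}`. The neighbouring steps use the working form, and these two lines should match it: `require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs')`. Because this step sets up threat detection, confirm that a load failure here blocks the safe-outputs path rather than letting the run continue without detection. The same literal form appears in the conclusion-job hunks `@@ -1420,9`, `@@ -1433,9`, `@@ -1456,9`, `@@ -1473,9` and `@@ -1487,9`, and in code-scanning-fixer.lock.yml at `@@ -995,9` and `@@ -1131,9` through `@@ -1200,9`.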
@@ -1334,9 +1338,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1382,6 +1386,8 @@ jobs: concurrency: group: "gh-aw-conclusion-cloclo" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1396,7 +1402,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1420,9 +1426,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1433,9 +1439,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1456,9 +1462,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1473,9 +1479,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error 
@@ -1487,9 +1493,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1525,7 +1531,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1534,9 +1540,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1545,9 +1551,9 @@ jobs: GH_AW_COMMANDS: "[\"cloclo\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: 
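Review bot: The pre_activation job (`@@ -1525,7 +1531,7` and the two hunks after it) now reads `GH_AW_HOME`, but no hunk adds `GH_AW_HOME: /opt/gh-aw` to that job's `env:`. The line offset stays at +6 from `@@ -1487,9` through `@@ -1545,9`, whereas the conclusion and safe_outputs jobs each gain the entry. Unless `./actions/setup` exports the variable itself, `process.env.GH_AW_HOME` is undefined when `check_membership.cjs` and `check_command_position.cjs` are required. In addition, `destination: ${GH_AW_HOME}/actions` reaches the action unexpanded, because `with:` inputs are not passed through a shell. Add the `env:` entry to pre_activation and confirm that the membership gate fails closed when its script cannot load; code-scanning-fixer.lock.yml has the same gap at `@@ -1222,7 +1228,7`.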
@@ -1565,6 +1571,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/cloclo" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🎤 *Magnifique! Performance by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🎵 Comme d'habitude! [{workflow_name}]({run_url}) takes the stage on this {event_type}...\",\"runSuccess\":\"🎤 Bravo! [{workflow_name}]({run_url}) has delivered a stunning performance! Standing ovation! 🌟\",\"runFailure\":\"🎵 Intermission... [{workflow_name}]({run_url}) {status}. The show must go on... eventually!\"}" GH_AW_WORKFLOW_ID: "cloclo" GH_AW_WORKFLOW_NAME: "/cloclo" @@ -1589,7 +1596,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1644,9 +1651,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1663,6 +1670,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: cloclo steps: - name: Checkout actions folder @@ -1674,7 +1682,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 
diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index a87de0d3323..8e325be6b0d 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -44,6 +44,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -58,7 +60,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -80,7 +82,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -97,9 +99,9 @@ jobs: GH_AW_WORKFLOW_FILE: "code-scanning-fixer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -114,22 +116,22 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt_multi.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt_multi.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, add_labels, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -174,9 +176,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
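Review bot: In the `@@ -114,22 +116,22` hunk the `cat "${GH_AW_HOME}/prompts/..."` arguments are quoted but `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` is not, so the script path is subject to word splitting and globbing. That was harmless for the fixed `/opt/gh-aw` literal, but this change exists to allow arbitrary self-hosted runner paths, which can contain spaces. Quote it consistently: `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"`. The other unquoted uses need the same fix, including `mkdir -p ${GH_AW_HOME}/safeoutputs`, `cat > ${GH_AW_HOME}/safeoutputs/config.json` and `run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest`.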
@@ -198,10 +200,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -226,11 +228,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -254,10 +256,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: codescanningfixer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -278,16 +278,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -304,7 +308,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/campaigns CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -327,14 +331,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -344,19 +348,19 @@ jobs: CUSTOM_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_labels":{"allowed":["agentic-campaign","z_campaign_security-alert-burndown"],"max":3},"create_pull_request":{"expires":48,"max":1,"reviewers":["copilot"],"title_prefix":"[code-scanning-fix] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/campaigns","id":"campaigns","max_file_count":100,"max_file_size":10240,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. 
Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[code-scanning-fix] \". Labels [\"security\" \"automated-fix\" \"agentic-campaign\" \"z_campaign_security-alert-burndown\"] will be automatically added. Reviewers [\"copilot\"] will be assigned.", @@ -546,7 +550,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_labels": { "defaultMax": 5, @@ -686,8 +690,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -698,7 +702,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -727,7 +731,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -762,7 +766,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -797,7 +801,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -835,15 +839,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -852,7 +856,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -871,9 +875,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -897,18 +901,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -995,9 +999,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1045,9 +1049,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1093,6 +1097,8 @@ jobs: concurrency: group: "gh-aw-conclusion-code-scanning-fixer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1107,7 +1113,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1131,9 +1137,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1144,9 +1150,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1169,9 +1175,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1186,9 +1192,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1200,9 +1206,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1222,7 +1228,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1231,9 +1237,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match 
@@ -1244,9 +1250,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); push_repo_memory: @@ -1258,6 +1264,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_campaigns: ${{ steps.push_repo_memory_campaigns.outputs.validation_error }} validation_failed_campaigns: ${{ steps.push_repo_memory_campaigns.outputs.validation_failed }} @@ -1271,7 +1279,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1314,9 +1322,9 @@ jobs: FILE_GLOB_FILTER: "security-alert-burndown/**" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1333,6 +1341,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/code-scanning-fixer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "code-scanning-fixer" GH_AW_WORKFLOW_NAME: "Code Scanning Fixer" outputs: 
@@ -1354,7 +1363,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1409,9 +1418,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1428,6 +1437,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: codescanningfixer steps: - name: Checkout actions folder @@ -1439,7 +1449,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 8f574c46d1f..540da3a8299 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -51,6 +51,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -66,7 +68,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -88,11 +90,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -110,9 +112,9 @@ jobs: GH_AW_WORKFLOW_FILE: "code-simplifier.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -127,20 +129,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -190,9 +192,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
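Review bot: `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` leaves the expansion unquoted while the `cat "${GH_AW_HOME}/prompts/..."` lines just below it quote theirs, so a self-hosted runner whose GH_AW_HOME contains a space or glob character would word-split the script path. Quote it the same way: `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"`. The unquoted form recurs in other `run:` steps of this patch, for example `mkdir -p ${GH_AW_HOME}/safeoutputs`, `cat > ${GH_AW_HOME}/safeoutputs/config.json` and the `validate_multi_secret.sh` call.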
@@ -209,10 +211,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -232,11 +234,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -261,10 +263,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: codesimplifier outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -285,13 +285,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -314,14 +318,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -330,19 +334,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":24,"max":1,"reviewers":["copilot"],"title_prefix":"[code-simplifier] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. 
CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[code-simplifier] \". Labels [\"refactoring\" \"code-quality\" \"automation\"] will be automatically added. Reviewers [\"copilot\"] will be assigned.", @@ -488,7 +492,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -609,8 +613,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -621,7 +625,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
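Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are plain YAML strings, so the runner exports them with the literal text `${GH_AW_HOME}`. As step-level values they would also take precedence over the resolved paths that the "Create gh-aw temp directory" step writes to `$GITHUB_ENV`. The `export` lines in the `run:` body do not re-expand them, so `start_safe_outputs_server.sh` would be given paths that do not exist. Either drop the two entries so the `$GITHUB_ENV` values apply, or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. The step begins above the hunk.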
@@ -650,7 +654,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -685,7 +689,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
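Review bot: The `MCP_GATEWAY_DOCKER_COMMAND` context line above the changed `start_mcp_gateway.sh` call still mounts `-v /opt:/opt:ro`, so once GH_AW_HOME points outside `/opt` the container receives `GH_AW_SAFE_OUTPUTS*` paths through `-e` for files it cannot see. The commit already changes the shared mount constant to `${GH_AW_HOME:-/opt/gh-aw}`, and this command needs the equivalent, for example `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro` spliced in the same way as the `GITHUB_WORKSPACE` mount. Narrowing the mount to that one directory also stops exposing the rest of the host's `/opt` to the gateway container. The step starts above the hunk, so confirm where this command line is generated.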
@@ -719,7 +723,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -757,15 +761,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -775,7 +779,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -794,9 +798,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -820,18 +824,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -903,9 +907,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -952,9 +956,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -998,6 +1002,8 @@ jobs: concurrency: group: "gh-aw-conclusion-code-simplifier" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1012,7 +1018,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1037,9 +1043,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1051,9 +1057,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1075,9 +1081,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1093,9 +1099,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1108,9 +1114,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1130,7 +1136,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1139,9 +1145,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match 
@@ -1152,9 +1158,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1171,6 +1177,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/code-simplifier" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "code-simplifier" GH_AW_WORKFLOW_ID: "code-simplifier" GH_AW_WORKFLOW_NAME: "Code Simplifier" @@ -1193,7 +1200,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1248,9 +1255,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/codex-github-remote-mcp-test.lock.yml b/.github/workflows/codex-github-remote-mcp-test.lock.yml index 635aa120d22..c0fb7304eb3 100644 --- a/.github/workflows/codex-github-remote-mcp-test.lock.yml +++ b/.github/workflows/codex-github-remote-mcp-test.lock.yml @@ -41,6 +41,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -56,7 +58,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -78,11 +80,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -101,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "codex-github-remote-mcp-test.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -117,14 +119,14 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -169,9 +171,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -187,10 +189,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -209,11 +211,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -231,6 +233,7 @@ jobs: contents: read issues: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: codexgithubremotemcptest outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -245,13 +248,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -274,9 +281,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -286,7 +293,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -295,10 +302,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 - name: Start MCP Gateway id: start-mcp-gateway env: 
@@ -339,7 +346,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -367,7 +374,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -408,15 +415,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -427,7 +434,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload engine output files uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: 
@@ -443,18 +450,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 1278f089053..b83d5a46fa0 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -50,6 +50,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -65,7 +67,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
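Review bot: `destination: ${GH_AW_HOME}/actions` in the `@@ -65,7 +67,7 @@` hunk is a `with:` input, which the runner does not pass through a shell, so `./actions/setup` receives the literal string unless its entry point expands it itself (not visible here). `destination: ${{ env.GH_AW_HOME }}/actions` resolves the job-level value before the action runs and does not rely on the action evaluating its input. The same line recurs in the other "Setup Scripts" hunks of this file and of constraint-solving-potd.lock.yml.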
@@ -87,11 +89,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -109,9 +111,9 @@ jobs: GH_AW_WORKFLOW_FILE: "commit-changes-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -127,15 +129,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -188,9 +190,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -207,10 +209,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -230,11 +232,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -257,10 +259,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: commitchangesanalyzer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -280,13 +280,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -309,9 +313,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -319,7 +323,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -330,19 +334,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. 
CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"dev\".", @@ -473,7 +477,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -584,8 +588,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -596,7 +600,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
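Review bot: In the `@@ -584,8 +588,8 @@` hunk, `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the matching `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` entry sit in a step-level `env:` map, where only `${{ }}` expressions are evaluated, so the server is started with the literal text `${GH_AW_HOME}/…` as its path. Step-level `env:` should also take precedence over the correctly expanded values that the "Create gh-aw temp directory" step writes to `$GITHUB_ENV`. Either drop the two entries from this step or write them as `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`. The `-567` hunk in constraint-solving-potd.lock.yml has the same two lines.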
@@ -624,7 +628,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -658,7 +662,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
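Review bot: The `@@ -624,7 +628,7 @@` hunk moves the gateway start script to `${GH_AW_HOME}`, but the `MCP_GATEWAY_DOCKER_COMMAND` context line above it still mounts `-v /opt:/opt:ro`. With `GH_AW_HOME` pointing outside `/opt`, the paths handed to the container through `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH` would presumably not exist inside it. Mounting the configured directory read-only, e.g. `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro` in the same quoting style as the workspace mount, keeps the container's view consistent without widening what it can write. The `-608` hunk in constraint-solving-potd.lock.yml carries the same command.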
@@ -776,15 +780,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -794,7 +798,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -813,9 +817,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -831,18 +835,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -913,9 +917,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
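Review bot: In the `@@ -913,9 +917,9 @@` hunk the two `require('${GH_AW_HOME}/actions/…')` calls pass a single-quoted JavaScript string, so `${GH_AW_HOME}` is never substituted and the threat-detection setup step will not find its modules. The same form appears in the conclusion-job hunks at `-1057`, `-1070`, `-1092` and `-1109`, while every other github-script step in this file uses the working form. These should read `const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');` and likewise for `setup_threat_detection.cjs`. Whether a failure here skips detection or fails the job depends on step settings outside the hunk, so it is worth confirming that it fails closed. The file name suggests generated output, in which case the correction belongs in the generator.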
@@ -973,9 +977,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1019,6 +1023,8 @@ jobs: concurrency: group: "gh-aw-conclusion-commit-changes-analyzer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1033,7 +1039,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1057,9 +1063,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1070,9 +1076,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1092,9 +1098,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1109,9 +1115,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1126,6 +1132,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/commit-changes-analyzer" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "commit-changes-analyzer" GH_AW_WORKFLOW_NAME: "Commit Changes Analyzer" outputs: 
@@ -1145,7 +1152,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1171,9 +1178,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index 7889f81bd23..f655e07c317 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml @@ -43,6 +43,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -58,7 +60,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -80,11 +82,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -102,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "constraint-solving-potd.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -119,16 +121,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -175,9 +177,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -196,10 +198,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -221,11 +223,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -249,10 +251,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: constraintsolvingpotd outputs: detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }} 
@@ -272,16 +272,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -302,9 +306,9 @@ jobs: git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -313,19 +317,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":168,"max":1},"max_bot_mentions":1,"mentions":{"enabled":false},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. 
For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"🧩 Constraint Solving POTD:\". Discussions will be created in category \"announcements\".", @@ -456,7 +460,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -567,8 +571,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -579,7 +583,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -608,7 +612,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -643,7 +647,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -677,7 +681,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -715,15 +719,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -733,7 +737,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -753,9 +757,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -779,18 +783,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -867,9 +871,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -916,9 +920,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -963,6 +967,8 @@ jobs: concurrency: group: "gh-aw-conclusion-constraint-solving-potd" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -977,7 +983,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
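Review bot: In the hunk at `@@ -867,9 +871,9 @@`, `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and the `setup_threat_detection.cjs` line put the shell-style variable inside a single-quoted JavaScript string. github-script does not pass the script through a shell and the quotes are not a template literal, so Node would be asked for a path that literally begins with `${GH_AW_HOME}`. The other github-script hunks in this patch use `require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs')`, and these lines should match. The same literal form is used for noop.cjs, missing_tool.cjs, handle_agent_failure.cjs and handle_noop_message.cjs in the conclusion job, and again in contribution-check.lock.yml. Since this step prepares threat detection, it is worth confirming that a failed `require` here blocks the safe-outputs job rather than letting it proceed.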
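Review bot: In the hunk at `@@ -977,7 +983,7 @@`, `destination: ${GH_AW_HOME}/actions` is an action input under `with:`, and inputs reach the action unexpanded. Whether `./actions/setup` expands the variable itself is not visible in this patch; if it does not, the scripts are copied into a directory literally named `${GH_AW_HOME}`. Later steps would then run whatever already exists at the real `/opt/gh-aw/actions` path. `destination: ${{ env.GH_AW_HOME }}/actions` resolves the value before the action runs and does not depend on the action's behaviour. Every "Setup Scripts" hunk in this patch has the same line.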
@@ -1001,9 +1007,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1014,9 +1020,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1036,9 +1042,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1053,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1070,6 +1076,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/constraint-solving-potd" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "constraint-solving-potd" GH_AW_WORKFLOW_NAME: "Constraint Solving — Problem of the Day" outputs: @@ -1089,7 +1096,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1115,9 +1122,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1134,6 +1141,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: constraintsolvingpotd steps: - name: Checkout actions folder 
@@ -1145,7 +1153,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 70dbc183c81..27ca7a3d511 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -46,6 +46,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -61,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -83,11 +85,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
@@ -105,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "contribution-check.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -123,15 +125,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, add_labels, missing_tool, missing_data, noop @@ -180,9 +182,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -199,10 +201,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -222,11 +224,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -251,10 +253,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: contributioncheck outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -275,13 +275,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
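Review bot: The new `run:` block uses `${GH_AW_HOME}` unquoted in `bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh`, so a self-hosted install path containing spaces or glob characters would be word-split before bash sees it. Quoting it, `bash "${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh"`, is the safer form, and the same applies to the other `bash ${GH_AW_HOME}/...`, `mkdir -p` and `cat >` lines throughout the patch. The three `echo ... >> "$GITHUB_ENV"` lines persist the value for every later step, so a short comment saying these replace the job-level `GH_AW_SAFE_OUTPUTS*` entries removed in the previous hunk would help readers. It also matters that GH_AW_HOME is a single-line path, since a newline in it would add extra entries to the environment file.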
@@ -304,25 +308,25 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":10,"target":"*","target-repo":"${{ vars.TARGET_REPOSITORY }}"},"add_labels":{"allowed":["spam","needs-work","outdated","lgtm"],"max":4,"target":"*","target-repo":"${{ 
vars.TARGET_REPOSITORY }}"},"create_issue":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[Contribution Check Report]\". Labels [\"contribution-report\"] will be automatically added.", @@ -534,7 +538,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -689,8 +693,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -701,7 +705,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -729,7 +733,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -763,7 +767,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -797,7 +801,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -835,15 +839,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -853,7 +857,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -872,9 +876,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -898,18 +902,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -980,9 +984,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1029,9 +1033,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1076,6 +1080,8 @@ jobs: concurrency: group: "gh-aw-conclusion-contribution-check" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1090,7 +1096,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1114,9 +1120,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1127,9 +1133,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1148,9 +1154,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1165,9 +1171,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1183,6 +1189,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/contribution-check" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "contribution-check" GH_AW_WORKFLOW_NAME: "Contribution Check" outputs: @@ -1206,7 +1213,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1232,9 +1239,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index ccd2ab6ad5e..d0fc2cb1b96 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -51,6 +51,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -66,7 +68,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,11 +90,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -110,9 +112,9 @@ jobs: GH_AW_WORKFLOW_FILE: "copilot-agent-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -127,17 +129,17 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -197,9 +199,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -224,10 +226,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -255,11 +257,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -285,10 +287,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: copilotagentanalysis outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -308,13 +308,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -325,7 +329,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -342,7 +346,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
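Review bot: `destination: ${GH_AW_HOME}/actions` in the `Setup Scripts` step sits under `with:`, where no shell runs, so `./actions/setup` receives the literal text `${GH_AW_HOME}/actions` unless its own script expands the input, which this diff does not show. If it is used literally, the scripts land in a directory other than the one the following `run:` steps read from. An Actions expression resolves before the action starts: `destination: ${{ env.GH_AW_HOME }}/actions`. The same input appears in the setup steps of the conclusion, push_repo_memory and safe_outputs jobs later in this file and in the second workflow.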
@@ -365,9 +369,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -375,7 +379,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -386,19 +390,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. 
Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[copilot-agent-analysis] \". Discussions will be created in category \"audits\".", @@ -544,7 +548,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -655,8 +659,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -667,7 +671,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
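Review bot: In the `@@ -655,8 +659,8 @@` hunk the step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are plain YAML strings, so the variables hold the unexpanded text and the `export` lines below pass that text to `start_safe_outputs_server.sh`. The earlier "Create gh-aw temp directory" step already writes resolved values for both names to `$GITHUB_ENV`, and these step-level entries would presumably shadow them. Either drop the two entries here or resolve them with `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. The safe-outputs server reads its tool and validation configuration from these paths, so a wrong value here is worth a test on a runner with a non-default home.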
@@ -695,7 +699,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -729,7 +733,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
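Review bot: The `MCP_GATEWAY_DOCKER_COMMAND` context line in the `@@ -695,7 +699,7 @@` hunk still mounts `-v /opt:/opt:ro`, while the script path below it now follows `${GH_AW_HOME}`. When the home is moved outside `/opt`, the gateway container either cannot see `${GH_AW_HOME}/safeoutputs` at all, or sees it through `-v /tmp:/tmp:rw` or the workspace mount, in which case the safe-outputs config and tools files become writable from inside the container instead of read-only. The Go constant `DefaultGhAwMount` in this commit already uses `${GH_AW_HOME:-/opt/gh-aw}` with `:ro`; the gateway command should carry an equivalent read-only mount of the resolved home, for example `-v "${GH_AW_HOME}":"${GH_AW_HOME}":ro`, spliced in with the same quoting the command uses for `${GITHUB_WORKSPACE}`.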
@@ -850,15 +854,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -868,7 +872,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -887,9 +891,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -905,18 +909,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1002,9 +1006,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
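Review bot: In the `@@ -1002,9 +1006,9 @@` hunk, `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')` and the `setup_globals.cjs` line above it pass a single-quoted JavaScript string, so `${GH_AW_HOME}` is neither interpolated by JS nor by the runner and `require` is given a path that does not exist. Every other github-script step in this file uses `require(process.env.GH_AW_HOME + '/actions/…')`, so these two should read `require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs')` and likewise for `setup_globals.cjs`. The same literal form appears in the conclusion job's `noop`, `missing_tool`, `handle_agent_failure` and `handle_noop_message` steps in the following hunks and in the matching steps of the second workflow. Since the affected steps are the threat-detection setup and the failure handlers, it is worth confirming that a module-resolution error there fails the job rather than letting later jobs proceed without a detection result. The likely source is generator call sites that still concatenate `SetupActionDestination` into JS instead of using `JsRequireGhAw`, though those call sites are not visible here.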
@@ -1062,9 +1066,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1110,6 +1114,8 @@ jobs: concurrency: group: "gh-aw-conclusion-copilot-agent-analysis" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1124,7 +1130,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1148,9 +1154,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1161,9 +1167,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1186,9 +1192,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1203,9 +1209,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1217,6 +1223,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} 
@@ -1230,7 +1238,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1273,9 +1281,9 @@ jobs: FILE_GLOB_FILTER: "memory/copilot-agent-analysis/*.json memory/copilot-agent-analysis/*.jsonl memory/copilot-agent-analysis/*.csv memory/copilot-agent-analysis/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1290,6 +1298,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/copilot-agent-analysis" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "copilot-agent-analysis" GH_AW_WORKFLOW_NAME: "Copilot Agent PR Analysis" outputs: @@ -1309,7 +1318,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1335,9 +1344,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() 
@@ -1354,6 +1363,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: copilotagentanalysis steps: - name: Checkout actions folder @@ -1365,7 +1375,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 207fc7c5078..fe7574a0042 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -62,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -84,7 +86,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -101,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "copilot-cli-deep-research.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -118,16 +120,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -180,9 +182,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -204,10 +206,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -232,11 +234,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -264,10 +266,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: copilotclideepresearch outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -288,13 +288,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) env: @@ -304,7 +308,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -327,14 +331,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -343,19 +347,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":204800,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. 
Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[copilot-cli-research] \". Discussions will be created in category \"research\".", @@ -501,7 +505,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -612,8 +616,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -624,7 +628,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -653,7 +657,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -688,7 +692,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -745,7 +749,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -783,15 +787,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -800,7 +804,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -819,9 +823,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -845,18 +849,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -936,9 +940,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -986,9 +990,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1033,6 +1037,8 @@ jobs: concurrency: group: "gh-aw-conclusion-copilot-cli-deep-research" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1047,7 +1053,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
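Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` in the threat-detection setup step will not resolve to the scripts directory. A single-quoted JavaScript string does not interpolate `${...}`, and the `script:` input of actions/github-script is not passed through a shell. Node receives the literal text and will most likely fail with a module-not-found error, so the threat-detection setup would not run. Use the form the neighbouring hunks already use, `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and likewise for `setup_threat_detection.cjs`. The same literal form appears in the noop, missing_tool, handle_agent_failure and handle_noop_message steps of the conclusion job, in both workflow files touched here.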
@@ -1071,9 +1077,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1084,9 +1090,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1109,9 +1115,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1126,9 +1132,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1140,6 +1146,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} @@ -1153,7 +1161,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1196,9 +1204,9 @@ jobs: FILE_GLOB_FILTER: "memory/copilot-cli-research/*.json memory/copilot-cli-research/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1213,6 +1221,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/copilot-cli-deep-research" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "copilot-cli-deep-research" GH_AW_WORKFLOW_NAME: "Copilot CLI Deep Research Agent" outputs: 
@@ -1232,7 +1241,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1258,9 +1267,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index 328a5b6e30e..3220592a24d 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -51,6 +51,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -65,7 +67,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,7 +89,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -104,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "copilot-pr-merged-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -121,16 +123,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -194,9 +196,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -215,10 +217,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -240,11 +242,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -271,10 +273,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: copilotprmergedreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -295,13 +295,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -312,7 +316,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -342,14 +346,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -358,19 +362,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. 
CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[copilot-pr-merged-report] \". Discussions will be created in category \"audits\".", @@ -501,7 +505,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -612,8 +616,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -624,16 +628,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "gh", 
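Review bot: `"logDir": "${GH_AW_HOME}/mcp-scripts/logs"` is written inside a heredoc whose delimiter is quoted (`<< 'GH_AW_MCP_SCRIPTS_TOOLS_EOF'`), so the shell performs no expansion and tools.json ends up holding the literal placeholder. Whether the consumer of tools.json expands it is not visible here; if it does not, logs land in a directory literally named `${GH_AW_HOME}`, or the write fails. Since the generated mcp-server.cjs in the next hunk already passes `logDir: process.env.GH_AW_HOME + '/mcp-scripts/logs'`, the simplest fix is probably to drop the field from tools.json, or otherwise to fill it in after the heredoc with the resolved path.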
@@ -660,7 +664,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -669,17 +673,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + '/mcp-scripts/logs' }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' #!/bin/bash # Auto-generated mcp-script tool: gh # Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -691,7 +695,7 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_GH_EOF - chmod +x /opt/gh-aw/mcp-scripts/gh.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/gh.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -725,7 +729,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -758,7 +762,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -800,7 +804,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
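Review bot: The gateway is now started from `${GH_AW_HOME}/actions/start_mcp_gateway.sh`, but the `MCP_GATEWAY_DOCKER_COMMAND` context line above it still hard-codes `-v /opt:/opt:ro` and does not forward `GH_AW_HOME`. With a relocated home the container would either not see the gh-aw files at all, or, if the home sits under `/tmp` or the workspace, reach them through the read-write mounts. That second case would lose the read-only protection the scripts and safe-outputs config have today. Consider adding `-e GH_AW_HOME -v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro` to the command, following the quoting already used for `GITHUB_WORKSPACE`. This is inferred from the visible command only, since the gateway script itself is not part of the hunk.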
@@ -837,7 +841,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -875,15 +879,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -892,7 +896,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -911,9 +915,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -937,27 +941,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1035,9 +1039,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1085,9 +1089,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1132,6 +1136,8 @@ jobs: concurrency: group: "gh-aw-conclusion-copilot-pr-merged-report" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1146,7 +1152,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1170,9 +1176,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1183,9 +1189,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1205,9 +1211,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1222,9 +1228,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1239,6 +1245,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/copilot-pr-merged-report" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "copilot-pr-merged-report" GH_AW_WORKFLOW_NAME: "Daily Copilot PR Merged Report" outputs: @@ -1258,7 +1265,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1284,9 +1291,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1303,6 +1310,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: copilotprmergedreport steps: - name: Checkout actions folder 
@@ -1314,7 +1322,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index f691c591572..995eef2e1e7 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -51,6 +51,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -65,7 +67,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,7 +89,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -104,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "copilot-pr-nlp-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -121,17 +123,17 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -197,9 +199,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -224,10 +226,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -255,11 +257,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -286,10 +288,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: copilotprnlpanalysis outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -310,13 +310,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -356,7 +360,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -373,7 +377,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
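Review bot: The `Create gh-aw temp directory` step (hunk `@@ -310,13 +310,17 @@`) now derives the three `GH_AW_SAFE_OUTPUTS*` paths from `${GH_AW_HOME}` at run time and appends them to `$GITHUB_ENV` without checking the variable. An empty value silently yields `/safeoutputs/outputs.jsonl`, and a value containing a newline would add extra lines to the environment file. A guard at the top of the block, `: "${GH_AW_HOME:?GH_AW_HOME is not set}"`, makes the empty case fail early. The job currently pins `GH_AW_HOME: /opt/gh-aw`, so this matters once the value is taken from the runner.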
@@ -396,14 +400,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -412,19 +416,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. 
Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[nlp-analysis] \". Discussions will be created in category \"audits\".", @@ -595,7 +599,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -715,8 +719,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -727,7 +731,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
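Review bot: In hunk `@@ -715,8 +719,8 @@` the step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are not shell-expanded, because an `env:` mapping value is taken as written. The step then exports those literal strings to `start_safe_outputs_server.sh`. They also take precedence over the resolved values that the `Create gh-aw temp directory` step wrote to `$GITHUB_ENV`. Either drop the two entries so the `$GITHUB_ENV` values apply, or write `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and the matching config line. Hunk `@@ -647,8 +651,8 @@` of copilot-pr-prompt-analysis.lock.yml has the same two lines.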
@@ -759,7 +763,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -794,7 +798,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
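Review bot: The `MCP_GATEWAY_DOCKER_COMMAND` line kept as context in hunk `@@ -759,7 +763,7 @@` still mounts `-v /opt:/opt:ro`, while the safe-outputs files passed to the gateway via `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH` now live under `${GH_AW_HOME}`. With a home outside `/opt` the container would not see them. Mounting the directory itself read-only, in the style of the workspace mount, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, keeps the container's view limited to that directory. The same line is in hunk `@@ -688,7 +692,7 @@` of copilot-pr-prompt-analysis.lock.yml.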
@@ -832,7 +836,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -870,15 +874,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -887,7 +891,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -906,9 +910,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -932,18 +936,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1038,9 +1042,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1088,9 +1092,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1137,6 +1141,8 @@ jobs: concurrency: group: "gh-aw-conclusion-copilot-pr-nlp-analysis" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1151,7 +1157,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
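Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` in the threat-detection setup step (hunk `@@ -1038,9 +1042,9 @@`) is a single-quoted JavaScript string inside a github-script `script:`, so nothing expands `${GH_AW_HOME}` and Node is asked for a path that literally begins with `${GH_AW_HOME}`. The other github-script steps in this file use `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and these two lines should match. The same literal form is in the noop, missing_tool, handle_agent_failure, handle_noop_message and upload_assets hunks further down. Since the Go change earlier in this patch turns `SetupActionDestination` into a shell expression, these are probably generator call sites that still embed it in JavaScript. A failed `require` here stops threat-detection setup from loading, so it is worth confirming that the step fails closed.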
@@ -1175,9 +1181,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1188,9 +1194,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1213,9 +1219,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1230,9 +1236,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1244,6 +1250,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} @@ -1257,7 +1265,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1300,9 +1308,9 @@ jobs: FILE_GLOB_FILTER: "memory/nlp-analysis/*.json memory/nlp-analysis/*.jsonl memory/nlp-analysis/*.csv memory/nlp-analysis/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1317,6 +1325,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/copilot-pr-nlp-analysis" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "copilot-pr-nlp-analysis" GH_AW_WORKFLOW_NAME: "Copilot PR Conversation NLP Analysis" outputs: 
@@ -1336,7 +1345,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1362,9 +1371,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1381,6 +1390,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: copilotprnlpanalysis steps: - name: Checkout actions folder @@ -1392,7 +1402,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1436,7 +1446,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
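Review bot: The `Setup Scripts` step in hunk `@@ -1436,7 +1446,7 @@` uses `${GH_AW_HOME}`, but this job does not appear to get a `GH_AW_HOME` entry. The neighbouring hunks `@@ -1392,7 +1402,7 @@` and `@@ -1491,8 +1501,8 @@` carry the same +10 offset, so no line was added in between. Unless the variable is defined at workflow level, which the hunks do not show, the job needs the same `env:` entry as the others, `GH_AW_HOME: /opt/gh-aw`. The job's header lies outside the hunk.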
@@ -1491,8 +1501,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index ea39aa4ca58..52030357343 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -51,6 +51,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -65,7 +67,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,7 +89,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -104,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "copilot-pr-prompt-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -121,17 +123,17 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop 
@@ -192,9 +194,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -219,10 +221,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -250,11 +252,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -281,10 +283,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: copilotprpromptanalysis outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -305,13 +305,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: 
@@ -322,7 +326,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -339,7 +343,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -362,14 +366,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -378,19 +382,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. 
Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[prompt-analysis] \". Discussions will be created in category \"audits\".", @@ -536,7 +540,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -647,8 +651,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -659,7 +663,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -688,7 +692,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -723,7 +727,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -758,7 +762,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -796,15 +800,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -813,7 +817,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -832,9 +836,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -858,18 +862,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -955,9 +959,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1005,9 +1009,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1053,6 +1057,8 @@ jobs: concurrency: group: "gh-aw-conclusion-copilot-pr-prompt-analysis" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1067,7 +1073,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
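Review bot: In the threat-detection setup step, `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')` pass the literal text `${GH_AW_HOME}` to Node. A single-quoted JavaScript string is not interpolated and github-script does not run the script through a shell, so the module lookup fails and the detection setup never runs. Use the form the other steps in this commit already have: `require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs')`. The same literal form is in the noop, missing_tool, handle_agent_failure and handle_noop_message steps of both workflows, and in the upload_assets step of copilot-session-insights.lock.yml. These .lock.yml files look compiler-generated, so the fix likely belongs in the code path that emits these particular steps.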
@@ -1091,9 +1097,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1104,9 +1110,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1129,9 +1135,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1146,9 +1152,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1160,6 +1166,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} @@ -1173,7 +1181,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1216,9 +1224,9 @@ jobs: FILE_GLOB_FILTER: "memory/prompt-analysis/*.json memory/prompt-analysis/*.jsonl memory/prompt-analysis/*.csv memory/prompt-analysis/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1233,6 +1241,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/copilot-pr-prompt-analysis" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "copilot-pr-prompt-analysis" GH_AW_WORKFLOW_NAME: "Copilot PR Prompt Pattern Analysis" outputs: 
@@ -1252,7 +1261,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1278,9 +1287,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1297,6 +1306,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: copilotprpromptanalysis steps: - name: Checkout actions folder @@ -1308,7 +1318,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 64f7023c616..5edf6613fce 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -53,6 +53,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -68,7 +70,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
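Review bot: `destination: ${GH_AW_HOME}/actions` is an action input under `with:`, and inputs are passed to the action as plain strings with no shell expansion. Unless `./actions/setup` expands the value itself (its code is not shown here), the scripts are copied into a directory literally named `${GH_AW_HOME}/actions`, while later steps look under the resolved path. The expression form is resolved by the runner before the action starts: `destination: ${{ env.GH_AW_HOME }}/actions`. Every "Setup Scripts" step changed by this patch has the same input.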
@@ -90,11 +92,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -112,9 +114,9 @@ jobs: GH_AW_WORKFLOW_FILE: "copilot-session-insights.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -130,17 +132,17 @@ jobs: GH_AW_GITHUB_WORKFLOW: ${{ github.workflow }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -210,9 +212,9 @@ jobs: GH_AW_GITHUB_WORKFLOW: ${{ github.workflow }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
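Review bot: `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` leaves the expansion unquoted, while the `cat "${GH_AW_HOME}/prompts/xpia.md"` lines in the same `run:` block quote it. On a self-hosted runner whose install path contains a space or a glob character, the unquoted form splits into several words and runs the wrong file or none. Writing `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"` makes the block consistent. The other `bash ${GH_AW_HOME}/actions/…` and `mkdir -p ${GH_AW_HOME}/safeoutputs` lines in this patch need the same quoting.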
@@ -238,10 +240,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -270,11 +272,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -300,10 +302,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: copilotsessioninsights outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -323,13 +323,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -362,7 +366,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -379,7 +383,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -402,9 +406,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -412,7 +416,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -423,19 +427,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. 
Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[copilot-session-insights] \". Discussions will be created in category \"audits\".", @@ -606,7 +610,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -726,8 +730,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -738,7 +742,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -769,7 +773,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -803,7 +807,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
@@ -927,15 +931,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -945,7 +949,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -964,9 +968,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -982,18 +986,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1088,9 +1092,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1148,9 +1152,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1197,6 +1201,8 @@ jobs: concurrency: group: "gh-aw-conclusion-copilot-session-insights" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1211,7 +1217,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1235,9 +1241,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1248,9 +1254,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1273,9 +1279,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1290,9 +1296,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1304,6 +1310,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} 
@@ -1317,7 +1325,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1360,9 +1368,9 @@ jobs: FILE_GLOB_FILTER: "memory/session-insights/*.json memory/session-insights/*.jsonl memory/session-insights/*.csv memory/session-insights/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1377,6 +1385,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/copilot-session-insights" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "copilot-session-insights" GH_AW_WORKFLOW_NAME: "Copilot Session Insights" outputs: @@ -1396,7 +1405,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1422,9 +1431,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() 
@@ -1441,6 +1450,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: copilotsessioninsights steps: - name: Checkout actions folder @@ -1452,7 +1462,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1496,7 +1506,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1551,8 +1561,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 185884057c2..0fbefadacfd 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -52,6 +52,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -70,7 +72,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -92,7 +94,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -112,9 +114,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -122,18 +124,18 @@ jobs: GH_AW_WORKFLOW_FILE: "craft.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -150,20 +152,20 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, push_to_pull_request_branch, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_push_to_pr_branch.md" cat << 'GH_AW_PROMPT_EOF' @@ -196,7 +198,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -214,9 +216,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
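Review bot: The new `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` in the `@@ -150,20 +152,20 @@` hunk expands the variable unquoted, while the `cat "${GH_AW_HOME}/prompts/xpia.md"` lines a few rows below quote it. With a fixed `/opt/gh-aw` that was harmless, but the point of this change is to let a self-hosted runner relocate the directory, and a path containing a space or glob character would then be word-split, while an empty value turns the command into `bash /actions/create_prompt_first.sh`. I would write `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"` here and apply the same quoting to the other `run:` lines this patch touches (`mkdir -p ${GH_AW_HOME}/safeoutputs`, `cat > ${GH_AW_HOME}/safeoutputs/config.json`, the install_*.sh and stop_mcp_gateway.sh calls). A one-line guard such as `: "${GH_AW_HOME:?GH_AW_HOME is not set}"` at the top of these scripts would make the unset case fail loudly.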
@@ -236,10 +238,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -262,11 +264,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -290,10 +292,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: craft outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -314,13 +314,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Install gh-aw extension run: |- gh extension remove gh-aw || true @@ -348,14 +352,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -364,19 +368,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. 
IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -546,7 +550,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -669,8 +673,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -681,7 +685,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
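Review bot: In the `@@ -669,8 +673,8 @@` hunk the step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are not shell text; the runner hands the value to the process verbatim, so the safe-outputs server would receive a path containing the literal characters `${GH_AW_HOME}`. As far as I know a step-level `env:` also takes precedence over what the earlier "Create gh-aw temp directory" step wrote to `$GITHUB_ENV`, so the correctly resolved values are shadowed exactly where the server starts. Dropping both entries from this step lets the `$GITHUB_ENV` values apply; alternatively use the expression form `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`. The same two lines appear in daily-architecture-diagram.lock.yml (`@@ -696,8 +700,8 @@`), and a server that cannot find its tools/config files is worth a fail-closed check in start_safe_outputs_server.sh.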
@@ -710,7 +714,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -745,7 +749,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
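Review bot: The `MCP_GATEWAY_DOCKER_COMMAND` kept as context in the `@@ -710,7 +714,7 @@` hunk still mounts `-v /opt:/opt:ro`, while the paths it forwards with `-e GH_AW_SAFE_OUTPUTS`, `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH` now live under `${GH_AW_HOME}`. Once a runner sets `GH_AW_HOME` outside `/opt`, those files are either invisible inside the gateway container or, if the directory sits under `/tmp`, reachable only through the `-v /tmp:/tmp:rw` mount, which silently drops the read-only protection the scripts and config had before. I would add an explicit read-only mount in the style already used for the workspace, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, and document that `GH_AW_HOME` must not be writable by the agent or by other jobs on a shared runner. The same command appears unchanged in daily-architecture-diagram.lock.yml (`@@ -737,7 +741,7 @@`).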
@@ -780,7 +784,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -818,15 +822,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -835,7 +839,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -855,9 +859,9 @@ jobs: GH_AW_COMMAND: craft with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -881,18 +885,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -964,9 +968,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1014,9 +1018,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1061,6 +1065,8 @@ jobs: concurrency: group: "gh-aw-conclusion-craft" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1075,7 +1081,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1099,9 +1105,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1112,9 +1118,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1135,9 +1141,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1152,9 +1158,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1176,7 +1182,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1185,9 +1191,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1196,9 +1202,9 @@ jobs: GH_AW_COMMANDS: "[\"craft\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: 
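Review bot: The pre_activation job in the `@@ -1176,7 +1182,7 @@` to `@@ -1196,9 +1202,9 @@` hunks is switched to `GH_AW_HOME` without getting the variable: the line offset stays at +6 from `-1152` through `-1196`, so no `env:` block was added to this job, unlike activation, agent, conclusion and safe_outputs. Unless it is defined at workflow level outside these hunks, `process.env.GH_AW_HOME` is undefined and the membership gate tries to load `undefined/actions/check_membership.cjs`. The job needs the same two lines the other jobs received, `env:` followed by `GH_AW_HOME: /opt/gh-aw`. Separately, `destination: ${GH_AW_HOME}/actions` is a `with:` input that the runner passes verbatim, so it only resolves if ./actions/setup expands it itself; `destination: ${{ env.GH_AW_HOME }}/actions` would not depend on that.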
@@ -1216,6 +1222,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/craft" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e ⚒️ *Crafted with care by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🛠️ Master Crafter at work! [{workflow_name}]({run_url}) is forging a new workflow on this {event_type}...\",\"runSuccess\":\"⚒️ Masterpiece complete! [{workflow_name}]({run_url}) has crafted your workflow. May it serve you well! 🎖️\",\"runFailure\":\"🛠️ Forge cooling down! [{workflow_name}]({run_url}) {status}. The anvil awaits another attempt...\"}" GH_AW_WORKFLOW_ID: "craft" GH_AW_WORKFLOW_NAME: "Workflow Craft Agent" @@ -1240,7 +1247,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1295,9 +1302,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index 323a0d0af7b..3aec05037fd 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -62,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -84,7 +86,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -101,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-architecture-diagram.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -118,21 +120,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -180,9 +182,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -201,10 +203,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -226,11 +228,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -256,10 +258,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyarchitecturediagram outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -280,16 +280,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -319,14 +323,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -335,19 +339,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":168,"max":1},"create_pull_request":{"expires":7,"max":1,"title_prefix":"[architecture] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. 
CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"🏗️ Architecture Diagram:\". Labels [\"architecture\" \"diagram\"] will be automatically added.", @@ -542,7 +546,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -696,8 +700,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -708,7 +712,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -737,7 +741,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -772,7 +776,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
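Review bot: `MCP_GATEWAY_DOCKER_COMMAND` in the `@@ -737,7 +741,7 @@` hunk still mounts `-v /opt:/opt:ro`, although the line changed just below it now resolves scripts through `${GH_AW_HOME}`. If `GH_AW_HOME` points outside `/opt` (the self-hosted case this patch targets), the gateway container would not see the files named by `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH`, unless the new location falls under `/tmp` or the workspace. Mounting only the install directory, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, keeps the path portable and exposes less of the host than all of `/opt`. The same command is in the `@@ -658,7 +662,7 @@` hunk of daily-assign-issue-to-user.lock.yml; both files are generated, so the change belongs in the generator.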
@@ -807,7 +811,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -845,15 +849,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -862,7 +866,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
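Review bot: The "Redact secrets in logs" step in the `@@ -845,15 +849,15 @@` hunk now loads `setup_globals.cjs` and `redact_secrets.cjs` from whatever `process.env.GH_AW_HOME` holds when the step runs, where the path used to be a constant. As far as I know, a value appended to `$GITHUB_ENV` by an earlier step takes precedence over the job-level `GH_AW_HOME: /opt/gh-aw`. This step runs after the agent with `SECRET_GITHUB_TOKEN` and the other `SECRET_*` values in its environment. Whether the agent step can reach `$GITHUB_ENV` is not visible in this hunk; if that is not ruled out, post-agent steps should use a path resolved before the agent ran rather than re-reading the variable. At minimum the generator should document the assumption next to the job-level env, e.g. `# GH_AW_HOME must be an absolute, runner-owned directory that the agent cannot write to`.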
@@ -881,9 +885,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -907,18 +911,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -996,9 +1000,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1046,9 +1050,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1093,6 +1097,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-architecture-diagram" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1107,7 +1113,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
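Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')` in the `@@ -996,9 +1000,9 @@` hunk put shell syntax inside a single-quoted JavaScript string. github-script does not interpolate it, so Node would resolve a path that literally begins with `${GH_AW_HOME}` and the step should fail with a module-not-found error. The other github-script steps in this patch use `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and these should match. Because this is the threat-detection setup, confirm whether a failure here fails the job closed or only skips detection; the step's `if:` and `continue-on-error` settings are outside the hunk. The same literal form is in the conclusion-job hunks (`noop.cjs`, `missing_tool.cjs`, `handle_agent_failure.cjs`, `handle_noop_message.cjs`, `handle_create_pr_error.cjs`) and in daily-assign-issue-to-user.lock.yml, so the fix likely belongs in the generator call sites that still emit the shell constant.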
@@ -1131,9 +1137,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1144,9 +1150,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1166,9 +1172,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1183,9 +1189,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1197,9 +1203,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1216,6 +1222,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-architecture-diagram" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "daily-architecture-diagram" GH_AW_WORKFLOW_NAME: "Architecture Diagram Generator" outputs: @@ -1239,7 +1246,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1294,9 +1301,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1313,6 +1320,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailyarchitecturediagram steps: - name: Checkout actions folder @@ -1324,7 +1332,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index b074068276a..af2093d1855 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -43,6 +43,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -57,7 +59,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -79,7 +81,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -96,9 +98,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-assign-issue-to-user.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -113,15 +115,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, assign_to_user, missing_tool, missing_data, noop 
@@ -168,9 +170,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -186,10 +188,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -208,11 +210,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -238,10 +240,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyassignissuetouser outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -262,13 +262,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -291,14 +295,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -307,19 +311,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1,"target":"*"},"assign_to_user":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. 
IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added. Target: *.", @@ -492,7 +496,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -617,8 +621,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -629,7 +633,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -658,7 +662,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -693,7 +697,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -728,7 +732,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -766,15 +770,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -783,7 +787,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -802,9 +806,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -828,18 +832,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -910,9 +914,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -960,9 +964,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1007,6 +1011,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-assign-issue-to-user" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1021,7 +1027,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1045,9 +1051,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1058,9 +1064,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1078,9 +1084,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1095,9 +1101,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1113,6 +1119,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-assign-issue-to-user" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "daily-assign-issue-to-user" GH_AW_WORKFLOW_NAME: "Auto-Assign Issue" outputs: @@ -1135,7 +1142,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1161,9 +1168,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index c9976742db5..ea90f1c38c9 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -43,6 +43,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -58,7 +60,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -80,11 +82,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -102,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-choice-test.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -119,15 +121,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: missing_tool, missing_data, noop @@ -174,9 +176,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -192,10 +194,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -214,11 +216,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -243,10 +245,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailychoicetest outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -266,13 +266,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -295,9 +299,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -305,7 +309,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -316,19 +320,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"missing_data":{},"missing_tool":{},"noop":{"max":1},"test_environment":{"description":"A test job with choice input","inputs":{"environment":{"default":null,"description":"Target environment","options":["staging","production"],"required":true,"type":"choice"},"test_type":{"default":null,"description":"Type of test to run","options":["smoke","integration","e2e"],"required":true,"type":"choice"}},"output":"Environment test completed successfully"}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Report 
that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", @@ -456,7 +460,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "missing_data": { "defaultMax": 20, @@ -541,8 +545,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -553,7 +557,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
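Review bot: In the safe-outputs server step (which starts above the hunk), `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the matching CONFIG_PATH line sit in a step-level `env:` map, where the runner does no shell expansion, so both variables hold the literal text `${GH_AW_HOME}/…`. They also shadow the expanded values that the "Create gh-aw temp directory" step now appends to `$GITHUB_ENV`, and the `run:` body exports them unchanged before calling start_safe_outputs_server.sh. Either drop the two step-level entries so the `$GITHUB_ENV` values apply, or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. The daily-cli-performance hunk for the same step carries the same two lines.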
@@ -581,7 +585,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -615,7 +619,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
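Review bot: The gateway launch now finds its script through `${GH_AW_HOME}`, but the `MCP_GATEWAY_DOCKER_COMMAND` on the unchanged line just above still mounts only `-v /opt:/opt:ro`. A runner whose GH_AW_HOME is outside /opt would therefore likely start a gateway container that cannot see the safeoutputs files it is pointed at. Following the quoting already used for the workspace mount, add `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, which keeps the directory read-only inside the container. The daily-cli-performance gateway hunk has the same hard-coded mount, and the step itself starts above the hunk.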
@@ -733,15 +737,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -751,7 +755,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -770,9 +774,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -788,18 +792,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -870,9 +874,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -930,9 +934,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -973,6 +977,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-choice-test" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -987,7 +993,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1012,9 +1018,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1026,9 +1032,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1047,9 +1053,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1065,9 +1071,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1078,6 +1084,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-choice-test" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUTS_STAGED: "true" GH_AW_TRACKER_ID: "daily-choice-test" GH_AW_WORKFLOW_ID: "daily-choice-test" 
@@ -1099,7 +1106,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1125,9 +1132,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); test_environment: @@ -1136,17 +1143,19 @@ jobs: if: > ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'test_environment')) runs-on: ubuntu-latest + env: + GH_AW_HOME: /opt/gh-aw steps: - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 with: name: agent-output - path: /opt/gh-aw/safe-jobs/ + path: ${GH_AW_HOME}/safe-jobs/ - name: Setup Safe Job Environment Variables run: | - find "/opt/gh-aw/safe-jobs/" -type f -print - echo "GH_AW_AGENT_OUTPUT=/opt/gh-aw/safe-jobs/agent_output.json" >> "$GITHUB_ENV" + find "${GH_AW_HOME}/safe-jobs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=${GH_AW_HOME}/safe-jobs/agent_output.json" >> "$GITHUB_ENV" - name: Display test configuration run: |- if [ -f "$GH_AW_AGENT_OUTPUT" ]; then diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 7ad681c59f4..04cf30f38c4 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml 
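Review bot: In the test_environment job, `path: ${GH_AW_HOME}/safe-jobs/` is a `with:` input, which the runner hands to download-artifact as literal text, while the next step's `find "${GH_AW_HOME}/safe-jobs/"` is expanded by bash to /opt/gh-aw/safe-jobs/. Unless the action expands environment variables itself, the artifact lands in a different directory from the one that is read, and `GH_AW_AGENT_OUTPUT` points at a file that is not there. Writing `path: ${{ env.GH_AW_HOME }}/safe-jobs/` makes both steps agree. The `destination: ${GH_AW_HOME}/actions` inputs to ./actions/setup throughout these files have the same shape and work only if that action resolves the variable itself, which is not visible here.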
@@ -49,6 +49,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,7 +87,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -102,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-cli-performance.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -120,16 +122,16 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, missing_tool, missing_data, noop @@ -185,9 +187,9 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -210,10 +212,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -239,11 +241,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -269,10 +271,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailycliperformance outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -293,13 +293,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) env: 
@@ -309,7 +313,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -332,14 +336,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -348,19 +352,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":5},"create_issue":{"expires":48,"group":true,"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":512000,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. 
For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 3 issue(s) can be created. Title will be prefixed with \"[performance] \". Labels [\"performance\" \"automation\" \"cookie\"] will be automatically added.", @@ -558,7 +562,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -694,8 +698,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -706,16 +710,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "go", 
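Review bot: The new `"logDir": "${GH_AW_HOME}/mcp-scripts/logs"` value is written through a heredoc with a quoted delimiter (`<< 'GH_AW_MCP_SCRIPTS_TOOLS_EOF'`), so bash leaves it unexpanded and tools.json records the literal string. The generated mcp-server.cjs in the next hunk passes `process.env.GH_AW_HOME + '/mcp-scripts/logs'` to startHttpServer at runtime. Whether the `logDir` in tools.json is also read is not visible here; if it is, logs would go to a relative directory named `${GH_AW_HOME}`. Either drop the field from tools.json and rely on the runtime option, or have the generator emit a value that is resolved when the file is written.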
@@ -756,7 +760,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -765,17 +769,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + '/mcp-scripts/logs' }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_EOF' #!/bin/bash # Auto-generated mcp-script tool: go # Execute any Go command. This tool is accessible as 'mcpscripts-go'. Provide the full command after 'go' (e.g., args: 'test ./...'). The tool will run: go . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -787,8 +791,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GO_EOF - chmod +x /opt/gh-aw/mcp-scripts/go.sh - cat > /opt/gh-aw/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/go.sh + cat > ${GH_AW_HOME}/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_EOF' #!/bin/bash # Auto-generated mcp-script tool: make # Execute any Make target. This tool is accessible as 'mcpscripts-make'. Provide the target name(s) (e.g., args: 'build'). The tool will run: make . Use single quotes ' for complex args to avoid shell interpretation issues. 
@@ -799,7 +803,7 @@ jobs: make $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_MAKE_EOF - chmod +x /opt/gh-aw/mcp-scripts/make.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/make.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -831,7 +835,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -862,7 +866,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { 
@@ -904,7 +908,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -939,7 +943,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -977,15 +981,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -994,7 +998,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -1013,9 +1017,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -1039,27 +1043,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1140,9 +1144,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1190,9 +1194,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1238,6 +1242,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-cli-performance" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1252,7 +1258,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
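Review bot: In the threat-detection setup step (hunk -1140,9) the new `require('${GH_AW_HOME}/actions/setup_globals.cjs')` is a single-quoted JavaScript string inside a `script:` input, so nothing expands `${GH_AW_HOME}` and Node is asked for a path that literally begins with `${GH_AW_HOME}`. The step would fail to load `setup_threat_detection.cjs`; whether that fails the job or only skips detection depends on settings outside the hunk. Use the form the neighbouring hunks already use: `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`. The same literal is added in the noop, missing_tool, handle_agent_failure and handle_noop_message steps of both workflow files in this patch.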
@@ -1277,9 +1283,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1291,9 +1297,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1315,9 +1321,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1333,9 +1339,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1347,6 +1353,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} @@ -1360,7 +1368,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1403,9 +1411,9 @@ jobs: FILE_GLOB_FILTER: "memory/cli-performance/*.json memory/cli-performance/*.jsonl memory/cli-performance/*.txt" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1421,6 +1429,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-cli-performance" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-cli-performance" GH_AW_WORKFLOW_ID: "daily-cli-performance" GH_AW_WORKFLOW_NAME: "Daily CLI Performance Agent" 
@@ -1445,7 +1454,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1471,9 +1480,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index eedbb1ddc19..438552d94b1 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -44,6 +44,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -59,7 +61,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
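Review bot: `destination: ${GH_AW_HOME}/actions` in the `Setup Scripts` step is a `with:` input, and the runner evaluates only `${{ }}` expressions there, not shell variables, so the action receives the literal text. Unless `./actions/setup` expands the value itself (not visible here), the scripts would be copied somewhere other than the directory the later `require(...)` and `bash ...` steps read from. `destination: ${{ env.GH_AW_HOME }}/actions` resolves the job-level value before the action runs. The same line is added in every `Setup Scripts` hunk of this patch.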
@@ -81,11 +83,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -103,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-cli-tools-tester.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -120,15 +122,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -177,9 +179,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -195,10 +197,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -217,11 +219,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -247,10 +249,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyclitoolstester outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -271,7 +271,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -307,7 +307,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -330,14 +334,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -346,10 +350,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -363,26 +367,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":168,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[cli-tools-test] \". Labels [\"testing\" \"automation\" \"cli-tools\"] will be automatically added.", 
@@ -528,7 +532,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -646,8 +650,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -658,7 +662,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
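Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` (hunk -646,8) are plain YAML values, so the `run:` block exports the unexpanded string rather than a path. They also appear to shadow the resolved values that the `Create gh-aw temp directory` step writes to `$GITHUB_ENV` earlier in this file. Either drop the two lines so the `$GITHUB_ENV` values apply, or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. The step's `env:` block starts outside the hunk.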
@@ -688,7 +692,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -735,7 +739,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -769,7 +773,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -807,15 +811,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -825,7 +829,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -844,9 +848,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -870,18 +874,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -952,9 +956,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1001,9 +1005,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1046,6 +1050,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-cli-tools-tester" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1060,7 +1066,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1084,9 +1090,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1097,9 +1103,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1118,9 +1124,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1135,9 +1141,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1151,6 +1157,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-cli-tools-tester" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "daily-cli-tools-tester" GH_AW_WORKFLOW_NAME: "Daily CLI Tools Exploratory Tester" outputs: @@ -1172,7 +1179,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1198,9 +1205,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index e2a1ede659f..a4e78b0fc7e 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -50,6 +50,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -65,7 +67,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,11 +89,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -109,9 +111,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-code-metrics.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -126,17 +128,17 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -194,9 +196,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
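Review bot: `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` leaves the expansion unquoted while the `cat "${GH_AW_HOME}/prompts/xpia.md"` lines directly below quote it, so a self-hosted runner whose GH_AW_HOME contains a space splits the path into two arguments. Quote it the same way: `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"`. The other `run:` lines in this patch that invoke scripts, `mkdir -p` and `cat >` under `${GH_AW_HOME}` have the same unquoted form. The run block continues outside the hunk.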
@@ -221,10 +223,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -252,11 +254,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -281,10 +283,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailycodemetrics outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -304,13 +304,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -336,7 +340,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -353,7 +357,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -376,9 +380,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -386,7 +390,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -397,19 +401,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. 
Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -580,7 +584,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -700,8 +704,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -712,7 +716,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
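Review bot: In the -700,8 hunk the step-level `env:` values `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are not shell-expanded, so the `export` lines below hand the safe-outputs server the unexpanded text. Step-level env also takes precedence over the resolved values that the `Create gh-aw temp directory` step writes to `$GITHUB_ENV`, so those are shadowed here. Either drop the two keys from this step or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. The daily-compiler-quality hunk at -592,8 repeats this.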
@@ -743,7 +747,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -777,7 +781,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
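Review bot: The gateway container in `MCP_GATEWAY_DOCKER_COMMAND` still mounts `-v /opt:/opt:ro`, so the read-only view of the gh-aw files holds only while GH_AW_HOME stays under /opt. With a home elsewhere the container either cannot see the `GH_AW_SAFE_OUTPUTS*` paths it is passed or, if the home lies under `/tmp` or the workspace, reaches the scripts through the `:rw` mounts, and later steps `require()` those scripts with `secrets.*` tokens in scope. Mount the home explicitly read-only, following the quoting already used for the workspace, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, and have the setup step reject a GH_AW_HOME that resolves inside a read-write mount. The same command line is in the daily-compiler-quality hunk at -633,7.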
@@ -901,15 +905,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -919,7 +923,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -938,9 +942,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -956,18 +960,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1062,9 +1066,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1122,9 +1126,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1171,6 +1175,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-code-metrics" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1185,7 +1191,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1210,9 +1216,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1224,9 +1230,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1250,9 +1256,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1268,9 +1274,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1282,6 +1288,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} 
@@ -1295,7 +1303,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1338,9 +1346,9 @@ jobs: FILE_GLOB_FILTER: "*.json *.jsonl *.csv *.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1355,6 +1363,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-code-metrics" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-code-metrics" GH_AW_WORKFLOW_ID: "daily-code-metrics" GH_AW_WORKFLOW_NAME: "Daily Code Metrics and Trend Tracking Agent" @@ -1375,7 +1384,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1401,9 +1410,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() 
@@ -1420,6 +1429,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailycodemetrics steps: - name: Checkout actions folder @@ -1431,7 +1441,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1475,7 +1485,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1531,8 +1541,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 9814ea7ed36..8156202039a 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -49,6 +49,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
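Review bot: The job that holds the `Setup Scripts` step at -1475,7 gets no `GH_AW_HOME` entry: the old-to-new line offset stays at +10 from the -1431,7 hunk through the -1531,8 hunk, so no `env:` line was added in between. Its `destination: ${GH_AW_HOME}/actions` and the `require('${GH_AW_HOME}/actions/upload_assets.cjs')` at -1531,8 therefore refer to a variable the job never defines, unless it is set somewhere outside the diff. Add the same `GH_AW_HOME: /opt/gh-aw` job-level entry that the other jobs in this file receive.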
@@ -85,7 +87,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -102,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-compiler-quality.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -119,16 +121,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop 
@@ -183,9 +185,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -204,10 +206,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -229,11 +231,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -259,10 +261,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailycompilerquality outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -283,16 +283,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -322,14 +326,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -338,19 +342,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. 
For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -481,7 +485,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -592,8 +596,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -604,7 +608,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -633,7 +637,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -676,7 +680,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -732,7 +736,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -770,15 +774,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -787,7 +791,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -806,9 +810,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -832,18 +836,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -920,9 +924,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -970,9 +974,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1017,6 +1021,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-compiler-quality" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1031,7 +1037,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
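Review bot: In the `@@ -920,9 +924,9 @@` hunk the github-script body calls `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')`. A single-quoted JavaScript string is not interpolated and `with.script` only gets `${{ }}` expansion, so Node would try to load a path that literally begins with `${GH_AW_HOME}`. The step would then fail before threat detection is set up; whether the later jobs treat that as fail-closed is not visible here and is worth confirming. Use the form the neighbouring `@@ -970,9 +974,9 @@` hunk already has, `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`. The same literal form appears in hunks `-1062,9`, `-1076,9`, `-1099,9` and `-1117,9` of this file and in `-1050,9`, `-1190,9`, `-1204,9`, `-1230,9`, `-1248,9` and `-1515,8` of daily-copilot-token-report.lock.yml, which suggests one code path in the generator still emits the shell-style expression into JavaScript.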
@@ -1056,9 +1062,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1070,9 +1076,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1093,9 +1099,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1111,9 +1117,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1128,6 +1134,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-compiler-quality" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-compiler-quality" GH_AW_WORKFLOW_ID: "daily-compiler-quality" GH_AW_WORKFLOW_NAME: "Daily Compiler Quality Check" @@ -1148,7 +1155,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1174,9 +1181,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1193,6 +1200,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailycompilerquality steps: - name: Checkout actions folder 
@@ -1204,7 +1212,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index 35fb40eeeb8..c2cb441bffc 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -49,6 +49,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,7 +87,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -102,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-copilot-token-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -119,17 +121,17 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -185,9 +187,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -212,10 +214,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -243,11 +245,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -274,10 +276,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailycopilottokenreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -298,9 +298,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Go @@ -364,7 +368,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -381,7 +385,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -404,14 +408,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -420,19 +424,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. 
Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -603,7 +607,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -723,8 +727,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -735,7 +739,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -767,7 +771,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -802,7 +806,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -840,7 +844,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -878,15 +882,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -895,7 +899,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -914,9 +918,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -940,18 +944,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1046,9 +1050,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1096,9 +1100,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1145,6 +1149,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-copilot-token-report" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1159,7 +1165,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1184,9 +1190,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1198,9 +1204,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1224,9 +1230,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1242,9 +1248,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1256,6 +1262,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} @@ -1269,7 +1277,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1312,9 +1320,9 @@ jobs: FILE_GLOB_FILTER: "memory/token-metrics/*.json memory/token-metrics/*.jsonl memory/token-metrics/*.csv memory/token-metrics/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1329,6 +1337,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-copilot-token-report" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-copilot-token-report" GH_AW_WORKFLOW_ID: "daily-copilot-token-report" GH_AW_WORKFLOW_NAME: "Daily Copilot Token Consumption Report" 
@@ -1349,7 +1358,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1375,9 +1384,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1394,6 +1403,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailycopilottokenreport steps: - name: Checkout actions folder @@ -1405,7 +1415,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1449,7 +1459,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
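Review bot: The job touched by the `@@ -1449,7 +1459,7 @@` hunk switches to `destination: ${GH_AW_HOME}/actions`, but no hunk adds `GH_AW_HOME: /opt/gh-aw` to that job's `env:`, unlike the other jobs in this file (for example `@@ -1403,6 +1413,7 @@`). The job header is outside the hunk, so this is inferred from the missing hunk. If the variable is indeed not defined there, every `${GH_AW_HOME}` reference in that job resolves to nothing on a hosted runner; the job needs the same `env:` entry, `GH_AW_HOME: /opt/gh-aw`. Separately, `with:` inputs are not shell-expanded, so `./actions/setup` has to expand `${GH_AW_HOME}` in `destination` itself. If it does not, the scripts are copied to a directory literally named `${GH_AW_HOME}`, and `destination: ${{ env.GH_AW_HOME }}/actions` would avoid relying on that.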
@@ -1505,8 +1515,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index a106466018d..d5946616675 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml @@ -44,6 +44,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -59,7 +61,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -81,11 +83,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders 
@@ -103,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-doc-healer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -120,21 +122,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' 
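Review bot: In the `@@ -120,21 +122,21 @@` hunk, `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` expands the variable unquoted, while the `cat "${GH_AW_HOME}/prompts/xpia.md"` lines just below quote it. A self-hosted runner may set a home path containing spaces or glob characters, in which case the unquoted form is word-split and runs a different path than intended. Quote it the same way everywhere it is used as a command argument or redirect target, e.g. `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"`, `mkdir -p "${GH_AW_HOME}/safeoutputs"` and `cat > "${GH_AW_HOME}/safeoutputs/config.json"`. The `run:` block continues outside this hunk.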
@@ -180,9 +182,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -201,10 +203,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -226,11 +228,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -255,10 +257,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailydochealer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -278,16 +278,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -317,9 +321,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -327,7 +331,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -338,19 +342,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":72,"max":1},"create_pull_request":{"expires":72,"max":1,"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. 
CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[doc-healer] \". Labels [\"documentation\" \"automation\"] will be automatically added. Assignees [\"copilot\"] will be automatically assigned.", @@ -545,7 +549,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -699,8 +703,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -711,7 +715,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
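Review bot: In the `@@ -699,8 +703,8 @@` hunk, the step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are plain YAML strings, so they reach the step unexpanded. They also take precedence over the expanded values that the `Create gh-aw temp directory` step writes to `$GITHUB_ENV`, so the `export` lines below hand `start_safe_outputs_server.sh` a literal `${GH_AW_HOME}/...` path. Either drop both entries so the `$GITHUB_ENV` values apply, or use the expression form `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json` (and likewise for the config path). The daily-doc-updater hunk `@@ -617,8 +621,8 @@` has the same two lines.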
@@ -739,7 +743,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -773,7 +777,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
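Review bot: In the `@@ -739,7 +743,7 @@` hunk, the context line defining `MCP_GATEWAY_DOCKER_COMMAND` still hard-codes `-v /opt:/opt:ro`, although the safe-outputs paths it forwards with `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH` now live under `${GH_AW_HOME}`. If a self-hosted runner points `GH_AW_HOME` outside `/opt`, the gateway container receives paths it cannot see. Mounting the resolved directory read-only, in the same quoting style as the workspace mount, keeps the container's view narrow and correct: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. The daily-doc-updater hunk `@@ -657,7 +661,7 @@` carries the same command.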
@@ -919,15 +923,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -937,7 +941,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -956,9 +960,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -974,18 +978,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1063,9 +1067,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1123,9 +1127,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1170,6 +1174,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-doc-healer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1184,7 +1190,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1209,9 +1215,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1223,9 +1229,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1246,9 +1252,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1264,9 +1270,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error 
@@ -1279,9 +1285,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1298,6 +1304,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-doc-healer" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-doc-healer" GH_AW_WORKFLOW_ID: "daily-doc-healer" GH_AW_WORKFLOW_NAME: "Daily Documentation Healer" @@ -1322,7 +1329,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1378,9 +1385,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign Copilot to created issues if: steps.process_safe_outputs.outputs.issues_to_assign_copilot != '' 
@@ -1390,9 +1397,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/assign_copilot_to_created_issues.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/assign_copilot_to_created_issues.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1409,6 +1416,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailydochealer steps: - name: Checkout actions folder @@ -1420,7 +1428,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index ba92f6c5234..05f464f5a38 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -44,6 +44,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -59,7 +61,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -81,11 +83,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -103,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-doc-updater.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -120,21 +122,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -180,9 +182,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -201,10 +203,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -226,11 +228,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -255,10 +257,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailydocupdater outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -278,16 +278,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -317,9 +321,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 
@@ -327,7 +331,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -338,19 +342,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"auto_merge":true,"expires":24,"max":1,"reviewers":["copilot"],"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. 
For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[docs] \". Labels [\"documentation\" \"automation\"] will be automatically added. Reviewers [\"copilot\"] will be assigned.", @@ -496,7 +500,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -617,8 +621,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -629,7 +633,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -657,7 +661,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -691,7 +695,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
@@ -838,15 +842,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -856,7 +860,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -875,9 +879,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
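Review bot: `bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID"` in the `@@ -838,15 +842,15 @@` hunk quotes the PID but not the path, so a home directory containing spaces splits into several words and an unset `GH_AW_HOME` silently resolves to `/actions/stop_mcp_gateway.sh`. This variable now decides which scripts run with the job's tokens in scope, so the step should fail closed: `bash "${GH_AW_HOME:?}/actions/stop_mcp_gateway.sh" "$GATEWAY_PID"`. The same applies to the other unquoted `bash ${GH_AW_HOME}/...`, `mkdir -p ${GH_AW_HOME}/...` and `cat > ${GH_AW_HOME}/...` lines in these lock files; the `cat "${GH_AW_HOME}/prompts/..."` lines are already quoted.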
@@ -893,18 +897,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -982,9 +986,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
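Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` in the `@@ -982,9 +986,9 @@` hunk is a single-quoted JavaScript string, so `${GH_AW_HOME}` is neither interpolated by Node nor expanded by the runner, and the module lookup will use that literal text and fail. Every other github-script step in this file uses the working form, so these two lines should read `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')` and `require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs')`. The same literal form is in hunks `@@ -1128`, `@@ -1142`, `@@ -1165`, `@@ -1183` and `@@ -1198` of this file and `@@ -835`, `@@ -951`, `@@ -965`, `@@ -987` and `@@ -1005` of daily-fact.lock.yml. These are the threat-detection setup and conclusion steps, so the failure would drop detection setup and failure reporting rather than the agent run itself. The lock files look generated, so the fix likely belongs in whatever emits these steps.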
@@ -1042,9 +1046,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1089,6 +1093,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-doc-updater" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1103,7 +1109,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1128,9 +1134,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
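Review bot: `destination: ${GH_AW_HOME}/actions` in the `@@ -1103,7 +1109,7 @@` hunk is an action input, which the runner passes through verbatim rather than shell-expanding. Whether `./actions/setup` expands it is not visible in this diff; if it does not, the scripts land in a directory literally named `${GH_AW_HOME}` while later steps look under `/opt/gh-aw/actions`. `destination: ${{ env.GH_AW_HOME }}/actions` resolves the value before the action runs and does not depend on how the action handles its input. The same line appears in every `Setup Scripts` step changed in these lock files.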
@@ -1142,9 +1148,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1165,9 +1171,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1183,9 +1189,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error 
@@ -1198,9 +1204,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1217,6 +1223,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-doc-updater" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-doc-updater" GH_AW_WORKFLOW_ID: "daily-doc-updater" GH_AW_WORKFLOW_NAME: "Daily Documentation Updater" @@ -1239,7 +1246,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1294,9 +1301,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1313,6 +1320,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailydocupdater steps: - name: Checkout actions folder 
@@ -1324,7 +1332,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index c6f123def86..b5591fe5761 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -43,6 +43,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -52,7 +54,7 @@ jobs: - name: Setup Scripts uses: github/gh-aw/actions/setup@a70c5eada06553e3510ac27f2c3bda9d3705bccb # a70c5eada06553e3510ac27f2c3bda9d3705bccb with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -74,11 +76,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} 
@@ -88,9 +90,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-fact.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -105,15 +107,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -161,9 +163,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -179,10 +181,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -201,11 +203,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -232,10 +234,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyfact outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -249,13 +249,17 @@ jobs: - name: Setup Scripts uses: github/gh-aw/actions/setup@a70c5eada06553e3510ac27f2c3bda9d3705bccb # a70c5eada06553e3510ac27f2c3bda9d3705bccb with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -278,9 +282,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -290,7 +294,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -299,19 +303,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1,"target":"4750"},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. 
IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added. Target: 4750.", @@ -445,7 +449,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -548,8 +552,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -560,7 +564,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -613,7 +617,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -647,7 +651,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -689,15 +693,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -708,7 +712,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -727,9 +731,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -753,18 +757,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -835,9 +839,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -871,9 +875,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -918,6 +922,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-fact" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -926,7 +932,7 @@ jobs: - name: Setup Scripts uses: github/gh-aw/actions/setup@a70c5eada06553e3510ac27f2c3bda9d3705bccb # a70c5eada06553e3510ac27f2c3bda9d3705bccb with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -951,9 +957,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -965,9 +971,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -987,9 +993,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1005,9 +1011,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1024,6 +1030,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-fact" GH_AW_ENGINE_ID: "codex" GH_AW_ENGINE_MODEL: "gpt-5.1-codex-mini" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🪶 *Penned with care by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📜 Hark! The muse awakens — [{workflow_name}]({run_url}) begins its verse upon this {event_type}...\",\"runSuccess\":\"✨ Lo! [{workflow_name}]({run_url}) hath woven its tale to completion, like a sonnet finding its final rhyme. 🌟\",\"runFailure\":\"🌧️ Alas! [{workflow_name}]({run_url}) {status}, its quill fallen mid-verse. The poem remains unfinished...\"}" GH_AW_TRACKER_ID: "daily-fact-thread" GH_AW_WORKFLOW_ID: "daily-fact" @@ -1041,7 +1048,7 @@ jobs: - name: Setup Scripts uses: github/gh-aw/actions/setup@a70c5eada06553e3510ac27f2c3bda9d3705bccb # a70c5eada06553e3510ac27f2c3bda9d3705bccb with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1067,9 +1074,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 7189dd265e8..5ce3021f233 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -52,6 +52,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -66,7 +68,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,7 +90,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -105,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-file-diet.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -122,15 +124,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -188,9 +190,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -207,10 +209,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -230,11 +232,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -260,10 +262,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyfilediet outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -284,13 +284,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -313,14 +317,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
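Review bot: `destination: ${GH_AW_HOME}/actions` in the hunk at -284 is an action input, and `with:` values are not passed through a shell, so `./actions/setup` receives the literal string unless its own script expands it, which is not visible here. `destination: ${{ env.GH_AW_HOME }}/actions` resolves the path before the action runs. The same input appears in the other Setup Scripts hunks of both lock files. The pre_activation one at -1137 shows no `GH_AW_HOME` entry being added to that job's `env:` within the hunk, so check that the variable is defined there at all.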
@@ -329,19 +333,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. 
CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[file-diet] \". Labels [\"refactoring\" \"code-health\" \"automated-analysis\" \"cookie\"] will be automatically added.", @@ -487,7 +491,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -605,8 +609,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -617,7 +621,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
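Review bot: In the hunk at -605, the step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are YAML values, not shell, so the runner passes the text `${GH_AW_HOME}/…` through unexpanded and the `export` lines below hand that literal to start_safe_outputs_server.sh. Step-level `env:` also takes precedence over the resolved values that the "Create gh-aw temp directory" step writes to `$GITHUB_ENV`. Use the expression context instead, `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json` (likewise for the config path), or drop the two entries so the `$GITHUB_ENV` values apply. The hunk at -711 in daily-firewall-report.lock.yml has the same lines.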
@@ -646,7 +650,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -689,7 +693,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
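Review bot: The gateway command kept as context in the hunk at -646 still mounts `-v /opt:/opt:ro`, so once `GH_AW_HOME` points outside `/opt` on a self-hosted runner the container no longer sees the safeoutputs files whose paths it is given via `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH`. Mounting only the gh-aw directory, in the same quoting style as the workspace mount, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, fixes that and also stops exposing the rest of the host's `/opt` to the container, assuming the gateway needs nothing else from it. The hunk at -756 in daily-firewall-report.lock.yml carries the same command.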
@@ -746,7 +750,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -784,15 +788,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -801,7 +805,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -820,9 +824,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -846,18 +850,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -928,9 +932,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -978,9 +982,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1023,6 +1027,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-file-diet" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1037,7 +1043,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
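Review bot: The two `require()` calls in the hunk at -928 (the threat-detection setup step) pass `'${GH_AW_HOME}/actions/…'` as a single-quoted JavaScript string, which Node does not expand, so the module path is the literal text `${GH_AW_HOME}/actions/setup_globals.cjs` and the step cannot load its script. Every other github-script step in this patch uses the `process.env` form, and these should match: `const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs');`. The same shell-style form appears in the noop, missing_tool, handle_agent_failure and handle_noop_message hunks of this file and in the corresponding hunks of daily-firewall-report.lock.yml. Because the affected steps include threat detection and failure handling, confirm whether a load failure there stops the run or is silently skipped. The lock file looks generated, so the fix probably belongs in the compiler that emits these steps.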
@@ -1062,9 +1068,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1076,9 +1082,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1097,9 +1103,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1115,9 +1121,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1137,7 +1143,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1146,9 +1152,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1159,9 +1165,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: 
@@ -1175,6 +1181,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-file-diet" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-file-diet" GH_AW_WORKFLOW_ID: "daily-file-diet" GH_AW_WORKFLOW_NAME: "Daily File Diet" @@ -1197,7 +1204,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1223,9 +1230,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index d87274eaf93..bce7dd78337 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -49,6 +49,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -64,7 +66,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -86,11 +88,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -108,9 +110,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-firewall-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -125,16 +127,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -189,9 +191,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -210,10 +212,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -235,11 +237,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -267,10 +269,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyfirewallreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -291,7 +291,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -327,7 +327,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Python environment run: | mkdir -p /tmp/gh-aw/python/{data,charts,artifacts} 
@@ -353,7 +357,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -383,14 +387,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -399,10 +403,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -416,26 +420,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", 
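Review bot: `${GH_AW_HOME}` is unquoted in `mkdir -p ${GH_AW_HOME}`, `cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw` and `chmod +x ${GH_AW_HOME}/gh-aw`, so a runner-supplied path containing spaces is word-split and an empty value makes the step write to `/gh-aw`. Quote each use and fail fast on an empty value, e.g. `mkdir -p "${GH_AW_HOME:?}"` and `cp "$GH_AW_BIN" "${GH_AW_HOME}/gh-aw"`. The `bash ${GH_AW_HOME}/actions/….sh` lines throughout both lock files have the same unquoted form. On persistent self-hosted runners this directory holds scripts that later steps execute with tokens in scope, so it should be a location only the runner account can write.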
@@ -591,7 +595,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -711,8 +715,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -723,7 +727,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -756,7 +760,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -803,7 +807,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -840,7 +844,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -878,15 +882,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -896,7 +900,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -915,9 +919,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -941,18 +945,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1038,9 +1042,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1087,9 +1091,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1135,6 +1139,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-firewall-report" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1149,7 +1155,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
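Review bot: In the hunk at -1038 the script now calls `require('${GH_AW_HOME}/actions/setup_globals.cjs')`, but this is a single-quoted JavaScript string inside a github-script `script:` input, so nothing expands `${GH_AW_HOME}` and Node is asked for a directory literally named `${GH_AW_HOME}`. The neighbouring steps use the working form, `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and these two lines should match it. The same literal form appears in the hunks at -1174, -1188, -1212, -1230 and -1423 of this file, and in the threat-detection, noop, missing_tool, handle_agent_failure, handle_noop_message and upload_assets steps of daily-issues-report. Several of those steps run with `github-token` set, so a failed load there silently drops failure reporting and safe-output handling.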
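Review bot: `destination: ${GH_AW_HOME}/actions` in the hunk at -1149 is a `with:` input, where Actions substitutes only `${{ }}` expressions, so `./actions/setup` receives the literal text unless the action expands it itself (its code is not in this hunk). `destination: ${{ env.GH_AW_HOME }}/actions` would hand it a resolved path. The same line recurs in every job of these lock files; in daily-issues-report the `pre_activation` hunk at -1255 changes it with no `GH_AW_HOME` entry visible for that job, which is worth confirming. Later steps `require()` and `bash` files from this directory with tokens in their environment, so on a self-hosted runner the resolved directory should be writable only by the runner account.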
@@ -1174,9 +1180,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1188,9 +1194,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1212,9 +1218,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1230,9 +1236,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1247,6 +1253,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-firewall-report" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-firewall-report" GH_AW_WORKFLOW_ID: "daily-firewall-report" GH_AW_WORKFLOW_NAME: "Daily Firewall Logs Collector and Reporter" @@ -1267,7 +1274,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1293,9 +1300,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1312,6 +1319,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailyfirewallreport steps: - name: Checkout actions folder 
@@ -1323,7 +1331,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1367,7 +1375,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1423,8 +1431,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 7c3f4dd75b8..851262d27a3 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -54,6 +54,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -69,7 +71,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -94,11 +96,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -117,9 +119,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-issues-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -134,16 +136,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, close_discussion, upload_asset, missing_tool, missing_data, noop @@ -209,9 +211,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -231,10 +233,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -257,11 +259,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -288,10 +290,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyissuesreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -311,13 +311,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -350,7 +354,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -380,9 +384,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 
@@ -392,18 +396,18 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_discussion":{"max":10},"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[daily issues] \". 
Discussions will be created in category \"audits\".", @@ -601,7 +605,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_discussion": { "defaultMax": 1, @@ -748,8 +752,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -760,7 +764,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -815,7 +819,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -849,7 +853,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail 
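Review bot: The step-level `env:` values in the hunk at -748 (`GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` line after it) are not shell-expanded, so the step exports the literal string `${GH_AW_HOME}/...` to `start_safe_outputs_server.sh`. They also take precedence over the resolved values that the `Create gh-aw temp directory` step now appends to `$GITHUB_ENV`. Either drop the two entries and rely on `$GITHUB_ENV`, or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. The step body continues past the hunk.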
@@ -894,15 +898,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -913,7 +917,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -932,9 +936,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -958,18 +962,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1055,9 +1059,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1091,9 +1095,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1139,6 +1143,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-issues-report" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1153,7 +1159,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1178,9 +1184,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1192,9 +1198,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1215,9 +1221,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1233,9 +1239,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1255,7 +1261,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -1264,9 +1270,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1281,6 +1287,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-issues-report" GH_AW_ENGINE_ID: "codex" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-issues-report" GH_AW_WORKFLOW_ID: "daily-issues-report" GH_AW_WORKFLOW_NAME: "Daily Issues Report Generator" @@ -1301,7 +1308,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1327,9 +1334,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1346,6 +1353,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailyissuesreport steps: - name: Checkout actions folder 
@@ -1357,7 +1365,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1401,7 +1409,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1457,8 +1465,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index aa62afd657c..4f24978d50e 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -62,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -84,7 +86,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -101,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-malicious-code-scan.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -118,15 +120,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_code_scanning_alert, missing_tool, missing_data, noop 
@@ -177,9 +179,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -195,10 +197,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -217,11 +219,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -247,10 +249,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailymaliciouscodescan outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -269,13 +269,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -298,14 +302,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -314,19 +318,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_code_scanning_alert":{"max":0},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a code scanning alert for security vulnerabilities, code quality issues, or other findings. Alerts appear in the repository's Security tab and integrate with GitHub's security features. Use this for automated security analysis results.", 
@@ -483,7 +487,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_code_scanning_alert": { "defaultMax": 40, @@ -609,8 +613,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -621,7 +625,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
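Review bot: In the `@@ -609,8 +613,8 @@` hunk, the step-level `env:` values `${GH_AW_HOME}/safeoutputs/tools.json` and `${GH_AW_HOME}/safeoutputs/config.json` are not shell-expanded, so the step exports the literal text. That literal also overrides the resolved values the "Create gh-aw temp directory" step wrote to `$GITHUB_ENV`. Either drop the two entries from this `env:` block so the `$GITHUB_ENV` values apply, or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. The same hunk recurs in daily-mcp-concurrency-analysis.lock.yml at `@@ -653,8 +657,8 @@`. The step's `run:` block continues outside the hunk, so whether the server script re-expands the path cannot be seen from here.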
@@ -650,7 +654,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -685,7 +689,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
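Review bot: The gateway container in the `@@ -650,7 +654,7 @@` hunk still mounts only `-v /opt:/opt:ro`. Once `GH_AW_HOME` points outside `/opt`, the files named by `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH` will not exist inside the container. Mount the resolved directory itself, read-only, in the quoting style already used for the workspace: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, rather than widening the mount to a parent directory. The same command appears in daily-mcp-concurrency-analysis.lock.yml at `@@ -694,7 +698,7 @@`. The enclosing `run:` block starts outside the hunk.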
@@ -720,7 +724,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -758,15 +762,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -775,7 +779,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -794,9 +798,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -820,18 +824,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -875,6 +879,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-malicious-code-scan" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} 
@@ -889,7 +895,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -914,9 +920,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -928,9 +934,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -949,9 +955,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
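Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` in the `@@ -914,9 +920,9 @@` hunk is a single-quoted JavaScript string, so `${GH_AW_HOME}` is never substituted. `require` then looks for a path that literally begins with `${GH_AW_HOME}`, and each step in this job that loads a script this way will fail at load time. Use the form the other jobs in this patch already use: `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`. The same literal appears in the following hunks of this job (`-928,9`, `-949,9`, `-967,9`) and in daily-mcp-concurrency-analysis.lock.yml, including the `setup_threat_detection.cjs` load at `@@ -982,9 +986,9 @@`. A detection step that cannot load its script should be confirmed to fail closed rather than let the run proceed unscanned.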
@@ -967,9 +973,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -983,6 +989,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-malicious-code-scan" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "malicious-code-scan" GH_AW_WORKFLOW_ID: "daily-malicious-code-scan" GH_AW_WORKFLOW_NAME: "Daily Malicious Code Scan Agent" @@ -1003,7 +1010,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1029,9 +1036,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index 4732d4cab66..a432248f663 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml 
@@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -62,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -84,7 +86,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -101,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-mcp-concurrency-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -118,16 +120,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, create_agent_session, missing_tool, missing_data, noop @@ -182,9 +184,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -203,10 +205,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -228,11 +230,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -258,10 +260,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailymcpconcurrencyanalysis outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -282,16 +282,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -321,14 +325,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -337,19 +341,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_agent_session":{"max":3},"create_issue":{"expires":168,"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. 
For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 5 issue(s) can be created. Title will be prefixed with \"[concurrency] \". Labels [\"bug\" \"concurrency\" \"thread-safety\" \"automated-analysis\" \"cookie\"] will be automatically added.", @@ -520,7 +524,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_agent_session": { "defaultMax": 1, @@ -653,8 +657,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -665,7 +669,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -694,7 +698,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -737,7 +741,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -794,7 +798,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -832,15 +836,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -849,7 +853,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -868,9 +872,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -894,18 +898,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -982,9 +986,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1032,9 +1036,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1078,6 +1082,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-mcp-concurrency-analysis" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1092,7 +1098,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1117,9 +1123,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1131,9 +1137,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1152,9 +1158,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1170,9 +1176,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1186,6 +1192,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-mcp-concurrency-analysis" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "mcp-concurrency-analysis" GH_AW_WORKFLOW_ID: "daily-mcp-concurrency-analysis" GH_AW_WORKFLOW_NAME: "Daily MCP Tool Concurrency Analysis" @@ -1210,7 +1217,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1236,9 +1243,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Create Agent Session id: create_agent_session 
@@ -1249,9 +1256,9 @@ jobs: with: github-token: ${{ secrets.COPILOT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/create_agent_session.cjs'); await main(); + const { main } = require(process.env.GH_AW_HOME + '/actions/create_agent_session.cjs'); await main(); - name: Upload safe output items manifest if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -1267,6 +1274,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailymcpconcurrencyanalysis steps: - name: Checkout actions folder @@ -1278,7 +1286,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 51cebc24dbd..bcee0d8cd8b 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -54,6 +54,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -69,7 +71,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -91,11 +93,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -113,9 +115,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-multi-device-docs-tester.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -131,16 +133,16 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_INPUTS_DEVICES: ${{ inputs.devices }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, upload_asset, missing_tool, missing_data, noop @@ -200,9 +202,9 @@ jobs: GH_AW_INPUTS_DEVICES: ${{ inputs.devices }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -219,10 +221,10 @@ jobs: GH_AW_INPUTS_DEVICES: ${{ inputs.devices }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
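Review bot: The script path in `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` is left unquoted, while the `cat "${GH_AW_HOME}/prompts/xpia.md"` lines in the same hunk are quoted. Now that the prefix is meant to be relocatable on self-hosted runners, a value containing spaces or glob characters would be word-split before bash sees it. Quoting it the same way keeps the two forms consistent: `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"`. The unquoted form is also used by the other `run:` lines this patch rewrites, including the `mkdir -p ${GH_AW_HOME}/safeoutputs` and `cat > ${GH_AW_HOME}/safeoutputs/config.json` lines.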
@@ -242,11 +244,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -271,10 +273,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailymultidevicedocstester outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -294,13 +294,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -323,9 +327,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -333,7 +337,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -344,19 +348,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. 
CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"cookie\"] will be automatically added.", @@ -527,7 +531,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -654,8 +658,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -666,7 +670,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
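Review bot: In the `@@ -654,8 +658,8 @@` hunk, the step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are plain YAML strings. The runner does not shell-expand `env:` values, so the step exports the literal text `${GH_AW_HOME}/…` to `start_safe_outputs_server.sh`. A step-level `env:` would also appear to shadow the correctly resolved values that the `Create gh-aw temp directory` step now appends to `$GITHUB_ENV`. The safe-outputs server would then be pointed at a tools/config path that does not exist, rather than the files written a few steps earlier. Either drop the two step-level entries and rely on the `$GITHUB_ENV` values, or use `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and likewise for the config path. The daily-news.lock.yml hunk `@@ -768,8 +772,8 @@` has the same two lines.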
@@ -698,7 +702,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -749,7 +753,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
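Review bot: The `MCP_GATEWAY_DOCKER_COMMAND` context line in this hunk still bind-mounts a fixed `-v /opt:/opt:ro`, while the gateway script path and the `GH_AW_SAFE_OUTPUTS*` variables passed with `-e` now derive from `GH_AW_HOME`. Once `GH_AW_HOME` points outside `/opt`, the container would receive paths it has no mount for. The mount should follow the variable, for example by adding `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro` using the same quoting the line already applies to `GITHUB_WORKSPACE`. Mounting only that directory read-only is also a narrower exposure than all of `/opt`, provided nothing else under `/opt` is needed. The daily-news.lock.yml hunk `@@ -813,7 +817,7 @@` carries the same command.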
@@ -912,15 +916,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -930,7 +934,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -949,9 +953,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -967,18 +971,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1058,9 +1062,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1118,9 +1122,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1164,6 +1168,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-multi-device-docs-tester" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1178,7 +1184,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1203,9 +1209,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1217,9 +1223,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1238,9 +1244,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1256,9 +1262,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1272,6 +1278,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-multi-device-docs-tester" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-multi-device-docs-tester" GH_AW_WORKFLOW_ID: "daily-multi-device-docs-tester" GH_AW_WORKFLOW_NAME: "Multi-Device Docs Tester" 
@@ -1294,7 +1301,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1320,9 +1327,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1352,7 +1359,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1408,8 +1415,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index b7e6051c166..4d93ad392f2 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -51,6 +51,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
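Review bot: The job covered by the `@@ -1352,7 +1359,7 @@` and `@@ -1408,8 +1415,8 @@` hunks (apparently upload_assets) starts using `${GH_AW_HOME}`, but no hunk adds `GH_AW_HOME: /opt/gh-aw` to its `env:`. The line offset stays at +7 from the safe_outputs hunk through the end of the file, so no line was inserted for it. The job header lies outside the hunks, so this is inferred from the offsets. If the variable is indeed unset there, any shell-expanded `${GH_AW_HOME}/actions` collapses to `/actions`. The job needs the same entry the other jobs received, i.e. under the job's `env:` add `GH_AW_HOME: /opt/gh-aw`.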
@@ -65,7 +67,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,7 +89,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -104,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-news.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -121,17 +123,17 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -195,9 +197,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -222,10 +224,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -253,11 +255,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -285,10 +287,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailynews outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -309,13 +309,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - name: Setup Python environment @@ -409,7 +413,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -426,7 +430,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -449,14 +453,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -465,19 +469,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. 
Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"daily-news\".", @@ -648,7 +652,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -768,8 +772,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -780,7 +784,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -813,7 +817,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -861,7 +865,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
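Review bot: `MCP_GATEWAY_DOCKER_COMMAND` on the context line of the hunk at -813 still mounts `-v /opt:/opt:ro`, while the gateway start script and the safe-outputs files now live under `${GH_AW_HOME}`. With GH_AW_HOME outside `/opt`, the container receives `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `GH_AW_SAFE_OUTPUTS_TOOLS_PATH` values that point at paths it cannot see. Mount the home directory itself, following the quoting already used for the workspace mount: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. That also narrows the read-only mount from all of `/opt` to the one directory the gateway apparently needs, which matters on shared self-hosted runners. The step starts before this hunk, so confirm that nothing else under `/opt` is required.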
@@ -900,7 +904,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -938,15 +942,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,TAVILY_API_KEY' @@ -956,7 +960,7 @@ jobs: SECRET_TAVILY_API_KEY: ${{ secrets.TAVILY_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -975,9 +979,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1001,18 +1005,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1107,9 +1111,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1157,9 +1161,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1206,6 +1210,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-news" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1220,7 +1226,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
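Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` in the hunk at -1107 is a single-quoted JavaScript string inside a github-script `script:`, so nothing expands `${GH_AW_HOME}`. Node is asked to resolve a module literally named `${GH_AW_HOME}/actions/...`, which should fail the step. Both lines should use the form the other hunks already have: `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')` and `require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs')`. The literal form also appears in the hunks at -1245, -1259, -1285, -1303 and -1566 of this file, and at -1014, -1135, -1149, -1172 and -1190 of daily-observability-report.lock.yml. It probably comes from generator call sites that still interpolate the shell constant. Because one affected step sets up threat detection, confirm the detection job fails closed when this step errors.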
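Review bot: `destination: ${GH_AW_HOME}/actions` (hunk at -1220) is an action input under `with:`, which GitHub Actions passes through verbatim. Unless ./actions/setup expands the variable itself, the scripts are copied into a directory literally named `${GH_AW_HOME}`. Use `destination: ${{ env.GH_AW_HOME }}/actions`, which resolves against the job-level `GH_AW_HOME` this commit adds. The same line is changed in every "Setup Scripts" step of the patch, for example the hunks at -1330, -1410, -1466 and -1510 of this file.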
@@ -1245,9 +1251,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1259,9 +1265,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1285,9 +1291,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1303,9 +1309,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1317,6 +1323,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} @@ -1330,7 +1338,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1373,9 +1381,9 @@ jobs: FILE_GLOB_FILTER: "memory/daily-news/*.json memory/daily-news/*.jsonl memory/daily-news/*.csv memory/daily-news/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1390,6 +1398,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-news" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-news-weekday" GH_AW_WORKFLOW_ID: "daily-news" GH_AW_WORKFLOW_NAME: "Daily News" 
@@ -1410,7 +1419,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1436,9 +1445,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1455,6 +1464,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailynews steps: - name: Checkout actions folder @@ -1466,7 +1476,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1510,7 +1520,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -1566,8 +1576,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 82ab0c1bf51..c8ab54b0637 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -50,6 +50,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -65,7 +67,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,11 +89,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} 
@@ -110,9 +112,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-observability-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -127,15 +129,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, close_discussion, missing_tool, missing_data, noop @@ -187,9 +189,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -206,10 +208,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -229,11 +231,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -260,10 +262,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyobservabilityreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -283,7 +283,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -319,7 +319,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -342,9 +346,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -354,7 +358,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -363,10 +367,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -380,26 +384,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_discussion":{"max":10},"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[observability] \". Discussions will be created in category \"audits\".", 
@@ -572,7 +576,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_discussion": { "defaultMax": 1, @@ -710,8 +714,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -722,7 +726,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -781,7 +785,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -826,7 +830,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail 
@@ -868,15 +872,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -887,7 +891,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -906,9 +910,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -932,18 +936,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1014,9 +1018,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1050,9 +1054,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1096,6 +1100,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-observability-report" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1110,7 +1116,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1135,9 +1141,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1149,9 +1155,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1172,9 +1178,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1190,9 +1196,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1212,7 +1218,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
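Review bot: The pre_activation job gets `destination: ${GH_AW_HOME}/actions` in the hunk at -1212 and `require(process.env.GH_AW_HOME + ...)` in the next hunk, but no hunk adds `GH_AW_HOME` to this job's `env:`. The line offset is +6 both at the hunk showing the `pre_activation:` header (-1190) and at this one, so nothing was inserted in between. Unless the variable is defined at workflow level outside this patch, the membership check tries to load `undefined/actions/check_membership.cjs`. Add `env:` with `GH_AW_HOME: /opt/gh-aw` to the job as the other jobs do, and confirm that a load failure in this gate leaves `activated` unset rather than true. The job containing the hunks at -1510 and -1566 of daily-news.lock.yml appears to have the same gap.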
@@ -1221,9 +1227,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1238,6 +1244,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-observability-report" GH_AW_ENGINE_ID: "codex" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-observability-report" GH_AW_WORKFLOW_ID: "daily-observability-report" GH_AW_WORKFLOW_NAME: "Daily Observability Report for AWF Firewall and MCP Gateway" @@ -1258,7 +1265,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1284,9 +1291,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 6edd2268d79..c7ede134c99 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml 
@@ -50,6 +50,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -65,7 +67,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,11 +89,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -109,9 +111,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-performance-summary.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -126,16 +128,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, close_discussion, upload_asset, missing_tool, missing_data, noop @@ -195,9 +197,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
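Review bot: `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` in hunk `@@ -126,16 +128,16 @@` expands the variable unquoted, while the `cat "${GH_AW_HOME}/prompts/…"` lines in the same run block quote it. On a self-hosted runner where the directory is configurable, a space or glob character in the path would split the argument; `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"` keeps it one word. The other `run:` steps in this diff (`mkdir -p`, `cat >`, `chmod +x`, and the bare `${GH_AW_HOME}/actions/validate_multi_secret.sh` invocation) use the same unquoted form.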
@@ -216,10 +218,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -241,11 +243,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -272,10 +274,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyperformancesummary outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -296,13 +296,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Python environment run: | mkdir -p /tmp/gh-aw/python/{data,charts,artifacts} @@ -328,7 +332,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -358,14 +362,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -374,19 +378,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_discussion":{"max":10},"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. 
For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[daily performance] \". Discussions will be created in category \"audits\".", @@ -584,7 +588,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_discussion": { "defaultMax": 1, @@ -731,8 +735,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -743,16 +747,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "github-discussion-query", 
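Review bot: In hunk `@@ -731,8 +735,8 @@` the values `${GH_AW_HOME}/safeoutputs/tools.json` and `${GH_AW_HOME}/safeoutputs/config.json` sit in what looks like the step's `env:` mapping, where no shell expansion happens, so the following `export` lines hand the server paths that still contain the literal `${GH_AW_HOME}`. They also shadow the resolved values that the Create gh-aw temp directory step appends to `$GITHUB_ENV`. Dropping the two entries, or writing `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json` (and likewise for the config path), avoids that. The `"logDir": "${GH_AW_HOME}/mcp-scripts/logs"` line in the next hunk has the same problem because the heredoc delimiter `'GH_AW_MCP_SCRIPTS_TOOLS_EOF'` is quoted; the matching hunks in daily-regulatory.lock.yml repeat both.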
@@ -843,7 +847,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -852,17 +856,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + '/mcp-scripts/logs' }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-discussion-query # Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -998,8 +1002,8 @@ jobs: fi GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-discussion-query.sh - cat > /opt/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-issue-query # Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. 
@@ -1079,8 +1083,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-issue-query.sh - cat > /opt/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-pr-query # Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1166,7 +1170,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-pr-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -1199,7 +1203,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -1234,7 +1238,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -1276,7 +1280,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
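Review bot: The gateway command in hunk `@@ -1234,7 +1238,7 @@` still mounts only `-v /opt:/opt:ro`, so when `GH_AW_HOME` points outside `/opt` the container cannot see that directory, while it still receives `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `GH_AW_SAFE_OUTPUTS_TOOLS_PATH` values that now live under it. Whether the gateway reads those files is not visible in this hunk. If it does, a read-only mount scoped to the directory itself, following the existing `GITHUB_WORKSPACE` quoting, would cover it: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`.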
@@ -1314,7 +1318,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -1352,15 +1356,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1370,7 +1374,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -1389,9 +1393,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -1415,27 +1419,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1522,9 +1526,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1571,9 +1575,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1619,6 +1623,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-performance-summary" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1633,7 +1639,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1658,9 +1664,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1672,9 +1678,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1696,9 +1702,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1714,9 +1720,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1731,6 +1737,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-performance-summary" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-performance-summary" GH_AW_WORKFLOW_ID: "daily-performance-summary" GH_AW_WORKFLOW_NAME: "Daily Project Performance Summary Generator (Using MCP Scripts)" @@ -1751,7 +1758,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1777,9 +1784,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1796,6 +1803,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailyperformancesummary steps: - name: Checkout actions folder 
@@ -1807,7 +1815,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1851,7 +1859,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1907,8 +1915,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 965477155dc..0fa4f7df1ad 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -49,6 +49,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -64,7 +66,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -86,11 +88,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -108,9 +110,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-regulatory.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -125,15 +127,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, close_discussion, missing_tool, missing_data, noop @@ -188,9 +190,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -206,10 +208,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -228,11 +230,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -259,10 +261,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyregulatory outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -283,13 +283,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -312,14 +316,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -328,19 +332,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_discussion":{"max":10},"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. 
CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[daily regulatory] \". Discussions will be created in category \"audits\".", @@ -513,7 +517,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_discussion": { "defaultMax": 1, @@ -651,8 +655,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -663,16 +667,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "github-discussion-query", 
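Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` (hunk at -651) are YAML values, not shell text, so the step sees `${GH_AW_HOME}` unexpanded. Being step-level, they should also take precedence over the values the "Create gh-aw temp directory" step wrote to `$GITHUB_ENV`, and the `export` lines in the same step hand that literal to `start_safe_outputs_server.sh`. Either drop the two entries and rely on the `$GITHUB_ENV` values, or write `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`. The hunk at -685 in daily-rendering-scripts-verifier.lock.yml has the same two lines.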
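Review bot: `"logDir": "${GH_AW_HOME}/mcp-scripts/logs"` (hunk at -663) is written inside a heredoc whose delimiter is quoted, `<< 'GH_AW_MCP_SCRIPTS_TOOLS_EOF'`, so the shell copies it verbatim and `tools.json` ends up holding the unexpanded placeholder. Unless the reader of that file expands it, which is not shown here, the configured log directory no longer matches the one created by `mkdir -p ${GH_AW_HOME}/mcp-scripts/logs`. The generated `mcp-server.cjs` in the following hunk already passes `logDir: process.env.GH_AW_HOME + '/mcp-scripts/logs'`, so if nothing else reads the key it could be dropped from the JSON. The heredoc body continues outside this hunk.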
@@ -763,7 +767,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -772,17 +776,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + '/mcp-scripts/logs' }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-discussion-query # Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -918,8 +922,8 @@ jobs: fi GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-discussion-query.sh - cat > /opt/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-issue-query # Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. 
@@ -999,8 +1003,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-issue-query.sh - cat > /opt/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-pr-query # Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1086,7 +1090,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-pr-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -1119,7 +1123,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -1151,7 +1155,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -1193,7 +1197,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
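Review bot: `MCP_GATEWAY_DOCKER_COMMAND`, on the context line above the changed `start_mcp_gateway.sh` call, still mounts `-v /opt:/opt:ro` and passes no `-e GH_AW_HOME`, so with a home outside `/opt` the gateway container would not see the files that `GH_AW_SAFE_OUTPUTS`, `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `GH_AW_SAFE_OUTPUTS_TOOLS_PATH` point to. Mounting the resolved directory in the same quoting style as the workspace mount, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, would follow the variable. If the gateway needs nothing else under `/opt`, that also narrows what the container can read. The hunk at -726 in daily-rendering-scripts-verifier.lock.yml has the same command.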
@@ -1228,7 +1232,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -1266,15 +1270,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1284,7 +1288,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -1303,9 +1307,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -1329,27 +1333,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1421,9 +1425,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1470,9 +1474,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1516,6 +1520,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-regulatory" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1530,7 +1536,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
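Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` in the hunk at -1421 is a single-quoted JavaScript string inside a github-script `script:`, so `${GH_AW_HOME}` is never expanded and the threat-detection setup step cannot load its module. The next hunk of the same job uses the working form, `require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs')`, and the two lines here should match it. The same literal appears in the noop, missing_tool, handle_agent_failure and handle_noop_message steps of the conclusion job and in the corresponding steps of daily-rendering-scripts-verifier.lock.yml. These look like compiled workflow files, so the fix presumably belongs in the generator path that still emits the shell form for these steps. It is worth confirming how the detection guard behaves when this step errors.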
@@ -1555,9 +1561,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1569,9 +1575,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1593,9 +1599,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1611,9 +1617,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1628,6 +1634,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-regulatory" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-regulatory" GH_AW_WORKFLOW_ID: "daily-regulatory" GH_AW_WORKFLOW_NAME: "Daily Regulatory Report Generator" @@ -1648,7 +1655,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1674,9 +1681,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index f817913aa6a..86322604079 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml 
@@ -51,6 +51,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -66,7 +68,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,11 +90,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -110,9 +112,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-rendering-scripts-verifier.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -127,21 +129,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -191,9 +193,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -213,10 +215,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -239,11 +241,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -269,10 +271,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyrenderingscriptsverifier outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -292,7 +292,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -328,10 +328,14 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -361,9 +365,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -371,7 +375,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -382,10 +386,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -399,26 +403,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":72,"max":1,"reviewers":["copilot"],"title_prefix":"[rendering-scripts] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[rendering-scripts] \". Labels [\"rendering\" \"javascript\" \"automated-fix\"] will be automatically added. 
Reviewers [\"copilot\"] will be assigned.", @@ -564,7 +568,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -685,8 +689,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -697,7 +701,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
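Review bot: `mkdir -p ${GH_AW_HOME}`, `cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw` and `chmod +x ${GH_AW_HOME}/gh-aw` (hunk at -399) expand the variable unquoted although `"$GH_AW_BIN"` on the same line is quoted. A runner path containing a space would split into several arguments, and an empty value would make the copy target `/gh-aw`. Quoting and failing on empty covers both: `mkdir -p "${GH_AW_HOME:?}"` and `cp "$GH_AW_BIN" "${GH_AW_HOME}/gh-aw"`. The `bash ${GH_AW_HOME}/actions/...` and `cat > ${GH_AW_HOME}/...` lines throughout both files have the same unquoted form.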
@@ -726,7 +730,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -771,7 +775,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
@@ -922,15 +926,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -940,7 +944,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -959,9 +963,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -977,18 +981,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1066,9 +1070,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
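Review bot: In the `@@ -1066,9 +1070,9 @@` hunk the new `require('${GH_AW_HOME}/actions/setup_globals.cjs')` sits inside a single-quoted JavaScript string in a github-script `script:` block, where neither a shell nor JavaScript expands `${GH_AW_HOME}`, so Node is asked for a module whose path literally starts with `${GH_AW_HOME}`. Every other github-script step in this diff uses `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and these two lines should be generated the same way. The affected step loads `setup_threat_detection.cjs`, so it is worth confirming that the detection job fails closed rather than being bypassed when the require throws. The same literal form is emitted for the noop, missing_tool, handle_agent_failure, handle_noop_message, handle_create_pr_error and upload_assets steps in later hunks of both lock files.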
@@ -1126,9 +1130,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1173,6 +1177,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-rendering-scripts-verifier" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1187,7 +1193,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1212,9 +1218,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
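Review bot: `destination: ${GH_AW_HOME}/actions` in the `@@ -1187,7 +1193,7 @@` hunk is a `with:` input of `uses: ./actions/setup`, and the runner hands `with:` values to the action verbatim, without shell expansion. Unless the setup action expands the variable itself (not visible in this diff), the scripts would be copied to a directory literally named `${GH_AW_HOME}/actions` while later steps read from the resolved path. An expression form such as `destination: ${{ env.GH_AW_HOME }}/actions` is resolved before the action runs. The pre_activation hunk at `@@ -1304,7 +1310,7 @@` makes the same change without a visible `GH_AW_HOME` entry in that job's `env:`, which should be checked as well.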
@@ -1226,9 +1232,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1249,9 +1255,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1267,9 +1273,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error 
@@ -1282,9 +1288,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1304,7 +1310,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1313,9 +1319,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1326,9 +1332,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: 
@@ -1345,6 +1351,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-rendering-scripts-verifier" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-rendering-scripts-verifier" GH_AW_WORKFLOW_ID: "daily-rendering-scripts-verifier" GH_AW_WORKFLOW_NAME: "Daily Rendering Scripts Verifier" @@ -1367,7 +1374,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1422,9 +1429,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1441,6 +1448,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailyrenderingscriptsverifier steps: - name: Checkout actions folder @@ -1452,7 +1460,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index fac4dc56ef5..d6ab0f38478 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml 
@@ -49,6 +49,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,7 +87,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -102,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-repo-chronicle.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -119,16 +121,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -187,9 +189,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -208,10 +210,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -233,11 +235,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -264,10 +266,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyrepochronicle outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -288,13 +288,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -320,7 +324,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -350,14 +354,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -366,19 +370,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. 
CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"📰 \". Discussions will be created in category \"announcements\".", @@ -534,7 +538,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -654,8 +658,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -666,7 +670,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
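Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` in the `@@ -654,8 +658,8 @@` hunk are plain YAML values, so the runner sets them to the literal text rather than an expanded path. Step-level `env:` takes precedence over values written to `$GITHUB_ENV`, so these entries would override the resolved paths that the "Create gh-aw temp directory" step now exports, and the `run:` block then re-exports the literal strings to `start_safe_outputs_server.sh`. Either drop the two entries so the `$GITHUB_ENV` values are inherited, or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`.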
@@ -698,7 +702,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -733,7 +737,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -771,7 +775,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -809,15 +813,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -826,7 +830,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -845,9 +849,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -871,18 +875,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -968,9 +972,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1018,9 +1022,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1066,6 +1070,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-repo-chronicle" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1080,7 +1086,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1105,9 +1111,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1119,9 +1125,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1142,9 +1148,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1160,9 +1166,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1177,6 +1183,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-repo-chronicle" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-repo-chronicle" GH_AW_WORKFLOW_ID: "daily-repo-chronicle" GH_AW_WORKFLOW_NAME: "The Daily Repository Chronicle" @@ -1197,7 +1204,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1223,9 +1230,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1242,6 +1249,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailyrepochronicle steps: - name: Checkout actions folder 
@@ -1253,7 +1261,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1297,7 +1305,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1353,8 +1361,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 200ec8ea669..9ef76f90b0a 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -52,6 +52,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -67,7 +69,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -89,11 +91,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -111,9 +113,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-safe-output-optimizer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -128,16 +130,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -191,9 +193,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -213,10 +215,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -239,11 +241,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -269,10 +271,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailysafeoutputoptimizer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -292,7 +292,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -328,7 +328,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -338,7 +342,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -368,9 +372,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 
@@ -378,7 +382,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -389,10 +393,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -406,26 +410,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[safeoutputs] \". Labels [\"bug\" \"safe-outputs\" \"tool-improvement\" \"automated-analysis\" \"cookie\"] will be automatically added.", 
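Review bot: The rewritten `mkdir -p ${GH_AW_HOME}`, `cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw` and `chmod +x ${GH_AW_HOME}/gh-aw` lines expand the variable unquoted, so a self-hosted path containing spaces is word-split and an empty value makes the copy target `/gh-aw`. Quote each use and stop early when the variable is unset, for example `: "${GH_AW_HOME:?GH_AW_HOME is not set}"` followed by `mkdir -p "${GH_AW_HOME}"`. The same unquoted form is used for the `bash ${GH_AW_HOME}/actions/*.sh` invocations and the `cat > ${GH_AW_HOME}/safeoutputs/…` redirections in the other hunks of these lock files.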
@@ -571,7 +575,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -689,8 +693,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -701,7 +705,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
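Review bot: In the step-level `env:` map of the safe-outputs server step (`@@ -689,8 +693,8 @@`), `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the matching `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` line are plain YAML strings, which the runner does not shell-expand. A step-level `env:` entry also takes precedence over the value that the "Create gh-aw temp directory" step now appends to `$GITHUB_ENV`, so the `export` lines in this step hand the server the unexpanded text. Either drop both entries and rely on the `$GITHUB_ENV` values, or write them as expressions: `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`. The conformance workflow has the same pair at `@@ -601,8 +605,8 @@`.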
@@ -730,7 +734,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -775,7 +779,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
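Review bot: `MCP_GATEWAY_DOCKER_COMMAND` on the unchanged context line still bind-mounts `-v /opt:/opt:ro`, while this hunk moves the gateway start script to `${GH_AW_HOME}`. With GH_AW_HOME set outside /opt, the `GH_AW_SAFE_OUTPUTS*` paths passed with `-e` would name files the container cannot see. Mounting only the gh-aw directory, `-v "${GH_AW_HOME}":"${GH_AW_HOME}":ro`, spliced into the quoted command the same way as the existing `${GITHUB_WORKSPACE}` mount, follows the variable and exposes less of the host than all of /opt. The same command is in the conformance workflow at `@@ -641,7 +645,7 @@`.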
@@ -911,15 +915,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -929,7 +933,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -948,9 +952,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -966,18 +970,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1054,9 +1058,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1114,9 +1118,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1160,6 +1164,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-safe-output-optimizer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1174,7 +1180,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1198,9 +1204,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1211,9 +1217,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1231,9 +1237,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1248,9 +1254,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1270,7 +1276,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -1279,9 +1285,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1292,9 +1298,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1308,6 +1314,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-safe-output-optimizer" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "daily-safe-output-optimizer" GH_AW_WORKFLOW_NAME: "Daily Safe Output Tool Optimizer" outputs: @@ -1329,7 +1336,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1355,9 +1362,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1374,6 +1381,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailysafeoutputoptimizer steps: - name: Checkout actions folder @@ -1385,7 +1393,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index e30e3e1575d..e2d9eb684c8 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -85,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-safe-outputs-conformance.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -124,15 +126,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -184,9 +186,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -202,10 +204,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -224,11 +226,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -252,10 +254,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailysafeoutputsconformance outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -275,13 +275,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -304,9 +308,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -314,7 +318,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -325,19 +329,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":24,"max":10},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 10 issue(s) can be created. 
Title will be prefixed with \"[Safe Outputs Conformance] \". Labels [\"safe-outputs\" \"conformance\" \"automated\"] will be automatically added.", @@ -483,7 +487,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -601,8 +605,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -613,7 +617,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -641,7 +645,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -675,7 +679,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
@@ -792,15 +796,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -810,7 +814,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -829,9 +833,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -847,18 +851,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -929,9 +933,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
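Review bot: The two `require('${GH_AW_HOME}/actions/...')` calls in the `@@ -929,9 +933,9 @@` hunk sit in a single-quoted JavaScript string, which performs no `${}` substitution, so Node is asked for a path that literally starts with `${GH_AW_HOME}` and the step fails before `setup_threat_detection.cjs` is loaded. Every other github-script step in this commit uses `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`; use the same form here. The literal form recurs in the noop, missing_tool, handle_agent_failure and handle_noop_message steps (hunks `@@ -1073,9 +1079,9 @@` to `@@ -1126,9 +1132,9 @@`) and in the matching hunks of daily-secrets-analysis.lock.yml. How the rest of the workflow reacts to a failed detection-setup step is decided outside this hunk, so confirm that agent output is withheld rather than processed unscanned.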
@@ -989,9 +993,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1034,6 +1038,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-safe-outputs-conformance" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1048,7 +1054,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1073,9 +1079,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1087,9 +1093,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1108,9 +1114,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1126,9 +1132,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1142,6 +1148,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-safe-outputs-conformance" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "safe-outputs-conformance" GH_AW_WORKFLOW_ID: "daily-safe-outputs-conformance" GH_AW_WORKFLOW_NAME: "Daily Safe Outputs Conformance Checker" 
@@ -1164,7 +1171,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1190,9 +1197,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index f5f0dd7183b..73bc2842532 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -62,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -84,7 +86,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -101,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-secrets-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -118,15 +120,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, close_discussion, missing_tool, missing_data, noop @@ -178,9 +180,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
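Review bot: `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` in the `@@ -118,15 +120,15 @@` hunk expands the variable unquoted, although the `cat "${GH_AW_HOME}/prompts/xpia.md"` lines just below it quote it. Now that the directory is configurable, a value containing a space or glob character is word-split, and an empty or unset value silently turns the command into `bash /actions/create_prompt_first.sh` (or `mkdir -p /safeoutputs` in the Write Safe Outputs Config step). Quote it and fail fast on an empty value: `bash "${GH_AW_HOME:?}/actions/create_prompt_first.sh"`. The same unquoted form is used for the other `run:` lines this commit touches, including `clean_git_credentials.sh`, `stop_mcp_gateway.sh` and the `cat > ${GH_AW_HOME}/safeoutputs/*.json` redirections.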
@@ -196,10 +198,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -218,11 +220,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -249,10 +251,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailysecretsanalysis outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -273,13 +273,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -302,14 +306,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -318,19 +322,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_discussion":{"max":10},"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. 
CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[daily secrets] \". Discussions will be created in category \"audits\".", @@ -503,7 +507,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_discussion": { "defaultMax": 1, @@ -641,8 +645,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -653,7 +657,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -682,7 +686,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -717,7 +721,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -752,7 +756,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -790,15 +794,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -807,7 +811,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -826,9 +830,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -852,18 +856,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -934,9 +938,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -984,9 +988,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1030,6 +1034,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-secrets-analysis" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1044,7 +1050,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1069,9 +1075,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1083,9 +1089,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1106,9 +1112,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1124,9 +1130,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1141,6 +1147,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-secrets-analysis" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-secrets-analysis" GH_AW_WORKFLOW_ID: "daily-secrets-analysis" GH_AW_WORKFLOW_NAME: "Daily Secrets Analysis Agent" @@ -1161,7 +1168,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1187,9 +1194,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index 726afb903a7..9c4dee81545 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml 
@@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-security-red-team.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -125,15 +127,15 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -186,9 +188,9 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -205,10 +207,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -228,11 +230,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -256,10 +258,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailysecurityredteam outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -279,13 +279,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -308,9 +312,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -318,7 +322,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -329,19 +333,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 5 issue(s) can be created. Title will be prefixed with \"🚨 [SECURITY]\". 
Labels [\"security\" \"red-team\"] will be automatically added.", @@ -487,7 +491,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -605,8 +609,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -617,7 +621,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
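Review bot: In the `@@ -605,8 +609,8 @@` hunk the step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are not shell-expanded. Actions evaluates only `${{ }}` expressions in `env:`, so the step exports the literal text `${GH_AW_HOME}/...` and that is what `start_safe_outputs_server.sh` receives. It also appears to shadow the resolved values that the "Create gh-aw temp directory" step writes to `$GITHUB_ENV` in the `@@ -279,13 +279,17 @@` hunk. Either drop these two lines and rely on the `$GITHUB_ENV` values, or write `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json` (likewise for the config path). The same pattern is in the `@@ -616,8 +620,8 @@` hunk of daily-semgrep-scan.lock.yml. The `destination: ${GH_AW_HOME}/actions` inputs under `with:` are also passed literally, so they work only if `./actions/setup` expands the value itself, which is not visible in this diff.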
@@ -645,7 +649,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -679,7 +683,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
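Review bot: `MCP_GATEWAY_DOCKER_COMMAND` in the `@@ -645,7 +649,7 @@` hunk still carries `-v /opt:/opt:ro` as an unchanged context line, so the gateway container only sees the gh-aw files while `GH_AW_HOME` stays under `/opt`. The container receives `GH_AW_SAFE_OUTPUTS`, `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `GH_AW_SAFE_OUTPUTS_TOOLS_PATH` via `-e`, and on a runner whose home is elsewhere those paths would presumably point at files that are not mounted. Replacing the mount with `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, in the same quoting style as the `GITHUB_WORKSPACE` mount, would track the variable. It would also expose only the gh-aw directory read-only rather than all of `/opt`, to a container that also holds the Docker socket. The same line appears in the `@@ -657,7 +661,7 @@` hunk of daily-semgrep-scan.lock.yml.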
@@ -796,15 +800,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -814,7 +818,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -833,9 +837,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -851,18 +855,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -933,9 +937,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
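Review bot: In the `@@ -933,9 +937,9 @@` hunk the threat-detection setup step calls `require('${GH_AW_HOME}/actions/setup_globals.cjs')`. That is a single-quoted JavaScript string inside a github-script `script:` block, so nothing expands `${GH_AW_HOME}` and Node would try to resolve a module literally named `${GH_AW_HOME}/actions/...`. Every other github-script step in this diff uses `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and these lines should match it, including the second `require` for `setup_threat_detection.cjs`. The same literal form is in the conclusion-job hunks (`noop.cjs`, `missing_tool.cjs`, `handle_agent_failure.cjs`, `handle_noop_message.cjs`) and in the matching hunks of daily-semgrep-scan.lock.yml. Since the broken steps are the threat-detection setup and the failure handlers, please confirm that the workflow fails closed when they throw. The fix likely belongs in the generator for these `.lock.yml` files.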
@@ -993,9 +997,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1038,6 +1042,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-security-red-team" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1052,7 +1058,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1077,9 +1083,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1091,9 +1097,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1112,9 +1118,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1130,9 +1136,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1146,6 +1152,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-security-red-team" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "security-red-team" GH_AW_WORKFLOW_ID: "daily-security-red-team" GH_AW_WORKFLOW_NAME: "Daily Security Red Team Agent" 
@@ -1168,7 +1175,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1194,9 +1201,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index a29e5c2f1a6..79b7f0efde4 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -85,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -107,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-semgrep-scan.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -124,15 +126,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_code_scanning_alert, missing_tool, missing_data, noop @@ -182,9 +184,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -200,10 +202,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -222,11 +224,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -252,10 +254,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailysemgrepscan outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -276,13 +276,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -305,14 +309,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -321,19 +325,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine semgrep/semgrep:latest + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine semgrep/semgrep:latest - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_code_scanning_alert":{"max":0},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a code scanning alert for security vulnerabilities, code quality issues, or other findings. Alerts appear in the repository's Security tab and integrate with GitHub's security features. Use this for automated security analysis results.", 
@@ -490,7 +494,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_code_scanning_alert": { "defaultMax": 40, @@ -616,8 +620,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -628,7 +632,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -657,7 +661,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -705,7 +709,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -739,7 +743,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -777,15 +781,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -795,7 +799,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -814,9 +818,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -840,18 +844,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -922,9 +926,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -971,9 +975,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1016,6 +1020,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-semgrep-scan" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1030,7 +1036,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1054,9 +1060,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1067,9 +1073,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1088,9 +1094,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1105,9 +1111,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1121,6 +1127,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-semgrep-scan" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "daily-semgrep-scan" GH_AW_WORKFLOW_NAME: "Daily Semgrep Scan" outputs: @@ -1140,7 +1147,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1166,9 +1173,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index d43ce017e6e..945926c7836 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -62,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -84,7 +86,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -101,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-syntax-error-quality.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -118,15 +120,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop 
@@ -178,9 +180,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -196,10 +198,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -218,11 +220,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -248,10 +250,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailysyntaxerrorquality outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -272,13 +272,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Go uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: 
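Review bot: The new `run:` block of "Create gh-aw temp directory" uses `${GH_AW_HOME}` unquoted, so on a self-hosted runner whose home path contains whitespace or glob characters the script path is split into several words. Quoting keeps it one argument: `bash "${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh"`. The three `echo ... >> "$GITHUB_ENV"` lines are safe only while the value contains no newline. It is a constant here, but if GH_AW_HOME ever becomes runner-supplied, it should be validated once before being written. The other `run:` hunks (`mkdir -p ${GH_AW_HOME}/safeoutputs`, `cat > ${GH_AW_HOME}/safeoutputs/config.json`, the `bash ${GH_AW_HOME}/actions/...` calls) have the same unquoted form.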
@@ -314,25 +318,25 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > 
${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[syntax-error-quality] \". Labels [\"dx\" \"error-messages\" \"automated-analysis\"] will be automatically added.", @@ -478,7 +482,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -596,8 +600,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -608,7 +612,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
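Review bot: In the step-level `env:` of the safe-outputs server step, `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are plain YAML values, so the variables hold the unexpanded text. The `run:` body only re-exports them. They would presumably also shadow the resolved values that the earlier "Create gh-aw temp directory" step wrote to `$GITHUB_ENV`. The server would then look for its tool and config files at a path that does not exist. Either drop the two lines and rely on the `$GITHUB_ENV` values, or write `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json` (and the same for the config path). The corresponding hunk in daily-team-evolution-insights.lock.yml has the same two lines.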
@@ -636,7 +640,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -670,7 +674,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
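Review bot: The `MCP_GATEWAY_DOCKER_COMMAND` context line still mounts `-v /opt:/opt:ro`, so the gateway container sees GH_AW_HOME read-only only while it stays under /opt. If a self-hosted runner relocates it under /tmp or the workspace, the safeoutputs `config.json`, `tools.json` and `validation.json` land on mounts declared `rw`, and anything in the container could then rewrite the files that constrain safe outputs. Anywhere else they are not mounted at all. An explicit read-only mount in the same quoting style as the workspace mount would keep the guarantee: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. The generator should emit this; the same command appears in the Start MCP Gateway hunk of daily-team-evolution-insights.lock.yml.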
@@ -726,7 +730,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -764,15 +768,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -781,7 +785,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -800,9 +804,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -826,18 +830,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -908,9 +912,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -958,9 +962,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1003,6 +1007,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-syntax-error-quality" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1017,7 +1023,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1042,9 +1048,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1056,9 +1062,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1077,9 +1083,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1095,9 +1101,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1111,6 +1117,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-syntax-error-quality" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-syntax-error-quality" GH_AW_WORKFLOW_ID: "daily-syntax-error-quality" GH_AW_WORKFLOW_NAME: "Daily Syntax Error Quality Check" @@ -1133,7 +1140,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1159,9 +1166,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index 06fd97cef73..2146da33ad9 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml 
@@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-team-evolution-insights.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -124,15 +126,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -184,9 +186,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -202,10 +204,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -224,11 +226,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -255,10 +257,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyteamevolutioninsights outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -278,13 +278,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -307,9 +311,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -317,7 +321,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -328,19 +332,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. 
CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -471,7 +475,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -582,8 +586,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -594,7 +598,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -622,7 +626,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -656,7 +660,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
@@ -773,15 +777,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -791,7 +795,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -810,9 +814,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -828,18 +832,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -910,9 +914,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
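Review bot: In the `@@ -910,9 +914,9 @@` hunk the threat-detection setup step calls `require('${GH_AW_HOME}/actions/setup_globals.cjs')`, and nothing expands `${GH_AW_HOME}` inside a single-quoted JavaScript string, so the path is taken literally and the step would fail to load its script. The other github-script steps in this commit use the working form, `require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs')`, and these two lines should match it. The same literal form appears in the conclusion-job hunks (noop, missing_tool, handle_agent_failure, handle_noop_message) of this file and of daily-team-status.lock.yml. The step's `uses:` line is outside the hunk, so this assumes it is an actions/github-script step like its neighbours.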
@@ -970,9 +974,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1016,6 +1020,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-team-evolution-insights" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1030,7 +1036,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1055,9 +1061,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1069,9 +1075,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1092,9 +1098,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1110,9 +1116,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1127,6 +1133,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-team-evolution-insights" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-team-evolution-insights" GH_AW_WORKFLOW_ID: "daily-team-evolution-insights" GH_AW_WORKFLOW_NAME: "Daily Team Evolution Insights" 
@@ -1147,7 +1154,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1173,9 +1180,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index dbcbfd9b83e..0e741bbd0ea 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -57,6 +57,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -72,7 +74,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -94,11 +96,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -116,9 +118,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-team-status.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -133,15 +135,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -191,9 +193,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -210,10 +212,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -233,11 +235,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -262,10 +264,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyteamstatus outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -286,13 +286,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -315,14 +319,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -331,19 +335,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. 
Title will be prefixed with \"[team-status] \". Labels [\"automation\" \"daily-report\"] will be automatically added.", @@ -489,7 +493,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -607,8 +611,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -619,7 +623,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
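Review bot: The step-level `env:` entries added in the `@@ -607,8 +611,8 @@` hunk, `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the matching CONFIG_PATH, are plain YAML values that the runner does not shell-expand, so the `export` lines below hand the literal text to start_safe_outputs_server.sh. They also shadow the resolved values that the "Create gh-aw temp directory" step writes to `$GITHUB_ENV`, assuming both steps sit in the same job (the job header is outside the hunk). Dropping the two entries from this step's `env:` would let the resolved paths apply.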
@@ -648,7 +652,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -683,7 +687,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -717,7 +721,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -755,15 +759,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -773,7 +777,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -792,9 +796,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -818,18 +822,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -900,9 +904,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -949,9 +953,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -994,6 +998,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-team-status" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1008,7 +1014,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1035,9 +1041,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1051,9 +1057,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1075,9 +1081,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1095,9 +1101,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1117,7 +1123,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check stop-time limit id: check_stop_time uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1126,9 +1132,9 @@ jobs: GH_AW_WORKFLOW_NAME: "Daily Team Status" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_stop_time.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_stop_time.cjs'); await main(); safe_outputs: @@ -1142,6 +1148,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-team-status" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-team-status" GH_AW_WORKFLOW_ID: "daily-team-status" GH_AW_WORKFLOW_NAME: "Daily Team Status" @@ -1166,7 +1173,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
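Review bot: The pre_activation steps in the `@@ -1117,7 +1123,7 @@` and `@@ -1126,9 +1132,9 @@` hunks now depend on GH_AW_HOME, but no hunk adds it to that job: the line offset stays at +6 from the preceding conclusion-job hunk, whereas the other jobs in this file gain `GH_AW_HOME: /opt/gh-aw` under `env:`. Unless the variable is set at workflow level (not visible here), `process.env.GH_AW_HOME` is undefined in the stop-time check and `require` is handed `undefined/actions/setup_globals.cjs`, so the activation gate errors instead of evaluating. Adding `env:` with `GH_AW_HOME: /opt/gh-aw` to pre_activation would match the other jobs. Separately, `destination: ${GH_AW_HOME}/actions` is an action input that the runner does not shell-expand, so it only works if ./actions/setup expands it itself.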
@@ -1192,9 +1199,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index b7b9e96efb5..fbf3c8897d1 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -53,6 +53,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -67,7 +69,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +91,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -106,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-testify-uber-super-expert.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -123,16 +125,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -190,9 +192,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -215,10 +217,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -244,11 +246,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -274,10 +276,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailytestifyubersuperexpert outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -298,13 +298,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) env: @@ -314,7 +318,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -337,14 +341,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -353,19 +357,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":51200,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. 
Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[testify-expert] \". Labels [\"testing\" \"code-quality\" \"automated-analysis\" \"cookie\"] will be automatically added.", @@ -526,7 +530,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -644,8 +648,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -656,7 +660,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -685,7 +689,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -728,7 +732,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
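Review bot: The gateway container in `MCP_GATEWAY_DOCKER_COMMAND` still mounts the fixed path `-v /opt:/opt:ro`, while the start script and the `GH_AW_SAFE_OUTPUTS*` paths passed with `-e` now follow `GH_AW_HOME`. With a home outside `/opt` the container cannot see those files. With a home under `/tmp` or the workspace they fall under the `:rw` mounts, so the safe-outputs config and tools files lose the read-only protection they have today. Consider an explicit read-only mount in the same quoting style as the workspace one, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. The same command appears in daily-workflow-updater.lock.yml.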
@@ -784,7 +788,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -822,15 +826,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -839,7 +843,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -858,9 +862,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -884,18 +888,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -975,9 +979,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1025,9 +1029,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1071,6 +1075,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-testify-uber-super-expert" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1085,7 +1091,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
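Review bot: The added `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')` are single-quoted JavaScript strings in a github-script `script:` block, so nothing expands `${GH_AW_HOME}` and Node is asked for a path that literally starts with `${GH_AW_HOME}`. The other github-script steps in this diff use the working form, `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and these should match it. The same literal form appears in the conclusion-job steps of both lock files (noop, missing_tool, handle_agent_failure, handle_noop_message, and handle_create_pr_error in daily-workflow-updater.lock.yml). Because this step prepares threat detection, check that a load failure makes the later detection steps fail closed rather than be skipped. The lock files look like compiler output, so the fix probably belongs where the require argument is generated, for example through the `JsRequireGhAw` helper this commit adds.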
@@ -1110,9 +1116,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1124,9 +1130,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1148,9 +1154,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1166,9 +1172,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1188,7 +1194,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1197,9 +1203,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1210,9 +1216,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); push_repo_memory: 
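Review bot: No hunk adds `GH_AW_HOME` to the pre_activation job, whereas conclusion, push_repo_memory and safe_outputs each gain `GH_AW_HOME: /opt/gh-aw`. Its "Check team membership" and "Check skip-if-match" steps now call `require(process.env.GH_AW_HOME + '/actions/check_membership.cjs')`. Unless `./actions/setup` exports the variable (not visible here), `process.env.GH_AW_HOME` is undefined in those steps and the module path becomes `undefined/actions/check_membership.cjs`. This job is the membership gate, so add an `env:` block with `GH_AW_HOME: /opt/gh-aw` to pre_activation like the other jobs. Also confirm that downstream jobs treat a failed load as "not authorized".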
@@ -1224,6 +1230,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} @@ -1237,7 +1245,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1280,9 +1288,9 @@ jobs: FILE_GLOB_FILTER: "memory/testify-expert/*.json memory/testify-expert/*.txt" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1296,6 +1304,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-testify-uber-super-expert" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-testify-uber-super-expert" GH_AW_WORKFLOW_ID: "daily-testify-uber-super-expert" GH_AW_WORKFLOW_NAME: "Daily Testify Uber Super Expert" @@ -1318,7 +1327,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1344,9 +1353,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 02b891f86ec..dcb892788ee 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -44,6 +44,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -58,7 +60,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -80,7 +82,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -97,9 +99,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-workflow-updater.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -114,20 +116,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' 
@@ -172,9 +174,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -190,10 +192,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -212,11 +214,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -242,10 +244,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyworkflowupdater outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -266,13 +266,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -295,14 +299,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -311,19 +315,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":24,"max":1,"title_prefix":"[actions] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. 
CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[actions] \". Labels [\"dependencies\" \"automation\"] will be automatically added.", @@ -469,7 +473,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -590,8 +594,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -602,7 +606,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -631,7 +635,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -666,7 +670,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -701,7 +705,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -739,15 +743,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -756,7 +760,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -775,9 +779,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -801,18 +805,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -884,9 +888,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -934,9 +938,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -980,6 +984,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-workflow-updater" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -994,7 +1000,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1019,9 +1025,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1033,9 +1039,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1056,9 +1062,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1074,9 +1080,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1089,9 +1095,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1108,6 +1114,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-workflow-updater" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-workflow-updater" GH_AW_WORKFLOW_ID: "daily-workflow-updater" GH_AW_WORKFLOW_NAME: "Daily Workflow Updater" @@ -1130,7 +1137,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1185,9 +1192,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index 5e478e2e05b..3df8959cb81 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -47,6 +47,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -61,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -83,7 +85,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -100,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "dead-code-remover.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -118,21 +120,21 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' 
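Review bot: `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` expands the variable unquoted, while the `cat "${GH_AW_HOME}/prompts/…"` lines in the same hunk quote it. The purpose of GH_AW_HOME is that the path is no longer fixed, so on a self-hosted runner a value containing spaces or glob characters would be word-split and a different path executed. Quote it: `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"`. The other `run:` lines in this file (`mkdir -p`, the `cat >` redirections, and the remaining `bash ${GH_AW_HOME}/actions/*.sh` calls) have the same unquoted form. The run block continues past the end of this hunk.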
@@ -180,9 +182,9 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -203,10 +205,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -230,11 +232,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -260,10 +262,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: deadcoderemover outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -284,7 +284,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -297,13 +297,17 @@ jobs: - name: Capture GOROOT for AWF chroot mode run: echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV" - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Install deadcode analyzer run: go install golang.org/x/tools/cmd/deadcode@latest # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -333,14 +337,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -350,19 +354,19 @@ jobs: CUSTOM_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":72,"max":1,"reviewers":["copilot"],"title_prefix":"[dead-code] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. 
CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[dead-code] \". Labels [\"chore\" \"dead-code\"] will be automatically added. Reviewers [\"copilot\"] will be assigned.", @@ -508,7 +512,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -629,8 +633,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -641,7 +645,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
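Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are plain YAML strings, which the runner does not shell-expand. The step then exports them, so `start_safe_outputs_server.sh` presumably receives paths that begin with the literal characters `${GH_AW_HOME}`. They also shadow the expanded values that the "Create gh-aw temp directory" step now appends to `$GITHUB_ENV`, since step `env:` takes precedence. Either delete these two entries so the `$GITHUB_ENV` values apply, or write them as expressions, e.g. `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`.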
@@ -670,7 +674,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -705,7 +709,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
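Review bot: The gateway container in this step still mounts `-v /opt:/opt:ro`, so the safe-outputs files are visible inside it only while GH_AW_HOME stays under `/opt`. With this patch GH_AW_SAFE_OUTPUTS, GH_AW_SAFE_OUTPUTS_CONFIG_PATH and GH_AW_SAFE_OUTPUTS_TOOLS_PATH follow GH_AW_HOME and are forwarded with `-e`, so a runner that relocates GH_AW_HOME would hand the container paths it cannot read. Consider mounting the resolved directory instead, following the quoting already used for GITHUB_WORKSPACE: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. That also narrows the mount from all of `/opt` to the one directory the gateway needs. The run block starts before this hunk, so other mounts may exist outside the visible lines.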
@@ -740,7 +744,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -778,15 +782,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -795,7 +799,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -814,9 +818,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -840,18 +844,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -929,9 +933,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -979,9 +983,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1026,6 +1030,8 @@ jobs: concurrency: group: "gh-aw-conclusion-dead-code-remover" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1040,7 +1046,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1064,9 +1070,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1077,9 +1083,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1099,9 +1105,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1116,9 +1122,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1130,9 +1136,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1152,7 +1158,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1161,9 +1167,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match 
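Review bot: The `pre_activation` job now depends on GH_AW_HOME (`destination: ${GH_AW_HOME}/actions` here, `process.env.GH_AW_HOME` in the check_membership and check_skip_if_match steps), but no hunk adds `GH_AW_HOME: /opt/gh-aw` to this job as was done for the other jobs in the file. The hunk offsets before and after the job header are both +6, so nothing was inserted in between. Unless the variable is set at workflow level or by the runner (not visible here), `process.env.GH_AW_HOME` is undefined and the require path becomes `undefined/actions/check_membership.cjs`. This job appears to gate activation of the agent, so it is worth confirming that downstream jobs treat a failed membership step as denied. Add a job-level `env:` block with `GH_AW_HOME: /opt/gh-aw` to `pre_activation`.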
@@ -1174,9 +1180,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1193,6 +1199,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/dead-code-remover" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "dead-code-remover" GH_AW_WORKFLOW_NAME: "Dead Code Removal Agent" outputs: @@ -1214,7 +1221,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1269,9 +1276,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1288,6 +1295,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: deadcoderemover steps: - name: Checkout actions folder 
@@ -1299,7 +1307,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index fa027419056..81377a0519a 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -49,6 +49,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -64,7 +66,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +88,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} 
@@ -109,9 +111,9 @@ jobs: GH_AW_WORKFLOW_FILE: "deep-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,17 +128,17 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, create_discussion, upload_asset, missing_tool, missing_data, noop 
@@ -194,9 +196,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -221,10 +223,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -252,11 +254,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -284,10 +286,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: deepreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -307,7 +307,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -343,7 +343,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: 
@@ -354,7 +358,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -371,7 +375,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -394,9 +398,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -406,7 +410,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -415,10 +419,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -432,26 +436,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":168,"max":1},"create_issue":{"expires":48,"group":true,"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":1048576,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 3 issue(s) can be created. 
Title will be prefixed with \"[deep-report] \". Labels [\"automation\" \"improvement\" \"quick-win\" \"cookie\"] will be automatically added.", @@ -671,7 +675,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -824,8 +828,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -836,7 +840,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -898,7 +902,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -943,7 +947,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail 
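Review bot: In the safe-outputs server hunk (-824), `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the matching `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` are step-level `env:` values, which the runner passes through without shell expansion. The step therefore exports the literal string `${GH_AW_HOME}/safeoutputs/...`, and it also shadows the resolved values that the "Create gh-aw temp directory" step wrote to `$GITHUB_ENV`. Either drop the two entries so the `$GITHUB_ENV` values apply, or use `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and the same form for the config path. It is worth checking how `start_safe_outputs_server.sh` behaves when these files cannot be found, since they carry the safe-output limits. The delight workflow's hunk at -699 has the same two lines.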
@@ -988,15 +992,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -1007,7 +1011,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -1026,9 +1030,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -1052,18 +1056,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1158,9 +1162,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
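Review bot: In the threat-detection setup hunk (-1158), `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and the `setup_threat_detection.cjs` line below it use single-quoted JavaScript strings, in which `${GH_AW_HOME}` is not interpolated, so Node would look for a path that literally starts with `${GH_AW_HOME}` and the step would throw. The other github-script hunks in this patch use `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, which is the form needed here as well. The same literal form appears in the noop, missing_tool, handle_agent_failure, handle_noop_message and upload_assets hunks, in both workflows. Because this step prepares threat detection, it should be confirmed that a failure here blocks the downstream jobs rather than letting them run without the check.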
@@ -1194,9 +1198,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1243,6 +1247,8 @@ jobs: concurrency: group: "gh-aw-conclusion-deep-report" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1257,7 +1263,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1282,9 +1288,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1296,9 +1302,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1322,9 +1328,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1340,9 +1346,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1354,6 +1360,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} 
@@ -1367,7 +1375,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1410,9 +1418,9 @@ jobs: FILE_GLOB_FILTER: "memory/deep-report/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1427,6 +1435,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/deep-report" GH_AW_ENGINE_ID: "codex" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "deep-report-intel-agent" GH_AW_WORKFLOW_ID: "deep-report" GH_AW_WORKFLOW_NAME: "DeepReport - Intelligence Gathering Agent" @@ -1449,7 +1458,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1475,9 +1484,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() 
@@ -1494,6 +1503,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: deepreport steps: - name: Checkout actions folder @@ -1505,7 +1515,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1549,7 +1559,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1605,8 +1615,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 17858ede622..833e9d4a8c8 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -49,6 +49,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -85,7 +87,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -102,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "delight.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -119,16 +121,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, create_discussion, missing_tool, missing_data, noop 
@@ -183,9 +185,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -207,10 +209,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -235,11 +237,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -266,10 +268,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: delight outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -290,13 +290,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" @@ -309,7 +313,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -332,14 +336,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -348,19 +352,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":168,"max":1},"create_issue":{"expires":48,"group":true,"max":2},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. 
Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 2 issue(s) can be created. Labels [\"delight\" \"cookie\"] will be automatically added.", @@ -555,7 +559,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -699,8 +703,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -711,7 +715,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -740,7 +744,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -775,7 +779,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
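Review bot: The gateway start line now reads its script from `${GH_AW_HOME}`, but the `MCP_GATEWAY_DOCKER_COMMAND` in the context line above it still mounts only `-v /opt:/opt:ro` for the install tree. With `GH_AW_HOME` outside `/opt`, the paths handed to the container through `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH` would not exist inside it. Mounting the home directory itself read-only, following the quoting already used for the workspace mount, would fix that and narrow what the container can read: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. The command is built outside this hunk, so this may be handled elsewhere in the series.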
@@ -833,7 +837,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -871,15 +875,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -888,7 +892,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -907,9 +911,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -933,18 +937,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1024,9 +1028,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1074,9 +1078,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1121,6 +1125,8 @@ jobs: concurrency: group: "gh-aw-conclusion-delight" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1135,7 +1141,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
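Review bot: The two `require('${GH_AW_HOME}/actions/...')` calls in this threat-detection setup step are single-quoted JavaScript strings, so nothing expands `${GH_AW_HOME}` and Node is asked for a path that literally starts with `${GH_AW_HOME}`. The step would fail before `setup_threat_detection.cjs` runs, and depending on how the later detection steps are gated, that may leave the detection job without its setup. The other github-script steps in this patch use a form that resolves, `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`. The same quoted form appears in the noop, missing_tool, handle_agent_failure and handle_noop_message steps of the conclusion job, and in the matching steps of dependabot-burner.lock.yml. Since these files look generated, the fix presumably belongs in the code that emits the require path.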
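Review bot: `destination: ${GH_AW_HOME}/actions` sits under `with:`, where the runner does no shell expansion, so `./actions/setup` receives the literal text unless the action expands it itself (its implementation is not visible in this diff). If it does not, the scripts land in a directory literally named `${GH_AW_HOME}` and every later `${GH_AW_HOME}/actions/...` lookup misses them. An expression resolves before the action starts: `destination: ${{ env.GH_AW_HOME }}/actions`. The same line recurs in every job's Setup Scripts step in this patch.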
@@ -1160,9 +1166,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1174,9 +1180,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1201,9 +1207,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1219,9 +1225,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1233,6 +1239,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} @@ -1246,7 +1254,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1289,9 +1297,9 @@ jobs: FILE_GLOB_FILTER: "memory/delight/*.json memory/delight/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: 
@@ -1306,6 +1314,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/delight" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📊 *User experience analysis by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📊 Delight Agent starting! [{workflow_name}]({run_url}) is analyzing user-facing aspects for improvement opportunities...\",\"runSuccess\":\"✅ Analysis complete! [{workflow_name}]({run_url}) has identified targeted improvements for user experience.\",\"runFailure\":\"⚠️ Analysis interrupted! [{workflow_name}]({run_url}) {status}. Please review the logs...\"}" GH_AW_TRACKER_ID: "delight-daily" GH_AW_WORKFLOW_ID: "delight" @@ -1329,7 +1338,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1355,9 +1364,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index 5617e459fdc..b1c1defcbd6 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -45,6 +45,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -60,7 +62,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -82,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -104,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "dependabot-burner.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -121,15 +123,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -176,9 +178,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -195,10 +197,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -218,11 +220,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -247,10 +249,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dependabotburner outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -271,13 +271,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -300,14 +304,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -316,19 +320,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[dependabot-burner] \".", 
@@ -474,7 +478,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -592,8 +596,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -604,7 +608,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
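Review bot: `GH_AW_SAFE_OUTPUTS_TOOLS_PATH` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` in this step's `env:` are now `${GH_AW_HOME}/safeoutputs/...`, which the runner passes through verbatim; the `export` lines in the script do not re-expand it, so `start_safe_outputs_server.sh` would see a path beginning with the literal `${GH_AW_HOME}`. A step-level value also overrides the expanded ones that the "Create gh-aw temp directory" step writes to `$GITHUB_ENV` earlier in the same job, so the server may start without the intended tools and config files. Either drop the two keys from this step's `env:` or write them as expressions, e.g. `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`. The step's header is outside the hunk, and dependabot-go-checker.lock.yml carries the same pair.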
@@ -633,7 +637,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -668,7 +672,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
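Review bot: The gateway container still mounts a fixed `-v /opt:/opt:ro` in `MCP_GATEWAY_DOCKER_COMMAND`, while this hunk makes the launcher path follow `${GH_AW_HOME}`. Once a runner sets `GH_AW_HOME` outside `/opt`, the `GH_AW_SAFE_OUTPUTS*` paths passed with `-e` would point at files the container cannot see. Mounting the resolved directory read-only instead keeps the two in step and also narrows what the container can read, for example `-v "${GH_AW_HOME}":"${GH_AW_HOME}":ro` spliced in the same way `${GITHUB_WORKSPACE}` is. The run block starts and ends outside the hunk.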
@@ -702,7 +706,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -740,15 +744,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -758,7 +762,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -777,9 +781,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -803,18 +807,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -885,9 +889,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -934,9 +938,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -979,6 +983,8 @@ jobs: concurrency: group: "gh-aw-conclusion-dependabot-burner" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -993,7 +999,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1017,9 +1023,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1030,9 +1036,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1051,9 +1057,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1068,9 +1074,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1090,7 +1096,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1099,9 +1105,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1115,6 +1121,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/dependabot-burner" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "dependabot-burner" GH_AW_WORKFLOW_NAME: "Dependabot Burner" outputs: @@ -1136,7 +1143,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
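Review bot: The `pre_activation` job now uses `${GH_AW_HOME}` in its Setup Scripts step and `process.env.GH_AW_HOME` in the membership check, but no `GH_AW_HOME` is added to this job. The hunk offsets stay at +6 from the `pre_activation:` header through `@@ -1099,9 +1105,9 @@`, whereas every other job in the file gains an `env:` entry. Unless a workflow-level `env:` outside these hunks supplies it, `require(process.env.GH_AW_HOME + '/actions/check_membership.cjs')` resolves to `undefined/actions/check_membership.cjs` and the access gate errors out instead of evaluating membership. Adding `env:` with `GH_AW_HOME: /opt/gh-aw` to this job, as done for the others, closes the gap. It is also worth confirming that downstream jobs treat a failed `pre_activation` as "not activated".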
@@ -1162,9 +1169,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index 864ffecf897..d3e0f3c5751 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -43,6 +43,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -58,7 +60,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -80,11 +82,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
@@ -102,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "dependabot-go-checker.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -119,15 +121,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, close_issue, missing_tool, missing_data, noop @@ -175,9 +177,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -193,10 +195,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -215,11 +217,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -246,10 +248,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dependabotgochecker outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -270,13 +270,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -299,14 +303,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -315,19 +319,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_issue":{"max":20,"required_title_prefix":"[deps]","target":"*"},"create_issue":{"expires":48,"group":true,"max":10},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. 
CONSTRAINTS: Maximum 10 issue(s) can be created. Title will be prefixed with \"[deps]\". Labels [\"dependencies\" \"go\" \"cookie\"] will be automatically added.", @@ -505,7 +509,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_issue": { "defaultMax": 1, @@ -641,8 +645,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -653,7 +657,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
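Review bot: In the safe-outputs server step's `env:` block, `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the matching `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` line are not shell contexts, so the step receives the literal text `${GH_AW_HOME}/...` rather than a resolved path. That step-level value would also take precedence over the resolved paths the "Create gh-aw temp directory" step now appends to `$GITHUB_ENV`, so unless `start_safe_outputs_server.sh` re-expands the string, the server looks for its tools and config files at a path that does not exist. Either drop the two step-level entries and rely on the `$GITHUB_ENV` values, or use the expression form `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`. The `destination: ${GH_AW_HOME}/actions` inputs under `with:` have the same problem unless `./actions/setup` expands the variable itself, which is not visible here. dev-hawk.lock.yml repeats both patterns.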
@@ -682,7 +686,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -717,7 +721,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
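Review bot: The `MCP_GATEWAY_DOCKER_COMMAND` context line in the "Start MCP Gateway" hunk still mounts `-v /opt:/opt:ro`, so the gateway container only sees the gh-aw files while `GH_AW_HOME` stays under `/opt`. Once a self-hosted runner points `GH_AW_HOME` elsewhere, the paths passed through `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH` would not exist inside the container. Consider mounting the resolved directory instead, e.g. `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, which also narrows the read-only exposure from all of `/opt` to the one directory the gateway needs. The same line appears in dev-hawk.lock.yml, and the step continues outside this hunk.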
@@ -751,7 +755,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -789,15 +793,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -807,7 +811,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -826,9 +830,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -852,18 +856,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -934,9 +938,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -983,9 +987,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1028,6 +1032,8 @@ jobs: concurrency: group: "gh-aw-conclusion-dependabot-go-checker" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1042,7 +1048,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
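Review bot: The two `require('${GH_AW_HOME}/actions/…')` calls in the threat-detection setup script are plain single-quoted JavaScript strings, so nothing expands `${GH_AW_HOME}` and Node tries to resolve the literal text as a module name. The other github-script steps in this patch use the environment lookup, and these should too: `const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs');`. The same literal form appears in the conclusion job's noop, missing_tool, handle_agent_failure and handle_noop_message steps, and again in dev-hawk.lock.yml, which suggests one generator path still emits the shell form into JS. As written the threat-detection setup step would fail to load its script; whether that blocks or silently skips detection depends on step conditions outside this hunk, so it is worth confirming the failure is fail-closed.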
@@ -1066,9 +1072,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1079,9 +1085,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1100,9 +1106,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1117,9 +1123,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1133,6 +1139,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/dependabot-go-checker" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "dependabot-go-checker" GH_AW_WORKFLOW_NAME: "Dependabot Dependency Checker" outputs: @@ -1154,7 +1161,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1180,9 +1187,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 20a1f9c0ab1..821fdef93c4 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -54,6 +54,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -68,7 +70,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,7 +92,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -107,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "dev-hawk.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,15 +132,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop 
@@ -192,9 +194,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -217,10 +219,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -246,11 +248,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -276,10 +278,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: devhawk outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -300,7 +300,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -336,7 +336,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -359,14 +363,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -375,10 +379,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -392,26 +396,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1,"target":"*"},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. 
NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added. Target: *.", @@ -545,7 +549,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -648,8 +652,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -660,7 +664,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
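Review bot: The new `${GH_AW_HOME}` expansions in the "Install gh-aw extension" script are unquoted (`mkdir -p ${GH_AW_HOME}`, `cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw`, `chmod +x ${GH_AW_HOME}/gh-aw`), so a home directory containing spaces or glob characters is word-split by the shell. Now that the path is meant to be configurable on self-hosted runners, quote each use, e.g. `cp "$GH_AW_BIN" "${GH_AW_HOME}/gh-aw"`. The same applies to the `bash ${GH_AW_HOME}/actions/…` and `cat > ${GH_AW_HOME}/safeoutputs/…` lines in the neighbouring hunks of both workflows.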
@@ -690,7 +694,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -737,7 +741,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -788,7 +792,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -826,15 +830,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -843,7 +847,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -862,9 +866,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -888,18 +892,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -970,9 +974,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1020,9 +1024,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1067,6 +1071,8 @@ jobs: concurrency: group: "gh-aw-conclusion-dev-hawk" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1081,7 +1087,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1105,9 +1111,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1118,9 +1124,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1139,9 +1145,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1156,9 +1162,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1179,7 +1185,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1188,9 +1194,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1206,6 +1212,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/dev-hawk" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🦅 *Observed from above by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🦅 Dev Hawk circles the sky! [{workflow_name}]({run_url}) is monitoring this {event_type} from above...\",\"runSuccess\":\"🦅 Hawk eyes report! [{workflow_name}]({run_url}) has completed reconnaissance. Intel delivered! 🎯\",\"runFailure\":\"🦅 Hawk down! [{workflow_name}]({run_url}) {status}. The skies grow quiet...\"}" GH_AW_WORKFLOW_ID: "dev-hawk" GH_AW_WORKFLOW_NAME: "Dev Hawk" 
@@ -1228,7 +1235,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1254,9 +1261,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index 6360da31a7d..abc878157e5 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -43,6 +43,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -57,7 +59,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -79,7 +81,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -96,9 +98,9 @@ jobs: GH_AW_WORKFLOW_FILE: "dev.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -113,15 +115,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -168,9 +170,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -186,10 +188,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -208,11 +210,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -238,10 +240,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dev outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -262,13 +262,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -291,14 +295,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
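Review bot: `${GH_AW_HOME}` is expanded unquoted in the new `run:` lines, here as `bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh` and in the `mkdir -p`, `cat >` and other `bash` invocations throughout the patch. A self-hosted install path containing spaces or glob characters would be split into several words, so a different file could be executed or written. Quote it: `bash "${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh"`. Scripts loaded from this directory later run in steps that are handed repository tokens, so on a self-hosted runner the directory should be writable only by the runner account. A comment next to the `GH_AW_HOME: /opt/gh-aw` default stating that requirement would help operators who override it.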
@@ -307,19 +311,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":168,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. 
Title will be prefixed with \"[Daily Report] \".", @@ -465,7 +469,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -583,8 +587,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -595,7 +599,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
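Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are not shell-expanded by the runner. The step therefore receives the literal text, which overrides the resolved values that the earlier "Create gh-aw temp directory" step wrote to `$GITHUB_ENV`. The script then exports both variables unchanged before launching `start_safe_outputs_server.sh`, so the server would be pointed at config and tools files that do not exist. Either drop the two entries and rely on `$GITHUB_ENV`, or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and the matching config path. The developer-docs-consolidator workflow has the same pair, and it is worth checking that the server refuses to start rather than running without its limits when the config is missing.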
@@ -624,7 +628,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -659,7 +663,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
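Review bot: The gateway container in this hunk still receives its files through the fixed mount `-v /opt:/opt:ro`, while the paths passed with `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH` now resolve under `GH_AW_HOME`. On a runner where that directory is not below `/opt`, the container would be given paths it cannot see. Mount the resolved directory itself, read-only and no wider than that directory, using the quote-break pattern the command already applies to `GITHUB_WORKSPACE`: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. The identical command in developer-docs-consolidator.lock.yml needs the same change.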
@@ -694,7 +698,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -732,15 +736,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -749,7 +753,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -768,9 +772,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -794,18 +798,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -876,9 +880,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -926,9 +930,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -971,6 +975,8 @@ jobs: concurrency: group: "gh-aw-conclusion-dev" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -985,7 +991,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1009,9 +1015,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1022,9 +1028,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1042,9 +1048,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1059,9 +1065,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1075,6 +1081,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/dev" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "dev" GH_AW_WORKFLOW_NAME: "Dev" outputs: @@ -1096,7 +1103,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1122,9 +1129,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index b8ba9d7a0e6..a8d87288007 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -49,6 +49,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -64,7 +66,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +88,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +110,9 @@ jobs: GH_AW_WORKFLOW_FILE: "developer-docs-consolidator.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -125,22 +127,22 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -193,9 +195,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -220,10 +222,10 @@ jobs: GH_AW_WIKI_NOTE: "\n\n> **GitHub Wiki**: This memory is backed by the GitHub Wiki for this repository. Files use GitHub Wiki Markdown syntax. Follow GitHub Wiki conventions when creating or editing pages (e.g., use standard Markdown headers, use `[[Page Name]]` syntax for internal wiki links, name page files with spaces replaced by hyphens or use the wiki page title as the filename)." with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -251,11 +253,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -281,10 +283,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: developerdocsconsolidator outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -304,16 +304,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -330,7 +334,7 @@ jobs: TARGET_REPO: ${{ github.repository }}.wiki MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: false - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -353,9 +357,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -363,7 +367,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -374,19 +378,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":168,"max":1},"create_pull_request":{"expires":48,"max":1,"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":10240,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, 
Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -581,7 +585,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -728,8 +732,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -740,7 +744,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -768,7 +772,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -818,7 +822,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
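Review bot: `MCP_GATEWAY_DOCKER_COMMAND` still bind-mounts a fixed `-v /opt:/opt:ro`, while the files handed to the gateway now live under `${GH_AW_HOME}`. With a home outside `/opt`, the container would not see the paths named by `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `GH_AW_SAFE_OUTPUTS_TOOLS_PATH`. If nothing else under `/opt` is needed by the gateway (to be confirmed), mounting only the home directory fixes this and narrows what the container can read: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, following the quoting already used for `GITHUB_WORKSPACE` on the same line. The `@@ -637,7 +641,7 @@` hunk of dictation-prompt.lock.yml carries the same command.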
@@ -964,15 +968,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -982,7 +986,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -1001,9 +1005,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
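Review bot: The "Redact secrets in logs" step in the `@@ -964,15 +968,15 @@` hunk now loads its code from `process.env.GH_AW_HOME`, a job-level variable that earlier steps in the same job may be able to redefine through `$GITHUB_ENV`. The step runs after the agent step with secret values in its environment (`GH_AW_SECRET_NAMES`, `SECRET_GITHUB_TOKEN`). With the previous literal path the load location could not be redirected this way; whether the agent step can actually reach `$GITHUB_ENV` is not visible in this patch and needs confirming. I would document the assumption in the generated step, e.g. `# GH_AW_HOME must be a directory the agent step cannot modify; scripts loaded from it run with the secrets below`, and have the generator pin or validate the value before the post-agent steps.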
@@ -1019,18 +1023,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1117,9 +1121,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
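Review bot: The two `require('${GH_AW_HOME}/actions/...')` calls in the `@@ -1117,9 +1121,9 @@` hunk put shell syntax inside a single-quoted JavaScript string, which neither Node nor the runner expands, so this `github-script` step would try to load a path that literally begins with `${GH_AW_HOME}` and fail. They should match the form used in the neighbouring hunks (presumably the generator emitted the shell-form constant here instead of the JS helper): `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')` and `require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs')`. The same literal appears in the `@@ -1264,9`, `@@ -1277,9`, `@@ -1304,9`, `@@ -1321,9` and `@@ -1335,9` hunks of this file and in `@@ -890,9`, `@@ -1024,9`, `@@ -1037,9`, `@@ -1059,9`, `@@ -1076,9` and `@@ -1090,9` of dictation-prompt.lock.yml. Because this step sets up threat detection, it is worth checking that a load failure here stops the pipeline rather than letting later jobs proceed without a detection result.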
@@ -1177,9 +1181,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1226,6 +1230,8 @@ jobs: concurrency: group: "gh-aw-conclusion-developer-docs-consolidator" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1240,7 +1246,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1264,9 +1270,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
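Review bot: In the `@@ -1240,7 +1246,7 @@` hunk, `destination: ${GH_AW_HOME}/actions` is passed as a `with:` input to `./actions/setup`, and action inputs are not shell-expanded, so the action receives the literal string unless its own script expands it (not visible in this patch). If it does not, the scripts would land somewhere other than the directory later steps read them from. The expression form avoids depending on that: `destination: ${{ env.GH_AW_HOME }}/actions`. The same line appears in every "Setup Scripts" hunk of this patch.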
@@ -1277,9 +1283,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1304,9 +1310,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1321,9 +1327,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error 
@@ -1335,9 +1341,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); push_repo_memory: @@ -1349,6 +1355,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} @@ -1362,7 +1370,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1405,9 +1413,9 @@ jobs: ALLOWED_EXTENSIONS: '[]' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1425,6 +1433,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/developer-docs-consolidator" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "developer-docs-consolidator" GH_AW_WORKFLOW_NAME: "Developer Documentation Consolidator" outputs: 
@@ -1446,7 +1455,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1501,9 +1510,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1520,6 +1529,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: developerdocsconsolidator steps: - name: Checkout actions folder @@ -1531,7 +1541,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index 9bce7100077..a39d00f706b 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -47,6 +47,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -61,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -83,7 +85,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -100,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "dictation-prompt.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -117,20 +119,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' 
@@ -178,9 +180,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -196,10 +198,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -218,11 +220,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -248,10 +250,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dictationprompt outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -272,13 +272,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -301,14 +305,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -317,19 +321,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"auto_merge":true,"expires":48,"max":1,"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. 
CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[docs] \". Labels [\"documentation\" \"automation\"] will be automatically added.", @@ -475,7 +479,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -596,8 +600,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -608,7 +612,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -637,7 +641,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -672,7 +676,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -707,7 +711,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -745,15 +749,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -762,7 +766,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -781,9 +785,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -807,18 +811,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -890,9 +894,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -940,9 +944,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -986,6 +990,8 @@ jobs: concurrency: group: "gh-aw-conclusion-dictation-prompt" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1000,7 +1006,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1024,9 +1030,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1037,9 +1043,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1059,9 +1065,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1076,9 +1082,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1090,9 +1096,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1109,6 +1115,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/dictation-prompt" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "dictation-prompt" GH_AW_WORKFLOW_NAME: "Dictation Prompt Generator" outputs: @@ -1130,7 +1137,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1185,9 +1192,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index f2667109b9c..5bff55aea94 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -49,6 +49,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,7 +90,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -105,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "discussion-task-miner.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -122,16 +124,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, missing_tool, missing_data, noop @@ -184,9 +186,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
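Review bot: `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` in the "Create prompt with built-in context" hunk leaves the expansion unquoted, while the `cat "${GH_AW_HOME}/prompts/…"` lines directly below quote it. Now that the directory is configurable for self-hosted runners, a path containing a space or glob character would be word-split before `bash` sees it; use `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"`. The same applies to the other unquoted `run:` uses on this page, such as `mkdir -p ${GH_AW_HOME}/safeoutputs` and `cat > ${GH_AW_HOME}/safeoutputs/config.json`. The `run:` body continues past the end of this hunk.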
@@ -208,10 +210,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -236,11 +238,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -267,10 +269,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: discussiontaskminer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -291,13 +291,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" @@ -310,7 +314,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -333,25 +337,25 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' 
{"add_comment":{"max":3},"create_issue":{"expires":24,"group":true,"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 5 issue(s) can be created. Title will be prefixed with \"[Code Quality] \". Labels [\"code-quality\" \"automation\" \"task-mining\"] will be automatically added.", @@ -549,7 +553,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -685,8 +689,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection 
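Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are plain YAML strings that the runner does not shell-expand. The step therefore exports the literal text `${GH_AW_HOME}/…`, and because step `env:` takes precedence it also overrides the resolved values that the "Create gh-aw temp directory" step wrote to `$GITHUB_ENV`. Either drop the two entries so the `$GITHUB_ENV` values apply, or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. The same pair appears in the matching hunk of docs-noob-tester.lock.yml, and the step's `run:` body continues in the next hunk.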
@@ -697,7 +701,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -725,7 +729,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { 
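Review bot: `MCP_GATEWAY_DOCKER_COMMAND` in the Start MCP Gateway hunk still hard-codes `-v /opt:/opt:ro` and does not forward `GH_AW_HOME`, even though the line below it now runs `${GH_AW_HOME}/actions/start_mcp_gateway.sh`. With `GH_AW_HOME` outside `/opt`, the `GH_AW_SAFE_OUTPUTS*` paths passed with `-e` would point at files the container cannot see. Mounting only the resolved directory, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, follows the quoting already used for `GITHUB_WORKSPACE` and exposes less of the host than all of `/opt`. The same command appears unchanged in the docs-noob-tester.lock.yml hunk, and the heredoc body continues outside this hunk.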
@@ -760,7 +764,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -816,7 +820,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -854,15 +858,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -871,7 +875,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -890,9 +894,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -916,18 +920,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1007,9 +1011,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1057,9 +1061,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1105,6 +1109,8 @@ jobs: concurrency: group: "gh-aw-conclusion-discussion-task-miner" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1119,7 +1125,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1144,9 +1150,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1158,9 +1164,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1183,9 +1189,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1201,9 +1207,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1215,6 +1221,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} @@ -1228,7 +1236,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1271,9 +1279,9 @@ jobs: FILE_GLOB_FILTER: "memory/discussion-task-miner/*.json memory/discussion-task-miner/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: 
@@ -1289,6 +1297,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/discussion-task-miner" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔍 *Task mining by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 Discussion Task Miner starting! [{workflow_name}]({run_url}) is scanning discussions for code quality improvements...\",\"runSuccess\":\"✅ Task mining complete! [{workflow_name}]({run_url}) has identified actionable code quality tasks. 📊\",\"runFailure\":\"⚠️ Task mining interrupted! [{workflow_name}]({run_url}) {status}. Please review the logs...\"}" GH_AW_TRACKER_ID: "discussion-task-miner" GH_AW_WORKFLOW_ID: "discussion-task-miner" @@ -1314,7 +1323,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1340,9 +1349,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index b220c1d6ea6..c29ddfa492c 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -62,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -84,7 +86,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -101,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "docs-noob-tester.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -118,16 +120,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop 
@@ -181,9 +183,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -199,10 +201,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -221,11 +223,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -251,10 +253,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: docsnoobtester outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -275,13 +275,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -304,14 +308,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -320,19 +324,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. 
For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -488,7 +492,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -608,8 +612,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -620,7 +624,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -653,7 +657,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -695,7 +699,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -733,7 +737,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -771,15 +775,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -788,7 +792,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -807,9 +811,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -833,18 +837,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -924,9 +928,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -974,9 +978,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1021,6 +1025,8 @@ jobs: concurrency: group: "gh-aw-conclusion-docs-noob-tester" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1035,7 +1041,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
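Review bot: In the threat-detection setup step, `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')` are single-quoted JavaScript strings, so nothing expands `${GH_AW_HOME}` and Node is asked for a module literally named `${GH_AW_HOME}/...`. The other github-script steps in this patch use `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and these should too. The same literal form appears in the noop, missing_tool, handle_agent_failure, handle_noop_message and upload_assets steps of this file and in the matching steps of draft-pr-cleanup.lock.yml. Since the lock files are generated, the fix presumably belongs in the generator path that emits the shell constant into script bodies. It is also worth confirming that a threat-detection step that cannot load its module fails the job rather than being skipped.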
@@ -1059,9 +1065,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1072,9 +1078,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1094,9 +1100,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1111,9 +1117,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1128,6 +1134,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/docs-noob-tester" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "docs-noob-tester" GH_AW_WORKFLOW_NAME: "Documentation Noob Tester" outputs: @@ -1147,7 +1154,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1173,9 +1180,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1205,7 +1212,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -1260,8 +1267,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index 174133b402a..3e5683c4353 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -44,6 +44,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -58,7 +60,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -80,7 +82,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -97,9 +99,9 @@ jobs: GH_AW_WORKFLOW_FILE: "draft-pr-cleanup.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -114,15 +116,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, close_pull_request, add_labels, missing_tool, missing_data, noop @@ -171,9 +173,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -189,10 +191,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -211,11 +213,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -240,10 +242,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: draftprcleanup outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -264,13 +264,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -293,14 +297,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -309,19 +313,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":20},"add_labels":{"max":20},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Close a pull request WITHOUT merging, adding a closing comment. You can and should always add a comment when closing a PR to explain the action or provide context. Use this for PRs that should be abandoned, superseded, or closed for other reasons. The closing comment should explain why the PR is being closed. This does NOT merge the changes. 
If the PR is already closed, a comment will still be posted. CONSTRAINTS: Maximum 10 pull request(s) can be closed. Target: *.", @@ -516,7 +520,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -638,8 +642,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -650,7 +654,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
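Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are YAML values, which Actions passes through without shell expansion. The step therefore exports the literal text `${GH_AW_HOME}/...` to start_safe_outputs_server.sh. They also appear to shadow the resolved values that the "Create gh-aw temp directory" step now writes to `$GITHUB_ENV`. Either drop the two entries and rely on `$GITHUB_ENV`, or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. `destination: ${GH_AW_HOME}/actions` under `with:` has the same property unless the setup action expands the variable itself, which is not visible here.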
@@ -679,7 +683,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -714,7 +718,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -765,7 +769,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -803,15 +807,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -820,7 +824,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -839,9 +843,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -865,18 +869,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -947,9 +951,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -997,9 +1001,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1044,6 +1048,8 @@ jobs: concurrency: group: "gh-aw-conclusion-draft-pr-cleanup" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1058,7 +1064,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1082,9 +1088,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1095,9 +1101,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1116,9 +1122,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1133,9 +1139,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1151,6 +1157,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/draft-pr-cleanup" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"runStarted\":\"🧹 Starting draft PR cleanup... [{workflow_name}]({run_url}) is reviewing draft PRs for staleness\",\"runSuccess\":\"✅ Draft PR cleanup complete! [{workflow_name}]({run_url}) has reviewed and processed stale drafts.\",\"runFailure\":\"❌ Draft PR cleanup failed! [{workflow_name}]({run_url}) {status}. Some draft PRs may not be processed.\"}" GH_AW_WORKFLOW_ID: "draft-pr-cleanup" GH_AW_WORKFLOW_NAME: "Draft PR Cleanup" @@ -1173,7 +1180,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1199,9 +1206,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() 
diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index ffe2227aad8..a3af0625d61 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -108,9 +110,9 @@ jobs: GH_AW_WORKFLOW_FILE: "duplicate-code-detector.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -126,15 +128,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -188,9 +190,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -207,10 +209,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -230,11 +232,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -259,10 +261,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: duplicatecodedetector outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -282,13 +282,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -311,9 +315,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -323,7 +327,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -332,19 +336,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. 
CONSTRAINTS: Maximum 1 issue(s) can be created. Assignees [\"copilot\"] will be automatically assigned.", @@ -490,7 +494,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -608,8 +612,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -620,7 +624,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -689,7 +693,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -739,7 +743,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail 
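Review bot: In the `@@ -608,8 +612,8 @@` hunk the step-level `env:` now sets `GH_AW_SAFE_OUTPUTS_TOOLS_PATH` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` to `${GH_AW_HOME}/safeoutputs/...`, but Actions does not shell-expand `env:` values, so the `export` lines below hand the safe-outputs server a path that still contains the text `${GH_AW_HOME}`. Step-level `env:` also takes precedence over the resolved values that the `Create gh-aw temp directory` step writes to `$GITHUB_ENV`. Unless `start_safe_outputs_server.sh` re-expands the value (not visible here), the server would not find the `config.json` that carries the `max` limits. Write `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and the matching config line, or drop both entries so the `$GITHUB_ENV` values apply. The `@@ -633,8 +637,8 @@` hunk in example-workflow-analyzer.lock.yml has the same two lines.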
@@ -781,15 +785,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -800,7 +804,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -819,9 +823,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -845,18 +849,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -927,9 +931,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
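Review bot: In the `@@ -927,9 +931,9 @@` hunk, `require('${GH_AW_HOME}/actions/setup_globals.cjs')` is a single-quoted JavaScript string inside a github-script `script:`, so nothing expands `${GH_AW_HOME}` and the step tries to load a path with that literal name. This breaks `setup_threat_detection.cjs` here and, in the following hunks of the same file, `noop.cjs`, `missing_tool.cjs`, `handle_agent_failure.cjs` and `handle_noop_message.cjs`. Whether a failed detection-setup step blocks the later safe-outputs job is not visible in this hunk and is worth confirming. Use the form the other hunks already have: `const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');`. These lock files look compiled, so the fix presumably belongs in the generator path that emits the quoted form.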
@@ -963,9 +967,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1008,6 +1012,8 @@ jobs: concurrency: group: "gh-aw-conclusion-duplicate-code-detector" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1022,7 +1028,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1046,9 +1052,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1059,9 +1065,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1079,9 +1085,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1096,9 +1102,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1112,6 +1118,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/duplicate-code-detector" GH_AW_ENGINE_ID: "codex" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "duplicate-code-detector" GH_AW_WORKFLOW_NAME: "Duplicate Code Detector" outputs: 
@@ -1133,7 +1140,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1160,9 +1167,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign Copilot to created issues if: steps.process_safe_outputs.outputs.issues_to_assign_copilot != '' @@ -1172,9 +1179,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/assign_copilot_to_created_issues.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/assign_copilot_to_created_issues.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml index 9468a6d200e..3adc7014399 100644 --- a/.github/workflows/example-permissions-warning.lock.yml +++ b/.github/workflows/example-permissions-warning.lock.yml @@ -41,6 +41,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -56,7 +58,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -78,11 +80,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -100,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "example-permissions-warning.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -116,14 +118,14 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -167,9 +169,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -185,10 +187,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -207,11 +209,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -230,6 +232,7 @@ jobs: issues: read pull-requests: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: examplepermissionswarning outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -245,13 +248,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -274,14 +281,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -290,10 +297,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 - name: Start MCP Gateway id: start-mcp-gateway env: 
@@ -318,7 +325,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -346,7 +353,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -379,7 +386,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
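Review bot: The `@@ -318,7 +325,7 @@` hunk moves only the `start_mcp_gateway.sh` path to `${GH_AW_HOME}`, while the `MCP_GATEWAY_DOCKER_COMMAND` context line above it still bind-mounts `-v /opt:/opt:ro` and forwards the `GH_AW_SAFE_OUTPUTS*` variables with `-e`. On a runner where `GH_AW_HOME` is outside `/opt`, the forwarded paths would point at files the gateway container cannot see. Mounting the home explicitly, `-v "${GH_AW_HOME}":"${GH_AW_HOME}":ro` in place of `/opt:/opt:ro` (quoted the way `GITHUB_WORKSPACE` already is), keeps the container's view in step with the variable and also stops exposing the rest of `/opt`. The `run:` block starts outside the hunk.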
@@ -417,15 +424,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -435,7 +442,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload engine output files uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: 
@@ -451,18 +458,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 1eb8ce76970..c759812b870 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -85,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "example-workflow-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -124,15 +126,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -182,9 +184,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -200,10 +202,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -222,11 +224,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -252,10 +254,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: exampleworkflowanalyzer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -275,7 +275,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -311,7 +311,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -334,9 +338,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -344,7 +348,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -355,10 +359,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -372,26 +376,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[workflow-analysis] \". Discussions will be created in category \"audits\".", 
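Review bot: `${GH_AW_HOME}` is used unquoted and unchecked in the new `mkdir -p`, `cp` and `chmod +x` lines, so a self-hosted path containing spaces is word-split and an unset value is only caught by whichever command happens to fail first. Quote each use and fail early, for example `mkdir -p "${GH_AW_HOME:?GH_AW_HOME is not set}"` followed by `cp "$GH_AW_BIN" "${GH_AW_HOME}/gh-aw"`. The same applies to `mkdir -p ${GH_AW_HOME}/safeoutputs` and the `cat > ${GH_AW_HOME}/safeoutputs/…` redirections in the Write Safe Outputs Config step later in this hunk. That step's heredoc continues outside the hunk.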
@@ -522,7 +526,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -633,8 +637,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -645,7 +649,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
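Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` (hunk at -633) are not shell-expanded, because Actions only evaluates `${{ }}` in `env:` values. The step therefore exports the literal text `${GH_AW_HOME}/…` to the safe-outputs server. Unless start_safe_outputs_server.sh expands the value itself, which is not visible here, the server would not find the tools and config files written by the earlier step. Setting them inside `run:` avoids that: `export GH_AW_SAFE_OUTPUTS_TOOLS_PATH="${GH_AW_HOME}/safeoutputs/tools.json"` and the matching line for the config path. The same entries appear in the safe-outputs server step of firewall-escape.lock.yml, where they would also take precedence over the values this commit writes to `$GITHUB_ENV`.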
@@ -674,7 +678,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -719,7 +723,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
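Review bot: The `MCP_GATEWAY_DOCKER_COMMAND` string in this hunk still mounts `-v /opt:/opt:ro`. Once `GH_AW_HOME` points outside `/opt`, the gateway container no longer sees the gh-aw binary or the safeoutputs files that the earlier steps now write under `${GH_AW_HOME}`. Add a read-only mount that follows the variable, in the same quoting style as the `GITHUB_WORKSPACE` mount, e.g. `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. Mount that directory itself rather than a parent: on a self-hosted runner a broad host mount next to `/var/run/docker.sock` and `/tmp:rw` exposes more than the gateway needs. The identical command string appears in firewall-escape.lock.yml.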
@@ -836,15 +840,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -854,7 +858,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -873,9 +877,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -891,18 +895,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -973,9 +977,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
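Review bot: The two `require('${GH_AW_HOME}/actions/…')` calls in the threat-detection setup step (hunk at -973) pass a single-quoted JavaScript string, so `${GH_AW_HOME}` is never expanded and Node looks for a path that literally starts with `${GH_AW_HOME}`. The other github-script steps changed in this file use the environment lookup, and these should match: `const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');` and likewise for `setup_threat_detection.cjs`. The same literal form appears in the noop, missing_tool, handle_agent_failure and handle_noop_message steps of the conclusion job in both workflows, and in the threat-detection setup step of firewall-escape.lock.yml. Since this is compiler output, the fix presumably belongs in the code that emits these steps. Until then, a module-not-found failure here would likely keep threat-detection setup and failure reporting from running as intended.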
@@ -1033,9 +1037,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1079,6 +1083,8 @@ jobs: concurrency: group: "gh-aw-conclusion-example-workflow-analyzer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1093,7 +1099,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1117,9 +1123,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1130,9 +1136,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1152,9 +1158,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1169,9 +1175,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1186,6 +1192,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/example-workflow-analyzer" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "example-workflow-analyzer" GH_AW_WORKFLOW_NAME: "Weekly Workflow Analysis" outputs: 
@@ -1205,7 +1212,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1231,9 +1238,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 5994d982711..57dd914d5f7 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -54,6 +54,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -71,7 +73,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -93,7 +95,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -110,18 +112,18 @@ jobs: GH_AW_WORKFLOW_FILE: "firewall-escape.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -136,17 +138,17 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop 
@@ -194,9 +196,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -222,10 +224,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -254,11 +256,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -284,10 +286,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: firewallescape outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -308,16 +308,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -334,7 +338,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -357,14 +361,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -373,19 +377,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":524288,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. 
Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[Firewall Escape] \". Discussions will be created in category \"audits\".", @@ -531,7 +535,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -642,8 +646,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -654,7 +658,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -683,7 +687,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -718,7 +722,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -753,7 +757,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -791,15 +795,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -808,7 +812,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -827,9 +831,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -853,18 +857,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -950,9 +954,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1000,9 +1004,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1048,6 +1052,8 @@ jobs: concurrency: group: "gh-aw-conclusion-firewall-escape" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1062,7 +1068,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1087,9 +1093,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1101,9 +1107,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1127,9 +1133,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1145,9 +1151,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); post-issue: @@ -1199,7 +1205,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1208,9 +1214,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); push_repo_memory: @@ -1222,6 +1228,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} @@ -1235,7 +1243,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
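Review bot: The job that runs `check_membership.cjs` (hunks at -1199 and -1208) now reads `process.env.GH_AW_HOME` and passes `destination: ${GH_AW_HOME}/actions`, but unlike the other jobs in this file no `GH_AW_HOME: /opt/gh-aw` entry is added to it in this diff; the job header itself is outside these hunks. If the variable is not defined for that job elsewhere, the `require` calls resolve to `undefined/actions/…` and the membership gate fails before it runs. Add the same job-level block the other jobs received, `env:` with `GH_AW_HOME: /opt/gh-aw`. It is also worth confirming that `./actions/setup` expands `${GH_AW_HOME}` in its `destination` input, since Actions passes `with:` values through literally and that action is not visible here.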
@@ -1277,9 +1285,9 @@ jobs: ALLOWED_EXTENSIONS: '[]' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1294,6 +1302,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/firewall-escape" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "firewall-escape" GH_AW_WORKFLOW_ID: "firewall-escape" GH_AW_WORKFLOW_NAME: "The Great Escapi" @@ -1314,7 +1323,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1340,9 +1349,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1359,6 +1368,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: firewallescape steps: - name: Checkout actions folder 
@@ -1370,7 +1380,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml index d0a29e091e6..5569c8c79a7 100644 --- a/.github/workflows/firewall.lock.yml +++ b/.github/workflows/firewall.lock.yml @@ -41,6 +41,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -56,7 +58,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -78,11 +80,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
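Review bot: `run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN ...` in the `@@ -78,11 +80,11 @@` hunk expands the variable unquoted, so a home directory containing spaces or glob characters is word-split or expanded before the script path is resolved. That could not happen with the fixed `/opt/gh-aw` path, but this change exists to let a self-hosted runner choose the location. The `cat "${GH_AW_HOME}/prompts/xpia.md"` lines in this patch are already quoted; the `bash ${GH_AW_HOME}/actions/...` steps and the `mkdir -p ${GH_AW_HOME}/safeoutputs` and `cat > ${GH_AW_HOME}/safeoutputs/...` lines in later hunks should follow suit, for example `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"`. For this step the quoted path would start the YAML value, so it needs a `run: |` block or a leading `bash`.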
@@ -100,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "firewall.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -116,14 +118,14 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -169,9 +171,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -187,10 +189,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -209,11 +211,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -232,6 +234,7 @@ jobs: issues: read pull-requests: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: firewall outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -247,13 +250,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -276,14 +283,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -292,10 +299,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 - name: Start MCP Gateway id: start-mcp-gateway env: 
@@ -320,7 +327,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -348,7 +355,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -381,7 +388,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
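Review bot: The `MCP_GATEWAY_DOCKER_COMMAND` line kept as context in the `@@ -320,7 +327,7 @@` hunk still mounts `-v /opt:/opt:ro`, although the gateway is now started from `${GH_AW_HOME}` and is passed `GH_AW_SAFE_OUTPUTS`, `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `GH_AW_SAFE_OUTPUTS_TOOLS_PATH`, which an earlier step in this file writes as paths under `${GH_AW_HOME}`. With a home outside `/opt`, those paths would not exist inside the container. Following the quoting already used for the workspace mount, the command could add `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. If the gateway needs nothing else under `/opt`, which is not visible here, replacing the `/opt` mount with that one would also narrow what the container can read. The same line is kept in the `@@ -644,7 +648,7 @@` hunk of functional-pragmatist.lock.yml.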
@@ -419,15 +426,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -437,7 +444,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload engine output files uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: 
@@ -453,18 +460,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index ee1b21155a3..23d47d4273a 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -47,6 +47,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -62,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -84,11 +86,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -106,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "functional-pragmatist.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -123,20 +125,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -186,9 +188,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -204,10 +206,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -226,11 +228,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -255,10 +257,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: functionalpragmatist outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -279,13 +279,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -308,14 +312,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -324,19 +328,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":24,"max":1,"reviewers":["copilot"],"title_prefix":"[fp-enhancer] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. 
CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[fp-enhancer] \". Labels [\"refactoring\" \"functional\" \"immutability\" \"code-quality\"] will be automatically added. Reviewers [\"copilot\"] will be assigned.", @@ -482,7 +486,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -603,8 +607,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -615,7 +619,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
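Review bot: In the `@@ -603,8 +607,8 @@` hunk, `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` line after it sit in a step `env:` block, where the runner performs no shell expansion, so both variables hold the literal text `${GH_AW_HOME}/...`. The `run:` script only does `export GH_AW_SAFE_OUTPUTS_TOOLS_PATH`, which hands the unexpanded string to `start_safe_outputs_server.sh`. The step-level value also shadows the resolved one that the Create gh-aw temp directory step earlier in the file writes to `$GITHUB_ENV`. Either drop the two entries so the `$GITHUB_ENV` values apply, or use the expression form, `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`. How the server behaves when its tools and config files are missing is not visible here, so this is worth testing before relying on the safe-outputs restrictions.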
@@ -644,7 +648,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -679,7 +683,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -713,7 +717,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -751,15 +755,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -769,7 +773,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -788,9 +792,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -814,18 +818,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -897,9 +901,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -946,9 +950,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -992,6 +996,8 @@ jobs: concurrency: group: "gh-aw-conclusion-functional-pragmatist" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1006,7 +1012,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1031,9 +1037,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1045,9 +1051,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1069,9 +1075,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1087,9 +1093,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1102,9 +1108,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1121,6 +1127,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/functional-pragmatist" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "functional-pragmatist" GH_AW_WORKFLOW_ID: "functional-pragmatist" GH_AW_WORKFLOW_NAME: "Functional Pragmatist" @@ -1143,7 +1150,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1198,9 +1205,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 1aa75376ef7..365b0f4d23a 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -85,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "github-mcp-structural-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
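Review bot: `${GH_AW_HOME}` is expanded unquoted in the new `run:` line for validate_multi_secret.sh, so a home path containing spaces (plausible on the self-hosted runners this commit targets) is word-split before the script is found. The same applies to the `bash ${GH_AW_HOME}/actions/...`, `mkdir -p ${GH_AW_HOME}/safeoutputs` and `cat > ${GH_AW_HOME}/safeoutputs/...` lines in later hunks. Quote the expansion, e.g. `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"`. Where the command starts the YAML scalar, as here, move it under `run: |` so the leading quote stays valid YAML.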
@@ -124,16 +126,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -190,9 +192,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -211,10 +213,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -236,11 +238,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -268,10 +270,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: githubmcpstructuralanalysis outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -291,13 +291,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -323,7 +327,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -353,9 +357,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -363,7 +367,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -374,19 +378,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. 
CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[mcp-analysis] \". Discussions will be created in category \"audits\".", @@ -542,7 +546,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -662,8 +666,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -674,7 +678,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
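Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are not shell-expanded by the runner, so the `export` lines below pass the literal text to start_safe_outputs_server.sh. As step-level env they presumably also shadow the resolved paths that the "Create gh-aw temp directory" step writes to `$GITHUB_ENV`. The safe-outputs server would then look for its tools and config at a path that does not exist. Either drop the two entries from this step or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. The github-mcp-tools-report lock file carries the same hunk.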
@@ -705,7 +709,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -739,7 +743,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
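Review bot: The unchanged `MCP_GATEWAY_DOCKER_COMMAND` line in this hunk still mounts `-v /opt:/opt:ro`, while the commit moves the safe-outputs files passed in through `-e GH_AW_SAFE_OUTPUTS`, `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH` under `GH_AW_HOME`. With a `GH_AW_HOME` outside `/opt`, those paths would not exist inside the gateway container. Mounting the resolved directory read-only, `-v "${GH_AW_HOME}":"${GH_AW_HOME}":ro` with the same quote break-out used for the `GITHUB_WORKSPACE` mount, keeps the container's view in step with the variable. If nothing else under `/opt` is needed, it could replace the broader `/opt` mount.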
@@ -863,15 +867,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -881,7 +885,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -900,9 +904,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -918,18 +922,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1015,9 +1019,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1075,9 +1079,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1123,6 +1127,8 @@ jobs: concurrency: group: "gh-aw-conclusion-github-mcp-structural-analysis" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1137,7 +1143,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1161,9 +1167,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1174,9 +1180,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1196,9 +1202,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1213,9 +1219,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1230,6 +1236,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/github-mcp-structural-analysis" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "github-mcp-structural-analysis" GH_AW_WORKFLOW_NAME: "GitHub MCP Structural Analysis" outputs: 
@@ -1249,7 +1256,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1275,9 +1282,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1294,6 +1301,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: githubmcpstructuralanalysis steps: - name: Checkout actions folder @@ -1305,7 +1313,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1349,7 +1357,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -1404,8 +1412,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index c0c7562f190..a359e18f1ff 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders 
@@ -107,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "github-mcp-tools-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -124,21 +126,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' 
@@ -187,9 +189,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -208,10 +210,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -233,11 +235,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -265,10 +267,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: githubmcptoolsreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -288,16 +288,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -327,9 +331,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -337,7 +341,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -348,19 +352,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":168,"max":1},"create_pull_request":{"expires":48,"max":1,"reviewers":["copilot"],"title_prefix":"[mcp-tools] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. 
CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -540,7 +544,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -687,8 +691,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -699,7 +703,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
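Review bot: The `mkdir -p ${GH_AW_HOME}/safeoutputs` and `cat > ${GH_AW_HOME}/safeoutputs/config.json` lines in Write Safe Outputs Config expand the variable unquoted. On a self-hosted runner whose GH_AW_HOME contains a space or glob character, the arguments are word-split and the redirections fail as ambiguous. Quote each use, for example `mkdir -p "${GH_AW_HOME}/safeoutputs"` and `cat > "${GH_AW_HOME}/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF'`. The `bash ${GH_AW_HOME}/actions/...` invocations throughout the patch have the same form, whereas the prompt step in github-remote-mcp-auth-test.lock.yml already quotes its `cat "${GH_AW_HOME}/prompts/..."` lines.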
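Review bot: In the step that runs start_safe_outputs_server.sh, `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the CONFIG_PATH entry after it sit under the step's `env:`, where values are passed through without shell expansion. The exported variables therefore hold the literal `${GH_AW_HOME}/...` string, and as step-level env they should take precedence over the resolved values the earlier step appended to `$GITHUB_ENV`. These paths point the server at the files that define which outputs the agent may produce, so they should resolve deterministically. Either drop both entries and rely on `$GITHUB_ENV`, or write `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`. How the server script reacts to an unresolvable path is not visible here; confirm it fails closed.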
@@ -727,7 +731,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -762,7 +766,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
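Review bot: `MCP_GATEWAY_DOCKER_COMMAND`, in the context of this hunk, still mounts `-v /opt:/opt:ro`, while the script that launches the gateway is now resolved from `${GH_AW_HOME}`. With GH_AW_HOME outside /opt, anything inside the container that reads the gh-aw files no longer finds them. If it is placed under /tmp or the workspace, both mounted `rw`, those files become writable from inside the container. Consider deriving the mount from the variable in the same style the command uses for the workspace, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, and documenting that GH_AW_HOME must not live under a read-write mount. The export line is unchanged context, so the fix belongs in the generator, not in this hunk.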
@@ -883,15 +887,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -901,7 +905,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -920,9 +924,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -938,18 +942,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1027,9 +1031,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
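Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and the `setup_threat_detection.cjs` line after it put shell syntax inside a single-quoted JavaScript string, which nothing expands. Node is therefore asked for a module literally named `${GH_AW_HOME}/actions/...` and the step throws. The neighbouring steps already use the working form, `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`. The same literal appears in the noop, missing_tool, handle_agent_failure, handle_noop_message and handle_create_pr_error steps of the conclusion job, and in the matching steps of github-remote-mcp-auth-test.lock.yml. Because these are the threat-detection setup and failure-reporting steps, confirm that a throw here blocks the downstream safe_outputs job instead of letting it run without detection.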
@@ -1087,9 +1091,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1135,6 +1139,8 @@ jobs: concurrency: group: "gh-aw-conclusion-github-mcp-tools-report" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1149,7 +1155,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1173,9 +1179,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1186,9 +1192,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1210,9 +1216,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1227,9 +1233,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error 
@@ -1241,9 +1247,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1261,6 +1267,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/github-mcp-tools-report" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "github-mcp-tools-report" GH_AW_WORKFLOW_NAME: "GitHub MCP Remote Server Tools Report Generator" outputs: @@ -1282,7 +1289,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1337,9 +1344,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1356,6 +1363,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: githubmcptoolsreport steps: - name: Checkout actions folder 
@@ -1367,7 +1375,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index a1705aa1d14..7edc9379d8a 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -44,6 +44,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -59,7 +61,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -81,11 +83,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
@@ -103,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "github-remote-mcp-auth-test.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -121,15 +123,15 @@ jobs: GH_AW_GITHUB_WORKFLOW: ${{ github.workflow }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -179,9 +181,9 @@ jobs: GH_AW_GITHUB_WORKFLOW: ${{ github.workflow }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -198,10 +200,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -221,11 +223,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -250,10 +252,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: githubremotemcpauthtest outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -274,13 +274,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -303,14 +307,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -319,19 +323,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[auth-test] \". 
Discussions will be created in category \"audits\".", @@ -462,7 +466,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -573,8 +577,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -585,7 +589,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -615,7 +619,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_PERSONAL_ACCESS_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -658,7 +662,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -692,7 +696,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -730,15 +734,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -748,7 +752,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -767,9 +771,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -793,18 +797,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -875,9 +879,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -924,9 +928,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -970,6 +974,8 @@ jobs: concurrency: group: "gh-aw-conclusion-github-remote-mcp-auth-test" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -984,7 +990,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1008,9 +1014,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1021,9 +1027,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1044,9 +1050,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1061,9 +1067,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1079,6 +1085,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/github-remote-mcp-auth-test" GH_AW_ENGINE_ID: "copilot" GH_AW_ENGINE_MODEL: "gpt-5.1-codex-mini" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "github-remote-mcp-auth-test" GH_AW_WORKFLOW_NAME: "GitHub Remote MCP Authentication Test" outputs: @@ -1098,7 +1105,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1124,9 +1131,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 89da87ede71..cd9e0dbf518 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml 
@@ -49,6 +49,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -64,7 +66,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +88,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -108,9 +110,9 @@ jobs: GH_AW_WORKFLOW_FILE: "glossary-maintainer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -125,22 +127,22 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -195,9 +197,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
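Review bot: `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` expands the variable unquoted, while the `cat "${GH_AW_HOME}/prompts/..."` lines in the same hunk quote it. Now that the directory is configurable for self-hosted runners, a path containing a space or glob character would split or expand on the unquoted lines. I would write `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"`, and quote the other `run:` uses the same way, for example `mkdir -p "${GH_AW_HOME}/safeoutputs"` and `cat > "${GH_AW_HOME}/safeoutputs/config.json"`. The run block continues past the end of this hunk.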
@@ -222,10 +224,10 @@ jobs: GH_AW_WIKI_NOTE: "\n\n> **GitHub Wiki**: This memory is backed by the GitHub Wiki for this repository. Files use GitHub Wiki Markdown syntax. Follow GitHub Wiki conventions when creating or editing pages (e.g., use standard Markdown headers, use `[[Page Name]]` syntax for internal wiki links, name page files with spaces replaced by hyphens or use the wiki page title as the filename)." with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -253,11 +255,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -283,10 +285,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: glossarymaintainer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -307,7 +307,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -319,15 +319,19 @@ jobs: GH_AW_AGENT_IMPORT_SPEC: "../agents/technical-doc-writer.agent.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/merge_remote_agent_github_folder.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/merge_remote_agent_github_folder.cjs'); await main(); - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -344,7 +348,7 @@ jobs: TARGET_REPO: ${{ github.repository }}.wiki MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: false - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -367,14 +371,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -383,19 +387,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1,"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":10240,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. 
Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[docs] \". Labels [\"documentation\" \"glossary\"] will be automatically added.", @@ -556,7 +560,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -677,8 +681,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -689,7 +693,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
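Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are not shell-expanded, so the step's environment holds the literal `${GH_AW_HOME}/...` text. The `export` lines in the run block hand that literal to start_safe_outputs_server.sh unchanged. Step env also takes precedence over the resolved values that the "Create gh-aw temp directory" step writes to `$GITHUB_ENV`, so the correct paths are overridden here. Either drop the two entries and let the `$GITHUB_ENV` values apply, or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. How the server behaves when its tool and config files are missing is not visible in this hunk and should be checked to fail closed.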
@@ -718,7 +722,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -761,7 +765,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
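Review bot: The unchanged `MCP_GATEWAY_DOCKER_COMMAND` line still mounts `-v /opt:/opt:ro`, while the start script and the safe-outputs files now live under `${GH_AW_HOME}`. With GH_AW_HOME outside /opt (and outside the /tmp mount), the paths passed through `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH` would not exist inside the gateway container. Following the `GITHUB_WORKSPACE` pattern already on that line, I would mount only the resolved directory read-only, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, rather than widening the host mount. The run block starts before this hunk.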
@@ -823,7 +827,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -861,15 +865,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -879,7 +883,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -898,9 +902,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -924,18 +928,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1022,9 +1026,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1071,9 +1075,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1119,6 +1123,8 @@ jobs: concurrency: group: "gh-aw-conclusion-glossary-maintainer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1133,7 +1139,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1157,9 +1163,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1170,9 +1176,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1196,9 +1202,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1213,9 +1219,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1227,9 +1233,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); push_repo_memory: @@ -1241,6 +1247,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} @@ -1254,7 +1262,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -1297,9 +1305,9 @@ jobs: ALLOWED_EXTENSIONS: '[]' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1316,6 +1324,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/glossary-maintainer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "glossary-maintainer" GH_AW_WORKFLOW_NAME: "Glossary Maintainer" outputs: @@ -1337,7 +1346,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1392,9 +1401,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1411,6 +1420,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: glossarymaintainer steps: - name: Checkout actions folder 
@@ -1422,7 +1432,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index cd51dfa1569..9646ddf2711 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders 
@@ -107,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "go-fan.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -124,16 +126,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -189,9 +191,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -210,10 +212,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -235,11 +237,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -265,10 +267,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: gofan outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -288,16 +288,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -327,9 +331,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 
@@ -337,7 +341,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -348,19 +352,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. 
For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[go-fan] \". Discussions will be created in category \"audits\".", @@ -491,7 +495,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -602,8 +606,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -614,7 +618,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
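Review bot: In the hunk at -602, the step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are not shell-expanded, so the step exports the literal strings. For this step they also take precedence over the resolved values that "Create gh-aw temp directory" wrote to `$GITHUB_ENV`. Unless start_safe_outputs_server.sh expands the value again (not visible here), the safe-outputs server is pointed at config and tools files that do not exist. Either drop both entries so the `$GITHUB_ENV` values apply, or write `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and the matching config line. The hunk at -639 in go-logger.lock.yml carries the same two lines.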
@@ -642,7 +646,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -692,7 +696,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
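Review bot: MCP_GATEWAY_DOCKER_COMMAND in this hunk still mounts a fixed `-v /opt:/opt:ro`, while the paths handed to the container through `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH` now follow GH_AW_HOME. With GH_AW_HOME outside /opt the gateway container would presumably not see those files, and with the default it still receives all of /opt rather than only the gh-aw directory. If nothing else under /opt is needed, mounting the resolved directory keeps the mount in step with the variable and narrows what is exposed: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, following the quoting already used for GITHUB_WORKSPACE. The same command appears in the -806 hunk of go-logger.lock.yml.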
@@ -831,15 +835,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -849,7 +853,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -868,9 +872,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -886,18 +890,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -974,9 +978,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
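Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and the setup_threat_detection line in the hunk at -974 put a shell-style variable inside a single-quoted JavaScript string, which nothing expands. Node is therefore asked for a module literally named `${GH_AW_HOME}/actions/...` and the load fails. Every other github-script step in this commit uses `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and these should match. The same literal form is in the noop, missing_tool, handle_agent_failure and handle_noop_message steps of the conclusion job, both here and in go-logger.lock.yml. The threat-detection setup step is among those that would not run, so the generator path that emits these requires should be fixed rather than the lock file.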
@@ -1034,9 +1038,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1081,6 +1085,8 @@ jobs: concurrency: group: "gh-aw-conclusion-go-fan" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1095,7 +1101,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1120,9 +1126,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1134,9 +1140,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1157,9 +1163,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1175,9 +1181,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1192,6 +1198,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/go-fan" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "go-fan-daily" GH_AW_WORKFLOW_ID: "go-fan" GH_AW_WORKFLOW_NAME: "Go Fan" 
@@ -1212,7 +1219,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1238,9 +1245,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1257,6 +1264,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: gofan steps: - name: Checkout actions folder @@ -1268,7 +1276,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 82199dd3651..97acba592c9 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -85,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "go-logger.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -124,21 +126,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -186,9 +188,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -207,10 +209,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -232,11 +234,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -261,10 +263,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: gologger outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -284,7 +284,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -297,7 +297,11 @@ jobs: cache-dependency-path: 'actions/setup/js/package-lock.json' package-manager-cache: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Go uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: @@ -309,7 +313,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -339,9 +343,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 
@@ -349,7 +353,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -360,19 +364,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1,"title_prefix":"[log] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. 
CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[log] \". Labels [\"enhancement\" \"automation\"] will be automatically added.", @@ -518,7 +522,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -639,8 +643,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -651,16 +655,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "go", 
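Review bot: In the hunk at -651, `"logDir": "${GH_AW_HOME}/mcp-scripts/logs"` is inside the heredoc opened with the quoted delimiter `'GH_AW_MCP_SCRIPTS_TOOLS_EOF'`, so bash writes it verbatim and tools.json carries the unexpanded text. If the MCP scripts server takes logDir from tools.json rather than from the option passed in mcp-server.cjs (not visible here), logs would go to a path literally named `${GH_AW_HOME}/mcp-scripts/logs`. One fix is to omit the field and rely on the `process.env.GH_AW_HOME + '/mcp-scripts/logs'` value that mcp-server.cjs already sets. That avoids unquoting the heredoc, which would also expand any other `$` in the JSON.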
@@ -701,7 +705,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -710,17 +714,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + '/mcp-scripts/logs' }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_EOF' #!/bin/bash # Auto-generated mcp-script tool: go # Execute any Go command. This tool is accessible as 'mcpscripts-go'. Provide the full command after 'go' (e.g., args: 'test ./...'). The tool will run: go . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -732,8 +736,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GO_EOF - chmod +x /opt/gh-aw/mcp-scripts/go.sh - cat > /opt/gh-aw/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/go.sh + cat > ${GH_AW_HOME}/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_EOF' #!/bin/bash # Auto-generated mcp-script tool: make # Execute any Make target. This tool is accessible as 'mcpscripts-make'. Provide the target name(s) (e.g., args: 'build'). The tool will run: make . Use single quotes ' for complex args to avoid shell interpretation issues. 
@@ -744,7 +748,7 @@ jobs: make $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_MAKE_EOF - chmod +x /opt/gh-aw/mcp-scripts/make.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/make.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -776,7 +780,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -806,7 +810,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { 
@@ -847,7 +851,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -996,15 +1000,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1014,7 +1018,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -1033,9 +1037,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -1051,27 +1055,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1150,9 +1154,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1210,9 +1214,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1257,6 +1261,8 @@ jobs: concurrency: group: "gh-aw-conclusion-go-logger" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1271,7 +1277,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
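Review bot: The new `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')` lines in the threat-detection setup step are single-quoted JavaScript strings, so `${GH_AW_HOME}` is neither shell-expanded nor interpolated and Node is asked for a path that literally begins with `${GH_AW_HOME}`. The other github-script steps in this file use `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and this step should use the same form. The same literal form appears in the conclusion-job hunks (noop, missing_tool, handle_agent_failure, handle_noop_message, handle_create_pr_error) and in the matching steps of go-pattern-detector.lock.yml. These lock files look generated, so the fix presumably belongs in the generator, where the shell constant is emitted into a script body. It is also worth confirming that the detection job fails closed when this step cannot load its module.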
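Review bot: `destination: ${GH_AW_HOME}/actions` in the Setup Scripts step is an action input, and the runner does not shell-expand `with:` values, so `./actions/setup` receives the literal text unless it expands the variable itself (its implementation is not visible here). An expression resolves the value before the action runs: `destination: ${{ env.GH_AW_HOME }}/actions`. The same input appears in every Setup Scripts hunk of this patch. Since later steps load scripts from this directory while holding `github-token`, the documentation for GH_AW_HOME should state that on self-hosted runners it must point to a location other users and jobs cannot write to.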
@@ -1295,9 +1301,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1308,9 +1314,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1330,9 +1336,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1347,9 +1353,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1361,9 +1367,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1380,6 +1386,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/go-logger" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "go-logger" GH_AW_WORKFLOW_NAME: "Go Logger Enhancement" outputs: @@ -1401,7 +1408,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1456,9 +1463,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1475,6 +1482,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: gologger steps: - name: Checkout actions folder @@ -1486,7 +1494,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 20a63685cda..66e818778bd 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -47,6 +47,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -62,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -84,11 +86,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -106,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "go-pattern-detector.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -124,15 +126,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -185,9 +187,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -204,10 +206,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
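Review bot: `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` leaves the expansion unquoted, while the `cat "${GH_AW_HOME}/prompts/xpia.md"` lines in the same run block quote it. Now that the home is configurable, a path containing spaces or glob characters would be word-split. Quote it: `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"`. The same applies to the other `run:` lines in this patch (`mkdir -p ${GH_AW_HOME}/safeoutputs`, `cat > ${GH_AW_HOME}/safeoutputs/config.json`, and the remaining `bash ${GH_AW_HOME}/actions/*.sh` calls). The run block continues past the end of this hunk.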
@@ -227,11 +229,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -259,10 +261,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: gopatterndetector outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -282,13 +282,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -311,9 +315,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -321,7 +325,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -332,19 +336,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcp/ast-grep:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcp/ast-grep:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. 
Title will be prefixed with \"[ast-grep] \". Labels [\"code-quality\" \"ast-grep\" \"cookie\"] will be automatically added.", @@ -490,7 +494,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -608,8 +612,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -620,7 +624,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
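Review bot: In the safe-outputs server step, `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the CONFIG_PATH line below it are step `env:` values, which the runner does not shell-expand, so the script exports the literal string. They also take precedence over the resolved values that the "Create gh-aw temp directory" step now appends to `$GITHUB_ENV`. Either drop both keys from this step or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. Whether the `max` limits in config.json are still enforced when the server cannot open that path is not visible here and should be checked. gpclean.lock.yml carries the same two lines.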
@@ -648,7 +652,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "ast-grep": { @@ -689,7 +693,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
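Review bot: The gateway command in this hunk still mounts `-v /opt:/opt:ro`, a context line the patch leaves unchanged, while the start script path and the `GH_AW_SAFE_OUTPUTS_*` paths passed with `-e` now follow `GH_AW_HOME`. If a self-hosted runner places the home outside `/opt`, those paths presumably will not exist inside the gateway container. Mount the home explicitly and read-only, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, using the same quote-break form the command already uses for `GITHUB_WORKSPACE`.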
@@ -807,15 +811,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -825,7 +829,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -844,9 +848,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -862,18 +866,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -944,9 +948,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1004,9 +1008,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1083,6 +1087,8 @@ jobs: concurrency: group: "gh-aw-conclusion-go-pattern-detector" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1097,7 +1103,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1121,9 +1127,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1134,9 +1140,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1154,9 +1160,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1171,9 +1177,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1187,6 +1193,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/go-pattern-detector" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "go-pattern-detector" GH_AW_WORKFLOW_NAME: "Go Pattern Detector" outputs: 
@@ -1208,7 +1215,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1234,9 +1241,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index be565bec2c4..ccc6da8eefb 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -44,6 +44,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -59,7 +61,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -81,11 +83,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -103,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "gpclean.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -120,16 +122,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -177,9 +179,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -198,10 +200,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -223,11 +225,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -252,10 +254,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: gpclean outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -276,13 +276,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
@@ -291,7 +295,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -321,14 +325,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -337,19 +341,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. 
Title will be prefixed with \"[gpl-dependency]\". Labels [\"dependency-cleaner\"] will be automatically added.", @@ -495,7 +499,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -613,8 +617,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -625,7 +629,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
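Review bot: In the `@@ -613,8 +617,8 @@` hunk the step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` are set to `${GH_AW_HOME}/safeoutputs/...`, but workflow `env:` values are not passed through a shell, so the script that `export`s them hands the server the literal text `${GH_AW_HOME}/...` instead of a path. Step-level `env:` should also take precedence over the resolved values that the `Create gh-aw temp directory` step appends to `$GITHUB_ENV`, so the correct values are shadowed. Either drop the two entries here or use the expression form, `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json` (and likewise for the config path). The same change is needed in grumpy-reviewer.lock.yml at `@@ -704,8 +708,8 @@`; the step itself starts before the hunk.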
@@ -654,7 +658,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -689,7 +693,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
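Review bot: The gateway container command in this hunk still mounts `-v /opt:/opt:ro` (an unchanged context line) while the script path beside it now comes from `${GH_AW_HOME}`. With a home outside `/opt`, the container would presumably not see the files named by `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH`. Add a mount for the directory itself, using the quoting already applied to the workspace: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. Keeping it read-only and scoped to that one directory, rather than a parent, limits what a self-hosted runner exposes to a container that is also given the Docker socket. grumpy-reviewer.lock.yml carries the same line in `@@ -744,7 +748,7 @@`.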
@@ -723,7 +727,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -761,15 +765,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -779,7 +783,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -798,9 +802,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -824,18 +828,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -912,9 +916,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -961,9 +965,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1007,6 +1011,8 @@ jobs: concurrency: group: "gh-aw-conclusion-gpclean" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1021,7 +1027,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
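Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` in the `@@ -912,9 +916,9 @@` hunk puts a shell-style variable inside a single-quoted JavaScript string, which nothing expands. Node would look for a module literally named `${GH_AW_HOME}/...` and the script would throw before `setup_threat_detection.cjs` is loaded. Use the form the neighbouring hunks already have: `const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');` and the same for the `main` import. The literal also appears in the conclusion-job hunks (`@@ -1045`, `-1058`, `-1079`, `-1096`) and in grumpy-reviewer.lock.yml (`@@ -1003`, `-1136`, `-1149`, `-1171`, `-1188`); if these lock files are generated, the fix belongs in the generator. Since this is the threat-detection setup step, whose header lies outside the hunk, also confirm that a load failure there cannot be read downstream as a clean detection result.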
@@ -1045,9 +1051,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1058,9 +1064,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1079,9 +1085,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1096,9 +1102,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1112,6 +1118,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/gpclean" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "gpclean" GH_AW_WORKFLOW_NAME: "GPL Dependency Cleaner (gpclean)" outputs: @@ -1133,7 +1140,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1159,9 +1166,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1178,6 +1185,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: gpclean steps: - name: Checkout actions folder 
@@ -1189,7 +1197,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 43e46acfa0e..6f2f8dc394e 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -56,6 +56,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -75,7 +77,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -100,11 +102,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
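Review bot: `destination: ${GH_AW_HOME}/actions` in the `Setup Scripts` hunks (here `@@ -1189,7 +1197,7 @@` and `@@ -75,7 +77,7 @@`, and once per job elsewhere in both files) is an action input, which the runner passes verbatim rather than through a shell. `./actions/setup` is not part of these hunks, so it is unclear whether it expands the variable itself; if it does not, the scripts are copied to a directory literally named `${GH_AW_HOME}` and every later `${GH_AW_HOME}/actions/...` call fails. The expression form avoids depending on that: `destination: ${{ env.GH_AW_HOME }}/actions`. If the action does expand it, it should also reject a value that does not resolve to an absolute path.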
@@ -125,9 +127,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -135,18 +137,18 @@ jobs: GH_AW_WORKFLOW_FILE: "grumpy-reviewer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -163,16 +165,16 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request_review_comment, submit_pull_request_review, missing_tool, missing_data, noop @@ -207,7 +209,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -225,9 +227,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -250,10 +252,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -279,11 +281,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -305,10 +307,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: grumpyreviewer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -329,16 +329,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -368,25 +372,25 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request_review_comment":{"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1},"submit_pull_request_review":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > 
/opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a review comment on a specific line of code in a pull request. Use this for inline code review feedback, suggestions, or questions about specific code changes. For general PR comments not tied to specific lines, use add_comment instead. CONSTRAINTS: Maximum 5 review comment(s) can be created. Comments will be on the RIGHT side of the diff.", @@ -567,7 +571,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request_review_comment": { "defaultMax": 1, @@ -704,8 +708,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -716,7 +720,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -744,7 +748,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -779,7 +783,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -813,7 +817,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -851,15 +855,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -869,7 +873,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -889,9 +893,9 @@ jobs: GH_AW_COMMAND: grumpy with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -915,18 +919,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1003,9 +1007,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1052,9 +1056,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1098,6 +1102,8 @@ jobs: concurrency: group: "gh-aw-conclusion-grumpy-reviewer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1112,7 +1118,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1136,9 +1142,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1149,9 +1155,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1171,9 +1177,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1188,9 +1194,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1214,7 +1220,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1223,9 +1229,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1234,9 +1240,9 @@ jobs: GH_AW_COMMANDS: "[\"grumpy\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: 
@@ -1250,6 +1256,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/grumpy-reviewer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 😤 *Reluctantly reviewed by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"😤 *sigh* [{workflow_name}]({run_url}) is begrudgingly looking at this {event_type}... This better be worth my time.\",\"runSuccess\":\"😤 Fine. [{workflow_name}]({run_url}) finished the review. It wasn't completely terrible. I guess. 🙄\",\"runFailure\":\"😤 Great. [{workflow_name}]({run_url}) {status}. As if my day couldn't get any worse...\"}" GH_AW_WORKFLOW_ID: "grumpy-reviewer" GH_AW_WORKFLOW_NAME: "Grumpy Code Reviewer 🔥" @@ -1270,7 +1277,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1296,9 +1303,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1315,6 +1322,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: grumpyreviewer steps: - name: Checkout actions folder 
@@ -1326,7 +1334,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 900740dd373..1b691f242d3 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -49,6 +49,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -64,7 +66,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +88,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
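Review bot: `run: ${GH_AW_HOME}/actions/validate_multi_secret.sh …` expands the variable unquoted, so a self-hosted install path containing spaces or glob characters is word-split, and an empty or unset value silently turns the command into `/actions/validate_multi_secret.sh` at the filesystem root. Quote the path, `"${GH_AW_HOME}/actions/validate_multi_secret.sh" COPILOT_GITHUB_TOKEN …`, and consider a fail-fast guard such as `: "${GH_AW_HOME:?GH_AW_HOME is not set}"` at the top of generated `run:` blocks. The same applies to the later `bash ${GH_AW_HOME}/actions/*.sh` invocations and to `mkdir -p ${GH_AW_HOME}/safeoutputs` and `cat > ${GH_AW_HOME}/safeoutputs/*.json` in the Write Safe Outputs Config steps of both remaining workflow files. The `cat "${GH_AW_HOME}/prompts/…"` lines are already quoted and show the intended style.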
@@ -108,9 +110,9 @@ jobs: GH_AW_WORKFLOW_FILE: "hourly-ci-cleaner.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,20 +130,20 @@ jobs: GH_AW_NEEDS_CHECK_CI_STATUS_OUTPUTS_CI_RUN_ID: ${{ needs.check_ci_status.outputs.ci_run_id }} GH_AW_NEEDS_CHECK_CI_STATUS_OUTPUTS_CI_STATUS: ${{ needs.check_ci_status.outputs.ci_status }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' 
@@ -193,9 +195,9 @@ jobs: GH_AW_NEEDS_CHECK_CI_STATUS_OUTPUTS_CI_STATUS: ${{ needs.check_ci_status.outputs.ci_status }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -214,10 +216,10 @@ jobs: GH_AW_NEEDS_CHECK_CI_STATUS_OUTPUTS_CI_STATUS: ${{ needs.check_ci_status.outputs.ci_status }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -239,11 +241,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -272,10 +274,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: hourlycicleaner outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -296,7 +296,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -308,9 +308,9 @@ jobs: GH_AW_AGENT_IMPORT_SPEC: "../agents/ci-cleaner.agent.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/merge_remote_agent_github_folder.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/merge_remote_agent_github_folder.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -320,7 +320,11 @@ jobs: cache-dependency-path: 'actions/setup/js/package-lock.json' package-manager-cache: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Install Make run: | sudo apt-get update 
@@ -358,14 +362,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -374,19 +378,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_missing_tool_issue":{"max":1,"title_prefix":"[missing tool]"},"create_pull_request":{"expires":48,"max":1,"title_prefix":"[ca] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. 
For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[ca] \".", @@ -532,7 +536,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -653,8 +657,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -665,7 +669,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
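Review bot: `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the `_CONFIG_PATH` line beside it look like entries of this step's `env:` map (the key itself is above the hunk), and Actions does not shell-expand `env:` values. The following `export` lines would then hand `start_safe_outputs_server.sh` a path that literally starts with `${GH_AW_HOME}`. Step-level `env:` also takes precedence over the values the Create gh-aw temp directory step now writes to `$GITHUB_ENV`, so the correct values from that step are shadowed. Either drop the two step-level entries and rely on `$GITHUB_ENV`, or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. The identical hunk in instructions-janitor.lock.yml needs the same change.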
@@ -694,7 +698,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -729,7 +733,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
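Review bot: The gateway container is still started with `-v /opt:/opt:ro` (unchanged context inside `MCP_GATEWAY_DOCKER_COMMAND`), while the `GH_AW_SAFE_OUTPUTS*` paths passed to it with `-e` now derive from `GH_AW_HOME`. If the gateway reads those files, they will not exist inside the container once `GH_AW_HOME` points outside `/opt`. Following the pattern already used for the workspace mount, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro` would keep the mount in step with the variable and narrow it from all of `/opt` to the gh-aw tree. The `run:` block begins above this hunk, so the exact quoting needs checking against the full export line.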
@@ -763,7 +767,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -801,15 +805,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -819,7 +823,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -838,9 +842,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -864,18 +868,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -947,9 +951,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -996,9 +1000,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1089,6 +1093,8 @@ jobs: concurrency: group: "gh-aw-conclusion-hourly-ci-cleaner" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1103,7 +1109,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1128,9 +1134,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1144,9 +1150,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1168,9 +1174,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1186,9 +1192,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1201,9 +1207,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1220,6 +1226,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/hourly-ci-cleaner" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "hourly-ci-cleaner" GH_AW_WORKFLOW_ID: "hourly-ci-cleaner" GH_AW_WORKFLOW_NAME: "CI Cleaner" @@ -1242,7 +1249,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1297,9 +1304,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 59ca55bb6c5..f1f49331b8e 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -44,6 +44,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -59,7 +61,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -81,11 +83,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders 
@@ -103,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "instructions-janitor.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -120,21 +122,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' 
@@ -179,9 +181,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -200,10 +202,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -225,11 +227,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -254,10 +256,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: instructionsjanitor outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -277,16 +277,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -316,9 +320,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -326,7 +330,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -337,19 +341,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1,"title_prefix":"[instructions] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. 
CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[instructions] \". Labels [\"documentation\" \"automation\" \"instructions\"] will be automatically added.", @@ -495,7 +499,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -616,8 +620,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -628,7 +632,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
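Review bot: In the step that launches the safe outputs server (`@@ -616,8 +620,8 @@`), `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the matching `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` line sit under the step's `env:`, where no shell expansion happens. The exported variables therefore hold the literal string `${GH_AW_HOME}/…`, and that step-level value overrides the resolved path the 'Create gh-aw temp directory' step wrote to `$GITHUB_ENV`. Unless `start_safe_outputs_server.sh` expands the value itself (not visible here), the server would presumably be pointed at a tools/config path that does not exist. Either drop the two step-level entries and rely on `$GITHUB_ENV`, or write `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. The issue-arborist hunk `@@ -716,8 +720,8 @@` carries the same two lines.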
@@ -656,7 +660,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -690,7 +694,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
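Review bot: `MCP_GATEWAY_DOCKER_COMMAND` in `@@ -656,7 +660,7 @@` still mounts `-v /opt:/opt:ro`, while the script and safeoutputs paths around it now follow `${GH_AW_HOME}`. With the default `/opt/gh-aw` nothing changes, but on a runner where GH_AW_HOME points outside `/opt` the gateway container would presumably not see the files named by the `-e GH_AW_SAFE_OUTPUTS*` variables it is handed. Mounting the resolved directory instead, spliced in the way `${GITHUB_WORKSPACE}` already is (`-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`), would also narrow the read-only mount from all of `/opt` to the one directory the gateway needs. The docker command is an unchanged context line here, so the change has to be made in the generator that emits it.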
@@ -834,15 +838,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -852,7 +856,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -871,9 +875,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -889,18 +893,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -978,9 +982,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
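Review bot: In the threat-detection setup step (`@@ -978,9 +982,9 @@`), `require('${GH_AW_HOME}/actions/setup_globals.cjs')` is a single-quoted JavaScript string inside a github-script `script:` block, so `${GH_AW_HOME}` is never expanded and Node is asked to load a path beginning with those literal characters. The other script steps in this file use `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, the form `JsRequireGhAw` produces; these call sites look like they still interpolate the shell constant `SetupActionDestination` into JS. The same literal appears in the conclusion-job steps (noop, missing_tool, handle_agent_failure, handle_noop_message, handle_create_pr_error) of instructions-janitor and in the matching issue-arborist hunks. Since the affected steps set up threat detection and report agent failures, a generator test asserting that compiled output never contains `require('${` would catch this before the lock files are regenerated.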
@@ -1038,9 +1042,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1085,6 +1089,8 @@ jobs: concurrency: group: "gh-aw-conclusion-instructions-janitor" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1099,7 +1105,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1123,9 +1129,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1136,9 +1142,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1158,9 +1164,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1175,9 +1181,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error 
@@ -1189,9 +1195,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1208,6 +1214,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/instructions-janitor" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "instructions-janitor" GH_AW_WORKFLOW_NAME: "Instructions Janitor" outputs: @@ -1229,7 +1236,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1284,9 +1291,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1303,6 +1310,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: instructionsjanitor steps: - name: Checkout actions folder 
@@ -1314,7 +1322,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index f341df7286f..177f6c35f71 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,11 +90,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} 
@@ -111,9 +113,9 @@ jobs: GH_AW_WORKFLOW_FILE: "issue-arborist.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,15 +130,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, create_discussion, link_sub_issue, missing_tool, missing_data, noop @@ -187,9 +189,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -205,10 +207,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -227,11 +229,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -255,10 +257,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: issuearborist outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -278,13 +278,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -315,9 +319,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 
@@ -327,18 +331,18 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"create_issue":{"expires":48,"group":true,"max":5},"link_sub_issue":{"max":50},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 5 issue(s) can be created. Title will be prefixed with \"[Parent] \".", 
@@ -554,7 +558,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -716,8 +720,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -728,7 +732,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -780,7 +784,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -814,7 +818,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail 
@@ -856,15 +860,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -875,7 +879,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -894,9 +898,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -920,18 +924,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1002,9 +1006,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1038,9 +1042,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1084,6 +1088,8 @@ jobs: concurrency: group: "gh-aw-conclusion-issue-arborist" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1098,7 +1104,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1122,9 +1128,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1135,9 +1141,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1157,9 +1163,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1174,9 +1180,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1191,6 +1197,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/issue-arborist" GH_AW_ENGINE_ID: "codex" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "issue-arborist" GH_AW_WORKFLOW_NAME: "Issue Arborist" outputs: 
@@ -1212,7 +1219,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1238,9 +1245,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 25001b03af8..9a42715d06e 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -52,6 +52,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -67,7 +69,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -92,11 +94,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -114,9 +116,9 @@ jobs: GH_AW_WORKFLOW_FILE: "issue-monster.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -134,15 +136,15 @@ jobs: GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_LIST: ${{ needs.search_issues.outputs.issue_list }} GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_NUMBERS: ${{ needs.search_issues.outputs.issue_numbers }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, assign_to_agent, missing_tool, missing_data, noop @@ -193,9 +195,9 @@ jobs: GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_NUMBERS: ${{ needs.search_issues.outputs.issue_numbers }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -215,10 +217,10 @@ jobs: GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_NUMBERS: ${{ needs.search_issues.outputs.issue_numbers }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -241,11 +243,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -272,10 +274,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: issuemonster outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -296,13 +296,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
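Review bot: `bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh` in the Create gh-aw temp directory step leaves the variable unquoted, while the `echo` lines directly below it quote theirs. Now that the path is configurable for self-hosted runners, a home directory containing spaces or glob characters would be word-split by the shell. `bash "${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh"` avoids that. The same applies to the `mkdir -p ${GH_AW_HOME}/safeoutputs` and `cat > ${GH_AW_HOME}/safeoutputs/config.json` lines and to the other `run:` steps changed in this commit.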
@@ -325,25 +329,25 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":3,"target":"*"},"assign_to_agent":{"allowed":["copilot"],"max":3,"target":"*"},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > 
/opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 3 comment(s) can be added. Target: *.", @@ -517,7 +521,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -645,8 +649,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection 
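Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are YAML values rather than shell, so the safe-outputs server is handed the unexpanded string. They also take precedence over the resolved values that the Create gh-aw temp directory step now writes to `$GITHUB_ENV`. Either drop the two entries so the `$GITHUB_ENV` values apply, or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. issue-triage-agent carries the same pair.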
@@ -657,7 +661,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -685,7 +689,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { 
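Review bot: The `MCP_GATEWAY_DOCKER_COMMAND` context line in the Start MCP Gateway hunk still mounts `-v /opt:/opt:ro`, which only covers the default `GH_AW_HOME`. With a home outside `/opt`, the gateway container would presumably not see the `GH_AW_SAFE_OUTPUTS_*` paths passed to it with `-e`. Mounting the resolved directory in the same quoting style as the workspace mount, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, would track the variable and narrow the mount from all of `/opt`. The same command appears unchanged in issue-triage-agent.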
@@ -720,7 +724,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -754,7 +758,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -792,15 +796,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -810,7 +814,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -829,9 +833,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -855,18 +859,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -937,9 +941,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -986,9 +990,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1033,6 +1037,8 @@ jobs: concurrency: group: "gh-aw-conclusion-issue-monster" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1047,7 +1053,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1071,9 +1077,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1084,9 +1090,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1108,9 +1114,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1125,9 +1131,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1147,7 +1153,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1156,9 +1162,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1169,9 +1175,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "5" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); - name: Check skip-if-no-match query id: check_skip_if_no_match 
@@ -1182,9 +1188,9 @@ jobs: GH_AW_SKIP_MIN_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_no_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_no_match.cjs'); await main(); safe_outputs: @@ -1201,6 +1207,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/issue-monster" GH_AW_ENGINE_ID: "copilot" GH_AW_ENGINE_MODEL: "gpt-5.1-codex-mini" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🍪 *Om nom nom by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🍪 ISSUE! ISSUE! [{workflow_name}]({run_url}) hungry for issues on this {event_type}! Om nom nom...\",\"runSuccess\":\"🍪 YUMMY! [{workflow_name}]({run_url}) ate the issues! That was DELICIOUS! Me want MORE! 😋\",\"runFailure\":\"🍪 Aww... [{workflow_name}]({run_url}) {status}. No cookie for monster today... 😢\"}" GH_AW_WORKFLOW_ID: "issue-monster" GH_AW_WORKFLOW_NAME: "Issue Monster" @@ -1226,7 +1233,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1252,9 +1259,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign to agent id: assign_to_agent 
@@ -1268,9 +1275,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/assign_to_agent.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/assign_to_agent.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 0f935840726..8f31c715939 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -46,6 +46,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -61,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +88,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
@@ -108,9 +110,9 @@ jobs: GH_AW_WORKFLOW_FILE: "issue-triage-agent.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,15 +127,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, add_labels, missing_tool, missing_data, noop @@ -184,9 +186,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -202,10 +204,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -224,11 +226,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -252,10 +254,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: issuetriageagent outputs: detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }} 
@@ -275,13 +275,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -295,20 +299,20 @@ jobs: git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"add_labels":{"allowed":["bug","feature","enhancement","documentation","question","help-wanted","good-first-issue"],"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. 
Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -471,7 +475,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -593,8 +597,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -605,7 +609,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -633,7 +637,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -668,7 +672,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -702,7 +706,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -740,15 +744,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -758,7 +762,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -777,9 +781,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -803,18 +807,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -885,9 +889,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -934,9 +938,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -981,6 +985,8 @@ jobs: concurrency: group: "gh-aw-conclusion-issue-triage-agent" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -995,7 +1001,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
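Review bot: In the hunk at -885,9 the new lines `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')` put a shell-style variable inside a single-quoted JavaScript string. Neither github-script nor the runner expands it, so Node is asked to load a path that literally begins with `${GH_AW_HOME}` and the step will fail to find the module. Every other script step in this patch uses the working form, `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and these should match. The same literal form is in the conclusion-job hunks at -1019,9, -1032,9, -1052,9 and -1069,9, and in jsweep.lock.yml at -932,9, -1067,9, -1081,9, -1105,9, -1123,9 and -1138,9. That suggests one generator code path still emits the shell constant instead of the JS one.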
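Review bot: In the hunk at -995,7, `destination: ${GH_AW_HOME}/actions` is a `with:` input, and the runner passes `with:` values through unchanged apart from `${{ }}` expressions. Unless `./actions/setup` expands shell-style variables in its `destination` input itself (not visible here), the scripts would be copied to a directory literally named `${GH_AW_HOME}/actions`, while later steps look under the resolved path. The expression form avoids depending on that: `destination: ${{ env.GH_AW_HOME }}/actions`. The same line recurs in every `Setup Scripts` step of this patch, e.g. at -1108,7 and in jsweep.lock.yml at -59,7, -281,7, -1042,7, -1179,7 and -1264,7.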
@@ -1019,9 +1025,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1032,9 +1038,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1052,9 +1058,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1069,9 +1075,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1087,6 +1093,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/issue-triage-agent" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "issue-triage-agent" GH_AW_WORKFLOW_NAME: "Issue Triage Agent" outputs: @@ -1108,7 +1115,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1134,9 +1141,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index fd5ef2a1bf8..24676cd19db 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -44,6 +44,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -59,7 +61,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -81,11 +83,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -103,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "jsweep.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -120,21 +122,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -181,9 +183,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -202,10 +204,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -227,11 +229,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -257,10 +259,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: jsweep outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -281,7 +281,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -292,14 +292,18 @@ jobs: node-version: '20' package-manager-cache: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Install Node.js dependencies run: npm install working-directory: actions/setup/js # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -329,14 +333,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -345,19 +349,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"draft":true,"expires":48,"max":1,"title_prefix":"[jsweep] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. 
For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[jsweep] \". Labels [\"unbloat\" \"automation\"] will be automatically added. PRs will be created as drafts.", @@ -503,7 +507,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -624,8 +628,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -636,7 +640,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
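Review bot: In the hunk at -345,19, `mkdir -p ${GH_AW_HOME}/safeoutputs` and the `cat > ${GH_AW_HOME}/safeoutputs/config.json` and `tools.json` redirections expand the variable unquoted and unchecked. A runner-specific path containing spaces would be word-split, and an empty or unset value would make these steps write under `/safeoutputs` at the filesystem root. Quote and guard the expansion, e.g. `mkdir -p "${GH_AW_HOME:?}/safeoutputs"` and `cat > "${GH_AW_HOME:?}/safeoutputs/config.json" << '...'`. The same applies to the `bash ${GH_AW_HOME}/actions/...` invocations and the `validation.json` redirect elsewhere in the patch.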
@@ -665,7 +669,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -708,7 +712,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -742,7 +746,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -780,15 +784,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -798,7 +802,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -817,9 +821,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -843,18 +847,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -932,9 +936,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -981,9 +985,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1028,6 +1032,8 @@ jobs: concurrency: group: "gh-aw-conclusion-jsweep" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1042,7 +1048,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1067,9 +1073,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1081,9 +1087,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1105,9 +1111,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1123,9 +1129,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1138,9 +1144,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1157,6 +1163,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/jsweep" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "jsweep-daily" GH_AW_WORKFLOW_ID: "jsweep" GH_AW_WORKFLOW_NAME: "jsweep - JavaScript Unbloater" @@ -1179,7 +1186,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1234,9 +1241,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1253,6 +1260,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: jsweep steps: - name: Checkout actions folder @@ -1264,7 +1272,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index 4d7210194cb..12724ac22ed 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -45,6 +45,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -60,7 +62,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -82,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -104,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "layout-spec-maintainer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -121,20 +123,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -179,9 +181,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -197,10 +199,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -219,11 +221,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -248,10 +250,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: layoutspecmaintainer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -272,13 +272,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache configuration from frontmatter processed below - name: Cache layout spec data uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 @@ -308,14 +312,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
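Review bot: `destination: ${GH_AW_HOME}/actions` is an action input under `with:`, where the runner does no shell expansion, so `./actions/setup` receives the literal text `${GH_AW_HOME}/actions` unless the action expands it itself (its implementation is not visible in this diff). If it does not, the scripts land in a directory literally named `${GH_AW_HOME}` and the later `require(process.env.GH_AW_HOME + ...)` and `bash ${GH_AW_HOME}/...` calls will not find them. An expression is resolved before the action runs and removes the dependency on the action's behaviour: `destination: ${{ env.GH_AW_HOME }}/actions`. The same input appears in the conclusion and safe_outputs jobs of this file and in lockfile-stats.lock.yml.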
@@ -324,19 +328,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1,"title_prefix":"[specs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. 
CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[specs] \". Labels [\"documentation\" \"automation\"] will be automatically added.", @@ -482,7 +486,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -603,8 +607,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -615,7 +619,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -644,7 +648,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -679,7 +683,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
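Review bot: The `MCP_GATEWAY_DOCKER_COMMAND` context line above the change still bind-mounts a fixed `-v /opt:/opt:ro`, while this hunk moves the script path to `${GH_AW_HOME}`. With the default `/opt/gh-aw` nothing changes, but a self-hosted runner that sets GH_AW_HOME outside `/opt` would start a gateway container that cannot see the safeoutputs files whose paths are passed in through `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH`. Mounting only the resolved home, following the quoting already used for the workspace mount (`-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`), would keep the container in step and expose less of the host than all of `/opt`. The same line is in lockfile-stats.lock.yml.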
@@ -742,7 +746,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -780,15 +784,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -798,7 +802,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -817,9 +821,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -843,18 +847,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -926,9 +930,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -975,9 +979,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1021,6 +1025,8 @@ jobs: concurrency: group: "gh-aw-conclusion-layout-spec-maintainer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1035,7 +1041,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
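Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` in the threat-detection setup step is a single-quoted JavaScript string, so `${GH_AW_HOME}` is never substituted and Node is asked for a path that literally begins with `${GH_AW_HOME}`. Every other github-script step in this file uses `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and these lines should match it. As written, the setup_threat_detection step and the conclusion-job handlers (noop, missing_tool, handle_agent_failure, handle_noop_message, handle_create_pr_error) would presumably fail at module load, so detection setup and failure reporting would not run. The same literal form is in the later hunks of this file and in the matching steps of lockfile-stats.lock.yml; since the lock files look generated, the code path emitting these steps likely still uses the shell constant `GhAwHome` where `GhAwHomeJS` / `JsRequireGhAw` is needed.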
@@ -1060,9 +1066,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1074,9 +1080,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1098,9 +1104,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1116,9 +1122,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1131,9 +1137,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1150,6 +1156,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/layout-spec-maintainer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "layout-spec-maintainer" GH_AW_WORKFLOW_ID: "layout-spec-maintainer" GH_AW_WORKFLOW_NAME: "Layout Specification Maintainer" @@ -1172,7 +1179,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1227,9 +1234,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 3ba38ec5449..53ceccacbe0 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders 
@@ -107,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "lockfile-stats.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -124,16 +126,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -184,9 +186,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -205,10 +207,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -230,11 +232,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -259,10 +261,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: lockfilestats outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -282,16 +282,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -321,9 +325,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 
@@ -331,7 +335,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -342,19 +346,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. 
CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -485,7 +489,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -596,8 +600,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -608,7 +612,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -636,7 +640,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -670,7 +674,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
@@ -791,15 +795,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -809,7 +813,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -828,9 +832,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -846,18 +850,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -934,9 +938,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -994,9 +998,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1041,6 +1045,8 @@ jobs: concurrency: group: "gh-aw-conclusion-lockfile-stats" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1055,7 +1061,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1079,9 +1085,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
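Review bot: `destination: ${GH_AW_HOME}/actions` in the Setup Scripts step is a `with:` input, and the runner does not shell-expand input values, so `./actions/setup` receives the literal text unless the action expands it itself (its code is not visible here). The expression form is unambiguous: `destination: ${{ env.GH_AW_HOME }}/actions`. The same applies to every other `destination:` change in this patch. It applies more clearly to `path: ${GH_AW_HOME}/safe-jobs/` on actions/download-artifact in the notion_add_comment job and in the job with the "Post message to Slack" step of mcp-inspector.lock.yml, where the following `find "${GH_AW_HOME}/safe-jobs/"` would look in a different directory from the one the artifact was written to.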
@@ -1092,9 +1098,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1114,9 +1120,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1131,9 +1137,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1148,6 +1154,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/lockfile-stats" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "lockfile-stats" GH_AW_WORKFLOW_NAME: "Lockfile Statistics Analysis Agent" outputs: 
@@ -1167,7 +1174,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1193,9 +1200,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1212,6 +1219,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: lockfilestats steps: - name: Checkout actions folder @@ -1223,7 +1231,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 78f0c3d65e7..b24e8bcb638 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -63,6 +63,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -78,7 +80,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -100,11 +102,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -122,9 +124,9 @@ jobs: GH_AW_WORKFLOW_FILE: "mcp-inspector.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -139,16 +141,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -243,9 +245,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -264,10 +266,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -289,11 +291,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -319,10 +321,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: mcpinspector outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -343,7 +343,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -390,10 +390,14 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -423,14 +427,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -439,10 +443,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcp/arxiv-mcp-server mcp/ast-grep:latest mcp/context7 mcp/markitdown mcp/memory mcp/notion node:lts-alpine python:alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcp/arxiv-mcp-server mcp/ast-grep:latest mcp/context7 mcp/markitdown mcp/memory mcp/notion node:lts-alpine python:alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -456,26 +460,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"notion-add-comment":{"description":"Add a comment to a Notion page","inputs":{"comment":{"default":null,"description":"The comment text to add","required":true,"type":"string"}},"output":"Comment added to Notion successfully!"},"post-to-slack-channel":{"description":"Post a message to a Slack channel. Message must be 200 characters or less. Supports basic Slack markdown: *bold*, _italic_, ~strike~, `code`, ```code block```, \u003equote, and links \u003curl|text\u003e. 
Requires GH_AW_SLACK_CHANNEL_ID environment variable to be set.","inputs":{"message":{"default":null,"description":"The message to post (max 200 characters, supports Slack markdown)","required":true,"type":"string"}},"output":"Message posted to Slack successfully!"}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -640,7 +644,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -751,8 +755,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection 
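Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are plain YAML strings, so the script exports the unexpanded text to start_safe_outputs_server.sh. They also take precedence over the resolved values that the "Create gh-aw temp directory" step of this patch writes to `$GITHUB_ENV`, assuming both steps are in the same job. Either delete the two entries and rely on `$GITHUB_ENV`, or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. The step's `run:` body continues past the end of the hunk.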
@@ -763,7 +767,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -806,7 +810,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e AZURE_CLIENT_ID -e AZURE_CLIENT_SECRET -e AZURE_TENANT_ID -e BRAVE_API_KEY -e CONTEXT7_API_KEY -e DD_API_KEY -e DD_APPLICATION_KEY -e DD_SITE -e NOTION_API_TOKEN -e SENTRY_ACCESS_TOKEN -e SENTRY_HOST -e SENTRY_OPENAI_API_KEY -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { 
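Review bot: The `MCP_GATEWAY_DOCKER_COMMAND` context line above the changed `cat` still mounts `-v /opt:/opt:ro`, so the relocation this patch introduces only reaches the gateway container while GH_AW_HOME stays under /opt. The per-server mount constant was updated to `${GH_AW_HOME:-/opt/gh-aw}` in pkg/constants, but this gateway command was not. If the gateway reads the safeoutputs files named by the `GH_AW_SAFE_OUTPUTS_*` variables passed with `-e` (inferred, not shown here), a home outside /opt would leave them missing inside the container. Following the quoting already used for the workspace mount, adding `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro` would cover it.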
@@ -1040,7 +1044,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1078,7 +1082,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -1116,15 +1120,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'AZURE_CLIENT_ID,AZURE_CLIENT_SECRET,AZURE_TENANT_ID,BRAVE_API_KEY,CONTEXT7_API_KEY,COPILOT_GITHUB_TOKEN,DD_API_KEY,DD_APPLICATION_KEY,DD_SITE,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,NOTION_API_TOKEN,SENTRY_ACCESS_TOKEN,SENTRY_OPENAI_API_KEY,TAVILY_API_KEY' 
@@ -1146,7 +1150,7 @@ jobs: SECRET_TAVILY_API_KEY: ${{ secrets.TAVILY_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -1165,9 +1169,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1191,18 +1195,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1279,9 +1283,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1328,9 +1332,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1377,6 +1381,8 @@ jobs: concurrency: group: "gh-aw-conclusion-mcp-inspector" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1391,7 +1397,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1415,9 +1421,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1428,9 +1434,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1451,9 +1457,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1468,9 +1474,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); notion_add_comment: @@ -1480,17 +1486,19 @@ jobs: runs-on: ubuntu-latest permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw steps: - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 with: name: agent-output - path: /opt/gh-aw/safe-jobs/ + path: ${GH_AW_HOME}/safe-jobs/ - name: Setup Safe Job Environment Variables run: | - find "/opt/gh-aw/safe-jobs/" -type f -print - echo "GH_AW_AGENT_OUTPUT=/opt/gh-aw/safe-jobs/agent_output.json" >> "$GITHUB_ENV" + find "${GH_AW_HOME}/safe-jobs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=${GH_AW_HOME}/safe-jobs/agent_output.json" >> "$GITHUB_ENV" - name: Add comment to Notion page uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: 
@@ -1608,17 +1616,19 @@ jobs: runs-on: ubuntu-latest permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw steps: - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 with: name: agent-output - path: /opt/gh-aw/safe-jobs/ + path: ${GH_AW_HOME}/safe-jobs/ - name: Setup Safe Job Environment Variables run: | - find "/opt/gh-aw/safe-jobs/" -type f -print - echo "GH_AW_AGENT_OUTPUT=/opt/gh-aw/safe-jobs/agent_output.json" >> "$GITHUB_ENV" + find "${GH_AW_HOME}/safe-jobs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=${GH_AW_HOME}/safe-jobs/agent_output.json" >> "$GITHUB_ENV" - name: Post message to Slack uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: @@ -1755,6 +1765,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/mcp-inspector" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "mcp-inspector" GH_AW_WORKFLOW_NAME: "MCP Inspector Agent" outputs: @@ -1774,7 +1785,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1800,9 +1811,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1819,6 +1830,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: mcpinspector steps: - name: Checkout actions folder 
@@ -1830,7 +1842,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 8ef86696c1e..39f6889dc6a 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -51,6 +51,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -70,7 +72,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -92,11 +94,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
@@ -117,9 +119,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -127,18 +129,18 @@ jobs: GH_AW_WORKFLOW_FILE: "mergefest.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -154,20 +156,20 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: push_to_pull_request_branch, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_push_to_pr_branch.md" cat << 'GH_AW_PROMPT_EOF' @@ -200,7 +202,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -218,9 +220,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
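Review bot: `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` leaves the expansion unquoted, while the `cat "${GH_AW_HOME}/prompts/…"` lines in the same `run:` block quote it. With the default `/opt/gh-aw` this is harmless, but the variable exists so a runner can choose the location, and a value containing whitespace or glob characters would be word-split. Quote it consistently, `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"`. The same applies to the other `run:` lines in this file and to `mkdir -p ${GH_AW_HOME}` and `cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw` in metrics-collector.lock.yml.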
@@ -239,10 +241,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND: ${{ needs.pre_activation.outputs.matched_command }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -264,11 +266,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -291,10 +293,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: mergefest outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -315,13 +315,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials run: "git config user.name \"github-actions[bot]\"\ngit config user.email \"github-actions[bot]@users.noreply.github.com\"\n\n# Create .gitignore to exclude workflow YAML files\ncat > /tmp/merge-gitignore << 'EOF'\n# Exclude all .yml files in .github/workflows/\n.github/workflows/*.yml\nEOF" 
@@ -347,14 +351,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -363,19 +367,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Push committed changes to a pull request's branch. Use this to add follow-up commits to an existing PR, such as addressing review feedback or fixing issues. Changes must be committed locally before calling this tool.", 
@@ -508,7 +512,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "missing_data": { "defaultMax": 20, @@ -613,8 +617,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -625,7 +629,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -654,7 +658,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -689,7 +693,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
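Review bot: `MCP_GATEWAY_DOCKER_COMMAND` in this step's unchanged context still mounts `-v /opt:/opt:ro`, so the gateway container sees the gh-aw files only when `GH_AW_HOME` sits under `/opt`. With any other location, the `GH_AW_SAFE_OUTPUTS*` paths forwarded with `-e` name files the container cannot read. Consider mounting the resolved directory read-only in the quoting style the command already uses for the workspace, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. The same command appears in metrics-collector.lock.yml, and the step's body continues outside the hunk.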
@@ -762,7 +766,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -800,15 +804,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -818,7 +822,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -838,9 +842,9 @@ jobs: GH_AW_COMMAND: mergefest with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -864,18 +868,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -947,9 +951,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -996,9 +1000,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1041,6 +1045,8 @@ jobs: concurrency: group: "gh-aw-conclusion-mergefest" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1055,7 +1061,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
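Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` in the threat-detection setup step is a single-quoted JavaScript string, so `${GH_AW_HOME}` is never substituted and the module lookup uses that literal path. The step would throw before `setup_threat_detection.cjs` runs. Whether the job then stops or carries on depends on step conditions outside the hunk, which is worth verifying because this step is a security check. Use the form the other steps in this file already use, `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`. The same literal appears in the noop, missing_tool, handle_agent_failure and handle_noop_message steps of the conclusion job further down.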
@@ -1079,9 +1085,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1092,9 +1098,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1115,9 +1121,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1132,9 +1138,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1157,7 +1163,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1166,9 +1172,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1177,9 +1183,9 @@ jobs: GH_AW_COMMANDS: "[\"mergefest\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: 
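Review bot: The `pre_activation` job's steps now depend on `GH_AW_HOME` (`destination: ${GH_AW_HOME}/actions`, `require(process.env.GH_AW_HOME + '/actions/check_membership.cjs')`), but no hunk adds `GH_AW_HOME: /opt/gh-aw` to that job's `env:` as is done for the other jobs in this file. Unless the variable is set at workflow level or exported by the setup action (neither is visible here), `process.env.GH_AW_HOME` is `undefined` and `check_membership.cjs` cannot be loaded, which breaks the membership gate. Add the same `env:` entry to `pre_activation`. The `pre_activation` job in metrics-collector.lock.yml looks to have the same gap.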
@@ -1195,6 +1201,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/mergefest" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "mergefest" GH_AW_WORKFLOW_NAME: "Mergefest" outputs: @@ -1216,7 +1223,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1271,9 +1278,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index 6531942a392..fb4d1db875b 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -46,6 +46,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -61,7 +63,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -83,11 +85,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -105,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "metrics-collector.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -121,15 +123,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -174,9 +176,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -199,10 +201,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -228,11 +230,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -255,6 +257,7 @@ jobs: concurrency: group: "gh-aw-copilot-${{ github.workflow }}" env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: metricscollector outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -270,7 +273,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -306,7 +309,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) env: 
@@ -316,7 +323,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -339,14 +346,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -355,10 +362,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -372,13 +379,13 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 
@@ -408,7 +415,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -448,7 +455,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -481,7 +488,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -519,15 +526,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -537,7 +544,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload engine output files uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: 
@@ -553,18 +560,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -621,7 +628,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -630,9 +637,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); push_repo_memory: 
@@ -644,6 +651,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} @@ -657,7 +666,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -700,8 +709,8 @@ jobs: FILE_GLOB_FILTER: "metrics/**" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 14474ceeac0..c718d2dc001 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -50,6 +50,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -65,7 +67,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -87,11 +89,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -109,9 +111,9 @@ jobs: GH_AW_WORKFLOW_FILE: "notion-issue-summary.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -127,15 +129,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: missing_tool, missing_data, noop @@ -186,9 +188,9 @@ jobs: GH_AW_EXPR_FD3E9604: ${{ github.event.inputs.issue-number }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -205,10 +207,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -228,11 +230,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -255,10 +257,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: notionissuesummary outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -277,13 +277,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -306,14 +310,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -322,19 +326,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcp/notion node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcp/notion node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"missing_data":{},"missing_tool":{},"noop":{"max":1},"notion-add-comment":{"description":"Add a comment to a Notion page","inputs":{"comment":{"default":null,"description":"The comment text to add","required":true,"type":"string"}},"output":"Comment added to Notion successfully!"}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or 
limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", @@ -448,7 +452,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "missing_data": { "defaultMax": 20, @@ -533,8 +537,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -545,7 +549,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
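Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` (hunk `@@ -533,8 +537,8 @@`) are YAML values, which the runner does not shell-expand, so the `export` lines below hand the safe-outputs server the literal text `${GH_AW_HOME}/…`. Being step-level, they would also take precedence over the resolved values that the `Create gh-aw temp directory` step now appends to `$GITHUB_ENV`. Either delete the two entries so the `$GITHUB_ENV` values are used, or write them as `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`. The org-health-report workflow repeats this in hunk `@@ -655,8 +659,8 @@`.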
@@ -575,7 +579,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e NOTION_API_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -623,7 +627,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
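Review bot: `MCP_GATEWAY_DOCKER_COMMAND` in hunk `@@ -575,7 +579,7 @@` still mounts only `-v /opt:/opt:ro`, while the `GH_AW_SAFE_OUTPUTS*` paths it forwards with `-e` now resolve under `GH_AW_HOME`. With a home outside `/opt`, which is the case this commit is meant to enable, those paths would not exist inside the gateway container. Mounting the home read-only, spliced in the way the workspace already is, keeps the container's view narrow and correct: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. The org-health-report workflow has the same command in hunk `@@ -698,7 +702,7 @@`.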
@@ -657,7 +661,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -695,15 +699,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,NOTION_API_TOKEN' @@ -714,7 +718,7 @@ jobs: SECRET_NOTION_API_TOKEN: ${{ secrets.NOTION_API_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -733,9 +737,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -759,18 +763,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -812,6 +816,8 @@ jobs: concurrency: group: "gh-aw-conclusion-notion-issue-summary" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} 
@@ -826,7 +832,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -850,9 +856,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -863,9 +869,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -884,9 +890,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
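Review bot: The `require('${GH_AW_HOME}/actions/setup_globals.cjs')` calls in the conclusion job (the `noop`, `missing_tool` and `handle_agent_failure` steps in these hunks, and `handle_noop_message` in hunk `@@ -901,9 +907,9 @@`) put shell syntax inside a single-quoted JavaScript string, where nothing expands it, so `require` gets a path that does not exist and each step throws. That disables the failure, missing-tool and no-op reporting this job exists for. Every other job in the diff uses `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and these steps should too. Since the file is compiled output, the generator path that emits the conclusion-job scripts is presumably still using the shell constant instead of the JavaScript one.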
@@ -901,9 +907,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); notion_add_comment: @@ -913,17 +919,19 @@ jobs: runs-on: ubuntu-latest permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw steps: - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 with: name: agent-output - path: /opt/gh-aw/safe-jobs/ + path: ${GH_AW_HOME}/safe-jobs/ - name: Setup Safe Job Environment Variables run: | - find "/opt/gh-aw/safe-jobs/" -type f -print - echo "GH_AW_AGENT_OUTPUT=/opt/gh-aw/safe-jobs/agent_output.json" >> "$GITHUB_ENV" + find "${GH_AW_HOME}/safe-jobs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=${GH_AW_HOME}/safe-jobs/agent_output.json" >> "$GITHUB_ENV" - name: Add comment to Notion page uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: @@ -1042,6 +1050,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/notion-issue-summary" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "notion-issue-summary" GH_AW_WORKFLOW_NAME: "Issue Summary to Notion" outputs: @@ -1061,7 +1070,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1087,9 +1096,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index fda3baa3975..a0742f8737e 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -50,6 +50,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -65,7 +67,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,11 +92,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
@@ -112,9 +114,9 @@ jobs: GH_AW_WORKFLOW_FILE: "org-health-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,16 +131,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -196,9 +198,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -217,10 +219,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -242,11 +244,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -273,10 +275,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: orghealthreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -297,13 +297,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -331,7 +335,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -361,25 +365,25 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 
'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"reports\".", @@ -535,7 +539,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -655,8 +659,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -667,7 +671,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -698,7 +702,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -733,7 +737,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -770,7 +774,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -808,15 +812,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -826,7 +830,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -845,9 +849,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -871,18 +875,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -968,9 +972,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1017,9 +1021,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1065,6 +1069,8 @@ jobs: concurrency: group: "gh-aw-conclusion-org-health-report" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1079,7 +1085,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
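Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` in the `@@ -968,9 +972,9` hunk is a single-quoted JavaScript string, so nothing expands `${GH_AW_HOME}` and Node is asked for a module literally named `${GH_AW_HOME}/actions/...`. The step that loads `setup_threat_detection.cjs` would then fail at the first `require`, and whether the job treats that as a blocking failure is not visible here. Use the form the neighbouring steps already have: `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')` and `require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs')`. The same literal form appears in the `noop`, `missing_tool`, `handle_agent_failure`, `handle_noop_message` and `upload_assets` steps of this file and in the matching pdf-summary hunks, which suggests one code path in the workflow compiler still emits the shell-style constant into script bodies.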
@@ -1103,9 +1109,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1116,9 +1122,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1139,9 +1145,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1156,9 +1162,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1173,6 +1179,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/org-health-report" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "org-health-report" GH_AW_WORKFLOW_NAME: "Organization Health Report" outputs: @@ -1192,7 +1199,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1218,9 +1225,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1237,6 +1244,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: orghealthreport steps: - name: Checkout actions folder 
@@ -1248,7 +1256,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1292,7 +1300,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1347,8 +1355,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 732a62459c2..01753cb0a5f 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -74,6 +74,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -93,7 +95,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -115,11 +117,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -140,9 +142,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -150,18 +152,18 @@ jobs: GH_AW_WORKFLOW_FILE: "pdf-summary.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -181,16 +183,16 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_discussion, missing_tool, missing_data, noop 
@@ -225,7 +227,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -249,9 +251,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -277,10 +279,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -309,11 +311,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -337,10 +339,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: pdfsummary outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -361,16 +361,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
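Review bot: `bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh` in the `@@ -361,16 +361,20` hunk expands the variable unquoted, while the three `echo ... >> "$GITHUB_ENV"` lines right below it quote theirs. With a self-hosted home directory that contains spaces or glob characters the path splits into several words and a different file, or none, is executed. Write `bash "${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh"`, and quote the same way in `bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh`, `mkdir -p ${GH_AW_HOME}/safeoutputs`, the `cat > ${GH_AW_HOME}/safeoutputs/*.json` redirections and the other `bash ${GH_AW_HOME}/...` lines in this patch; the prompt hunks already do (`cat "${GH_AW_HOME}/prompts/xpia.md"`). A short comment on the step noting that the three `GH_AW_SAFE_OUTPUTS*` variables are only defined for steps that run after this one would help, since they used to be job-level `env:` entries.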
@@ -400,14 +404,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -416,19 +420,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcp/markitdown node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcp/markitdown node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. 
For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created.", @@ -596,7 +600,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -725,8 +729,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -737,7 +741,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -766,7 +770,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -808,7 +812,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -842,7 +846,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -880,15 +884,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -898,7 +902,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -918,9 +922,9 @@ jobs: GH_AW_COMMAND: summarize with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -944,18 +948,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1032,9 +1036,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1081,9 +1085,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1129,6 +1133,8 @@ jobs: concurrency: group: "gh-aw-conclusion-pdf-summary" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1143,7 +1149,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1167,9 +1173,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1180,9 +1186,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1204,9 +1210,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1221,9 +1227,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1249,7 +1255,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1258,9 +1264,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1269,9 +1275,9 @@ jobs: GH_AW_COMMANDS: "[\"summarize\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: 
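Review bot: The `pre_activation` job gets `destination: ${GH_AW_HOME}/actions` and `require(process.env.GH_AW_HOME + '/actions/check_membership.cjs')` in the `@@ -1249,7 +1255,7` and `@@ -1258,9 +1264,9` hunks, but no hunk adds `GH_AW_HOME` to that job's `env:`. The line offset stays at +6 from `@@ -1221` through `@@ -1269`, so nothing was inserted in the job header. Unless `./actions/setup` exports the variable itself (not visible here), `process.env.GH_AW_HOME` is undefined there and the membership and command-position checks fail on `require('undefined/actions/...')`. Add the same two lines the other jobs received, `env:` / `GH_AW_HOME: /opt/gh-aw`, to `pre_activation`. The job around `@@ -1292,7 +1300,7` in org-health-report.lock.yml shows the same gap, with the offset staying at +8.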
@@ -1287,6 +1293,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/pdf-summary" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📄 *Summary compiled by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📖 Page by page! [{workflow_name}]({run_url}) is reading through this {event_type}...\",\"runSuccess\":\"📚 TL;DR ready! [{workflow_name}]({run_url}) has distilled the essence. Knowledge condensed! ✨\",\"runFailure\":\"📖 Reading interrupted! [{workflow_name}]({run_url}) {status}. The document remains unsummarized...\"}" GH_AW_WORKFLOW_ID: "pdf-summary" GH_AW_WORKFLOW_NAME: "Resource Summarizer Agent" @@ -1309,7 +1316,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1335,9 +1342,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1354,6 +1361,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: pdfsummary steps: - name: Checkout actions folder @@ -1365,7 +1373,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 
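Review bot: `destination: ${GH_AW_HOME}/actions` in the `-1309` and `-1365` hunks sits under `with:`, where the runner evaluates only `${{ … }}` expressions. The setup action therefore receives the literal text `${GH_AW_HOME}/actions` unless `./actions/setup` expands it itself, which is not visible in this patch. If it does not, the scripts land in a directory literally named `${GH_AW_HOME}` while later `run:` steps look under `/opt/gh-aw`. Writing `destination: ${{ env.GH_AW_HOME }}/actions` avoids depending on the action's internals; otherwise document that the action performs the expansion and how it validates the resulting path. Every other `Setup Scripts` step changed in this patch has the same input.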
diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 2714fb39cfb..1ee8805ea9d 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -56,6 +56,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -75,7 +77,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -97,11 +99,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -122,9 +124,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
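Review bot: The `run:` line added in the `-97` hunk expands `${GH_AW_HOME}` unquoted, so on a self-hosted runner a home directory containing spaces or glob characters is word-split before the script path is resolved. With the old fixed `/opt/gh-aw` prefix this could not happen; it becomes possible now that the prefix is configurable. Quote the expansion, e.g. `run: "${GH_AW_HOME}/actions/validate_multi_secret.sh" COPILOT_GITHUB_TOKEN …`. Later hunks need the same, including `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` in `-160`, and `mkdir -p ${GH_AW_HOME}/safeoutputs` and `cat > ${GH_AW_HOME}/safeoutputs/config.json` in `-351`. The `cat "${GH_AW_HOME}/prompts/…"` lines are already quoted and can serve as the model.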
@@ -132,18 +134,18 @@ jobs: GH_AW_WORKFLOW_FILE: "plan.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -160,15 +162,15 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, close_discussion, missing_tool, missing_data, noop 
@@ -203,7 +205,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -222,9 +224,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -244,10 +246,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -270,11 +272,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -298,10 +300,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: plan outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -322,13 +322,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -351,25 +355,25 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_discussion":{"max":1,"required_category":"Ideas"},"create_issue":{"expires":48,"group":true,"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > 
/opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 5 issue(s) can be created. Title will be prefixed with \"[plan] \". Labels [\"plan\" \"ai-generated\" \"cookie\"] will be automatically added.", @@ -557,7 +561,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_discussion": { "defaultMax": 1, @@ -702,8 +706,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -714,7 +718,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
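Review bot: In the `-702` hunk, `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the matching `CONFIG_PATH` line are step-level `env:` values, which the runner does not shell-expand. The step then exports them unchanged, so `start_safe_outputs_server.sh` receives paths that literally start with `${GH_AW_HOME}`. They also shadow the resolved values that the `-322` hunk writes to `$GITHUB_ENV`, because step `env:` takes precedence. The server would then be started without the tool and limit definitions written by the "Write Safe Outputs Config" step; how it behaves in that case is not visible here and should be checked. Either drop these two lines so the `$GITHUB_ENV` values apply, or write `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`.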
@@ -742,7 +746,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -776,7 +780,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
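Review bot: The `-742` hunk repoints the gateway start script at `${GH_AW_HOME}`, but the `MCP_GATEWAY_DOCKER_COMMAND` context line above it still mounts only `-v /opt:/opt:ro` and `-v /tmp:/tmp:rw`. If `GH_AW_HOME` is moved outside `/opt`, the gateway container no longer sees the safeoutputs files. If it is placed under `/tmp` or the workspace, those files become writable from inside the container, where previously the read-only `/opt` mount protected `config.json` and `tools.json`. Consider adding an explicit read-only mount, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, in the same quoting style as the `GITHUB_WORKSPACE` mount, and rejecting a `GH_AW_HOME` that resolves under a read-write mount. The line that builds the command is outside the changed lines, so this may be handled in a later patch of the series.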
@@ -810,7 +814,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -848,15 +852,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -866,7 +870,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -886,9 +890,9 @@ jobs: GH_AW_COMMAND: plan with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -912,18 +916,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -994,9 +998,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1043,9 +1047,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1089,6 +1093,8 @@ jobs: concurrency: group: "gh-aw-conclusion-plan" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1103,7 +1109,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1127,9 +1133,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1140,9 +1146,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1161,9 +1167,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1178,9 +1184,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1204,7 +1210,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1213,9 +1219,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1224,9 +1230,9 @@ jobs: GH_AW_COMMANDS: "[\"plan\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: 
@@ -1241,6 +1247,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/plan" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "plan" GH_AW_WORKFLOW_NAME: "Plan Command" outputs: @@ -1262,7 +1269,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1288,9 +1295,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 0d4e504468c..0a6461b4e10 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -66,6 +66,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -85,7 +87,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -107,11 +109,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -132,9 +134,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -142,18 +144,18 @@ jobs: GH_AW_WORKFLOW_FILE: "poem-bot.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -171,22 +173,22 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, update_issue, create_discussion, create_agent_session, create_pull_request, close_pull_request, create_pull_request_review_comment, add_labels, push_to_pull_request_branch, upload_asset, link_sub_issue, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" - cat "/opt/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_push_to_pr_branch.md" cat << 'GH_AW_PROMPT_EOF' upload_asset: provide a file path; returns a URL; assets are published after the workflow completes (safeoutputs). @@ -221,7 +223,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' 
@@ -243,9 +245,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -269,10 +271,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -299,11 +301,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -326,10 +328,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: poembot outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -350,16 +350,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -389,14 +393,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -405,19 +409,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":3,"target":"*"},"add_labels":{"allowed":["poetry","creative","automation","ai-generated","epic","haiku","sonnet","limerick"],"max":5},"create_agent_session":{"max":1},"create_discussion":{"expires":24,"max":2},"create_issue":{"expires":48,"group":true,"max":2},"create_missing_tool_issue":{"max":1,"title_prefix":"[missing tool]"},"create_pull_request":{"expires":48,"max":1,"reviewers":["copilot"],"title_prefix":"[🎨 POETRY] 
"},"create_pull_request_review_comment":{"max":2},"link_sub_issue":{"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":0},"update_issue":{"max":2},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 2 issue(s) can be created. Title will be prefixed with \"[🎭 POEM-BOT] \". Labels [\"poetry\" \"automation\" \"ai-generated\"] will be automatically added.", @@ -991,7 +995,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -1358,8 +1362,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection 
@@ -1370,7 +1374,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -1402,7 +1406,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { 
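Review bot: `MCP_GATEWAY_DOCKER_COMMAND` still bind-mounts only `-v /opt:/opt:ro`, while the `GH_AW_SAFE_OUTPUTS*` paths it forwards with `-e` now live under `${GH_AW_HOME}`. With the default `/opt/gh-aw` nothing changes, but on a runner where `GH_AW_HOME` is outside `/opt`, `/tmp` and the workspace, the gateway container would presumably not see those files. Mounting the directory the way the workspace already is, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, keeps it read-only and follows the variable. The same unchanged mount is in portfolio-analyst.lock.yml at `-767,7`.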
@@ -1437,7 +1441,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1499,7 +1503,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -1537,15 +1541,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1555,7 +1559,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -1575,9 +1579,9 @@ jobs: GH_AW_COMMAND: poem-bot with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1601,18 +1605,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1700,9 +1704,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1749,9 +1753,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1798,6 +1802,8 @@ jobs: concurrency: group: "gh-aw-conclusion-poem-bot" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1812,7 +1818,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
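Review bot: In the `setup_threat_detection.cjs` step the new lines call `require('${GH_AW_HOME}/actions/setup_globals.cjs')`, but a single-quoted JavaScript string is not interpolated and github-script does no shell expansion, so Node is asked for a module literally named `${GH_AW_HOME}/actions/...` and the step cannot load its script. The other github-script steps visible in this file use `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`; these should too. The same shell-form string appears in the conclusion job (`noop.cjs`, `missing_tool.cjs`, `handle_agent_failure.cjs`, `handle_noop_message.cjs`, `handle_create_pr_error.cjs`) and in the `upload_assets.cjs` step. Since this step sets up threat detection, it is worth confirming that the steps depending on it fail closed when it errors; that is not visible in these hunks.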
@@ -1836,9 +1842,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1851,9 +1857,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1877,9 +1883,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1894,9 +1900,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1908,9 +1914,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1933,7 +1939,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1942,9 +1948,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position 
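Review bot: The `pre_activation` job uses `GH_AW_HOME` without any hunk defining it there: the hunk offsets stay at +6 across the job, so no `env:` entry appears to have been added, unlike the `conclusion`, `safe_outputs` and `update_cache_memory` jobs. If there is no workflow-level definition outside these hunks, `process.env.GH_AW_HOME + '/actions/check_membership.cjs'` becomes `undefined/actions/check_membership.cjs` and `destination: ${GH_AW_HOME}/actions` has nothing to resolve to, so the team-membership check would not load. Add `env:` with `GH_AW_HOME: /opt/gh-aw` to this job as the other jobs do. The job that runs `upload_assets.cjs` shows the same unchanged offset (+8) and should be checked as well.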
@@ -1953,9 +1959,9 @@ jobs: GH_AW_COMMANDS: "[\"poem-bot\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1974,6 +1980,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/poem-bot" GH_AW_ENGINE_ID: "copilot" GH_AW_ENGINE_MODEL: "gpt-5" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUTS_STAGED: "true" GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🪶 *Verses penned by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🎭 Hear ye! The muse stirs! [{workflow_name}]({run_url}) takes quill in hand for this {event_type}...\",\"runSuccess\":\"🪶 The poem is writ! [{workflow_name}]({run_url}) has composed verses most fair. Applause! 👏\",\"runFailure\":\"🎭 Alas! [{workflow_name}]({run_url}) {status}. The muse has fled, leaving verses unsung...\"}" GH_AW_WORKFLOW_ID: "poem-bot" @@ -2005,7 +2012,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2061,9 +2068,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Create Agent Session id: create_agent_session 
@@ -2075,9 +2082,9 @@ jobs: with: github-token: ${{ secrets.COPILOT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/create_agent_session.cjs'); await main(); + const { main } = require(process.env.GH_AW_HOME + '/actions/create_agent_session.cjs'); await main(); update_cache_memory: needs: agent @@ -2086,6 +2093,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: poembot steps: - name: Checkout actions folder @@ -2097,7 +2105,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -2141,7 +2149,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -2199,8 +2207,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 9229dc22cd9..5b207e47cd5 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml 
@@ -50,6 +50,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -65,7 +67,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,11 +89,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -109,9 +111,9 @@ jobs: GH_AW_WORKFLOW_FILE: "portfolio-analyst.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -126,16 +128,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -194,9 +196,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -215,10 +217,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -240,11 +242,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -270,10 +272,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: portfolioanalyst outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -294,7 +294,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -330,7 +330,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - name: Setup Python environment @@ -364,7 +368,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -394,14 +398,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -410,10 +414,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -427,26 +431,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[portfolio] \". Discussions will be created in category \"audits\".", 
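Review bot: The new shell lines expand `${GH_AW_HOME}` unquoted (`mkdir -p ${GH_AW_HOME}`, `cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw`, `chmod +x ${GH_AW_HOME}/gh-aw`) although `"$GH_AW_BIN"` on the same line is quoted. Now that the directory is configurable for self-hosted runners, a value containing spaces or glob characters is word-split, and an empty value turns the target into `/gh-aw`. Quote the expansion and fail on an unset value, e.g. `mkdir -p "${GH_AW_HOME:?}"` and `cp "$GH_AW_BIN" "${GH_AW_HOME}/gh-aw"`. The `run: bash ${GH_AW_HOME}/actions/...` lines and the `cat > ${GH_AW_HOME}/safeoutputs/...` redirections in the other hunks have the same form.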
@@ -602,7 +606,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -722,8 +726,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -734,7 +738,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -767,7 +771,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -814,7 +818,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -851,7 +855,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -889,15 +893,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -907,7 +911,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -926,9 +930,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -952,18 +956,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1049,9 +1053,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1098,9 +1102,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1146,6 +1150,8 @@ jobs: concurrency: group: "gh-aw-conclusion-portfolio-analyst" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1160,7 +1166,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
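Review bot: In the hunk at -1049, `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')` are single-quoted JavaScript strings inside a github-script `script:` input, so nothing expands `${GH_AW_HOME}` and Node is asked for a module path that literally begins with `${GH_AW_HOME}`. This step sets up threat detection, so a load failure here takes that stage down; whether the job then fails closed depends on step conditions outside the hunk. The other github-script steps in this file already use the working form, `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`. The same literal form is emitted for the noop, missing_tool, handle_agent_failure, handle_noop_message and upload_assets steps (-1185 through -1434) and again in pr-nitpick-reviewer.lock.yml (-1104, -1239 through -1293). These lock files are generated, so the fix belongs in the generator path that emits those steps.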
@@ -1185,9 +1191,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1199,9 +1205,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1223,9 +1229,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1241,9 +1247,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1258,6 +1264,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/portfolio-analyst" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "portfolio-analyst-weekly" GH_AW_WORKFLOW_ID: "portfolio-analyst" GH_AW_WORKFLOW_NAME: "Automated Portfolio Analyst" @@ -1278,7 +1285,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1304,9 +1311,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1323,6 +1330,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: portfolioanalyst steps: - name: Checkout actions folder 
@@ -1334,7 +1342,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1378,7 +1386,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1434,8 +1442,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 75b7fbacedf..07f7131df26 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -84,6 +84,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -103,7 +105,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
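Review bot: `destination: ${GH_AW_HOME}/actions` in the hunks at -1334 and -1378 is an action input under `with:`, which GitHub passes through verbatim. Unless `./actions/setup` expands shell syntax in its input (not shown here), the scripts land in a directory literally named `${GH_AW_HOME}`. `destination: ${{ env.GH_AW_HOME }}/actions` would resolve on the Actions side. Separately, the job around -1378 gets no `GH_AW_HOME` entry in any visible hunk, as the line offsets stay at +8 from -1334 to -1434. The pre_activation job in pr-nitpick-reviewer.lock.yml (-1325) looks the same. If there is no workflow-level `env:`, the variable is unset in those jobs and `process.env.GH_AW_HOME + '/actions/...'` becomes `undefined/actions/...`.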
@@ -125,11 +127,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -150,9 +152,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -160,18 +162,18 @@ jobs: GH_AW_WORKFLOW_FILE: "pr-nitpick-reviewer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -188,16 +190,16 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, create_pull_request_review_comment, submit_pull_request_review, missing_tool, missing_data, noop 
@@ -232,7 +234,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -254,9 +256,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -279,10 +281,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND: ${{ needs.pre_activation.outputs.matched_command }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -308,11 +310,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -335,10 +337,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: prnitpickreviewer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -359,16 +359,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
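Review bot: `bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh` and `bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh` in this hunk expand the variable unquoted, so a self-hosted runner whose `GH_AW_HOME` contains a space or glob character gets word-splitting and runs a different path than intended. The prompt steps in the same file already quote it (`cat "${GH_AW_HOME}/prompts/xpia.md"`), and the generated shell should do the same everywhere: `bash "${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh"`. The same applies to `mkdir -p ${GH_AW_HOME}/safeoutputs` and the `cat > ${GH_AW_HOME}/safeoutputs/*.json` redirections at -414 and -641.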
@@ -398,14 +402,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -414,19 +418,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"create_pull_request_review_comment":{"max":10},"missing_data":{},"missing_tool":{},"noop":{"max":1},"submit_pull_request_review":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. 
For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[nitpick-report] \". Discussions will be created in category \"audits\".", @@ -641,7 +645,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -804,8 +808,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -816,7 +820,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -845,7 +849,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -880,7 +884,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -914,7 +918,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -952,15 +956,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -970,7 +974,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -990,9 +994,9 @@ jobs: GH_AW_COMMAND: nit with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1016,18 +1020,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1104,9 +1108,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1153,9 +1157,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1201,6 +1205,8 @@ jobs: concurrency: group: "gh-aw-conclusion-pr-nitpick-reviewer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1215,7 +1221,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1239,9 +1245,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1252,9 +1258,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1276,9 +1282,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1293,9 +1299,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1325,7 +1331,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1334,9 +1340,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1345,9 +1351,9 @@ jobs: GH_AW_COMMANDS: "[\"nit\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: 
@@ -1363,6 +1369,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/pr-nitpick-reviewer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔍 *Meticulously inspected by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔬 Adjusting monocle... [{workflow_name}]({run_url}) is scrutinizing every pixel of this {event_type}...\",\"runSuccess\":\"🔍 Nitpicks catalogued! [{workflow_name}]({run_url}) has documented all the tiny details. Perfection awaits! ✅\",\"runFailure\":\"🔬 Lens cracked! [{workflow_name}]({run_url}) {status}. Some nitpicks remain undetected...\"}" GH_AW_WORKFLOW_ID: "pr-nitpick-reviewer" GH_AW_WORKFLOW_NAME: "PR Nitpick Reviewer 🔍" @@ -1383,7 +1390,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1409,9 +1416,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1428,6 +1435,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: prnitpickreviewer steps: - name: Checkout actions folder 
@@ -1439,7 +1447,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 6ff4c6dd8ec..abcfa7cddbd 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -43,6 +43,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -58,7 +60,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -83,11 +85,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
@@ -105,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "pr-triage-agent.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -122,16 +124,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, add_labels, missing_tool, missing_data, noop @@ -180,9 +182,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
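Review bot: In the `Create prompt with built-in context` step the new `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` leaves the expansion unquoted, while the `cat "${GH_AW_HOME}/prompts/xpia.md"` lines right below it quote it. A self-hosted runner whose home path contains spaces or glob characters would have the script path word-split before `bash` sees it; `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"` keeps it a single argument. The same unquoted form is used by the other `bash ${GH_AW_HOME}/actions/...` run lines, the `mkdir -p ${GH_AW_HOME}/safeoutputs` and `cat > ${GH_AW_HOME}/safeoutputs/*.json` lines, and the `cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw` block in the prompt-clustering-analysis file. The step's `run:` block continues past the end of this hunk.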
@@ -204,10 +206,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -232,11 +234,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -261,10 +263,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: prtriageagent outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -285,13 +285,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) env: @@ -301,7 +305,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -324,25 +328,25 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' 
{"add_comment":{"max":50},"add_labels":{"max":100},"create_issue":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[PR Triage Report] \".", @@ -569,7 +573,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -724,8 +728,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection 
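Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are not shell-expanded, so the step receives the literal strings. Because step `env` takes precedence over values written to `$GITHUB_ENV`, they also mask the resolved paths that the `Create gh-aw temp directory` step now exports. The `export` lines in the `run:` block (which continues in the next hunk) would then hand the safe-outputs server a config path beginning with `${GH_AW_HOME}`, so it likely starts without the intended tool and limit configuration or not at all. Either drop the two entries here and rely on the `$GITHUB_ENV` values, or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. The prompt-clustering-analysis lock file has the same pair.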
@@ -736,7 +740,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -764,7 +768,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { 
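Review bot: `MCP_GATEWAY_DOCKER_COMMAND` on the context line of the `Start MCP Gateway` hunk still mounts `-v /opt:/opt:ro`, so once `GH_AW_HOME` points outside `/opt` (the self-hosted case this change is for) the gateway container no longer sees the safe-outputs files whose paths are passed to it with `-e GH_AW_SAFE_OUTPUTS*`. A mount for the configured home should stay read-only and scoped to that directory, following the quoting already used for the workspace: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. Keeping it narrow matters here because the same command also grants the container the Docker socket and host networking. The prompt-clustering-analysis lock file has the same unchanged mount.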
@@ -799,7 +803,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -833,7 +837,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -871,15 +875,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -889,7 +893,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -908,9 +912,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -934,18 +938,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1025,9 +1029,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1074,9 +1078,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1122,6 +1126,8 @@ jobs: concurrency: group: "gh-aw-conclusion-pr-triage-agent" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1136,7 +1142,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1160,9 +1166,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1173,9 +1179,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1198,9 +1204,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1215,9 +1221,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1229,6 +1235,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} @@ -1242,7 +1250,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1285,9 +1293,9 @@ jobs: FILE_GLOB_FILTER: "**" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: 
@@ -1303,6 +1311,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/pr-triage-agent" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"runStarted\":\"🔍 Starting PR triage analysis... [{workflow_name}]({run_url}) is categorizing and prioritizing agent-created PRs\",\"runSuccess\":\"✅ PR triage complete! [{workflow_name}]({run_url}) has analyzed and categorized PRs. Check the issue for detailed report.\",\"runFailure\":\"❌ PR triage failed! [{workflow_name}]({run_url}) {status}. Some PRs may not be triaged.\"}" GH_AW_WORKFLOW_ID: "pr-triage-agent" GH_AW_WORKFLOW_NAME: "PR Triage Agent" @@ -1327,7 +1336,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1353,9 +1362,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 390a4b53279..b5d4faec0cc 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -53,6 +53,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -68,7 +70,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,11 +92,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -112,9 +114,9 @@ jobs: GH_AW_WORKFLOW_FILE: "prompt-clustering-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -129,16 +131,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -198,9 +200,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -219,10 +221,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -244,11 +246,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -274,10 +276,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: promptclusteringanalysis outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -297,7 +297,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -333,7 +333,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -386,7 +390,7 @@ jobs: restore-keys: prompt-clustering-cache- # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -416,9 +420,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 
@@ -426,7 +430,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -437,10 +441,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -454,26 +458,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[prompt-clustering] \". Discussions will be created in category \"audits\".", 
@@ -604,7 +608,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -715,8 +719,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -727,7 +731,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
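Review bot: In the hunk at new line 719 the step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are plain YAML values that never pass through a shell, so the script exports the literal text `${GH_AW_HOME}/...`. The safe-outputs server would then get a path that does not exist, assuming it opens these variables as files. Either assign them inside `run:`, e.g. `export GH_AW_SAFE_OUTPUTS_TOOLS_PATH="${GH_AW_HOME}/safeoutputs/tools.json"`, or use the expression form `${{ env.GH_AW_HOME }}/safeoutputs/tools.json`. The python-data-charts.lock.yml hunk at new line 714 has the same two lines, and as step-level `env:` they would also take precedence over the values that file appends to `$GITHUB_ENV`.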
@@ -756,7 +760,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -801,7 +805,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
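Review bot: The gateway command in the hunk at new line 760 still mounts `-v /opt:/opt:ro`, while the start script it is piped to now comes from `${GH_AW_HOME}`. A home outside `/opt` would therefore not be visible inside the gateway container, which is passed `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `GH_AW_SAFE_OUTPUTS_TOOLS_PATH` and presumably reads those files. Mounting the home itself, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro` in the quoting already used for `${GITHUB_WORKSPACE}`, keeps the two in step and exposes less of the host than all of `/opt`. The python-data-charts.lock.yml hunk at new line 759 carries the same unchanged mount.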
@@ -922,15 +926,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -940,7 +944,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -959,9 +963,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -977,18 +981,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1065,9 +1069,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
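Review bot: The script that loads `setup_threat_detection.cjs` (hunk at new line 1069) now calls `require('${GH_AW_HOME}/actions/setup_globals.cjs')`, a single-quoted JavaScript string in which `${GH_AW_HOME}` is never substituted. Node would treat the text as a bare module name and fail to resolve it, so the step that prepares threat detection could not load its code. Use the form the neighbouring hunks already have, `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, for both lines. The same literal form appears in the later hunks loading `noop.cjs`, `missing_tool.cjs`, `handle_agent_failure.cjs`, `handle_noop_message.cjs` and `upload_assets.cjs`, and in the python-data-charts.lock.yml copy of this hunk.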
@@ -1125,9 +1129,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1172,6 +1176,8 @@ jobs: concurrency: group: "gh-aw-conclusion-prompt-clustering-analysis" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1186,7 +1192,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1210,9 +1216,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
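Review bot: `destination: ${GH_AW_HOME}/actions` in the `Setup Scripts` hunk at new line 1192 is a `with:` input, which reaches `./actions/setup` as that literal string rather than an expanded path. Unless the action expands the value itself, which is not visible here, the scripts would be copied into a directory literally named `${GH_AW_HOME}` while later steps look under `/opt/gh-aw`. `destination: ${{ env.GH_AW_HOME }}/actions` is resolved by the runner before the action starts. Every other `Setup Scripts` hunk has the same line, and the one at new line 1369 of python-data-charts.lock.yml sits in a job for which no `GH_AW_HOME` env addition is visible in this patch.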
@@ -1223,9 +1229,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1245,9 +1251,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1262,9 +1268,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1279,6 +1285,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/prompt-clustering-analysis" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "prompt-clustering-analysis" GH_AW_WORKFLOW_NAME: "Copilot Agent Prompt Clustering Analysis" outputs: 
@@ -1298,7 +1305,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1324,9 +1331,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1343,6 +1350,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: promptclusteringanalysis steps: - name: Checkout actions folder @@ -1354,7 +1362,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 35d34248a14..7b117f1c223 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -47,6 +47,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -62,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -84,11 +86,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -106,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "python-data-charts.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -123,16 +125,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -192,9 +194,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -213,10 +215,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -238,11 +240,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -266,10 +268,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: pythondatacharts outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -290,7 +290,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -326,7 +326,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -352,7 +356,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -382,14 +386,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -398,10 +402,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -415,26 +419,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"artifacts\".", 
@@ -590,7 +594,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -710,8 +714,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -722,7 +726,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -755,7 +759,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -802,7 +806,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -839,7 +843,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -877,15 +881,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -895,7 +899,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -914,9 +918,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -940,18 +944,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1037,9 +1041,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1086,9 +1090,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1134,6 +1138,8 @@ jobs: concurrency: group: "gh-aw-conclusion-python-data-charts" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1148,7 +1154,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1172,9 +1178,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1185,9 +1191,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1208,9 +1214,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1225,9 +1231,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1242,6 +1248,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/python-data-charts" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "python-data-charts" GH_AW_WORKFLOW_NAME: "Python Data Visualization Generator" outputs: @@ -1261,7 +1268,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1287,9 +1294,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1306,6 +1313,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: pythondatacharts steps: - name: Checkout actions folder 
@@ -1317,7 +1325,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1361,7 +1369,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1416,8 +1424,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 4dc7137ea9b..e5229198b69 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -92,6 +92,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -111,7 +113,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -133,11 +135,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -158,9 +160,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -168,18 +170,18 @@ jobs: GH_AW_WORKFLOW_FILE: "q.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -197,21 +199,21 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -244,7 +246,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' 
@@ -269,9 +271,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -295,10 +297,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -325,11 +327,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -354,10 +356,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: q outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -378,7 +378,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -414,10 +414,14 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
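Review bot: The new `run:` lines in hunk -414 expand `${GH_AW_HOME}` unquoted, so on a self-hosted runner a home path containing spaces or glob characters is word-split, and an empty value silently turns the targets into `/actions/...` and `/safeoutputs/...` at the filesystem root. Quoting with a required-variable guard covers both cases: `bash "${GH_AW_HOME:?}/actions/create_gh_aw_tmp_dir.sh"`. Hunk -480 has the same unquoted form in `mkdir -p ${GH_AW_HOME}` and `cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw`, and the single-line `run:` steps changed throughout this file follow the same pattern.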
@@ -447,14 +451,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -463,10 +467,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -480,26 +484,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_pull_request":{"expires":48,"max":1,"reviewers":["copilot"],"title_prefix":"[q] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. 
Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -682,7 +686,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -821,8 +825,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -833,7 +837,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
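Review bot: `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` line beside it in hunk -821 sit in a step-level `env:` map, which the runner does not shell-expand, so the step exports the literal text `${GH_AW_HOME}/...` to the safe-outputs server. They also override the resolved values that the "Create gh-aw temp directory" step writes to `$GITHUB_ENV` earlier in this patch. Dropping both lines and relying on the `$GITHUB_ENV` values, or writing `${{ env.GH_AW_HOME }}/safeoutputs/tools.json`, would keep the server reading the config and tool list that were actually written. The step's `run:` body continues in the next hunk.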
@@ -863,7 +867,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -918,7 +922,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
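Review bot: The changed line in hunk -863 starts the gateway from `${GH_AW_HOME}/actions/start_mcp_gateway.sh`, but the `MCP_GATEWAY_DOCKER_COMMAND` context line above it still hard-codes `-v /opt:/opt:ro`, so a `GH_AW_HOME` outside `/opt` would not be visible inside the gateway container. When this is made portable, mount only the home directory read-only, for example `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro` in the style the line already uses for `GITHUB_WORKSPACE`, rather than widening the mount to a parent directory. That would also match the `DefaultGhAwMount` change in pkg/constants/constants.go from this same patch. The heredoc body continues outside the hunk.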
@@ -952,7 +956,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -990,15 +994,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1008,7 +1012,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -1028,9 +1032,9 @@ jobs: GH_AW_COMMAND: q with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1054,18 +1058,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1143,9 +1147,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1192,9 +1196,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1240,6 +1244,8 @@ jobs: concurrency: group: "gh-aw-conclusion-q" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1254,7 +1260,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1278,9 +1284,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1291,9 +1297,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1315,9 +1321,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1332,9 +1338,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1346,9 +1352,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1384,7 +1390,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1393,9 +1399,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position 
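Review bot: The `pre_activation` job changed in hunk -1384 now uses `${GH_AW_HOME}/actions` and, in hunk -1393, `require(process.env.GH_AW_HOME + '/actions/check_membership.cjs')`, yet no hunk adds `GH_AW_HOME` to that job's `env:` (the line offset stays at +6 from -1346 through -1404). With the variable unset the require path becomes `undefined/actions/check_membership.cjs`, so the team-membership and command-position checks would fail to load; confirm that such a failure blocks activation rather than skipping the check. The job needs the same entry the other jobs receive, `GH_AW_HOME: /opt/gh-aw` under `env:`.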
@@ -1404,9 +1410,9 @@ jobs: GH_AW_COMMANDS: "[\"q\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1424,6 +1430,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/q" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🎩 *Equipped by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔧 Pay attention, 007! [{workflow_name}]({run_url}) is preparing your gadgets for this {event_type}...\",\"runSuccess\":\"🎩 Mission equipment ready! [{workflow_name}]({run_url}) has optimized your workflow. Use wisely, 007! 🔫\",\"runFailure\":\"🔧 Technical difficulties! [{workflow_name}]({run_url}) {status}. Even Q Branch has bad days...\"}" GH_AW_WORKFLOW_ID: "q" GH_AW_WORKFLOW_NAME: "Q" @@ -1448,7 +1455,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1503,9 +1510,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() 
@@ -1522,6 +1529,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: q steps: - name: Checkout actions folder @@ -1533,7 +1541,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index ec8d999c14f..437d7a7f0d7 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -56,6 +56,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -74,7 +76,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -99,11 +101,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
@@ -121,18 +123,18 @@ jobs: GH_AW_WORKFLOW_FILE: "refiner.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -148,20 +150,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' 
@@ -210,9 +212,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -230,10 +232,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -254,11 +256,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -281,10 +283,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: refiner outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -305,13 +305,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -334,25 +338,25 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_pull_request":{"max":1,"reviewers":["copilot"],"title_prefix":"[refiner] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > 
/opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -535,7 +539,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -674,8 +678,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection 
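Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are not shell-expanded, because a YAML `env:` value is passed through literally. The safe-outputs server step would therefore receive the text `${GH_AW_HOME}/...` instead of a path. A step-level value should also take precedence over the one the earlier "Create gh-aw temp directory" step appends to `$GITHUB_ENV`, so the correct value would be masked. Either drop both entries and rely on the `$GITHUB_ENV` exports, or use the expression form `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`. The same pair is in release.lock.yml at `@@ -595,8 +599,8 @@`, and the `destination: ${GH_AW_HOME}/actions` inputs have the same problem unless the setup action expands the value itself, which is not visible here.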
@@ -686,7 +690,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -714,7 +718,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { 
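Review bot: `MCP_GATEWAY_DOCKER_COMMAND` on the unchanged export line of this hunk still mounts `-v /opt:/opt:ro`, while the files the gateway is pointed at through `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `GH_AW_SAFE_OUTPUTS_TOOLS_PATH` now live under `${GH_AW_HOME}`. With a home outside `/opt` the container would not see them. With a home under `/tmp` they would fall under `-v /tmp:/tmp:rw`, so the safe-outputs config and validation files would lose their read-only protection inside the container. Add an explicit mount such as `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, following the `GITHUB_WORKSPACE` quoting already on that line. release.lock.yml carries the same line at `@@ -636,7 +640,7 @@`, and the step body starts before this hunk.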
@@ -749,7 +753,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -783,7 +787,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -821,15 +825,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -839,7 +843,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -858,9 +862,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -884,18 +888,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -967,9 +971,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1016,9 +1020,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1063,6 +1067,8 @@ jobs: concurrency: group: "gh-aw-conclusion-refiner" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1077,7 +1083,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
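Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` in the threat-detection setup step is a single-quoted JavaScript string, so `${GH_AW_HOME}` is never substituted and Node is asked for a path that literally begins with `${GH_AW_HOME}`. The next hunk on this line uses the working form, so these two lines should read `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')` and `require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs')`. The same shell-style form is emitted for the conclusion-job steps (noop, missing_tool, handle_agent_failure, handle_noop_message, handle_create_pr_error) and for the matching steps in release.lock.yml. Because this breaks the step that prepares threat detection, confirm that a failure here fails the job rather than letting detection be skipped; the step's `if:` and `continue-on-error` settings are outside the hunk.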
@@ -1101,9 +1107,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1114,9 +1120,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1138,9 +1144,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1155,9 +1161,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1169,9 +1175,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1194,7 +1200,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1203,9 +1209,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: 
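Review bot: The `pre_activation` hunks switch to `destination: ${GH_AW_HOME}/actions` and `require(process.env.GH_AW_HOME + '/actions/check_membership.cjs')`, but no hunk adds `GH_AW_HOME` to that job's `env:`, whereas the agent, conclusion and safe_outputs jobs each gain `GH_AW_HOME: /opt/gh-aw`. Unless the variable is set at workflow level outside these hunks, `process.env.GH_AW_HOME` is undefined in this job and the membership check cannot load its script. Add `env:` with `GH_AW_HOME: /opt/gh-aw` to `pre_activation`, and to the same job in release.lock.yml around `@@ -1200,7 +1206,7 @@`. Since this step is the access gate for the workflow, also confirm that a failed check leaves the run not activated.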
@@ -1223,6 +1229,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/refiner" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"runStarted\":\"🔍 Starting code refinement... [{workflow_name}]({run_url}) is analyzing PR #${{ github.event.pull_request.number }} for style alignment and security issues\",\"runSuccess\":\"✅ Refinement complete! [{workflow_name}]({run_url}) has created a PR with improvements for PR #${{ github.event.pull_request.number }}\",\"runFailure\":\"❌ Refinement failed! [{workflow_name}]({run_url}) {status} while processing PR #${{ github.event.pull_request.number }}\"}" GH_AW_WORKFLOW_ID: "refiner" GH_AW_WORKFLOW_NAME: "Code Refiner" @@ -1247,7 +1254,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1302,9 +1309,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 6227919f131..96fe938951d 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -55,6 +55,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -70,7 +72,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -92,11 +94,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -114,9 +116,9 @@ jobs: GH_AW_WORKFLOW_FILE: "release.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -131,15 +133,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: update_release, missing_tool, missing_data, noop @@ -187,9 +189,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -206,10 +208,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -229,11 +231,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -260,10 +262,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: release outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -284,13 +284,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} RELEASE_ID: ${{ needs.release.outputs.release_id }} 
@@ -320,14 +324,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -336,19 +340,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"missing_data":{},"missing_tool":{},"noop":{"max":1},"update_release":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Update a GitHub release description by replacing, appending to, or prepending to the existing content. Use this to add release notes, changelogs, or additional information to an existing release. CONSTRAINTS: Maximum 1 release(s) can be updated.", 
@@ -485,7 +489,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "missing_data": { "defaultMax": 20, @@ -595,8 +599,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -607,7 +611,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -636,7 +640,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -671,7 +675,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -705,7 +709,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -743,15 +747,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -761,7 +765,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -780,9 +784,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -806,18 +810,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -888,9 +892,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -937,9 +941,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -981,6 +985,8 @@ jobs: concurrency: group: "gh-aw-conclusion-release" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -995,7 +1001,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1019,9 +1025,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1032,9 +1038,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1053,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1070,9 +1076,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); config: @@ -1200,7 +1206,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1209,9 +1215,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); release: @@ -1372,6 +1378,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/release" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "release" GH_AW_WORKFLOW_NAME: "Release" outputs: @@ -1391,7 +1398,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1417,9 +1424,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index c7fea246684..edf7e2f5cee 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -51,6 +51,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -66,7 +68,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,11 +90,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
@@ -110,9 +112,9 @@ jobs: GH_AW_WORKFLOW_FILE: "repo-audit-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,16 +130,16 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_INPUTS_REPOSITORY: ${{ inputs.repository }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt_multi.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt_multi.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -188,9 +190,9 @@ jobs: GH_AW_INPUTS_REPOSITORY: ${{ inputs.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -210,10 +212,10 @@ jobs: GH_AW_INPUTS_REPOSITORY: ${{ inputs.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -236,11 +238,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -264,10 +266,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: repoauditanalyzer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -288,13 +288,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory (repo-audits) run: | @@ -328,14 +332,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
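Review bot: The new `run:` block in the hunk at +288 uses `${GH_AW_HOME}` unquoted and never checks that it is set. On a runner where the variable ends up empty, the step would append `GH_AW_SAFE_OUTPUTS=/safeoutputs/outputs.jsonl` to `$GITHUB_ENV`, and a home path containing spaces would split the `bash` argument. Start the block with `: "${GH_AW_HOME:?GH_AW_HOME is not set}"` and quote the script path as `bash "${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh"`. The other `run:` lines in this patch that call `${GH_AW_HOME}/actions/*.sh`, or that `mkdir -p` and `cat >` under `${GH_AW_HOME}/safeoutputs`, are unquoted in the same way.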
@@ -344,19 +348,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"create_missing_tool_issue":{"labels":["cookie"],"max":1,"title_prefix":"[missing tool]"},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. 
For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -487,7 +491,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -598,8 +602,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -610,7 +614,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
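Review bot: `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` line below it (hunk at +602) are step-level `env:` values, which the runner passes through verbatim. The script this step exports them to therefore sees paths that literally begin with `${GH_AW_HOME}`. If this step is in the same job as `Create gh-aw temp directory`, they also shadow the resolved values that step now appends to `$GITHUB_ENV`. Either drop both lines so the `$GITHUB_ENV` values apply, or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. repo-tree-map.lock.yml has the same pair in its hunk at +578.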
@@ -639,7 +643,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -674,7 +678,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
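Review bot: The gateway container in the hunk at +643 is still started with `-v /opt:/opt:ro`, so once `GH_AW_HOME` points outside `/opt` the safe-outputs paths passed in with `-e` will presumably not exist inside the container. On the default path the mount also exposes all of `/opt` rather than just the gh-aw directory. Mounting the directory itself keeps the change portable and narrows the mount: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, following the quoting already used for `GITHUB_WORKSPACE` on the same line. The `export` line is unchanged context in this hunk, so the fix belongs in the generator that emits it.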
@@ -708,7 +712,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -746,15 +750,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -764,7 +768,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -783,9 +787,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -809,18 +813,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -897,9 +901,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -946,9 +950,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -993,6 +997,8 @@ jobs: concurrency: group: "gh-aw-conclusion-repo-audit-analyzer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1007,7 +1013,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1031,9 +1037,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1047,9 +1053,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1070,9 +1076,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1087,9 +1093,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1104,6 +1110,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/repo-audit-analyzer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "repo-audit-analyzer" GH_AW_WORKFLOW_NAME: "Repository Audit & Agentic Workflow Opportunity Analyzer" outputs: @@ -1123,7 +1130,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1149,9 +1156,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1168,6 +1175,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: repoauditanalyzer steps: - name: Checkout actions folder 
@@ -1179,7 +1187,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (repo-audits) id: download_cache_repo_audits uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index f493592ca15..3a22ef4f2f4 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
@@ -107,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "repo-tree-map.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -124,15 +126,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -182,9 +184,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -200,10 +202,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -222,11 +224,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -251,10 +253,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: repotreemap outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -275,13 +275,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -304,14 +308,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -320,19 +324,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. 
CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"dev\".", @@ -463,7 +467,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -574,8 +578,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -586,7 +590,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
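Review bot: In the `-574` hunk the step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are not shell-expanded, because workflow `env:` values are literal apart from `${{ }}` expressions. They also override the resolved values that the "Create gh-aw temp directory" step writes to `$GITHUB_ENV`, and the `export` lines in the script do not re-expand them, so `start_safe_outputs_server.sh` would be handed paths that begin with the literal text `${GH_AW_HOME}`. Either drop the two step-level entries and rely on the `$GITHUB_ENV` values, or write `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`. These files define what the safe-outputs server permits, so it is also worth confirming that the server refuses to start, rather than falling back to defaults, when the path does not resolve. The same two lines recur in the `-597` hunk of repository-quality-improver.lock.yml.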
@@ -615,7 +619,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -650,7 +654,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
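Review bot: The unchanged `MCP_GATEWAY_DOCKER_COMMAND` line in the `-615` hunk still mounts `-v /opt:/opt:ro`, while the container is passed `-e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH`, which this commit now derives from `GH_AW_HOME`. With a `GH_AW_HOME` outside `/opt` the gateway would receive paths that do not exist inside the container. Mounting the home directory itself, in the style the same line already uses for the workspace (`-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`), would track the variable and also narrow the read-only mount from all of `/opt` to the one directory the gateway needs. The same command appears in the `-638` hunk of repository-quality-improver.lock.yml.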
@@ -684,7 +688,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -722,15 +726,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -740,7 +744,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -759,9 +763,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -785,18 +789,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -867,9 +871,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -916,9 +920,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -962,6 +966,8 @@ jobs: concurrency: group: "gh-aw-conclusion-repo-tree-map" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -976,7 +982,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
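Review bot: In the `-867` hunk, `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')` are single-quoted JavaScript strings inside a github-script `script:` block, so nothing expands `${GH_AW_HOME}`. Node would be asked to load a module path that literally starts with `${GH_AW_HOME}`, and the threat-detection setup step would fail at `require`. The other steps in this commit already use the working form, `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`. The broken form also appears in the conclusion-job steps (noop, missing_tool, handle_agent_failure, handle_noop_message) of this file and of repository-quality-improver.lock.yml; since the lock files look generated, the likely cause is a generator call site that still builds the `require` from the shell-form path constant rather than the `process.env` one. Separately, it is worth checking how the detection gate behaves when its setup step errors, so that a failed setup cannot be read as a clean result.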
@@ -1000,9 +1006,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1013,9 +1019,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1036,9 +1042,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1053,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1070,6 +1076,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/repo-tree-map" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "repo-tree-map" GH_AW_WORKFLOW_NAME: "Repository Tree Map Generator" outputs: @@ -1089,7 +1096,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1115,9 +1122,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index f5e1dca1346..8bfdb3aa0ab 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -107,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "repository-quality-improver.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -124,16 +126,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt_multi.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt_multi.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -187,9 +189,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -208,10 +210,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -233,11 +235,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -263,10 +265,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: repositoryqualityimprover outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -287,13 +287,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory (focus-areas) run: | 
@@ -327,14 +331,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -343,19 +347,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. 
For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -486,7 +490,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -597,8 +601,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -609,7 +613,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -638,7 +642,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -681,7 +685,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -715,7 +719,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -753,15 +757,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -771,7 +775,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -790,9 +794,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -816,18 +820,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -904,9 +908,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -953,9 +957,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1000,6 +1004,8 @@ jobs: concurrency: group: "gh-aw-conclusion-repository-quality-improver" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1014,7 +1020,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1038,9 +1044,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1051,9 +1057,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1074,9 +1080,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1091,9 +1097,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1108,6 +1114,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/repository-quality-improver" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "repository-quality-improver" GH_AW_WORKFLOW_NAME: "Repository Quality Improvement Agent" outputs: @@ -1127,7 +1134,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1153,9 +1160,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1172,6 +1179,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: repositoryqualityimprover steps: - name: Checkout actions folder 
@@ -1183,7 +1191,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (focus-areas) id: download_cache_focus_areas uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 686a4ee54de..b03680e7f43 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -51,6 +51,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -66,7 +68,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,11 +90,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
@@ -110,9 +112,9 @@ jobs: GH_AW_WORKFLOW_FILE: "research.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,15 +130,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -192,9 +194,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -211,10 +213,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -234,11 +236,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -261,10 +263,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: research outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -285,13 +285,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -314,14 +318,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -330,19 +334,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. 
CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"research\".", @@ -473,7 +477,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -584,8 +588,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -596,7 +600,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
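Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are not run through a shell, so the step sees the literal string and the following `export` hands it unchanged to start_safe_outputs_server.sh. A step-level value also appears to take precedence over the resolved paths that the "Create gh-aw temp directory" step writes to `$GITHUB_ENV`, so the correct values are shadowed. Either delete the two entries and rely on `$GITHUB_ENV`, or write them as `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`. The same two lines appear in the matching hunk of safe-output-health.lock.yml.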
@@ -626,7 +630,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -674,7 +678,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
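Review bot: The gateway start script now comes from `${GH_AW_HOME}`, but the `MCP_GATEWAY_DOCKER_COMMAND` context line in this hunk still mounts only `-v /opt:/opt:ro`, so a `GH_AW_HOME` outside `/opt` (and outside `/tmp` and the workspace) is not visible inside the gateway container even though the `GH_AW_SAFE_OUTPUTS*` paths under it are passed with `-e`. Adding `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, with the quoting already used for `GITHUB_WORKSPACE`, would keep the mount read-only and scoped to that one directory. The safe-output-health.lock.yml gateway hunk has the same unchanged mount.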
@@ -709,7 +713,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -747,15 +751,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,TAVILY_API_KEY' @@ -766,7 +770,7 @@ jobs: SECRET_TAVILY_API_KEY: ${{ secrets.TAVILY_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -785,9 +789,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -811,18 +815,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -893,9 +897,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -942,9 +946,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -988,6 +992,8 @@ jobs: concurrency: group: "gh-aw-conclusion-research" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1002,7 +1008,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1026,9 +1032,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1039,9 +1045,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1062,9 +1068,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1079,9 +1085,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1096,6 +1102,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/research" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "research" GH_AW_WORKFLOW_NAME: "Basic Research Agent" outputs: @@ -1115,7 +1122,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1141,9 +1148,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 2c1ce20f5f6..7d285073495 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -49,6 +49,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -64,7 +66,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +88,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +110,9 @@ jobs: GH_AW_WORKFLOW_FILE: "safe-output-health.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -125,16 +127,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -188,9 +190,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -209,10 +211,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -234,11 +236,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -264,10 +266,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: safeoutputhealth outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -287,7 +287,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -323,7 +323,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -333,7 +337,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -363,9 +367,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 
@@ -373,7 +377,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -384,10 +388,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -401,26 +405,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", 
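Review bot: `${GH_AW_HOME}` is used unquoted throughout this run block (`mkdir -p ${GH_AW_HOME}`, `cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw`, `cat > ${GH_AW_HOME}/safeoutputs/config.json`), so a path containing spaces or glob characters is word-split before the command sees it. Since the path is meant to become configurable instead of the fixed `/opt/gh-aw`, quote each use: `mkdir -p "${GH_AW_HOME}"`, `cp "$GH_AW_BIN" "${GH_AW_HOME}/gh-aw"`, `chmod +x "${GH_AW_HOME}/gh-aw"`. The other `bash ${GH_AW_HOME}/actions/...` run lines in this patch would take the same quoting.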
@@ -551,7 +555,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -662,8 +666,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -674,7 +678,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -703,7 +707,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -748,7 +752,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
@@ -884,15 +888,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -902,7 +906,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -921,9 +925,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -939,18 +943,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1027,9 +1031,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
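Review bot: The two `require('${GH_AW_HOME}/actions/…')` calls added in the `@@ -1027,9 +1031,9 @@` hunk pass a single-quoted JavaScript string, which neither Node nor the runner expands. `require` is therefore asked for a path that literally starts with `${GH_AW_HOME}`, and the threat-detection setup script would fail to load. The neighbouring steps use the working form; these lines should read `const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');`, and likewise for `setup_threat_detection.cjs`. The same literal form appears in the noop, missing_tool, handle_agent_failure and handle_noop_message steps of the conclusion job and in the corresponding hunks of schema-consistency-checker.lock.yml. Whether a failed setup step skips or blocks detection depends on step conditions outside the hunk, so that is worth checking once the paths are fixed.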
@@ -1087,9 +1091,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1134,6 +1138,8 @@ jobs: concurrency: group: "gh-aw-conclusion-safe-output-health" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1148,7 +1154,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1172,9 +1178,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1185,9 +1191,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1207,9 +1213,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1224,9 +1230,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1241,6 +1247,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/safe-output-health" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "safe-output-health" GH_AW_WORKFLOW_NAME: "Safe Output Health Monitor" outputs: 
@@ -1260,7 +1267,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1286,9 +1293,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1305,6 +1312,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: safeoutputhealth steps: - name: Checkout actions folder @@ -1316,7 +1324,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index cbd13224ca2..f7a76dffbf3 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -85,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "schema-consistency-checker.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -124,16 +126,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -183,9 +185,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -204,10 +206,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -229,11 +231,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -259,10 +261,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: schemaconsistencychecker outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -282,16 +282,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -321,9 +325,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 
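Review bot: `bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh` in the `@@ -282,16 +282,20 @@` hunk expands GH_AW_HOME unquoted, so a self-hosted install path containing a space or glob character is word-split before bash sees it. The `echo … >> "$GITHUB_ENV"` lines directly below it do quote the variable. Write `bash "${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh"`, and apply the same quoting to the other `run:` lines in this patch that use the variable bare, such as `mkdir -p ${GH_AW_HOME}/safeoutputs` and `cat > ${GH_AW_HOME}/safeoutputs/config.json`. The `cat "${GH_AW_HOME}/prompts/…"` lines already do this.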
@@ -331,7 +335,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -342,19 +346,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[Schema Consistency] \". 
Discussions will be created in category \"audits\".", @@ -485,7 +489,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -596,8 +600,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -608,7 +612,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -636,7 +640,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -671,7 +675,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
@@ -792,15 +796,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -810,7 +814,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -829,9 +833,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -847,18 +851,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -935,9 +939,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -995,9 +999,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1042,6 +1046,8 @@ jobs: concurrency: group: "gh-aw-conclusion-schema-consistency-checker" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1056,7 +1062,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1080,9 +1086,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1093,9 +1099,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1115,9 +1121,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1132,9 +1138,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1149,6 +1155,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/schema-consistency-checker" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "schema-consistency-checker" GH_AW_WORKFLOW_NAME: "Schema Consistency Checker" outputs: 
@@ -1168,7 +1175,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1194,9 +1201,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1213,6 +1220,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: schemaconsistencychecker steps: - name: Checkout actions folder @@ -1224,7 +1232,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 4765c2b6cdc..95a1da2bf09 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -111,6 +111,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -130,7 +132,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -152,11 +154,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -177,9 +179,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -187,18 +189,18 @@ jobs: GH_AW_WORKFLOW_FILE: "scout.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -218,16 +220,16 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, add_labels, missing_tool, missing_data, noop 
@@ -262,7 +264,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -304,9 +306,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -332,10 +334,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -364,11 +366,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -391,10 +393,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: scout outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -414,19 +414,23 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
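Review bot: `destination: ${GH_AW_HOME}/actions` in the "Setup Scripts" step is an action input, and `with:` values are passed through without shell expansion, so `./actions/setup` receives the literal text `${GH_AW_HOME}/actions` unless it expands the variable itself (its code is not in this diff). An expression resolves the value before the action runs: `destination: ${{ env.GH_AW_HOME }}/actions`. The same line recurs in the "Setup Scripts" steps of the later jobs in this file and in the security-alert-burndown lock file.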
@@ -456,9 +460,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 
@@ -466,20 +470,20 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcp/arxiv-mcp-server mcp/markitdown node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcp/arxiv-mcp-server mcp/markitdown node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"add_labels":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. 
IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -642,7 +646,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -764,8 +768,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -776,7 +780,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
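Review bot: In the -764 hunk, `GH_AW_SAFE_OUTPUTS_TOOLS_PATH` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` are set in the step's `env:` map to `${GH_AW_HOME}/safeoutputs/...`, which is not shell-expanded there, so the exported values carry the literal `${GH_AW_HOME}` text. They also shadow the resolved paths that the "Create gh-aw temp directory" step now writes to `$GITHUB_ENV`. Either drop the two step-level entries or write them as `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json` (likewise for the config path), unless `start_safe_outputs_server.sh` is meant to expand them itself. The -976 hunk of the security-alert-burndown lock file has the same two lines.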
@@ -804,7 +808,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "arxiv": { @@ -879,7 +883,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
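Review bot: The gateway container in the -804 hunk still mounts `-v /opt:/opt:ro` (an unchanged context line), while the script path and the `GH_AW_SAFE_OUTPUTS*` variables forwarded with `-e` now follow `GH_AW_HOME`. With a home outside `/opt`, those paths would not exist inside the container. The mount can follow the variable using the quoting already used for the workspace, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, which also narrows the read-only exposure from all of `/opt` to the gh-aw directory if nothing else under `/opt` is needed. The run block starts before this hunk, and the -1016 hunk of the security-alert-burndown lock file carries the same command.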
@@ -1023,15 +1027,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,TAVILY_API_KEY' @@ -1042,7 +1046,7 @@ jobs: SECRET_TAVILY_API_KEY: ${{ secrets.TAVILY_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -1062,9 +1066,9 @@ jobs: GH_AW_COMMAND: scout with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -1080,18 +1084,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1168,9 +1172,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
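Review bot: In the -1168 hunk, `require('${GH_AW_HOME}/actions/setup_globals.cjs')` places a shell-style placeholder inside a single-quoted JavaScript string, which is not expanded in a github-script block. Node would look for a module whose name literally begins with `${GH_AW_HOME}`, and the threat-detection setup step would fail to load it. Every other script block in this commit uses `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`; use that form here and for `setup_threat_detection.cjs`. The same literal appears in the conclusion-job hunks (-1314, -1327, -1348, -1365) and in the -1313 hunk of the security-alert-burndown lock file, so the generator path that emits these steps looks like the place to fix.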
@@ -1228,9 +1232,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1276,6 +1280,8 @@ jobs: concurrency: group: "gh-aw-conclusion-scout" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1290,7 +1296,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1314,9 +1320,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1327,9 +1333,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1348,9 +1354,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1365,9 +1371,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1402,7 +1408,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -1411,9 +1417,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1422,9 +1428,9 @@ jobs: GH_AW_COMMANDS: "[\"scout\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1440,6 +1446,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/scout" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔭 *Intelligence gathered by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🏕️ Scout on patrol! [{workflow_name}]({run_url}) is blazing trails through this {event_type}...\",\"runSuccess\":\"🔭 Recon complete! [{workflow_name}]({run_url}) has charted the territory. Map ready! 🗺️\",\"runFailure\":\"🏕️ Lost in the wilderness! [{workflow_name}]({run_url}) {status}. Sending search party...\"}" GH_AW_WORKFLOW_ID: "scout" GH_AW_WORKFLOW_NAME: "Scout" @@ -1462,7 +1469,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
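Review bot: The pre_activation steps now read `process.env.GH_AW_HOME` (hunks -1411 and -1422) and `${GH_AW_HOME}` (-1402), but no hunk adds `GH_AW_HOME: /opt/gh-aw` to that job; the line offsets stay at +6 from -1365 through -1422, whereas the conclusion and safe_outputs jobs each gain the variable. Unless it is defined at workflow level outside these hunks, the `check_membership` require resolves to `undefined/actions/check_membership.cjs` and the membership gate errors out instead of running. Add an `env:` block with `GH_AW_HOME: /opt/gh-aw` to `pre_activation`. Also confirm that a failed gate step blocks activation rather than being skipped over.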
@@ -1488,9 +1495,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1507,6 +1514,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: scout steps: - name: Checkout actions folder @@ -1518,7 +1526,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/security-alert-burndown.campaign.g.lock.yml b/.github/workflows/security-alert-burndown.campaign.g.lock.yml index 349e5700118..35d099bfe40 100644 --- a/.github/workflows/security-alert-burndown.campaign.g.lock.yml +++ b/.github/workflows/security-alert-burndown.campaign.g.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -85,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "security-alert-burndown.campaign.g.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -124,16 +126,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt_multi.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt_multi.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, update_project, create_project_status_update, missing_tool, missing_data, noop @@ -180,9 +182,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -200,10 +202,10 @@ jobs: GH_AW_MEMORY_LIST: "- **campaigns**: `/tmp/gh-aw/repo-memory/campaigns/` (branch: `memory/campaigns`)\n" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -224,11 +226,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -251,10 +253,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: securityalertburndown.campaign.g outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -274,13 +274,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Create workspace directory run: mkdir -p ./.gh-aw - env: @@ -308,7 +312,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/campaigns CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -331,9 +335,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 
@@ -341,7 +345,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -352,19 +356,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":3},"create_issue":{"max":1},"create_project_status_update":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/campaigns","id":"campaigns","max_file_count":100,"max_file_size":10240,"max_patch_size":10240}]},"update_project":{"max":10}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. 
Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created.", @@ -758,7 +762,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -976,8 +980,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -988,7 +992,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -1016,7 +1020,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -1050,7 +1054,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
@@ -1167,15 +1171,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1185,7 +1189,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -1204,9 +1208,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -1222,18 +1226,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1313,9 +1317,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
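Review bot: The `@@ -1313,9 +1317,9 @@` hunk changes the threat-detection setup step to `require('${GH_AW_HOME}/actions/setup_globals.cjs')`, but inside a single-quoted JavaScript string `${GH_AW_HOME}` is not interpolated, so `require` receives the literal text and the module load fails. The neighbouring github-script steps use `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`; these two lines should use the same form. The literal form also appears in the noop, missing_tool, handle_agent_failure and handle_noop_message steps of the conclusion job in this file and in security-compliance.lock.yml. Since the file is generated, the fix belongs in the generator; it is also worth confirming that a failed setup here fails the detection job rather than letting detection be skipped.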
@@ -1373,9 +1377,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1421,6 +1425,8 @@ jobs: concurrency: group: "gh-aw-conclusion-security-alert-burndown.campaign.g" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1435,7 +1441,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1459,9 +1465,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
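Review bot: `destination: ${GH_AW_HOME}/actions` in the `@@ -1435,7 +1441,7 @@` hunk is an action input, and `with:` values are passed to `./actions/setup` verbatim, without shell expansion. Unless the setup action expands the variable itself (not visible here), scripts would be copied to a directory literally named `${GH_AW_HOME}/actions` while later steps look under `/opt/gh-aw/actions`. `destination: ${{ env.GH_AW_HOME }}/actions` resolves the path before the action runs. The same input appears in the other `Setup Scripts` hunks of this patch.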
@@ -1472,9 +1478,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1495,9 +1501,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1512,9 +1518,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1526,6 +1532,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_campaigns: ${{ steps.push_repo_memory_campaigns.outputs.validation_error }} validation_failed_campaigns: ${{ steps.push_repo_memory_campaigns.outputs.validation_failed }} 
@@ -1539,7 +1547,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1582,9 +1590,9 @@ jobs: FILE_GLOB_FILTER: "security-alert-burndown/**" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1600,6 +1608,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/security-alert-burndown.campaign.g" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "security-alert-burndown.campaign.g" GH_AW_WORKFLOW_NAME: "Security Alert Burndown" outputs: @@ -1623,7 +1632,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output @@ -1652,9 +1661,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index 8adb1d70081..ae5e29a30b6 100644 
--- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -53,6 +53,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -71,7 +73,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -93,11 +95,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
@@ -115,18 +117,18 @@ jobs: GH_AW_WORKFLOW_FILE: "security-compliance.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -144,16 +146,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop 
@@ -204,9 +206,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -231,10 +233,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -262,11 +264,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -288,10 +290,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: securitycompliance outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -312,13 +312,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) env: @@ -328,7 +332,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
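Review bot: The new `run:` block in the `@@ -312,13 +312,17 @@` hunk calls `bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh` unquoted, so a self-hosted runner whose GH_AW_HOME contains a space or glob character would have the path split or expanded by the shell. The prompt steps in this patch already quote (`cat "${GH_AW_HOME}/prompts/xpia.md"`); use `bash "${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh"` here and in the other `bash ${GH_AW_HOME}/...`, `mkdir -p ${GH_AW_HOME}/...` and `cat > ${GH_AW_HOME}/...` lines for consistency.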
@@ -351,14 +355,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -367,19 +371,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"group":true,"max":100},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":10240,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. 
For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 100 issue(s) can be created. Labels [\"security\" \"campaign-tracker\" \"cookie\"] will be automatically added.", @@ -540,7 +544,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -658,8 +662,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -670,7 +674,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -699,7 +703,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -734,7 +738,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -768,7 +772,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -806,15 +810,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -824,7 +828,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -843,9 +847,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -869,18 +873,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -960,9 +964,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1009,9 +1013,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1055,6 +1059,8 @@ jobs: concurrency: group: "gh-aw-conclusion-security-compliance" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1069,7 +1075,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1093,9 +1099,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1106,9 +1112,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1130,9 +1136,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1147,9 +1153,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1161,6 +1167,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} @@ -1174,7 +1182,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1217,9 +1225,9 @@ jobs: FILE_GLOB_FILTER: "memory/campaigns/security-compliance-*/**" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1233,6 +1241,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/security-compliance" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "security-compliance" GH_AW_WORKFLOW_NAME: "Security Compliance Campaign" outputs: 
@@ -1254,7 +1263,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1280,9 +1289,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index c7dbe6b0324..c3b889c2dd0 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -56,6 +56,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -75,7 +77,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -97,11 +99,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -122,9 +124,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -132,18 +134,18 @@ jobs: GH_AW_WORKFLOW_FILE: "security-review.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -160,16 +162,16 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request_review_comment, submit_pull_request_review, missing_tool, missing_data, noop 
@@ -204,7 +206,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -222,9 +224,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -247,10 +249,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -276,11 +278,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -306,10 +308,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: securityreview outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -330,7 +330,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -366,10 +366,14 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -399,14 +403,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -415,10 +419,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -432,26 +436,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request_review_comment":{"max":10},"missing_data":{},"missing_tool":{},"noop":{"max":1},"submit_pull_request_review":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a review comment on a specific line of code in a pull request. Use this for inline code review feedback, suggestions, or questions about specific code changes. For general PR comments not tied to specific lines, use add_comment instead. CONSTRAINTS: Maximum 10 review comment(s) can be created. Comments will be on the RIGHT side of the diff.", 
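Review bot: `${GH_AW_HOME}` is used unquoted in `mkdir -p ${GH_AW_HOME}`, `cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw` and `chmod +x ${GH_AW_HOME}/gh-aw`, so a self-hosted path containing spaces is word-split and an empty value makes the copy target `/gh-aw`. I would write `mkdir -p "${GH_AW_HOME:?}"` and `cp "$GH_AW_BIN" "${GH_AW_HOME}/gh-aw"`. The `cat > ${GH_AW_HOME}/safeoutputs/...` redirections in this hunk and the `bash ${GH_AW_HOME}/actions/...` calls in the other hunks need the same quoting. Since later steps execute scripts from this directory, it is also worth documenting that on a self-hosted runner it must be writable only by the runner account.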
@@ -632,7 +636,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request_review_comment": { "defaultMax": 1, @@ -769,8 +773,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -781,7 +785,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
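Review bot: In the step-level `env:` of the safe-outputs server step (hunk `@@ -769,8 +773,8 @@`), `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the matching `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` line are plain YAML strings. Actions evaluates only `${{ }}` there, so the step exports the literal text `${GH_AW_HOME}/...`, and step-level `env:` takes precedence over the resolved values the earlier step wrote to `$GITHUB_ENV`. Either drop the two entries and rely on `$GITHUB_ENV`, or write `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`. The same pair appears in the `@@ -656,8 +660,8 @@` hunk of semantic-function-refactor.lock.yml. Whether `start_safe_outputs_server.sh` expands the value itself is not visible here.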
@@ -811,7 +815,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -858,7 +862,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
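Review bot: `MCP_GATEWAY_DOCKER_COMMAND` still mounts `-v /opt:/opt:ro`, so the gateway container sees the gh-aw files only while `GH_AW_HOME` stays under `/opt`. A home relocated on a self-hosted runner would presumably not be visible inside the container. Adding a mount for the variable in the style already used for the workspace, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, keeps the command in step with the rest of the change. The same command string is in the `@@ -696,7 +700,7 @@` hunk of semantic-function-refactor.lock.yml. The step's script starts and ends outside the hunk.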
@@ -892,7 +896,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -930,15 +934,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -948,7 +952,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -968,9 +972,9 @@ jobs: GH_AW_COMMAND: security-review with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -994,18 +998,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1082,9 +1086,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1131,9 +1135,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1177,6 +1181,8 @@ jobs: concurrency: group: "gh-aw-conclusion-security-review" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1191,7 +1197,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
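Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')` are single-quoted JavaScript strings in a github-script `script:` block, so `${GH_AW_HOME}` is never substituted and Node is asked for a path beginning with those literal characters. The other github-script steps in this patch use the form that resolves, `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and these should match. The same literal form is in the noop, missing_tool, handle_agent_failure and handle_noop_message steps (hunks `@@ -1215,9 +1221,9 @@` through `@@ -1267,9 +1273,9 @@`). As written, the threat-detection setup and the failure-handling steps would presumably fail when loading their modules.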
@@ -1215,9 +1221,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1228,9 +1234,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1250,9 +1256,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1267,9 +1273,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1293,7 +1299,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1302,9 +1308,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1313,9 +1319,9 @@ jobs: GH_AW_COMMANDS: "[\"security-review\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: 
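Review bot: The pre_activation steps now depend on `GH_AW_HOME` (`destination: ${GH_AW_HOME}/actions`, `require(process.env.GH_AW_HOME + '/actions/check_membership.cjs')`), but no hunk in this file adds `GH_AW_HOME: /opt/gh-aw` to that job's `env:`, as the hunks for the other jobs do. Unless the variable is set somewhere not shown in this patch, `process.env.GH_AW_HOME` is undefined there and the membership and command-position checks cannot load their modules. Adding `env:` with `GH_AW_HOME: /opt/gh-aw` to the pre_activation job would bring it in line with the others.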
@@ -1329,6 +1335,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/security-review" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔒 *Security review by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 [{workflow_name}]({run_url}) is analyzing this {event_type} for security implications...\",\"runSuccess\":\"🔒 [{workflow_name}]({run_url}) completed the security review.\",\"runFailure\":\"⚠️ [{workflow_name}]({run_url}) {status} during security review.\"}" GH_AW_WORKFLOW_ID: "security-review" GH_AW_WORKFLOW_NAME: "Security Review Agent 🔒" @@ -1349,7 +1356,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1375,9 +1382,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1394,6 +1401,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: securityreview steps: - name: Checkout actions folder @@ -1405,7 +1413,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 
diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index cf911fd278b..e5deae8ea5a 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -49,6 +49,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -64,7 +66,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +88,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +110,9 @@ jobs: GH_AW_WORKFLOW_FILE: "semantic-function-refactor.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -125,15 +127,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, close_issue, missing_tool, missing_data, noop @@ -188,9 +190,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -206,10 +208,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -228,11 +230,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -257,10 +259,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: semanticfunctionrefactor outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -280,13 +280,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -309,9 +313,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -319,7 +323,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -330,19 +334,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_issue":{"max":10,"required_title_prefix":"[refactor] ","target":"*"},"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. 
For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[refactor] \". Labels [\"refactoring\" \"code-quality\" \"automated-analysis\" \"cookie\"] will be automatically added.", @@ -520,7 +524,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_issue": { "defaultMax": 1, @@ -656,8 +660,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -668,7 +672,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -696,7 +700,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -746,7 +750,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
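Review bot: `start_mcp_gateway.sh` is now resolved through `${GH_AW_HOME}`, but the `MCP_GATEWAY_DOCKER_COMMAND` context line just above it still bind-mounts only `-v /opt:/opt:ro`. Assuming the gateway container reads the files named by the `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH` variables it is given, they are visible inside it only while GH_AW_HOME stays under /opt, which defeats the relocation this patch is for. Adding a dedicated read-only mount such as `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, in the same quoting style as the existing GITHUB_WORKSPACE mount, keeps the two in step. The sergo.lock.yml hunk at -642 has the same line.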
@@ -882,15 +886,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -900,7 +904,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -919,9 +923,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -937,18 +941,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1019,9 +1023,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
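Review bot: In the hunk at -1019, `require('${GH_AW_HOME}/actions/setup_globals.cjs')` puts a shell-style variable inside a single-quoted JavaScript string, which neither github-script nor Node expands, so the module path is the literal text `${GH_AW_HOME}/actions/...` and the require throws before `setup_threat_detection.cjs` runs. The other github-script steps in this patch use the working form, so these two lines should read `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')` and `require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs')`. The same literal form is in the conclusion-job hunks at -1162, -1175, -1195 and -1212 (noop, missing_tool, handle_agent_failure, handle_noop_message) and in the sergo.lock.yml hunks at -973, -1119, -1133, -1156 and -1174. If these lock files are compiler output, the fix presumably belongs in the code that emits the require path for those steps rather than in the YAML.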
@@ -1079,9 +1083,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1124,6 +1128,8 @@ jobs: concurrency: group: "gh-aw-conclusion-semantic-function-refactor" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1138,7 +1144,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1162,9 +1168,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
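Review bot: `destination: ${GH_AW_HOME}/actions` in the Setup Scripts step (hunk at -1138) is a `with:` input, which the runner passes to the action verbatim. Unless `./actions/setup` expands shell variables in that input itself, which nothing in this hunk shows, the scripts are copied into a directory literally named `${GH_AW_HOME}` and every later `${GH_AW_HOME}/actions/...` lookup misses them. `destination: ${{ env.GH_AW_HOME }}/actions` picks up the job-level value added in the hunk just above without depending on how the action treats its input. The same input line appears in each Setup Scripts hunk of this patch.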
@@ -1175,9 +1181,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1195,9 +1201,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1212,9 +1218,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1228,6 +1234,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/semantic-function-refactor" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "semantic-function-refactor" GH_AW_WORKFLOW_NAME: "Semantic Function Refactoring" outputs: 
@@ -1249,7 +1256,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1275,9 +1282,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 17eeee492b5..24b349ac1e8 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -49,6 +49,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -64,7 +66,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -86,11 +88,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +110,9 @@ jobs: GH_AW_WORKFLOW_FILE: "sergo.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -125,16 +127,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -189,9 +191,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -210,10 +212,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -235,11 +237,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -265,10 +267,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: sergo outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -288,16 +288,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -327,9 +331,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 
@@ -337,7 +341,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -348,19 +352,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. 
For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[sergo] \". Discussions will be created in category \"audits\".", @@ -491,7 +495,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -602,8 +606,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -614,7 +618,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -642,7 +646,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -692,7 +696,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
@@ -830,15 +834,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -848,7 +852,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -867,9 +871,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -885,18 +889,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -973,9 +977,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1033,9 +1037,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1080,6 +1084,8 @@ jobs: concurrency: group: "gh-aw-conclusion-sergo" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1094,7 +1100,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1119,9 +1125,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1133,9 +1139,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1156,9 +1162,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1174,9 +1180,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1191,6 +1197,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/sergo" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "sergo-daily" GH_AW_WORKFLOW_ID: "sergo" GH_AW_WORKFLOW_NAME: "Sergo - Serena Go Expert" 
@@ -1211,7 +1218,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1237,9 +1244,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1256,6 +1263,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: sergo steps: - name: Checkout actions folder @@ -1267,7 +1275,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 45c0f512ee1..e28fef1bec1 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -51,6 +51,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -66,7 +68,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -88,11 +90,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -110,9 +112,9 @@ jobs: GH_AW_WORKFLOW_FILE: "slide-deck-maintainer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -129,22 +131,22 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_INPUTS_FOCUS: ${{ inputs.focus }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -194,9 +196,9 @@ jobs: GH_AW_INPUTS_FOCUS: ${{ inputs.focus }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -218,10 +220,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -246,11 +248,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -275,10 +277,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: slidedeckmaintainer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -299,13 +299,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Node.js uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 with: @@ -319,7 +323,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -349,14 +353,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -365,19 +369,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":24,"max":1,"title_prefix":"[slides] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. 
For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[slides] \".", @@ -523,7 +527,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -644,8 +648,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -656,7 +660,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
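Review bot: The two step-level `env:` entries changed in the safe-outputs server hunk (`GH_AW_SAFE_OUTPUTS_TOOLS_PATH` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH`) are now `${GH_AW_HOME}/safeoutputs/...`, but Actions does not shell-expand `env:` values, so the `export` lines that follow hand the server the literal text instead of a path. Step-level `env:` also takes precedence over what the earlier "Create gh-aw temp directory" step appends to `$GITHUB_ENV`, so the correctly resolved values written there are shadowed. Because config.json carries the limits applied to agent output, the server should not start with an unresolved path: either drop both entries and rely on `$GITHUB_ENV`, or write `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json` and the matching tools line. The step begins above the hunk, and the same two lines appear in the smoke-agent.lock.yml section.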
@@ -686,7 +690,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -728,7 +732,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
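Review bot: The `MCP_GATEWAY_DOCKER_COMMAND` context line in the first hunk still mounts `-v /opt:/opt:ro`, while the changed line below it now runs `${GH_AW_HOME}/actions/start_mcp_gateway.sh`. If GH_AW_HOME is set outside `/opt`, which is the self-hosted case this commit targets, the gateway container would presumably lose sight of the gh-aw directory while all of `/opt` stays exposed to it. Consider mounting only the directory that is needed and keeping it read-only, for example `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, in the quoting style the line already uses for `GITHUB_WORKSPACE`. The step starts above the hunk and continues past it.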
@@ -802,7 +806,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -840,15 +844,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -858,7 +862,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -877,9 +881,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -903,18 +907,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -992,9 +996,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1041,9 +1045,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1088,6 +1092,8 @@ jobs: concurrency: group: "gh-aw-conclusion-slide-deck-maintainer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1102,7 +1108,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
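Review bot: In the threat-detection setup step, `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and the `setup_threat_detection.cjs` line put a shell-style variable inside a single-quoted JavaScript string, where neither the Actions runner nor Node expands it, so `require` gets the literal text and the module load should fail. The other github-script steps in this diff use `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and these lines should match that form. The same literal form appears in the noop, missing_tool, handle_agent_failure, handle_noop_message and handle_create_pr_error hunks of this file and in the setup_threat_detection hunk of smoke-agent.lock.yml. Whether a failed detection setup blocks the later safe-output steps is not visible here and is worth confirming, so that the failure is closed rather than skipped.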
@@ -1127,9 +1133,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1141,9 +1147,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1165,9 +1171,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1183,9 +1189,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1198,9 +1204,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1220,7 +1226,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1229,9 +1235,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match 
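Review bot: The pre_activation hunks switch to `destination: ${GH_AW_HOME}/actions` and `require(process.env.GH_AW_HOME + ...)`, but no `GH_AW_HOME` entry is added to this job: the hunk offset stays at +6 from the conclusion job into pre_activation, whereas the conclusion and safe_outputs hunks each add `GH_AW_HOME: /opt/gh-aw`. Unless the variable is defined outside the visible hunks, `process.env.GH_AW_HOME` is undefined in the membership check and the script path becomes `undefined/actions/check_membership.cjs`. Add `env:` with `GH_AW_HOME: /opt/gh-aw` to the job, as the other jobs do. Separately, `destination:` is an action input that Actions passes through without shell expansion, so the setup action (not shown here) would have to expand `${GH_AW_HOME}` itself.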
@@ -1242,9 +1248,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1261,6 +1267,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/slide-deck-maintainer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "slide-deck-maintainer" GH_AW_WORKFLOW_ID: "slide-deck-maintainer" GH_AW_WORKFLOW_NAME: "Slide Deck Maintainer" @@ -1283,7 +1290,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1338,9 +1345,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1357,6 +1364,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: slidedeckmaintainer steps: - name: Checkout actions folder 
@@ -1368,7 +1376,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/smoke-agent.lock.yml b/.github/workflows/smoke-agent.lock.yml index 72fcb3fe499..fc011dbc6bb 100644 --- a/.github/workflows/smoke-agent.lock.yml +++ b/.github/workflows/smoke-agent.lock.yml @@ -54,6 +54,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: ${{ steps.add-comment.outputs.comment-id }} @@ -73,7 +75,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -95,11 +97,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} 
@@ -118,18 +120,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-agent.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -140,9 +142,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🤖 [{workflow_name}]({run_url}) is looking for a Smoke issue to assign...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed. Issue assigned to the agentic-workflows agent.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -157,15 +159,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, assign_to_agent, missing_tool, missing_data, noop @@ -213,9 +215,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -232,10 +234,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -255,11 +257,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -282,10 +284,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeagent outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -305,13 +305,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -334,9 +338,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -346,7 +350,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -355,19 +359,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"assign_to_agent":{"allowed":["copilot"],"max":1,"target":"*"},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. 
IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 2 comment(s) can be added.", @@ -541,7 +545,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -669,8 +673,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -681,7 +685,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -734,7 +738,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { 
@@ -768,7 +772,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -810,15 +814,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -829,7 +833,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -848,9 +852,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -874,18 +878,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -956,9 +960,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -992,9 +996,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1039,6 +1043,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-agent" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1053,7 +1059,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
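Review bot: The `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')` calls in the hunk at `@@ -956,9 +960,9 @@` sit inside a `github-script` body, where `${GH_AW_HOME}` in a single-quoted JavaScript string is neither shell-expanded nor an Actions expression, so Node is asked for a path that begins with the literal characters `${GH_AW_HOME}`. The threat-detection setup step therefore cannot load its module and would fail before detection is prepared. The other script steps in this patch use the working form, e.g. `require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs')`. The same literal form is in the conclusion-job hunks at `@@ -1077,9 +1083,9 @@`, `@@ -1090,9 +1096,9 @@`, `@@ -1113,9 +1119,9 @@`, `@@ -1130,9 +1136,9 @@` and `@@ -1149,9 +1155,9 @@`, and in the smoke-claude hunk at `@@ -2575,9 +2579,9 @@`.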
@@ -1077,9 +1083,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1090,9 +1096,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1113,9 +1119,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1130,9 +1136,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1149,9 +1155,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1174,7 +1180,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1183,9 +1189,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: 
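Review bot: The `pre_activation` job in the hunks at `@@ -1174,7 +1180,7 @@` and `@@ -1183,9 +1189,9 @@` now depends on `GH_AW_HOME`, but no `env:` entry `GH_AW_HOME: /opt/gh-aw` is added to it: the line offset stays at +6 from the previous hunk, whereas the conclusion and safe_outputs jobs each gain that entry. If the variable is not defined at workflow level or exported by `./actions/setup` (neither is visible here), `process.env.GH_AW_HOME` is undefined and `check_membership.cjs`, the team-membership check, cannot be loaded. Separately, `destination: ${GH_AW_HOME}/actions` is a `with:` input, which the runner passes through verbatim; unless the setup action expands it itself, `destination: ${{ env.GH_AW_HOME }}/actions` gives it a real path. The job header lies outside these hunks, so an existing `env:` block cannot be ruled out.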
@@ -1201,6 +1207,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-agent" GH_AW_ENGINE_ID: "codex" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🤖 [{workflow_name}]({run_url}) is looking for a Smoke issue to assign...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed. Issue assigned to the agentic-workflows agent.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" GH_AW_WORKFLOW_ID: "smoke-agent" GH_AW_WORKFLOW_NAME: "Smoke Agent" @@ -1226,7 +1233,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1252,9 +1259,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign to agent id: assign_to_agent 
@@ -1269,9 +1276,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/assign_to_agent.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/assign_to_agent.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 9ef25565421..0aa33b09cc2 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -68,6 +68,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: ${{ steps.add-comment.outputs.comment-id }} @@ -87,7 +89,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -109,11 +111,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -134,9 +136,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -144,18 +146,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-claude.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment 
@@ -166,9 +168,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 💥 *[THE END] — Illustrated by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"💥 **WHOOSH!** [{workflow_name}]({run_url}) springs into action on this {event_type}! *[Panel 1 begins...]*\",\"runSuccess\":\"🎬 **THE END** — [{workflow_name}]({run_url}) **MISSION: ACCOMPLISHED!** The hero saves the day! ✨\",\"runFailure\":\"💫 **TO BE CONTINUED...** [{workflow_name}]({run_url}) {status}! Our hero faces unexpected challenges...\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -184,22 +186,22 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, close_pull_request, update_pull_request, create_pull_request_review_comment, submit_pull_request_review, resolve_pull_request_review_thread, add_labels, add_reviewer, push_to_pull_request_branch, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_push_to_pr_branch.md" cat << 'GH_AW_PROMPT_EOF' @@ -581,9 +583,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -604,10 +606,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -631,11 +633,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -660,10 +662,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeclaude outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -683,7 +683,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -726,10 +726,14 @@ jobs: - name: Capture GOROOT for AWF chroot mode run: echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV" - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -759,9 +763,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -769,7 +773,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -780,10 +784,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -797,26 +801,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"add_labels":{"allowed":["smoke-claude"],"max":3},"add_reviewer":{"max":2},"create_issue":{"expires":2,"group":true,"max":1},"create_pull_request_review_comment":{"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":0,"target":"*"},"resolve_pull_request_review_thread":{"max":5},"submit_pull_request_review":{"max":1},"update_pull_request":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. 
CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"automation\" \"testing\"] will be automatically added.", @@ -1286,7 +1290,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -1575,8 +1579,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -1587,16 +1591,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "gh", 
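Review bot: The shell lines added in the hunk at `@@ -797,26 +801,26 @@` expand `${GH_AW_HOME}` unquoted (`mkdir -p ${GH_AW_HOME}`, `cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw`, `chmod +x ${GH_AW_HOME}/gh-aw`), so a home directory containing spaces or glob characters is word-split and the binary is copied somewhere other than intended. Since the value is now meant to vary per runner, quote each use: `mkdir -p "${GH_AW_HOME}"`, `cp "$GH_AW_BIN" "${GH_AW_HOME}/gh-aw"`, `chmod +x "${GH_AW_HOME}/gh-aw"`. The same applies to the `bash ${GH_AW_HOME}/actions/...` and `cat > ${GH_AW_HOME}/...` lines throughout the patch; the `cat "${GH_AW_HOME}/prompts/..."` lines at `@@ -184,22 +186,22 @@` are already quoted.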
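Review bot: In the hunk at `@@ -1587,16 +1591,16 @@`, `"logDir": "${GH_AW_HOME}/mcp-scripts/logs"` is written inside a heredoc whose delimiter is quoted (`<< 'GH_AW_MCP_SCRIPTS_TOOLS_EOF'`), so the shell does not expand it and `tools.json` stores the literal text `${GH_AW_HOME}/mcp-scripts/logs`. If the MCP scripts server reads `logDir` from that file (its loader is not shown), logs would go to a directory literally named `${GH_AW_HOME}` instead of the one created by `mkdir -p`. The generated `mcp-server.cjs` in the hunk at `@@ -1754,17 +1758,17 @@` already passes `logDir: process.env.GH_AW_HOME + '/mcp-scripts/logs'`, so the JSON entry could be dropped, or the path resolved before the file is written.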
@@ -1745,7 +1749,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -1754,17 +1758,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + '/mcp-scripts/logs' }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' #!/bin/bash # Auto-generated mcp-script tool: gh # Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -1776,8 +1780,8 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_GH_EOF - chmod +x /opt/gh-aw/mcp-scripts/gh.sh - cat > /opt/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/gh.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-discussion-query # Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. 
@@ -1913,8 +1917,8 @@ jobs: fi GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-discussion-query.sh - cat > /opt/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-issue-query # Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1994,8 +1998,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-issue-query.sh - cat > /opt/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-pr-query # Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -2081,8 +2085,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-pr-query.sh - cat > /opt/gh-aw/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_EOF' #!/bin/bash # Auto-generated mcp-script tool: go # Execute any Go command. This tool is accessible as 'mcpscripts-go'. Provide the full command after 'go' (e.g., args: 'test ./...'). The tool will run: go . Use single quotes ' for complex args to avoid shell interpretation issues. 
@@ -2094,8 +2098,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GO_EOF - chmod +x /opt/gh-aw/mcp-scripts/go.sh - cat > /opt/gh-aw/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/go.sh + cat > ${GH_AW_HOME}/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_EOF' #!/bin/bash # Auto-generated mcp-script tool: make # Execute any Make target. This tool is accessible as 'mcpscripts-make'. Provide the target name(s) (e.g., args: 'build'). The tool will run: make . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -2106,7 +2110,7 @@ jobs: make $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_MAKE_EOF - chmod +x /opt/gh-aw/mcp-scripts/make.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/make.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -2141,7 +2145,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -2177,7 +2181,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -2272,7 +2276,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
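Review bot: The gateway command in the hunk at `@@ -2177,7 +2181,7 @@` still mounts `-v /opt:/opt:ro` (an unchanged context line), while the script it is piped into now runs from `${GH_AW_HOME}`. With `GH_AW_HOME` outside `/opt`, the gateway container would presumably not see the safe-outputs files or the `gh-aw` binary that earlier steps write under `${GH_AW_HOME}`. Mounting only that directory read-only keeps the container's view in step with the variable and exposes less of the host than the whole of `/opt`. Because the `export` value is single-quoted with `'"${GITHUB_WORKSPACE}"'` breaks, the mount needs the same pattern: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`.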
@@ -2420,15 +2424,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,TAVILY_API_KEY' @@ -2439,7 +2443,7 @@ jobs: SECRET_TAVILY_API_KEY: ${{ secrets.TAVILY_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -2458,9 +2462,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -2476,27 +2480,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -2575,9 +2579,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -2635,9 +2639,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -2683,6 +2687,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-claude" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -2697,7 +2703,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
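Review bot: `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')` passes a literal `${GH_AW_HOME}` to Node, so the module lookup should fail: the script is a single-quoted JavaScript string, and `${...}` without double braces is not an Actions expression. The neighbouring hunks already use the working form, `require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs')`, and likewise for `setup_globals.cjs`. The same literal form appears in the conclusion-job steps (noop, missing_tool, handle_agent_failure, handle_noop_message, notify_comment_error) and in the matching smoke-codex hunks. Because this step prepares threat detection, check that a failed require stops the safe-outputs path rather than letting it continue without detection. The lock file looks generated, so the fix probably belongs where the compiler emits these steps; the patch adds a `JsRequireGhAw` helper for this.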
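Review bot: `destination: ${GH_AW_HOME}/actions` is an action input, and the runner does not shell-expand `with:` values, so `./actions/setup` receives the literal text unless the action expands it itself (not visible here). Writing `destination: ${{ env.GH_AW_HOME }}/actions` resolves it from the job-level env this patch adds. The same holds for the step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` in smoke-codex, which also appear to override the expanded values an earlier step writes to `$GITHUB_ENV`. It also holds for `"logDir": "${GH_AW_HOME}/mcp-scripts/logs"`, which is written through the quoted `'GH_AW_MCP_SCRIPTS_TOOLS_EOF'` heredoc. Every later `Setup Scripts` step in this patch repeats the `destination` line.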
@@ -2721,9 +2727,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -2734,9 +2740,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -2757,9 +2763,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -2774,9 +2780,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -2793,9 +2799,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -2818,7 +2824,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -2827,9 +2833,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: 
@@ -2847,6 +2853,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-claude" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 💥 *[THE END] — Illustrated by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"💥 **WHOOSH!** [{workflow_name}]({run_url}) springs into action on this {event_type}! *[Panel 1 begins...]*\",\"runSuccess\":\"🎬 **THE END** — [{workflow_name}]({run_url}) **MISSION: ACCOMPLISHED!** The hero saves the day! ✨\",\"runFailure\":\"💫 **TO BE CONTINUED...** [{workflow_name}]({run_url}) {status}! Our hero faces unexpected challenges...\"}" GH_AW_WORKFLOW_ID: "smoke-claude" GH_AW_WORKFLOW_NAME: "Smoke Claude" @@ -2874,7 +2881,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2929,9 +2936,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -2948,6 +2955,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: smokeclaude steps: - name: Checkout actions folder @@ -2959,7 +2967,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 
diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 221dc0ead6b..06e2ba64f07 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -61,6 +61,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: ${{ steps.add-comment.outputs.comment-id }} @@ -80,7 +82,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -102,11 +104,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -128,9 +130,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -138,18 +140,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-codex.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment 
@@ -160,9 +162,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔮 *The oracle has spoken through [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔮 The ancient spirits stir... [{workflow_name}]({run_url}) awakens to divine this {event_type}...\",\"runSuccess\":\"✨ The prophecy is fulfilled... [{workflow_name}]({run_url}) has completed its mystical journey. The stars align. 🌟\",\"runFailure\":\"🌑 The shadows whisper... [{workflow_name}]({run_url}) {status}. The oracle requires further meditation...\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -177,17 +179,17 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, add_labels, remove_labels, unassign_from_user, hide_comment, missing_tool, missing_data, noop 
@@ -246,9 +248,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -268,10 +270,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -294,11 +296,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -321,10 +323,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokecodex outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -344,7 +344,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -358,10 +358,14 @@ jobs: - name: Capture GOROOT for AWF chroot mode run: echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV" - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -391,9 +395,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -403,7 +407,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -412,19 +416,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcp/fetch mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcp/fetch mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"add_labels":{"allowed":["smoke-codex"],"max":3},"create_issue":{"expires":2,"max":1},"hide_comment":{"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1},"remove_labels":{"allowed":["smoke"],"max":3},"unassign_from_user":{"allowed":["githubactionagent"],"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { 
"description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"automation\" \"testing\"] will be automatically added.", @@ -744,7 +748,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -965,8 +969,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -977,16 +981,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "gh", 
@@ -1013,7 +1017,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -1022,17 +1026,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + '/mcp-scripts/logs' }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' #!/bin/bash # Auto-generated mcp-script tool: gh # Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -1044,7 +1048,7 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_GH_EOF - chmod +x /opt/gh-aw/mcp-scripts/gh.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/gh.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -1078,7 +1082,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -1176,7 +1180,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -1253,7 +1257,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -1297,15 +1301,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -1316,7 +1320,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -1335,9 +1339,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -1361,27 +1365,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1459,9 +1463,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1495,9 +1499,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1543,6 +1547,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-codex" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1557,7 +1563,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1581,9 +1587,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1594,9 +1600,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1615,9 +1621,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1632,9 +1638,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1651,9 +1657,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1676,7 +1682,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1685,9 +1691,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: 
@@ -1703,6 +1709,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-codex" GH_AW_ENGINE_ID: "codex" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔮 *The oracle has spoken through [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔮 The ancient spirits stir... [{workflow_name}]({run_url}) awakens to divine this {event_type}...\",\"runSuccess\":\"✨ The prophecy is fulfilled... [{workflow_name}]({run_url}) has completed its mystical journey. The stars align. 🌟\",\"runFailure\":\"🌑 The shadows whisper... [{workflow_name}]({run_url}) {status}. The oracle requires further meditation...\"}" GH_AW_WORKFLOW_ID: "smoke-codex" GH_AW_WORKFLOW_NAME: "Smoke Codex" @@ -1727,7 +1734,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1753,9 +1760,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1772,6 +1779,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: smokecodex steps: - name: Checkout actions folder 
@@ -1783,7 +1791,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index b1f53afeb82..e419c576f1c 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -60,6 +60,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: ${{ steps.add-comment.outputs.comment-id }} @@ -79,7 +81,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -101,11 +103,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
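Review bot: `run: ${GH_AW_HOME}/actions/validate_multi_secret.sh …` expands the variable unquoted, so a GH_AW_HOME containing whitespace or glob characters (plausible on the self-hosted runners this change targets) is word-split before the script path is resolved. Quote it, `run: "${GH_AW_HOME}/actions/validate_multi_secret.sh" COPILOT_GITHUB_TOKEN …`, as the `cat "${GH_AW_HOME}/prompts/xpia.md"` lines in the prompt-creation hunk already do. The `bash ${GH_AW_HOME}/actions/*.sh`, `mkdir -p ${GH_AW_HOME}`, `cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw`, `chmod +x` and `cat > ${GH_AW_HOME}/…` lines in later hunks have the same form. Using `"${GH_AW_HOME:?}"` on the `mkdir` and `cp` lines would also stop an unset variable from resolving to the filesystem root.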
@@ -126,9 +128,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -136,18 +138,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-copilot-arm.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment 
@@ -158,9 +160,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📰 *BREAKING: Report filed by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"📰 BREAKING: [{workflow_name}]({run_url}) is now investigating this {event_type}. Sources say the story is developing...\",\"runSuccess\":\"📰 VERDICT: [{workflow_name}]({run_url}) has concluded. All systems operational. This is a developing story. 🎤\",\"runFailure\":\"📰 DEVELOPING STORY: [{workflow_name}]({run_url}) reports {status}. Our correspondents are investigating the incident...\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -176,17 +178,17 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, create_discussion, create_pull_request_review_comment, submit_pull_request_review, add_labels, remove_labels, dispatch_workflow, missing_tool, missing_data, noop @@ -246,9 +248,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -269,10 +271,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -296,11 +298,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -325,10 +327,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokecopilotarm outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -349,7 +349,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -392,10 +392,14 @@ jobs: - name: Capture GOROOT for AWF chroot mode run: echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV" - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -425,14 +429,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -441,10 +445,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -458,26 +462,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"allowed_repos":["github/gh-aw"],"max":2},"add_labels":{"allowed":["smoke-copilot-arm"],"allowed_repos":["github/gh-aw"],"max":3},"create_discussion":{"expires":2,"max":1},"create_issue":{"expires":2,"group":true,"max":1},"create_pull_request_review_comment":{"max":5},"dispatch_workflow":{"max":1,"workflow_files":{"haiku-printer":".yml"},"workflows":["haiku-printer"]},"missing_data":{},"missing_tool":{},"noop":{"max":1},"remove_labels":{"allowed":["smoke"],"max":3},"send-slack-message":{"description":"Send a message to Slack (stub for testing)","inputs":{"message":{"default":null,"description":"The message to send","required":true,"type":"string"}},"output":"Slack message stub executed!"},"submit_pull_request_review":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > 
${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"automation\" \"testing\"] will be automatically added.", @@ -882,7 +886,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -1134,8 +1138,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection 
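Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are YAML values, not shell text, so the variables are set to the unexpanded string. They also take precedence over the expanded values that the "Create gh-aw temp directory" step appends to `$GITHUB_ENV` earlier in this job, so the safe-outputs server is likely started with config and tools paths that do not exist. Either drop the two entries here and rely on the `$GITHUB_ENV` values, or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`.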
@@ -1146,16 +1150,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "gh", @@ -1268,7 +1272,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -1277,17 +1281,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + '/mcp-scripts/logs' }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' #!/bin/bash # Auto-generated mcp-script tool: gh # Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. 
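Review bot: `"logDir": "${GH_AW_HOME}/mcp-scripts/logs"` is written through a heredoc whose delimiter is quoted (`<< 'GH_AW_MCP_SCRIPTS_TOOLS_EOF'`), so the shell performs no expansion and tools.json ends up containing the literal `${GH_AW_HOME}` text. The mcp-server.cjs hunk on the same step passes `logDir: process.env.GH_AW_HOME + '/mcp-scripts/logs'` explicitly, which may mask this, but anything that reads the JSON field gets an unusable path. The simplest fix is to drop `logDir` from the generated JSON and keep the runtime option as the single source of the log directory.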
@@ -1299,8 +1303,8 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_GH_EOF - chmod +x /opt/gh-aw/mcp-scripts/gh.sh - cat > /opt/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/gh.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-discussion-query # Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1436,8 +1440,8 @@ jobs: fi GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-discussion-query.sh - cat > /opt/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-issue-query # Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1517,8 +1521,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-issue-query.sh - cat > /opt/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-pr-query # Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. 
@@ -1604,7 +1608,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-pr-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -1639,7 +1643,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -1675,7 +1679,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -1744,7 +1748,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
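Review bot: The `MCP_GATEWAY_DOCKER_COMMAND` context line in this hunk still mounts `-v /opt:/opt:ro` and passes no `-e GH_AW_HOME`, while the changed line now launches the gateway script from `${GH_AW_HOME}`. If GH_AW_HOME points outside `/opt`, the container receives `GH_AW_SAFE_OUTPUTS*` paths it cannot see. Mount the resolved directory instead, in the same quoting style the command already uses for the workspace: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, plus `-e GH_AW_HOME`. Keeping the mount `:ro` preserves the existing property that the gateway container cannot modify the scripts and safe-outputs configuration.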
@@ -1781,7 +1785,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -1819,15 +1823,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1837,7 +1841,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -1856,9 +1860,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -1882,27 +1886,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1980,9 +1984,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -2029,9 +2033,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -2079,6 +2083,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-copilot-arm" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -2093,7 +2099,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -2117,9 +2123,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -2130,9 +2136,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -2154,9 +2160,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -2171,9 +2177,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -2190,9 +2196,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -2215,7 +2221,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -2224,9 +2230,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: 
@@ -2243,6 +2249,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-copilot-arm" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📰 *BREAKING: Report filed by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"📰 BREAKING: [{workflow_name}]({run_url}) is now investigating this {event_type}. Sources say the story is developing...\",\"runSuccess\":\"📰 VERDICT: [{workflow_name}]({run_url}) has concluded. All systems operational. This is a developing story. 🎤\",\"runFailure\":\"📰 DEVELOPING STORY: [{workflow_name}]({run_url}) reports {status}. Our correspondents are investigating the incident...\"}" GH_AW_WORKFLOW_ID: "smoke-copilot-arm" GH_AW_WORKFLOW_NAME: "Smoke Copilot ARM64" @@ -2267,7 +2274,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2293,9 +2300,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() 
@@ -2312,17 +2319,19 @@ jobs: runs-on: ubuntu-latest permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw steps: - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 with: name: agent-output - path: /opt/gh-aw/safe-jobs/ + path: ${GH_AW_HOME}/safe-jobs/ - name: Setup Safe Job Environment Variables run: | - find "/opt/gh-aw/safe-jobs/" -type f -print - echo "GH_AW_AGENT_OUTPUT=/opt/gh-aw/safe-jobs/agent_output.json" >> "$GITHUB_ENV" + find "${GH_AW_HOME}/safe-jobs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=${GH_AW_HOME}/safe-jobs/agent_output.json" >> "$GITHUB_ENV" - name: Stub Slack message run: | echo "🎭 This is a stub - not sending to Slack" @@ -2346,6 +2355,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: smokecopilotarm steps: - name: Checkout actions folder @@ -2357,7 +2367,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 8f9117f3a08..19583d4209c 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -62,6 +62,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: ${{ steps.add-comment.outputs.comment-id }} @@ -81,7 +83,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
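Review bot: `path: ${GH_AW_HOME}/safe-jobs/` is a `with:` input to actions/download-artifact, and action inputs are not passed through a shell, so the action most likely receives the literal text and writes the artifact under a directory named `${GH_AW_HOME}` relative to the working directory. The next step's `find "${GH_AW_HOME}/safe-jobs/"` is shell-expanded to the real directory, so the two steps would disagree on where agent_output.json lives and `GH_AW_AGENT_OUTPUT` would point at a file that was never written. The Actions expression form keeps them aligned: `path: ${{ env.GH_AW_HOME }}/safe-jobs/`. The `destination: ${GH_AW_HOME}/actions` inputs to ./actions/setup in the neighbouring hunks have the same exposure unless that action expands the value itself, which is not visible here.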
@@ -103,11 +105,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -128,9 +130,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -138,18 +140,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-copilot.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -161,9 +163,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -179,17 +181,17 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, create_discussion, create_pull_request_review_comment, submit_pull_request_review, add_labels, remove_labels, set_issue_type, dispatch_workflow, missing_tool, missing_data, noop @@ -249,9 +251,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -272,10 +274,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -299,11 +301,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -328,10 +330,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokecopilot outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -352,7 +352,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -395,10 +395,14 @@ jobs: - name: Capture GOROOT for AWF chroot mode run: echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV" - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -428,14 +432,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -444,10 +448,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -461,26 +465,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"allowed_repos":["github/gh-aw"],"max":2},"add_labels":{"allowed":["smoke-copilot"],"allowed_repos":["github/gh-aw"],"max":3},"create_discussion":{"expires":2,"max":1},"create_issue":{"expires":2,"group":true,"max":1},"create_pull_request_review_comment":{"max":5},"dispatch_workflow":{"max":1,"workflow_files":{"haiku-printer":".yml"},"workflows":["haiku-printer"]},"missing_data":{},"missing_tool":{},"noop":{"max":1},"remove_labels":{"allowed":["smoke"],"max":3},"send-slack-message":{"description":"Send a message to Slack (stub for testing)","inputs":{"message":{"default":null,"description":"The message to send","required":true,"type":"string"}},"output":"Slack message stub executed!"},"set_issue_type":{"max":5},"submit_pull_request_review":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > 
${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"automation\" \"testing\"] will be automatically added.", @@ -917,7 +921,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -1187,8 +1191,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection 
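Review bot: The added `mkdir -p ${GH_AW_HOME}`, `cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw` and `chmod +x ${GH_AW_HOME}/gh-aw` lines expand the variable unquoted, so a GH_AW_HOME containing a space or glob character would be word-split and the copy and chmod could act on a different path than intended. That was harmless for the fixed /opt/gh-aw but matters once the directory is configurable per runner. Quote each use, e.g. `mkdir -p "${GH_AW_HOME}"` and `cp "$GH_AW_BIN" "${GH_AW_HOME}/gh-aw"`; the `bash ${GH_AW_HOME}/actions/...` and `cat > ${GH_AW_HOME}/...` lines in the other hunks of this file need the same treatment.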
@@ -1199,16 +1203,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "gh", @@ -1321,7 +1325,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -1330,17 +1334,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + '/mcp-scripts/logs' }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' #!/bin/bash # Auto-generated mcp-script tool: gh # Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. 
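Review bot: `"logDir": "${GH_AW_HOME}/mcp-scripts/logs"` sits inside a here-document whose delimiter is quoted (`<< 'GH_AW_MCP_SCRIPTS_TOOLS_EOF'`), so the shell copies it verbatim and tools.json ends up holding the unexpanded string. The mcp-server.cjs written a few lines later resolves the same directory at run time with `process.env.GH_AW_HOME + '/mcp-scripts/logs'`, which shows the intended value. Unless the code that reads tools.json expands the variable itself (not visible here), the JSON should carry a resolved path or omit `logDir` and rely on the option passed to startHttpServer. Switching the whole here-document to an unquoted delimiter is not a safe shortcut, because every other `$` in the JSON body would then be expanded too.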
@@ -1352,8 +1356,8 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_GH_EOF - chmod +x /opt/gh-aw/mcp-scripts/gh.sh - cat > /opt/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/gh.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-discussion-query # Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1489,8 +1493,8 @@ jobs: fi GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-discussion-query.sh - cat > /opt/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-issue-query # Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1570,8 +1574,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-issue-query.sh - cat > /opt/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-pr-query # Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. 
@@ -1657,7 +1661,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-pr-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -1692,7 +1696,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -1728,7 +1732,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -1797,7 +1801,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
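Review bot: The gateway container command shown as context in the `@@ -1728,7 +1732,7 @@` hunk still mounts `-v /opt:/opt:ro` and does not pass `-e GH_AW_HOME`, while the script that launches it is now resolved from `${GH_AW_HOME}`. With the default /opt/gh-aw nothing changes, but on a runner where GH_AW_HOME is outside /opt the container would not see the gh-aw binary or the safeoutputs files whose paths it is handed through `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH`. Mounting only the resolved directory read-only, `-v "${GH_AW_HOME}":"${GH_AW_HOME}":ro` spliced in with the same quote-breaking the line already uses for GITHUB_WORKSPACE, would fix that and also stop exposing all of /opt to a container that holds the Docker socket. The MCP_GATEWAY_DOCKER_COMMAND line is not among the changed lines, so this would be a follow-up in the generator.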
@@ -1834,7 +1838,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -1872,15 +1876,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1890,7 +1894,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -1909,9 +1913,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -1935,27 +1939,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -2033,9 +2037,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -2082,9 +2086,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -2132,6 +2136,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-copilot" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -2146,7 +2152,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -2170,9 +2176,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -2183,9 +2189,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -2207,9 +2213,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -2224,9 +2230,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -2243,9 +2249,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -2268,7 +2274,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -2277,9 +2283,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: 
@@ -2296,6 +2302,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-copilot" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📰 *BREAKING: Report filed by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"📰 BREAKING: [{workflow_name}]({run_url}) is now investigating this {event_type}. Sources say the story is developing...\",\"runSuccess\":\"📰 VERDICT: [{workflow_name}]({run_url}) has concluded. All systems operational. This is a developing story. 🎤\",\"runFailure\":\"📰 DEVELOPING STORY: [{workflow_name}]({run_url}) reports {status}. Our correspondents are investigating the incident...\"}" GH_AW_WORKFLOW_ID: "smoke-copilot" GH_AW_WORKFLOW_NAME: "Smoke Copilot" @@ -2320,7 +2327,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2346,9 +2353,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() 
@@ -2365,17 +2372,19 @@ jobs: runs-on: ubuntu-latest permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw steps: - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 with: name: agent-output - path: /opt/gh-aw/safe-jobs/ + path: ${GH_AW_HOME}/safe-jobs/ - name: Setup Safe Job Environment Variables run: | - find "/opt/gh-aw/safe-jobs/" -type f -print - echo "GH_AW_AGENT_OUTPUT=/opt/gh-aw/safe-jobs/agent_output.json" >> "$GITHUB_ENV" + find "${GH_AW_HOME}/safe-jobs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=${GH_AW_HOME}/safe-jobs/agent_output.json" >> "$GITHUB_ENV" - name: Stub Slack message run: | echo "🎭 This is a stub - not sending to Slack" @@ -2399,6 +2408,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: smokecopilot steps: - name: Checkout actions folder @@ -2410,7 +2420,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index 8b96af76226..a14e86ff41f 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml @@ -56,6 +56,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: ${{ steps.add-comment.outputs.comment-id }} @@ -74,7 +76,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -96,7 +98,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -113,18 +115,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-create-cross-repo-pr.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment 
@@ -135,9 +137,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔬 *Cross-repo smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔬 [{workflow_name}]({run_url}) is testing cross-repo PR creation in githubnext/gh-aw-side-repo...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created a cross-repo PR in githubnext/gh-aw-side-repo!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create a cross-repo PR: {status}\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -153,20 +155,20 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' 
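Review bot: `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` leaves the expansion unquoted, although the `cat "${GH_AW_HOME}/prompts/…"` lines in the same hunk quote it. The point of the change is to let a self-hosted runner relocate the directory, and a value containing spaces or glob characters would be word-split and change which file bash is asked to run. Write `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"`. The same applies to the other unquoted uses in later hunks, such as `mkdir -p ${GH_AW_HOME}/safeoutputs` and `cat > ${GH_AW_HOME}/safeoutputs/config.json`.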
@@ -217,9 +219,9 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -237,10 +239,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -261,11 +263,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -289,10 +291,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokecreatecrossrepopr outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -313,7 +313,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -325,7 +325,11 @@ jobs: repository: githubnext/gh-aw-side-repo token: ${{ secrets.GH_AW_SIDE_REPO_PAT }} - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -348,14 +352,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -365,19 +369,19 @@ jobs: CUSTOM_GITHUB_TOKEN: ${{ secrets.GH_AW_SIDE_REPO_PAT }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"create_issue":{"expires":2,"max":1},"create_pull_request":{"draft":true,"expires":24,"fallback_as_issue":false,"max":1,"target-repo":"githubnext/gh-aw-side-repo","title_prefix":"[smoke] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. 
For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"automation\" \"testing\"] will be automatically added.", @@ -609,7 +613,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -781,8 +785,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -793,7 +797,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -822,7 +826,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -857,7 +861,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
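Review bot: `MCP_GATEWAY_DOCKER_COMMAND` in this hunk still binds only `-v /opt:/opt:ro`, while the safe-outputs paths forwarded with `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH` are now derived from `GH_AW_HOME`. On a runner where `GH_AW_HOME` lies outside `/opt`, the gateway container would presumably be handed paths it cannot see. Consider a read-only bind for the home directory in the same style as the workspace mount, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. The `run:` block begins outside the hunk, so whether another mount already covers this cannot be confirmed from here.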
@@ -892,7 +896,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -930,15 +934,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GH_AW_SIDE_REPO_PAT,GITHUB_TOKEN' @@ -948,7 +952,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -967,9 +971,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -993,18 +997,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1076,9 +1080,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1126,9 +1130,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1173,6 +1177,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-create-cross-repo-pr" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1187,7 +1193,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
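Review bot: The two `require('${GH_AW_HOME}/actions/…')` calls in this github-script step are single-quoted JavaScript strings, so nothing substitutes the variable and Node is asked to load a path that literally begins with `${GH_AW_HOME}`. This is the step that loads `setup_threat_detection.cjs`, so the detection setup would fail at module load instead of running. Use the form the neighbouring steps already use, `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')` and `require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs')`. The same literal form appears in the conclusion-job hunks that follow (`noop.cjs`, `missing_tool.cjs`, `handle_agent_failure.cjs`, `handle_noop_message.cjs`, `handle_create_pr_error.cjs`, `notify_comment_error.cjs`), which suggests one code path in the generator emits the shell form into JavaScript.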
@@ -1211,9 +1217,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1224,9 +1230,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1247,9 +1253,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1264,9 +1270,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1278,9 +1284,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1297,9 +1303,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1322,7 +1328,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -1331,9 +1337,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1351,6 +1357,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-create-cross-repo-pr" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔬 *Cross-repo smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔬 [{workflow_name}]({run_url}) is testing cross-repo PR creation in githubnext/gh-aw-side-repo...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created a cross-repo PR in githubnext/gh-aw-side-repo!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create a cross-repo PR: {status}\"}" GH_AW_WORKFLOW_ID: "smoke-create-cross-repo-pr" GH_AW_WORKFLOW_NAME: "Smoke Create Cross-Repo PR" @@ -1377,7 +1384,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output 
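Review bot: `process.env.GH_AW_HOME` is read by the `check_membership` step, but no hunk adds `GH_AW_HOME` to the `pre_activation` job; the line offset stays at +6 from the conclusion job's `env:` hunk through this one, so nothing was inserted in between. Unless the variable is set outside these hunks, the argument evaluates to `undefined/actions/setup_globals.cjs` and the membership gate errors before it can decide anything. Add `env:` with `GH_AW_HOME: /opt/gh-aw` to `pre_activation` as the other jobs do. The `destination: ${GH_AW_HOME}/actions` input in the preceding hunk depends on the same variable, and the job header itself lies outside both hunks.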
@@ -1435,9 +1442,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index 95876d757af..eb0096008bf 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -61,6 +61,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: ${{ steps.add-comment.outputs.comment-id }} @@ -80,7 +82,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -102,11 +104,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate GEMINI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh GEMINI_API_KEY 'Gemini CLI' https://geminicli.com/docs/get-started/authentication/ + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh GEMINI_API_KEY 'Gemini CLI' https://geminicli.com/docs/get-started/authentication/ env: GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} - name: Checkout .github and .agents folders 
@@ -127,9 +129,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -137,18 +139,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-gemini.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment 
@@ -159,9 +161,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e ✨ *[{workflow_name}]({run_url}) — Powered by Gemini*{history_link}\",\"runStarted\":\"✨ Gemini awakens... [{workflow_name}]({run_url}) begins its journey on this {event_type}...\",\"runSuccess\":\"🚀 [{workflow_name}]({run_url}) **MISSION COMPLETE!** Gemini has spoken. ✨\",\"runFailure\":\"⚠️ [{workflow_name}]({run_url}) {status}. Gemini encountered unexpected challenges...\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -176,16 +178,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, add_labels, missing_tool, missing_data, noop 
@@ -240,9 +242,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -262,10 +264,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -288,11 +290,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -315,10 +317,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokegemini outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -338,16 +338,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -377,9 +381,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -387,7 +391,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Gemini CLI run: npm install -g @google/gemini-cli@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -398,19 +402,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcp/fetch node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcp/fetch node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"add_labels":{"allowed":["smoke-gemini"],"max":3},"create_issue":{"expires":2,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. 
CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"automation\" \"testing\"] will be automatically added.", @@ -622,7 +626,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -777,8 +781,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -789,16 +793,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "gh", 
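Review bot: `"logDir": "${GH_AW_HOME}/mcp-scripts/logs"` (hunk -789,16) is written inside the `<< 'GH_AW_MCP_SCRIPTS_TOOLS_EOF'` heredoc, and the quoted delimiter disables shell expansion, so tools.json ends up containing the unexpanded text `${GH_AW_HOME}`. Whether the consumer of tools.json expands environment references is not visible in this hunk; if it does not, logs go to a relative directory of that literal name instead of the intended location. The `mcp-server.cjs` written two hunks later already passes `logDir: process.env.GH_AW_HOME + '/mcp-scripts/logs'`, so the generator could omit the JSON field if that override is sufficient, or emit this one line outside the quoted heredoc. The hunk starts inside the previous step's `run:` block and ends inside the heredoc body.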
@@ -825,7 +829,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -834,17 +838,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + '/mcp-scripts/logs' }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' #!/bin/bash # Auto-generated mcp-script tool: gh # Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -856,7 +860,7 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_GH_EOF - chmod +x /opt/gh-aw/mcp-scripts/gh.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/gh.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -890,7 +894,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -922,7 +926,7 @@ jobs: export GH_AW_ENGINE="gemini" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -966,7 +970,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Write Gemini settings run: | mkdir -p "$GITHUB_WORKSPACE/.gemini" 
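Review bot: `MCP_GATEWAY_DOCKER_COMMAND` on the context line above the change still mounts only `-v /opt:/opt:ro` and has no `-e GH_AW_HOME`, while this hunk makes the gateway script path follow `${GH_AW_HOME}`. The command forwards `GH_AW_SAFE_OUTPUTS`, `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `GH_AW_SAFE_OUTPUTS_TOOLS_PATH` into the container, so with a home outside `/opt` those variables would name paths that are not mounted there. Adding `-e GH_AW_HOME` and a mount in the style already used for the workspace, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, would keep the container view consistent. Whether the gateway image reads those files directly is an assumption to confirm. The same command appears unchanged in smoke-multi-pr.lock.yml (hunk -742,7).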
@@ -1019,15 +1023,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GEMINI_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1037,7 +1041,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -1056,9 +1060,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -1085,27 +1089,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_gemini_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_gemini_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Upload cache-memory data as artifact uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -1167,9 +1171,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1214,9 +1218,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1262,6 +1266,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-gemini" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1276,7 +1282,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
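Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')` in hunk -1167,9 use a single-quoted JavaScript string, so `${GH_AW_HOME}` is never substituted and github-script resolves a path with that literal name, which would fail with a module-not-found error. This is the threat-detection setup step, so the defect stops a security control from starting; what later steps do on that failure is not visible here. The other steps in this file use the working form, `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`. The same literal form appears in the conclusion-job hunks -1300,9, -1313,9, -1334,9, -1351,9 and -1370,9. Since the file is compiler output, the generator path that emits these steps probably uses the shell-form constant where the JS one is needed.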
@@ -1300,9 +1306,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1313,9 +1319,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1334,9 +1340,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1351,9 +1357,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1370,9 +1376,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1395,7 +1401,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1404,9 +1410,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: 
@@ -1422,6 +1428,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-gemini" GH_AW_ENGINE_ID: "gemini" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e ✨ *[{workflow_name}]({run_url}) — Powered by Gemini*{history_link}\",\"runStarted\":\"✨ Gemini awakens... [{workflow_name}]({run_url}) begins its journey on this {event_type}...\",\"runSuccess\":\"🚀 [{workflow_name}]({run_url}) **MISSION COMPLETE!** Gemini has spoken. ✨\",\"runFailure\":\"⚠️ [{workflow_name}]({run_url}) {status}. Gemini encountered unexpected challenges...\"}" GH_AW_WORKFLOW_ID: "smoke-gemini" GH_AW_WORKFLOW_NAME: "Smoke Gemini" @@ -1446,7 +1453,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1472,9 +1479,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1491,6 +1498,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: smokegemini steps: - name: Checkout actions folder @@ -1502,7 +1510,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 
diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index 43ab51ff4ae..68494454271 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -56,6 +56,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: ${{ steps.add-comment.outputs.comment-id }} @@ -75,7 +77,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -97,11 +99,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
@@ -122,9 +124,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -132,18 +134,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-multi-pr.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment 
@@ -154,9 +156,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🧪 *Multi PR smoke test by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🧪 [{workflow_name}]({run_url}) is now testing multiple PR creation...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created multiple PRs.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create multiple PRs. Check the logs.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -171,20 +173,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' 
@@ -230,9 +232,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -249,10 +251,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -272,11 +274,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -298,10 +300,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokemultipr outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -322,13 +322,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -351,14 +355,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -367,19 +371,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_pull_request":{"expires":2,"max":2,"title_prefix":"[smoke-multi-pr] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. 
IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -562,7 +566,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -701,8 +705,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -713,7 +717,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -742,7 +746,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -777,7 +781,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -836,7 +840,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -874,15 +878,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -892,7 +896,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -911,9 +915,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -937,18 +941,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1020,9 +1024,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1069,9 +1073,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1116,6 +1120,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-multi-pr" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1130,7 +1136,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
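Review bot: The two `require('${GH_AW_HOME}/actions/…')` calls added in the `@@ -1020,9 +1024,9 @@` hunk pass a single-quoted JavaScript string. Nothing expands `${GH_AW_HOME}` inside a github-script `script:` block, so Node is asked to load a path that literally begins with `${GH_AW_HOME}` and the threat-detection setup step would fail at module resolution. The neighbouring hunks already use the working form, so these lines should read `const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');` and `const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs');`. The same quoted form is in the conclusion-job hunks `@@ -1154`, `@@ -1167`, `@@ -1191`, `@@ -1208`, `@@ -1222`, `@@ -1241`, and in their smoke-project.lock.yml counterparts `@@ -1453` and `@@ -1587` through `@@ -1674`. As this file appears to be generated, the emitting code path for these steps is the place to correct it.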
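Review bot: `destination: ${GH_AW_HOME}/actions` in the `@@ -1130,7 +1136,7 @@` hunk is a `with:` input, and the runner hands `with:` values to the action verbatim. Unless `./actions/setup` expands shell-style variables in its input itself (not visible here), the scripts would be copied under a directory literally named `${GH_AW_HOME}` rather than `/opt/gh-aw/actions`. Later steps would then load scripts from a location the setup step never populated. The expression form `destination: ${{ env.GH_AW_HOME }}/actions` resolves before the action runs. Every other `Setup Scripts` hunk in both lock files has the same line.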
@@ -1154,9 +1160,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1167,9 +1173,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1191,9 +1197,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1208,9 +1214,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1222,9 +1228,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1241,9 +1247,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1266,7 +1272,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -1275,9 +1281,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1295,6 +1301,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-multi-pr" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🧪 *Multi PR smoke test by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🧪 [{workflow_name}]({run_url}) is now testing multiple PR creation...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created multiple PRs.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create multiple PRs. Check the logs.\"}" GH_AW_WORKFLOW_ID: "smoke-multi-pr" GH_AW_WORKFLOW_NAME: "Smoke Multi PR" @@ -1319,7 +1326,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1374,9 +1381,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() 
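Review bot: The `pre_activation` job does not appear to get the `env: GH_AW_HOME: /opt/gh-aw` block the other jobs receive. The hunk offsets stay at +6 from `@@ -1241,9 +1247,9 @@` through `@@ -1275,9 +1281,9 @@`, so no line is added in that job, yet its steps now depend on the variable. If nothing else defines it, `process.env.GH_AW_HOME` is undefined in the `check_membership` step and `require` is given `undefined/actions/check_membership.cjs`, so the team-membership gate cannot load. Add `env:` with `GH_AW_HOME: /opt/gh-aw` to the job, as is done for `conclusion` and `safe_outputs`. The smoke-project.lock.yml hunks `@@ -1699,7 +1705,7 @@` and `@@ -1708,9 +1714,9 @@` show the same gap.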
diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index 6fe565cd742..41198343873 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -54,6 +54,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: ${{ steps.add-comment.outputs.comment-id }} @@ -73,7 +75,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -95,11 +97,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
@@ -120,9 +122,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -130,18 +132,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-project.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment 
@@ -152,9 +154,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🧪 *Project smoke test report by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🧪 [{workflow_name}]({run_url}) is now testing project operations...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed successfully. All project operations validated.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) encountered failures. Check the logs for details.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -169,20 +171,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, create_pull_request, add_labels, remove_labels, update_project, create_project_status_update, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' 
@@ -227,9 +229,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -246,10 +248,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -269,11 +271,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -297,10 +299,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeproject outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -321,13 +321,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -350,14 +354,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -366,19 +370,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"add_labels":{"allowed":["smoke-project"],"max":3},"create_issue":{"expires":2,"group":true,"max":1},"create_project_status_update":{"max":1},"create_pull_request":{"expires":2,"max":1,"title_prefix":"[smoke-project] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"remove_labels":{"allowed":["smoke-project"],"max":3},"update_project":{"max":20}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. 
Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"ai-generated\" \"automation\" \"testing\"] will be automatically added.", @@ -867,7 +871,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -1159,8 +1163,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -1171,7 +1175,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -1200,7 +1204,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -1235,7 +1239,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -1269,7 +1273,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -1307,15 +1311,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1325,7 +1329,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -1344,9 +1348,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1370,18 +1374,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1453,9 +1457,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1502,9 +1506,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1549,6 +1553,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-project" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1563,7 +1569,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1587,9 +1593,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1600,9 +1606,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1624,9 +1630,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1641,9 +1647,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1655,9 +1661,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1674,9 +1680,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1699,7 +1705,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -1708,9 +1714,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1728,6 +1734,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-project" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🧪 *Project smoke test report by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🧪 [{workflow_name}]({run_url}) is now testing project operations...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed successfully. All project operations validated.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) encountered failures. Check the logs for details.\"}" GH_AW_WORKFLOW_ID: "smoke-project" GH_AW_WORKFLOW_NAME: "Smoke Project" @@ -1754,7 +1761,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output @@ -1812,9 +1819,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() 
diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index d2690ec0c59..b135b20b2cc 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -54,6 +54,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: ${{ steps.add-comment.outputs.comment-id }} @@ -73,7 +75,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -95,11 +97,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
@@ -120,9 +122,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -130,18 +132,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-temporary-id.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment 
@@ -152,9 +154,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🧪 *Temporary ID smoke test by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🧪 [{workflow_name}]({run_url}) is now testing temporary ID functionality...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed successfully. Temporary ID validation passed.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) encountered failures. Check the logs for details.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -169,15 +171,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, link_sub_issue, missing_tool, missing_data, noop 
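Review bot: In the "Create prompt with built-in context" hunk, `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` expands the variable unquoted, while the `cat "${GH_AW_HOME}/prompts/…"` lines just below it quote it. With the path now configurable for self-hosted runners, a value containing spaces or glob characters would be word-split; `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"` keeps it a single argument. The other `run:` lines this commit rewrites (`bash ${GH_AW_HOME}/actions/…`, `mkdir -p ${GH_AW_HOME}/safeoutputs`, `cat > ${GH_AW_HOME}/safeoutputs/config.json`) use the same unquoted form.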
@@ -224,9 +226,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -243,10 +245,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -266,11 +268,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -293,10 +295,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smoketemporaryid outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -317,13 +317,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -346,14 +350,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -362,19 +366,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"create_issue":{"expires":2,"group":true,"max":5},"link_sub_issue":{"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. 
CONSTRAINTS: Maximum 5 issue(s) can be created. Title will be prefixed with \"[smoke-temporary-id] \". Labels [\"ai-generated\" \"automation\" \"testing\"] will be automatically added.", @@ -593,7 +597,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -747,8 +751,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -759,7 +763,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
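Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are not shell-expanded. The runner evaluates only `${{ }}` in `env:`, so the step receives the literal text and the `export` lines below hand it to the safe-outputs server. The commit already writes resolved values for both names to `$GITHUB_ENV` in the "Create gh-aw temp directory" step, and a step-level `env:` entry would take precedence over those. Dropping the two entries here looks like the intended fix. How start_safe_outputs_server.sh behaves when the config path does not resolve is outside this hunk and worth checking, since that file carries the output limits.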
@@ -788,7 +792,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -823,7 +827,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
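Review bot: The gateway script path becomes `${GH_AW_HOME}/actions/start_mcp_gateway.sh`, but the `MCP_GATEWAY_DOCKER_COMMAND` on the context line above still mounts `-v /opt:/opt:ro` while passing `GH_AW_SAFE_OUTPUTS`, `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `GH_AW_SAFE_OUTPUTS_TOOLS_PATH` into the container. If `GH_AW_HOME` is set outside `/opt` on a self-hosted runner, those paths will not exist inside the gateway container. Mounting the directory itself, following the quoting already used for the workspace mount (`-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro` in place of `-v /opt:/opt:ro`), would track the variable and also narrow what the container can read.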
@@ -857,7 +861,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -895,15 +899,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -913,7 +917,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -932,9 +936,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -958,18 +962,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1040,9 +1044,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1089,9 +1093,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1136,6 +1140,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-temporary-id" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1150,7 +1156,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1174,9 +1180,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1187,9 +1193,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1209,9 +1215,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1226,9 +1232,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1245,9 +1251,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1270,7 +1276,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1279,9 +1285,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: 
@@ -1297,6 +1303,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-temporary-id" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🧪 *Temporary ID smoke test by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🧪 [{workflow_name}]({run_url}) is now testing temporary ID functionality...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed successfully. Temporary ID validation passed.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) encountered failures. Check the logs for details.\"}" GH_AW_WORKFLOW_ID: "smoke-temporary-id" GH_AW_WORKFLOW_NAME: "Smoke Temporary ID" @@ -1321,7 +1328,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1347,9 +1354,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 6514269b661..562406f3daf 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -56,6 +56,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: ${{ steps.add-comment.outputs.comment-id }} 
@@ -75,7 +77,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -97,11 +99,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
@@ -119,18 +121,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-test-tools.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment 
@@ -141,9 +143,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔧 *Tool validation by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔧 Starting tool validation... [{workflow_name}]({run_url}) is checking the agent container tools...\",\"runSuccess\":\"✅ All tools validated successfully! [{workflow_name}]({run_url}) confirms agent container is ready.\",\"runFailure\":\"❌ Tool validation failed! [{workflow_name}]({run_url}) detected missing tools: {status}\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -158,15 +160,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop 
@@ -213,9 +215,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -232,10 +234,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -255,11 +257,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -282,10 +284,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smoketesttools outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -306,7 +306,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -337,7 +337,11 @@ jobs: with: python-version: '3.11' - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -360,14 +364,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -376,19 +380,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. 
IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 2 comment(s) can be added.", @@ -522,7 +526,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -625,8 +629,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -637,7 +641,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
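Review bot: The step-level `env:` in the hunk at -625 now sets `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json`, and `env:` values are not shell-expanded, so the variable holds a path that literally begins with `${GH_AW_HOME}` unless start_safe_outputs_server.sh expands it again. The step value also takes precedence over the resolved one that the hunk at -337 writes to `$GITHUB_ENV`. Dropping the two step-level entries, or writing `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json` (and the same for the config path), keeps the safe-outputs server reading the tools and config files that were actually written. The step starts outside the hunk, and the hunk at -776 in smoke-update-cross-repo-pr.lock.yml has the same two lines.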
@@ -666,7 +670,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -701,7 +705,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
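Review bot: The gateway command in the hunk at -666 still mounts `-v /opt:/opt:ro`, so once `GH_AW_HOME` points outside `/opt` the `GH_AW_SAFE_OUTPUTS*` paths passed with `-e` will not exist inside the container. The read-only guarantee is also lost if the home is placed under `/tmp` or the workspace, both of which this command mounts `rw`. Later steps `require()` scripts from `${GH_AW_HOME}/actions` with tokens in scope, so that directory should stay read-only to anything the agent side can reach. A dedicated mount of the form `DefaultGhAwMount` takes in this patch (`<home>:<home>:ro`), plus a check that rejects a home under a writable mount, would cover both. The same command is in the hunk at -817 of smoke-update-cross-repo-pr.lock.yml.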
@@ -735,7 +739,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -773,15 +777,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -791,7 +795,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -810,9 +814,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -836,18 +840,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -918,9 +922,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -967,9 +971,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1014,6 +1018,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-test-tools" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1028,7 +1034,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
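Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` in the hunk at -918 is a single-quoted JavaScript string inside a github-script `script:` block, so `${GH_AW_HOME}` is not expanded by the shell, by Actions or by JavaScript, and Node is asked to resolve a module whose name literally starts with `${GH_AW_HOME}`. The other github-script steps in this patch use `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and both `require` calls here should take that form. The affected step loads setup_threat_detection.cjs, so a load failure stops threat-detection setup; whether the job then fails closed is not visible from the hunk. The same literal form is in the conclusion-job hunks at -1052, -1065, -1087, -1104 and -1123, and at -1077, -1213, -1226 and -1249 in smoke-update-cross-repo-pr.lock.yml.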
@@ -1052,9 +1058,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1065,9 +1071,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1087,9 +1093,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1104,9 +1110,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1123,9 +1129,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1148,7 +1154,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1157,9 +1163,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: 
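Review bot: The pre_activation job (hunks at -1148 and -1157) starts reading `process.env.GH_AW_HOME`, but no hunk adds `GH_AW_HOME` to that job's `env:`, unlike the agent, conclusion and safe_outputs jobs (hunks at -282, -1014 and -1175). Unless the variable is set at workflow level or exported by the setup action, neither of which is visible here, the check_membership step would call `require('undefined/actions/setup_globals.cjs')` and throw before the membership check runs. Adding `env:` with `GH_AW_HOME: /opt/gh-aw` to the job, as the other jobs do, removes that dependency. This job gates activation, so it is worth confirming that a failure here leaves the workflow blocked rather than skipped past.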
@@ -1175,6 +1181,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-test-tools" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔧 *Tool validation by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔧 Starting tool validation... [{workflow_name}]({run_url}) is checking the agent container tools...\",\"runSuccess\":\"✅ All tools validated successfully! [{workflow_name}]({run_url}) confirms agent container is ready.\",\"runFailure\":\"❌ Tool validation failed! [{workflow_name}]({run_url}) detected missing tools: {status}\"}" GH_AW_WORKFLOW_ID: "smoke-test-tools" GH_AW_WORKFLOW_NAME: "Agent Container Smoke Test" @@ -1197,7 +1204,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1223,9 +1230,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index 8ae6fb186ce..31eba2f4c72 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml 
@@ -56,6 +56,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: ${{ steps.add-comment.outputs.comment-id }} @@ -74,7 +76,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -96,7 +98,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -113,18 +115,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-update-cross-repo-pr.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment 
@@ -135,9 +137,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📜 *Cross-repo PR update smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📜 [{workflow_name}]({run_url}) is adding the next Odyssey line to githubnext/gh-aw-side-repo PR #1...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully updated the cross-repo PR with a new Odyssey line!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to update the cross-repo PR: {status}\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -153,21 +155,21 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, push_to_pull_request_branch, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_push_to_pr_branch.md" cat << 'GH_AW_PROMPT_EOF' 
@@ -218,9 +220,9 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -241,10 +243,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -268,11 +270,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -296,10 +298,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeupdatecrossrepopr outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -320,7 +320,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -339,10 +339,14 @@ jobs: header=$(printf "x-access-token:%s" "${GH_AW_FETCH_TOKEN}" | base64) git -c "http.extraheader=Authorization: Basic ${header}" fetch origin '+refs/heads/main:refs/remotes/origin/main' '+refs/pull/*/head:refs/remotes/origin/pull/*/head' - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -372,14 +376,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -389,19 +393,19 @@ jobs: CUSTOM_GITHUB_TOKEN: ${{ secrets.GH_AW_SIDE_REPO_PAT }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"create_issue":{"expires":2,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":0,"target":"1"}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. 
CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"automation\" \"testing\"] will be automatically added.", @@ -620,7 +624,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -776,8 +780,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -788,7 +792,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -817,7 +821,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -852,7 +856,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -887,7 +891,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -925,15 +929,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GH_AW_SIDE_REPO_PAT,GITHUB_TOKEN' @@ -943,7 +947,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -962,9 +966,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -988,18 +992,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1077,9 +1081,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1127,9 +1131,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1175,6 +1179,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-update-cross-repo-pr" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1189,7 +1195,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
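Review bot: In the hunk at -1077, `require('${GH_AW_HOME}/actions/setup_globals.cjs')` is a single-quoted JavaScript string inside a github-script `script:` input, so neither a shell nor the Actions expression engine expands it. Node would be asked to load a path that literally starts with `${GH_AW_HOME}`, and the threat-detection setup step would fail to load its module. The other steps in this commit use the working form, `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and the same is needed for `setup_threat_detection.cjs`. The same literal appears in the conclusion-job hunks for noop, missing_tool, handle_agent_failure, handle_noop_message and notify_comment_error, and again in smoke-workflow-call.lock.yml. It presumably comes from a generator path that still interpolates the shell-form constant into JS, so that is where the fix belongs.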
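Review bot: In the hunk at -1189, `destination: ${GH_AW_HOME}/actions` is a `with:` input to `./actions/setup`, and Actions passes `with:` values verbatim apart from `${{ }}` expressions. Unless the setup action expands shell-style variables itself (not visible in this diff), it receives the literal string and would copy the scripts into a directory named `${GH_AW_HOME}`. Using the expression form, `destination: ${{ env.GH_AW_HOME }}/actions`, avoids depending on the action's internals. Every other `Setup Scripts` step changed in this commit has the same line.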
@@ -1213,9 +1219,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1226,9 +1232,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1249,9 +1255,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1266,9 +1272,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1285,9 +1291,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1310,7 +1316,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1319,9 +1325,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: 
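Review bot: The pre_activation steps in the hunks at -1310 and -1319 now depend on GH_AW_HOME, but no hunk adds `GH_AW_HOME: /opt/gh-aw` to that job. The conclusion, safe_outputs and cache-memory jobs each get one, and the line offsets around `pre_activation:` do not change. Unless a workflow-level `env:` outside this view defines it, `process.env.GH_AW_HOME` is undefined there and `require(process.env.GH_AW_HOME + '/actions/check_membership.cjs')` resolves to `undefined/actions/check_membership.cjs`, so the membership gate fails before it runs. Add the same job-level block to pre_activation: `env:` with `GH_AW_HOME: /opt/gh-aw`. The job header is outside these hunks. The pre_activation job in smoke-workflow-call.lock.yml shows the same pattern.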
@@ -1339,6 +1345,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-update-cross-repo-pr" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📜 *Cross-repo PR update smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📜 [{workflow_name}]({run_url}) is adding the next Odyssey line to githubnext/gh-aw-side-repo PR #1...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully updated the cross-repo PR with a new Odyssey line!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to update the cross-repo PR: {status}\"}" GH_AW_WORKFLOW_ID: "smoke-update-cross-repo-pr" GH_AW_WORKFLOW_NAME: "Smoke Update Cross-Repo PR" @@ -1365,7 +1372,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output @@ -1422,9 +1429,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1441,6 +1448,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: smokeupdatecrossrepopr steps: - name: Checkout actions folder 
@@ -1452,7 +1460,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index 18f58ab2754..6a984ffb1d9 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml @@ -51,6 +51,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -66,7 +68,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,11 +90,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
@@ -110,9 +112,9 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-workflow-call.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -127,15 +129,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -182,9 +184,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -201,10 +203,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -224,11 +226,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -250,10 +252,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeworkflowcall outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -274,13 +274,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -303,14 +307,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -319,19 +323,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. 
IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -465,7 +469,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -568,8 +572,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -580,7 +584,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
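Review bot: In the hunk at -568, the step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are plain YAML values, so the variables hold the unexpanded text. Step-level env also takes precedence over the values an earlier step wrote to `$GITHUB_ENV`, so the `export` lines below hand the safe-outputs server a path that does not exist. Either drop these two entries and rely on the `$GITHUB_ENV` values, or use the expression form, for example `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`. The step continues outside the hunk.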
@@ -609,7 +613,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -644,7 +648,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
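Review bot: The gateway's `docker run` command in the context of the hunk at -609 still mounts `-v /opt:/opt:ro`, while the script path on the changed line and the `GH_AW_SAFE_OUTPUTS*` values passed with `-e` now derive from GH_AW_HOME. If GH_AW_HOME is moved outside `/opt`, `/tmp` and the workspace, which is the self-hosted case this change targets, those paths would not exist inside the container. Consider replacing the fixed mount with one derived from the variable, using the quoting already applied to the `GITHUB_WORKSPACE` mount: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. That also narrows the read-only exposure from all of `/opt` to the gh-aw directory. The command and the heredoc both extend beyond this hunk.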
@@ -698,7 +702,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -736,15 +740,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -754,7 +758,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -773,9 +777,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -799,18 +803,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -881,9 +885,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -930,9 +934,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -977,6 +981,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-workflow-call" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -991,7 +997,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1015,9 +1021,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1028,9 +1034,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1050,9 +1056,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1067,9 +1073,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1089,7 +1095,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1098,9 +1104,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1116,6 +1122,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-workflow-call" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔁 *workflow_call smoke test by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🔁 [{workflow_name}]({run_url}) is validating workflow_call checkout...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully validated workflow_call checkout.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to validate workflow_call checkout. Check the logs.\"}" GH_AW_WORKFLOW_ID: "smoke-workflow-call" GH_AW_WORKFLOW_NAME: "Smoke Workflow Call" 
@@ -1138,7 +1145,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1164,9 +1171,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 5bf556974fe..701d6480939 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -58,6 +58,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -73,7 +75,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -98,11 +100,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -120,9 +122,9 @@ jobs: GH_AW_WORKFLOW_FILE: "stale-repo-identifier.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -138,16 +140,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, upload_asset, missing_tool, missing_data, noop @@ -208,9 +210,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -230,10 +232,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -256,11 +258,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -286,10 +288,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: stalerepoidentifier outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -310,13 +310,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -378,7 +382,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
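Review bot: `destination: ${GH_AW_HOME}/actions` in the `Setup Scripts` step is an action input, not a shell line, so the runner passes it through without expanding it. Unless `./actions/setup` resolves environment references in that input itself (not visible here), the scripts are copied to a path that literally starts with `${GH_AW_HOME}`, and the later `bash ${GH_AW_HOME}/actions/...` steps look somewhere else. The expression form `destination: ${{ env.GH_AW_HOME }}/actions` is resolved by the runner from the job-level `GH_AW_HOME` and avoids the ambiguity. The same input is changed in the other `Setup Scripts` hunks of this file and of static-analysis-report.lock.yml.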
@@ -408,25 +412,25 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"group":true,"max":10},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 
'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 10 issue(s) can be created. Title will be prefixed with \"[Stale Repository] \". Labels [\"stale-repository\" \"automated-analysis\" \"cookie\"] will be automatically added.", @@ -597,7 +601,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -724,8 +728,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -736,7 +740,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
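Review bot: In the -724,8 hunk the step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are not shell code, and the runner only evaluates `${{ }}` there. Both variables are therefore set to the literal text, and the `export` lines in the `run:` script pass it on unchanged. Step env also takes precedence over values appended to `$GITHUB_ENV`, so the expanded paths that the `Create gh-aw temp directory` step writes appear to be shadowed for this step. Either drop the two entries or write them as `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and the matching config line. The step begins above the hunk, and the same two lines recur in the -658,8 hunk of static-analysis-report.lock.yml.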
@@ -767,7 +771,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -802,7 +806,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
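Review bot: The `MCP_GATEWAY_DOCKER_COMMAND` context line in the -767,7 hunk still mounts `-v /opt:/opt:ro`, so the gateway container only gets a read-only view of the gh-aw files while `GH_AW_HOME` stays under `/opt`. With a home elsewhere the files are either missing inside the container or, if the home sits under `/tmp`, covered only by the `-v /tmp:/tmp:rw` mount, which would make the safe-outputs config and tools files writable from the container. Replacing the fixed mount with `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, quoted the same way as the `GITHUB_WORKSPACE` mount on that line, keeps the read-only guarantee tied to the configured path. The same line appears unchanged in the -699,7 hunk of static-analysis-report.lock.yml.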
@@ -839,7 +843,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -877,15 +881,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -895,7 +899,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -914,9 +918,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -940,18 +944,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1037,9 +1041,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1086,9 +1090,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1133,6 +1137,8 @@ jobs: concurrency: group: "gh-aw-conclusion-stale-repo-identifier" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1147,7 +1153,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
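Review bot: The two `require('${GH_AW_HOME}/actions/...')` calls in the -1037,9 hunk pass a single-quoted JavaScript string, so `${GH_AW_HOME}` is neither a template-literal substitution nor expanded by the runner, and Node is asked for a path that literally begins with `${GH_AW_HOME}`. The other github-script steps in this patch use the working form; these lines should match it, e.g. `const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs');`. As written the step presumably throws before `main()` is reached, which means the threat-detection setup does not run. The same pattern repeats in the noop, missing_tool, handle_agent_failure, handle_noop_message and upload_assets hunks and in the matching hunks of static-analysis-report.lock.yml. The lock file looks compiler-generated, so the fix likely belongs in the call sites that emit the shell form instead of going through `JsRequireGhAw`.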
@@ -1171,9 +1177,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1184,9 +1190,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1206,9 +1212,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1223,9 +1229,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1239,6 +1245,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/stale-repo-identifier" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔍 *Analysis by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 Stale Repository Identifier starting! [{workflow_name}]({run_url}) is analyzing repository activity...\",\"runSuccess\":\"✅ Analysis complete! [{workflow_name}]({run_url}) has finished analyzing stale repositories.\",\"runFailure\":\"⚠️ Analysis interrupted! [{workflow_name}]({run_url}) {status}.\"}" GH_AW_WORKFLOW_ID: "stale-repo-identifier" GH_AW_WORKFLOW_NAME: "Stale Repository Identifier" @@ -1261,7 +1268,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1287,9 +1294,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() 
@@ -1306,6 +1313,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: stalerepoidentifier steps: - name: Checkout actions folder @@ -1317,7 +1325,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1361,7 +1369,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1417,8 +1425,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 0264a0440ed..1a5f9441d5d 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -85,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "static-analysis-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -124,16 +126,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -184,9 +186,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -205,10 +207,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -230,11 +232,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -260,10 +262,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: staticanalysisreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -283,7 +283,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -319,7 +319,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Pull static analysis Docker images run: "set -e\necho \"Pulling Docker images for static analysis tools...\"\n\n# Pull zizmor Docker image\necho \"Pulling zizmor image...\"\ndocker pull ghcr.io/zizmorcore/zizmor:latest\n\n# Pull poutine Docker image\necho \"Pulling poutine image...\"\ndocker pull ghcr.io/boostsecurityio/poutine:latest\n\necho \"All static analysis Docker images pulled successfully\"\n" - name: Verify static analysis tools @@ -329,7 +333,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -359,9 +363,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 
@@ -369,7 +373,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -380,10 +384,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -397,26 +401,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"security\".", 
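Review bot: `${GH_AW_HOME}` is unquoted in `mkdir -p ${GH_AW_HOME}`, `cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw`, `chmod +x ${GH_AW_HOME}/gh-aw` and the `cat > ${GH_AW_HOME}/safeoutputs/...` redirections. A self-hosted home containing spaces or glob characters is word-split, and an unset variable turns the copy target into `/gh-aw`. Quote the variable and fail on empty, e.g. `mkdir -p "${GH_AW_HOME:?}"` and `cp "$GH_AW_BIN" "${GH_AW_HOME}/gh-aw"`. The fixed `/opt/gh-aw` path needed neither, so this only matters now that the path is configurable; the unquoted form is also used in the `run:` lines of the other hunks.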
@@ -547,7 +551,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -658,8 +662,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -670,7 +674,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -699,7 +703,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -744,7 +748,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
@@ -866,15 +870,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -884,7 +888,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -903,9 +907,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -921,18 +925,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1009,9 +1013,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
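Review bot: In the `@@ -1009,9 +1013,9 @@` hunk the new lines `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')` place a shell-style variable inside a single-quoted JavaScript string, which github-script does not expand, so the step would look for a directory literally named `${GH_AW_HOME}` and the threat-detection setup would fail to load. The other script steps on this line use `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and these two should match. The same literal form is in the noop, missing_tool, handle_agent_failure and handle_noop_message steps of both the static-analysis-report and step-name-alignment workflows. Since the lock files appear to be generated, the likely source is a generator path that still concatenates `SetupActionDestination` into the require string instead of calling `JsRequireGhAw`.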
@@ -1069,9 +1073,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1116,6 +1120,8 @@ jobs: concurrency: group: "gh-aw-conclusion-static-analysis-report" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1130,7 +1136,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1154,9 +1160,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
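Review bot: `destination: ${GH_AW_HOME}/actions` in the `@@ -1130,7 +1136,7 @@` hunk is a `with:` input, and the runner passes inputs through verbatim, so unless ./actions/setup expands the variable itself (not visible here) the scripts would be copied to a path literally named `${GH_AW_HOME}/actions`. An Actions expression is resolved before the action runs: `destination: ${{ env.GH_AW_HOME }}/actions`. The same input is changed in every Setup Scripts step in this patch.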
@@ -1167,9 +1173,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1189,9 +1195,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1206,9 +1212,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1223,6 +1229,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/static-analysis-report" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "static-analysis-report" GH_AW_WORKFLOW_NAME: "Static Analysis Report" outputs: 
@@ -1242,7 +1249,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1268,9 +1275,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1287,6 +1294,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: staticanalysisreport steps: - name: Checkout actions folder @@ -1298,7 +1306,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 9ed0b77fa1f..4677e06a0ad 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -44,6 +44,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -59,7 +61,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -81,11 +83,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -103,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "step-name-alignment.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -120,16 +122,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -176,9 +178,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -197,10 +199,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
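Review bot: The `@@ -120,16 +122,16 @@` hunk quotes the new variable in `cat "${GH_AW_HOME}/prompts/xpia.md"` but not in `bash ${GH_AW_HOME}/actions/create_prompt_first.sh`, so a GH_AW_HOME containing spaces or glob characters, which is plausible on a self-hosted runner, would be word-split before bash sees it. Quote it the same way: `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"`. The unquoted form recurs in the other `run:` lines of this patch, including `mkdir -p ${GH_AW_HOME}/safeoutputs` and the `cat > ${GH_AW_HOME}/safeoutputs/config.json` redirections.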
@@ -222,11 +224,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -251,10 +253,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: stepnamealignment outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -274,16 +274,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -313,9 +317,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 
@@ -323,7 +327,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -334,19 +338,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[step-names] \". 
Labels [\"maintenance\" \"step-naming\" \"cookie\"] will be automatically added.", @@ -492,7 +496,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -610,8 +614,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -622,7 +626,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
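Review bot: In the `@@ -610,8 +614,8 @@` hunk, `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the CONFIG_PATH line below it sit in a step `env:` block, where values are not shell-expanded, so the `export` statements in `run:` would hand the safe-outputs server the literal text `${GH_AW_HOME}/...`. The resolved paths are already written to `$GITHUB_ENV` by the Create gh-aw temp directory step, and a step-level `env:` entry of the same name takes precedence over them as far as I can tell. Either drop the two entries here or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. The step's `run:` body continues into the next hunk.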
@@ -650,7 +654,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -684,7 +688,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
@@ -821,15 +825,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -839,7 +843,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -858,9 +862,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -876,18 +880,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -964,9 +968,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1024,9 +1028,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1070,6 +1074,8 @@ jobs: concurrency: group: "gh-aw-conclusion-step-name-alignment" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1084,7 +1090,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1108,9 +1114,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1121,9 +1127,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1141,9 +1147,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1158,9 +1164,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1174,6 +1180,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/step-name-alignment" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "step-name-alignment" GH_AW_WORKFLOW_NAME: "Step Name Alignment" outputs: 
@@ -1195,7 +1202,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1221,9 +1228,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1240,6 +1247,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: stepnamealignment steps: - name: Checkout actions folder @@ -1251,7 +1259,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index 1b1e2d6a37d..b9f0b42c321 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -44,6 +44,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -59,7 +61,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -81,11 +83,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -103,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "sub-issue-closer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -120,15 +122,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, update_issue, missing_tool, missing_data, noop @@ -176,9 +178,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -194,10 +196,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -216,11 +218,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -244,10 +246,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: subissuecloser outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -268,13 +268,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -297,14 +301,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -313,19 +317,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":20,"target":"*"},"missing_data":{},"missing_tool":{},"noop":{"max":1},"update_issue":{"max":20}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. 
IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 20 comment(s) can be added. Target: *.", @@ -531,7 +535,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -688,8 +692,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -700,7 +704,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
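Review bot: In the `@@ -688,8 +692,8 @@` hunk, the step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are not shell-expanded. The script below them only runs `export` on the names, so the safe-outputs server appears to receive the literal string `${GH_AW_HOME}/...` instead of a path. That would also shadow the resolved values that the "Create gh-aw temp directory" step writes to `$GITHUB_ENV`. Since the safe-outputs config and tool list define what the agent is allowed to emit, the server should not start with a path it cannot read. Either drop both entries from this step or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`. The super-linter hunk `@@ -628,8 +632,8 @@` has the same two lines.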
@@ -729,7 +733,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -764,7 +768,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
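Review bot: The gateway container in `MCP_GATEWAY_DOCKER_COMMAND` still mounts the fixed `-v /opt:/opt:ro`, even though this hunk now launches `start_mcp_gateway.sh` from `${GH_AW_HOME}`. The `GH_AW_SAFE_OUTPUTS*` paths passed with `-e` now live under `GH_AW_HOME`, so a runner that sets it outside `/opt` would hand the container paths that do not exist inside it. Following the `GITHUB_WORKSPACE` quoting already used on that line, the mount could become `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, which keeps it read-only and exposes only the gh-aw directory rather than all of `/opt`. The super-linter hunk `@@ -669,7 +673,7 @@` carries the same command; the run script starts before the hunk.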
@@ -798,7 +802,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -836,15 +840,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -854,7 +858,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -873,9 +877,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -899,18 +903,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -981,9 +985,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1030,9 +1034,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1077,6 +1081,8 @@ jobs: concurrency: group: "gh-aw-conclusion-sub-issue-closer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1091,7 +1097,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
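Review bot: In the `@@ -981,9 +985,9 @@` hunk, `require('${GH_AW_HOME}/actions/setup_globals.cjs')` sits inside a github-script body, where a single-quoted JavaScript string is not interpolated. Node is therefore asked for a module whose path literally starts with `${GH_AW_HOME}`, and the threat-detection setup step would fail to load. Every other script step in this patch uses `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and these lines should match it; the shell-form constant looks to have been reused where the JS form was intended. The same literal appears in the conclusion-job hunks `@@ -1115,9`, `@@ -1128,9`, `@@ -1149,9` and `@@ -1166,9`, and in super-linter at `@@ -927,9`, `@@ -1060,9`, `@@ -1073,9`, `@@ -1094,9` and `@@ -1111,9`. Whether the detection job fails closed when this step errors depends on lines outside the hunk and is worth confirming.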
@@ -1115,9 +1121,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1128,9 +1134,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1149,9 +1155,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1166,9 +1172,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1184,6 +1190,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/sub-issue-closer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "sub-issue-closer" GH_AW_WORKFLOW_NAME: "Sub-Issue Closer" outputs: @@ -1205,7 +1212,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1231,9 +1238,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 6de16f77171..dc44323995f 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -47,6 +47,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -62,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -84,11 +86,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -106,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "super-linter.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -124,16 +126,16 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -187,9 +189,9 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -209,10 +211,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -235,11 +237,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -267,10 +269,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: superlinter outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -291,13 +291,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Download super-linter log uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 with: 
@@ -306,7 +310,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -336,14 +340,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -352,19 +356,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[linter] \". 
Labels [\"automation\" \"code-quality\" \"cookie\"] will be automatically added.", @@ -510,7 +514,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -628,8 +632,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -640,7 +644,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -669,7 +673,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -704,7 +708,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -738,7 +742,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -776,15 +780,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -794,7 +798,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -813,9 +817,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -839,18 +843,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -927,9 +931,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -976,9 +980,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1022,6 +1026,8 @@ jobs: concurrency: group: "gh-aw-conclusion-super-linter" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1036,7 +1042,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1060,9 +1066,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1073,9 +1079,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1094,9 +1100,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1111,9 +1117,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1127,6 +1133,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/super-linter" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "super-linter" GH_AW_WORKFLOW_NAME: "Super Linter Report" outputs: @@ -1148,7 +1155,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1174,9 +1181,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1239,6 +1246,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: superlinter steps: - name: Checkout actions folder 
@@ -1250,7 +1258,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index b50a69a9f56..03f9f53ab9a 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -51,6 +51,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -66,7 +68,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,11 +90,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
@@ -110,9 +112,9 @@ jobs: GH_AW_WORKFLOW_FILE: "technical-doc-writer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,22 +130,22 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_pull_request, upload_asset, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' upload_asset: provide a file path; returns a URL; assets are published after the workflow completes (safeoutputs). 
@@ -197,9 +199,9 @@ jobs: GH_AW_GITHUB_EVENT_INPUTS_TOPIC: ${{ github.event.inputs.topic }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -225,10 +227,10 @@ jobs: GH_AW_WIKI_NOTE: "\n\n> **GitHub Wiki**: This memory is backed by the GitHub Wiki for this repository. Files use GitHub Wiki Markdown syntax. Follow GitHub Wiki conventions when creating or editing pages (e.g., use standard Markdown headers, use `[[Page Name]]` syntax for internal wiki links, name page files with spaces replaced by hyphens or use the wiki page title as the filename)." with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -257,11 +259,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -285,10 +287,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: technicaldocwriter outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -309,7 +309,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -321,9 +321,9 @@ jobs: GH_AW_AGENT_IMPORT_SPEC: "../agents/technical-doc-writer.agent.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/merge_remote_agent_github_folder.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/merge_remote_agent_github_folder.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -333,7 +333,11 @@ jobs: cache-dependency-path: 'docs/package-lock.json' package-manager-cache: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Install dependencies run: npm ci working-directory: ./docs @@ -345,7 +349,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -362,7 +366,7 @@ jobs: TARGET_REPO: ${{ github.repository }}.wiki MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: false - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -385,14 +389,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -401,19 +405,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_pull_request":{"expires":48,"max":1,"reviewers":["copilot"],"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":10240,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. 
Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -636,7 +640,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -784,8 +788,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -796,7 +800,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
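Review bot: In the step `env:` of the hunk at `@@ -784,8 +788,8 @@`, `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` line are plain YAML values, so the step exports the literal `${GH_AW_HOME}/...` text. That appears to override the resolved paths which the "Create gh-aw temp directory" step appends to `$GITHUB_ENV` earlier in this file. Either drop the two entries and rely on the `$GITHUB_ENV` values, or write `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and the matching `config.json` line. Since these files carry the safe-outputs limits, check how the server started by `start_safe_outputs_server.sh` behaves when the configured path does not exist; that script is not shown here.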
@@ -828,7 +832,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -863,7 +867,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
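Review bot: The gateway command in the hunk at `@@ -828,7 +832,7 @@` still mounts `-v /opt:/opt:ro` while the scripts and safe-outputs files now live under `${GH_AW_HOME}`, so a runner that sets GH_AW_HOME outside `/opt` would start a gateway container that cannot see them. Following the existing workspace mount, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro` would track the variable and, if nothing else under `/opt` is needed, expose less of the host than the whole of `/opt`. Separately, `bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh` is unquoted here and in the other `run:` lines of this patch; `bash "${GH_AW_HOME}/actions/start_mcp_gateway.sh"` survives a home path that contains spaces.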
@@ -900,7 +904,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -938,15 +942,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -956,7 +960,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -975,9 +979,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1001,18 +1005,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1108,9 +1112,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1157,9 +1161,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1207,6 +1211,8 @@ jobs: concurrency: group: "gh-aw-conclusion-technical-doc-writer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1221,7 +1227,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1245,9 +1251,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1258,9 +1264,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1285,9 +1291,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1302,9 +1308,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1316,9 +1322,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); push_repo_memory: @@ -1330,6 +1336,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} @@ -1343,7 +1351,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -1386,9 +1394,9 @@ jobs: ALLOWED_EXTENSIONS: '[]' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1406,6 +1414,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/technical-doc-writer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📝 *Documentation by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"✍️ The Technical Writer begins! [{workflow_name}]({run_url}) is documenting this {event_type}...\",\"runSuccess\":\"📝 Documentation complete! [{workflow_name}]({run_url}) has written the docs. Clear as crystal! ✨\",\"runFailure\":\"✍️ Writer's block! [{workflow_name}]({run_url}) {status}. The page remains blank...\"}" GH_AW_WORKFLOW_ID: "technical-doc-writer" GH_AW_WORKFLOW_NAME: "Rebuild the documentation after making changes" @@ -1430,7 +1439,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1485,9 +1494,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1504,6 +1513,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: technicaldocwriter steps: - name: Checkout actions folder @@ -1515,7 +1525,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1559,7 +1569,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1615,8 +1625,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 025721daba9..763a718ac37 100644 --- a/.github/workflows/terminal-stylist.lock.yml 
+++ b/.github/workflows/terminal-stylist.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -107,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "terminal-stylist.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -124,15 +126,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -184,9 +186,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -202,10 +204,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -224,11 +226,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -251,10 +253,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: terminalstylist outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -275,13 +275,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -304,14 +308,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -320,19 +324,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. 
For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -463,7 +467,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -574,8 +578,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -586,7 +590,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -615,7 +619,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -658,7 +662,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
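Review bot: The gateway command in this hunk's context still mounts a fixed `-v /opt:/opt:ro` while passing `GH_AW_SAFE_OUTPUTS`, `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `GH_AW_SAFE_OUTPUTS_TOOLS_PATH` through with `-e`. Once `GH_AW_HOME` points outside `/opt`, those paths presumably no longer resolve inside the container. Mount the directory itself read-only, using the splice already used for the workspace: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. Scoping the mount to that one directory avoids exposing a broader parent directory of a self-hosted runner to the container. The same command appears in the test-create-pr-error-handling workflow.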
@@ -692,7 +696,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -730,15 +734,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -748,7 +752,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -767,9 +771,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -793,18 +797,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -875,9 +879,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -924,9 +928,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -970,6 +974,8 @@ jobs: concurrency: group: "gh-aw-conclusion-terminal-stylist" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -984,7 +990,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
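Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` in the threat-detection setup step is a single-quoted JavaScript string, so nothing expands `${GH_AW_HOME}` and the module path is taken literally, which will most likely fail to resolve. The other github-script steps in this diff use `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`, and these should match. The same literal form is in the conclusion-job steps in the following hunks (noop, missing_tool, handle_agent_failure, handle_noop_message, handle_create_pr_error). Because these are the detection and failure-reporting steps, it is worth confirming that the detection job fails closed when its setup step errors.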
@@ -1008,9 +1014,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1021,9 +1027,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1044,9 +1050,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1061,9 +1067,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1078,6 +1084,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/terminal-stylist" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "terminal-stylist" GH_AW_WORKFLOW_NAME: "Terminal Stylist" outputs: @@ -1097,7 +1104,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1123,9 +1130,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index eaa55f65f22..2a51393e272 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -41,6 +41,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -56,7 +58,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -78,11 +80,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -100,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "test-create-pr-error-handling.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -117,21 +119,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -176,9 +178,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -197,10 +199,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -222,11 +224,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -249,10 +251,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: testcreateprerrorhandling outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -272,16 +272,20 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -311,9 +315,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 
@@ -321,7 +325,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -332,19 +336,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. 
Labels [\"test\"] will be automatically added.", @@ -490,7 +494,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -611,8 +615,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -623,7 +627,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -651,7 +655,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -685,7 +689,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
@@ -806,15 +810,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -824,7 +828,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -843,9 +847,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -861,18 +865,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -950,9 +954,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1010,9 +1014,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1057,6 +1061,8 @@ jobs: concurrency: group: "gh-aw-conclusion-test-create-pr-error-handling" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1071,7 +1077,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1095,9 +1101,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1108,9 +1114,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1130,9 +1136,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1147,9 +1153,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error 
@@ -1161,9 +1167,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1180,6 +1186,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/test-create-pr-error-handling" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "test-create-pr-error-handling" GH_AW_WORKFLOW_NAME: "Test Create PR Error Handling" outputs: @@ -1201,7 +1208,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1256,9 +1263,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1275,6 +1282,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: testcreateprerrorhandling steps: - name: Checkout actions folder 
@@ -1286,7 +1294,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index a914bd34265..f5400cc320b 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -40,6 +40,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -55,7 +57,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -77,11 +79,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
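Review bot: `run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ...` expands the variable unquoted, and the same form recurs in the `bash ${GH_AW_HOME}/actions/...`, `mkdir -p ${GH_AW_HOME}/safeoutputs` and `cat > ${GH_AW_HOME}/safeoutputs/config.json` lines of later hunks. With the fixed `/opt/gh-aw` path this was harmless. Once a self-hosted runner can choose the location, a value containing spaces or glob characters is word-split before the script path is resolved, in steps that carry secrets such as `COPILOT_GITHUB_TOKEN` in their environment. The prompt lines already quote (`cat "${GH_AW_HOME}/prompts/xpia.md"`); the rest should match, e.g. `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"` and `mkdir -p "${GH_AW_HOME}/safeoutputs"`.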
@@ -99,9 +101,9 @@ jobs: GH_AW_WORKFLOW_FILE: "test-dispatcher.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -116,15 +118,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: dispatch_workflow, missing_tool, missing_data, noop @@ -171,9 +173,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -189,10 +191,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -211,11 +213,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -237,10 +239,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: testdispatcher outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -261,13 +261,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -290,14 +294,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -306,19 +310,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"dispatch_workflow":{"max":1,"workflow_files":{"test-workflow":".lock.yml"},"workflows":["test-workflow"]},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", 
@@ -433,7 +437,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "missing_data": { "defaultMax": 20, @@ -518,8 +522,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -530,7 +534,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
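Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are YAML values, not shell, so the runner passes the text `${GH_AW_HOME}/...` through unexpanded and the script then exports it to the safe-outputs server. They also appear to shadow the resolved values that the "Create gh-aw temp directory" step writes to `$GITHUB_ENV` earlier in what looks like the same job. Either drop both entries from this step or use an Actions expression, `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`. The same pair appears in the test-project-url-default workflow. The `destination: ${GH_AW_HOME}/actions` inputs similarly rely on the setup action expanding the value itself, which is not visible in this diff.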
@@ -559,7 +563,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -594,7 +598,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
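Review bot: The unchanged `docker run` context line still bind-mounts `-v /opt:/opt:ro` while the script path next to it now follows `${GH_AW_HOME}`, so a runner that sets the variable outside `/opt` would hand the gateway container `GH_AW_SAFE_OUTPUTS*` paths it cannot see. Deriving the mount from the variable, in the quoting style the line already uses for the workspace, would keep the two in step: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. That also narrows the read-only mount from all of `/opt` to the one directory the gateway needs. The same line appears in the test-project-url-default workflow, and a later patch in the series may already cover it.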
@@ -628,7 +632,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -666,15 +670,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -684,7 +688,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -703,9 +707,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -729,18 +733,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -811,9 +815,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -860,9 +864,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -904,6 +908,8 @@ jobs: concurrency: group: "gh-aw-conclusion-test-dispatcher" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -918,7 +924,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -942,9 +948,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -955,9 +961,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -976,9 +982,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -993,9 +999,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1008,6 +1014,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/test-dispatcher" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "test-dispatcher" GH_AW_WORKFLOW_NAME: "Test Dispatcher Workflow" outputs: @@ -1027,7 +1034,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1053,9 +1060,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index d17b4713a4b..def8b883953 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -40,6 +40,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -55,7 +57,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -77,11 +79,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -99,9 +101,9 @@ jobs: GH_AW_WORKFLOW_FILE: "test-project-url-default.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -116,15 +118,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: update_project, create_project_status_update, missing_tool, missing_data, noop @@ -171,9 +173,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -189,10 +191,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -211,11 +213,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -236,10 +238,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: testprojecturldefault outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -260,13 +260,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -289,14 +293,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -305,19 +309,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_project_status_update":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"update_project":{"max":5}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", 
@@ -610,7 +614,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_project_status_update": { "defaultMax": 10, @@ -777,8 +781,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -789,7 +793,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -818,7 +822,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -853,7 +857,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -887,7 +891,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -925,15 +929,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -943,7 +947,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
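Review bot: `${GH_AW_HOME}` is expanded unquoted in the `run:` lines of hunks -887,7, -925,15 and -943,7, so a home directory containing spaces or glob characters (plausible on a self-hosted runner) is word-split before `bash` sees it. An unset or empty value silently turns the command into `bash /actions/…`, which runs whatever sits at that root-level path. Quote the expansion and fail closed, e.g. `run: bash "${GH_AW_HOME:?}/actions/detect_inference_access_error.sh"`. The same applies to every `bash ${GH_AW_HOME}/…`, `cat > ${GH_AW_HOME}/…` and `mkdir -p ${GH_AW_HOME}/…` line in the later hunks.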
@@ -962,9 +966,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -988,18 +992,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1070,9 +1074,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1119,9 +1123,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1163,6 +1167,8 @@ jobs: concurrency: group: "gh-aw-conclusion-test-project-url-default" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1177,7 +1183,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
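Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` in hunk -1070,9 is a plain single-quoted JavaScript string, so nothing expands `${GH_AW_HOME}` and the module lookup fails on a path that literally begins with `${GH_AW_HOME}`. This is the threat-detection setup step, so a broken `require` here stops `setup_threat_detection.cjs` from ever loading. Every other github-script step in this file uses the working form; change both lines to match, `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')` and `require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs')`. The same unexpanded literal appears in the noop, missing_tool, handle_agent_failure and handle_noop_message steps (hunks -1201,9, -1214,9, -1235,9 and -1252,9). If this file is compiled output, the emit site for those steps needs the fix.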
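Review bot: `destination: ${GH_AW_HOME}/actions` in hunk -1177,7 is an action input under `with:`, where the runner substitutes only `${{ }}` expressions, so `./actions/setup` receives the literal string. Unless that action expands the variable itself (not visible in this diff), the scripts are copied to a directory literally named `${GH_AW_HOME}` and the later `bash ${GH_AW_HOME}/actions/…` calls find nothing. Pass the resolved value instead, `destination: ${{ env.GH_AW_HOME }}/actions`, which works because the job-level `env:` added in hunk -1163,6 defines it. The same input recurs in every Setup Scripts step in the later hunks.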
@@ -1201,9 +1207,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1214,9 +1220,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1235,9 +1241,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1252,9 +1258,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1267,6 +1273,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/test-project-url-default" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "test-project-url-default" GH_AW_WORKFLOW_NAME: "Test Project URL Explicit Requirement" outputs: @@ -1286,7 +1293,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output @@ -1315,9 +1322,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/test-workflow.lock.yml b/.github/workflows/test-workflow.lock.yml index a7053a9c5a0..44003459d76 100644 --- a/.github/workflows/test-workflow.lock.yml +++ b/.github/workflows/test-workflow.lock.yml @@ -45,6 +45,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -60,7 +62,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -82,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -104,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "test-workflow.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -120,14 +122,14 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -171,9 +173,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -189,10 +191,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -211,11 +213,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -232,6 +234,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: testworkflow outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -247,13 +250,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -276,14 +283,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -292,10 +299,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 - name: Start MCP Gateway id: start-mcp-gateway env: 
@@ -320,7 +327,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -348,7 +355,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -381,7 +388,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -419,15 +426,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -437,7 +444,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload engine output files uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: 
@@ -453,18 +460,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index c28d7e0604a..c9b7121c8ee 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -64,6 +64,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -83,7 +85,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -105,11 +107,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -130,9 +132,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -140,18 +142,18 @@ jobs: GH_AW_WORKFLOW_FILE: "tidy.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -167,21 +169,21 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, push_to_pull_request_branch, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" - cat "/opt/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_push_to_pr_branch.md" cat << 'GH_AW_PROMPT_EOF' @@ -214,7 +216,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' 
@@ -229,9 +231,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -250,10 +252,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND: ${{ needs.pre_activation.outputs.matched_command }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -275,11 +277,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -302,10 +304,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: tidy outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -326,13 +326,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Node.js uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 with: 
@@ -369,14 +373,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -385,19 +389,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_missing_tool_issue":{"max":1,"title_prefix":"[missing tool]"},"create_pull_request":{"expires":48,"max":1,"reviewers":["copilot"],"title_prefix":"[tidy] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. 
The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[tidy] \". Labels [\"automation\" \"maintenance\"] will be automatically added. Reviewers [\"copilot\"] will be assigned.", @@ -579,7 +583,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -720,8 +724,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -732,7 +736,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -761,7 +765,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -796,7 +800,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -855,7 +859,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -893,15 +897,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -911,7 +915,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -931,9 +935,9 @@ jobs: GH_AW_COMMAND: tidy with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -957,18 +961,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1040,9 +1044,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1089,9 +1093,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1135,6 +1139,8 @@ jobs: concurrency: group: "gh-aw-conclusion-tidy" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1149,7 +1155,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
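Review bot: In the `@@ -1040,9 +1044,9 @@` hunk the two new `require('${GH_AW_HOME}/actions/…')` calls put a shell-style variable inside a single-quoted JavaScript string, where neither the Actions runner (which substitutes only `${{ }}`) nor Node expands it, so the module lookup uses the literal text and the threat-detection setup step cannot load its script. The other github-script steps in this patch use the working form, and these should match: `const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');`. The same literal form appears in the conclusion-job hunks of this workflow (-1173, -1188, -1211, -1228, -1242) and in typist.lock.yml (-946, -1090, -1103, -1125, -1142). These lock files look generated, so the fix probably belongs in the generator path that emits these steps; whether a failed detection step blocks the safe_outputs job is not visible in the hunk and is worth confirming.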
@@ -1173,9 +1179,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1188,9 +1194,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1211,9 +1217,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1228,9 +1234,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1242,9 +1248,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1267,7 +1273,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1276,9 +1282,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position 
@@ -1287,9 +1293,9 @@ jobs: GH_AW_COMMANDS: "[\"tidy\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1306,6 +1312,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/tidy" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "tidy" GH_AW_WORKFLOW_NAME: "Tidy" outputs: @@ -1329,7 +1336,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1384,9 +1391,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 0f3c0ce5c7f..2d48bc502b0 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -107,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "typist.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
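Review bot: `destination: ${GH_AW_HOME}/actions` in the `@@ -63,7 +65,7 @@` hunk is a `with:` input, which never passes through a shell, so `./actions/setup` receives the literal string `${GH_AW_HOME}/actions` unless the action expands it itself (its implementation is not visible here). An expression is resolved before the action runs: `destination: ${{ env.GH_AW_HOME }}/actions`. Every other `Setup Scripts` step changed on this page carries the same line.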
@@ -124,15 +126,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -187,9 +189,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -205,10 +207,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -227,11 +229,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -256,10 +258,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: typist outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -279,13 +279,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
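Review bot: The new `run:` block in the `@@ -279,13 +279,17 @@` hunk uses `${GH_AW_HOME}` unquoted in `bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh`, so on a self-hosted runner whose GH_AW_HOME contains a space or glob character the path would be word-split before bash sees it. Quoting keeps it a single argument: `bash "${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh"`. The same applies to the other `bash ${GH_AW_HOME}/…`, `mkdir -p ${GH_AW_HOME}/…` and `cat > ${GH_AW_HOME}/…` lines introduced by this patch.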
@@ -308,9 +312,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -318,7 +322,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -329,19 +333,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. 
For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -472,7 +476,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -583,8 +587,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -595,7 +599,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
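Review bot: In the `@@ -583,8 +587,8 @@` hunk the step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are plain YAML values, so the variables hold the unexpanded text and the `export` lines in the following hunk hand that literal path to `start_safe_outputs_server.sh`. They would also shadow the expanded values that the "Create gh-aw temp directory" step writes to `$GITHUB_ENV` earlier in the same job. Either drop the two step-level entries and rely on the `$GITHUB_ENV` values, or use an expression: `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json`. The `@@ -720,8 +724,8 @@` hunk of the preceding workflow has the same two lines.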
@@ -623,7 +627,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -673,7 +677,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
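Review bot: The `@@ -623,7 +627,7 @@` hunk moves the gateway start script to `${GH_AW_HOME}`, but the unchanged `MCP_GATEWAY_DOCKER_COMMAND` line above it still mounts only `-v /opt:/opt:ro`. If GH_AW_HOME points outside /opt on a self-hosted runner, the paths passed through `-e GH_AW_SAFE_OUTPUTS_CONFIG_PATH` and `-e GH_AW_SAFE_OUTPUTS_TOOLS_PATH` would not exist inside the container, assuming the gateway reads them as the pass-through suggests. A mount that follows the variable, written like the existing workspace mount, would cover this: `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`. The `@@ -761,7 +765,7 @@` hunk of the preceding workflow has the same command.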
@@ -809,15 +813,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -827,7 +831,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -846,9 +850,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -864,18 +868,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -946,9 +950,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1006,9 +1010,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1052,6 +1056,8 @@ jobs: concurrency: group: "gh-aw-conclusion-typist" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1066,7 +1072,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1090,9 +1096,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1103,9 +1109,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1125,9 +1131,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1142,9 +1148,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1159,6 +1165,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/typist" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "typist" GH_AW_WORKFLOW_NAME: "Typist - Go Type Analysis" outputs: 
@@ -1178,7 +1185,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1204,9 +1211,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 7a79e9f32f6..541aae38514 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -47,6 +47,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -62,7 +64,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -84,11 +86,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -106,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "ubuntu-image-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -123,20 +125,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -182,9 +184,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -201,10 +203,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -224,11 +226,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -254,10 +256,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: ubuntuimageanalyzer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -278,13 +278,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -307,14 +311,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
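Review bot: `destination: ${GH_AW_HOME}/actions` in the Setup Scripts step is an action input, and `with:` values never pass through a shell. `./actions/setup` therefore receives the literal text `${GH_AW_HOME}/actions` unless it expands the variable itself, and its code is not part of this diff. If it does not, the scripts are copied into a directory literally named `${GH_AW_HOME}` and every later `bash ${GH_AW_HOME}/actions/...` step looks somewhere else. Writing `destination: ${{ env.GH_AW_HOME }}/actions` lets the runner resolve the path before the action starts. The same input appears in the conclusion, pre_activation and safe_outputs jobs and in unbloat-docs.lock.yml; as this file is compiled output, the change belongs in the generator.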
@@ -323,19 +327,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1,"title_prefix":"[ubuntu-image] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. 
CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[ubuntu-image] \". Labels [\"documentation\" \"automation\" \"infrastructure\"] will be automatically added.", @@ -481,7 +485,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -602,8 +606,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -614,7 +618,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
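Review bot: In the safe-outputs server step's `env:` block (hunk -602), `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the matching CONFIG_PATH entry are plain YAML strings. Actions evaluates only `${{ }}` in that position, so the step exports the literal text `${GH_AW_HOME}/...`. Step-level `env:` also takes precedence over the resolved values that the "Create gh-aw temp directory" step appends to `$GITHUB_ENV`, so the server is pointed at a path that does not exist unless start_safe_outputs_server.sh expands it again (not visible here). Either drop both entries so the `$GITHUB_ENV` values apply, or write `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and the same for the config path. unbloat-docs.lock.yml carries the same two lines.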
@@ -643,7 +647,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -678,7 +682,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
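Review bot: `MCP_GATEWAY_DOCKER_COMMAND` (context line of hunk -643) still mounts `-v /opt:/opt:ro`, while this commit moves config.json, tools.json and validation.json under `${GH_AW_HOME}`. With GH_AW_HOME outside /opt the container cannot see those files. With it under /tmp or the workspace they fall inside the `:rw` mounts, so the safe-outputs limits stop being read-only from the container's side. An explicit `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, written in the same quoting style as the existing workspace mount, would keep the read-only guarantee wherever the directory is placed. The same command string appears unchanged in unbloat-docs.lock.yml.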
@@ -738,7 +742,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -776,15 +780,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -794,7 +798,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -813,9 +817,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -839,18 +843,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -922,9 +926,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -971,9 +975,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1017,6 +1021,8 @@ jobs: concurrency: group: "gh-aw-conclusion-ubuntu-image-analyzer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1031,7 +1037,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
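Review bot: In the threat-detection setup step (hunk -922) the new lines are `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')`. These are single-quoted JavaScript strings inside `actions/github-script`, so nothing expands `${GH_AW_HOME}` and `require` receives the path literally and cannot resolve the module. Every other github-script step in this file uses the working form, so these should read `const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');` and likewise for `main`. The same literal form is in the conclusion job's noop, missing_tool, handle_agent_failure, handle_noop_message and handle_create_pr_error steps and in the threat-detection step of unbloat-docs.lock.yml. Whether a failed load here skips detection or fails the job depends on lines outside the hunk, so the generator template for these steps is worth checking first.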
@@ -1056,9 +1062,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1070,9 +1076,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1094,9 +1100,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1112,9 +1118,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1127,9 +1133,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1149,7 +1155,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1158,9 +1164,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match 
@@ -1171,9 +1177,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1190,6 +1196,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/ubuntu-image-analyzer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "ubuntu-image-analyzer" GH_AW_WORKFLOW_ID: "ubuntu-image-analyzer" GH_AW_WORKFLOW_NAME: "Ubuntu Actions Image Analyzer" @@ -1212,7 +1219,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1267,9 +1274,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 897d3bb4e31..6a29d5d7714 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -60,6 +60,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" 
@@ -79,7 +81,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -101,11 +103,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -126,9 +128,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -136,18 +138,18 @@ jobs: GH_AW_WORKFLOW_FILE: "unbloat-docs.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -162,22 +164,22 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_pull_request, upload_asset, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' upload_asset: provide a file path; returns a URL; assets are published after the workflow completes (safeoutputs). @@ -233,9 +235,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -256,10 +258,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND: ${{ needs.pre_activation.outputs.matched_command }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -283,11 +285,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -310,10 +312,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: unbloatdocs outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -333,9 +333,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -358,7 +362,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -388,9 +392,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 
@@ -398,7 +402,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server 
@@ -409,19 +413,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_pull_request":{"auto_merge":true,"draft":true,"expires":48,"fallback_as_issue":false,"max":1,"reviewers":["copilot"],"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. 
Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -629,7 +633,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -777,8 +781,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -789,7 +793,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -821,7 +825,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -874,7 +878,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): 
@@ -1057,15 +1061,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1075,7 +1079,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -1095,9 +1099,9 @@ jobs: GH_AW_COMMAND: unbloat with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT 
@@ -1113,18 +1117,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1211,9 +1215,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
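Review bot: The two `require('${GH_AW_HOME}/actions/...')` calls in the `@@ -1211,9 +1215,9 @@` hunk put a shell-style variable inside a single-quoted JavaScript string, which `actions/github-script` does not expand, so Node looks for a path that literally begins with `${GH_AW_HOME}` and the threat-detection setup step cannot load its module. The other github-script hunks in this commit use the working form and these should match: `const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');`. The same literal form recurs in the conclusion-job steps (`noop`, `missing_tool`, `handle_agent_failure`, `handle_noop_message`, `handle_create_pr_error`), in `upload_assets`, and in the corresponding video-analyzer.lock.yml hunks. Whether a failed setup step blocks or silently skips the later detection gate is not visible here and is worth confirming.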
@@ -1271,9 +1275,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1320,6 +1324,8 @@ jobs: concurrency: group: "gh-aw-conclusion-unbloat-docs" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1334,7 +1340,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1358,9 +1364,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
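Review bot: `destination: ${GH_AW_HOME}/actions` in the `@@ -1334,7 +1340,7 @@` hunk is a `with:` input, and Actions passes inputs through verbatim, so unless `./actions/setup` expands the variable itself (not visible here) the scripts are copied to a directory literally named `${GH_AW_HOME}`. `destination: ${{ env.GH_AW_HOME }}/actions` resolves it from the job-level `env:` added in the preceding hunk. Every `Setup Scripts` hunk in this chunk carries the same line.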
@@ -1371,9 +1377,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1394,9 +1400,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1411,9 +1417,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error 
@@ -1425,9 +1431,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1450,7 +1456,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1459,9 +1465,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1470,9 +1476,9 @@ jobs: GH_AW_COMMANDS: "[\"unbloat\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: 
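Review bot: The `pre_activation` job appears to get no `GH_AW_HOME` entry: the hunks at `@@ -1425,9 +1431,9 @@` and `@@ -1450,7 +1456,7 @@` carry the same +6 line offset, so nothing was added to the job header between them, unlike the `env:` blocks added to the other jobs. Unless the variable is set at workflow level outside this view, `process.env.GH_AW_HOME` is undefined there and the `check_membership.cjs` and `check_command_position.cjs` requires resolve to `undefined/actions/...`, so the membership check cannot load. Adding `env:` with `GH_AW_HOME: /opt/gh-aw` to `pre_activation`, as was done for `safe_outputs`, closes the gap.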
@@ -1490,6 +1496,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/unbloat-docs" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🗜️ *Compressed by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📦 Time to slim down! [{workflow_name}]({run_url}) is trimming the excess from this {event_type}...\",\"runSuccess\":\"🗜️ Docs on a diet! [{workflow_name}]({run_url}) has removed the bloat. Lean and mean! 💪\",\"runFailure\":\"📦 Unbloating paused! [{workflow_name}]({run_url}) {status}. The docs remain... fluffy.\"}" GH_AW_WORKFLOW_ID: "unbloat-docs" GH_AW_WORKFLOW_NAME: "Documentation Unbloat" @@ -1514,7 +1521,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1569,9 +1576,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1588,6 +1595,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: unbloatdocs steps: - name: Checkout actions folder @@ -1599,7 +1607,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 
@@ -1643,7 +1651,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1699,8 +1707,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index bedc6a1bc77..8f1febd77ef 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -50,6 +50,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -65,7 +67,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -87,11 +89,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -109,9 +111,9 @@ jobs: GH_AW_WORKFLOW_FILE: "video-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -127,15 +129,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -188,9 +190,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -207,10 +209,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
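Review bot: In the `@@ -127,15 +129,15 @@` hunk the `cat "${GH_AW_HOME}/prompts/..."` lines quote the expansion but `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` does not, so on a self-hosted runner whose `GH_AW_HOME` contains a space or glob character the path is word-split before `bash` sees it. Quote it the same way: `bash "${GH_AW_HOME}/actions/create_prompt_first.sh"`. The unquoted form is also used by the other `bash ${GH_AW_HOME}/...`, `mkdir -p ${GH_AW_HOME}/safeoutputs` and `cat > ${GH_AW_HOME}/safeoutputs/*.json` lines throughout this chunk.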
@@ -230,11 +232,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -257,10 +259,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: videoanalyzer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -281,13 +281,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - id: setup-ffmpeg name: Setup FFmpeg run: |- 
@@ -318,14 +322,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -334,19 +338,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. 
Title will be prefixed with \"[video-analysis] \". Labels [\"automation\" \"video-processing\" \"cookie\"] will be automatically added.", @@ -492,7 +496,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -610,8 +614,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -622,7 +626,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -651,7 +655,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -686,7 +690,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -737,7 +741,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -775,15 +779,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -793,7 +797,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -812,9 +816,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -838,18 +842,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -920,9 +924,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -969,9 +973,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1014,6 +1018,8 @@ jobs: concurrency: group: "gh-aw-conclusion-video-analyzer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1028,7 +1034,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1052,9 +1058,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1065,9 +1071,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1086,9 +1092,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1103,9 +1109,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1119,6 +1125,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/video-analyzer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "video-analyzer" GH_AW_WORKFLOW_NAME: "Video Analysis Agent" outputs: @@ -1140,7 +1147,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1166,9 +1173,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 0d9a8b992a5..b32ac77464f 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -44,6 +44,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -59,7 +61,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -81,11 +83,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -103,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "weekly-editors-health-check.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -120,21 +122,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, upload_asset, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' upload_asset: provide a file path; returns a URL; assets are published after the workflow completes (safeoutputs). @@ -183,9 +185,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -201,10 +203,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -223,11 +225,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -251,10 +253,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: weeklyeditorshealthcheck outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -275,13 +275,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -304,14 +308,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -320,19 +324,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":168,"max":1,"reviewers":["copilot"],"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":5}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. 
For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[docs] \". Labels [\"documentation\" \"automation\"] will be automatically added. Reviewers [\"copilot\"] will be assigned.", @@ -503,7 +507,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -633,8 +637,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -645,7 +649,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
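Review bot: In the hunk at `@@ -633,8 +637,8`, `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the matching `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` entry are step-level `env:` values, which the runner passes through as literal text. The `run:` body only `export`s them, so the safe-outputs server would be started with paths that begin with the characters `${GH_AW_HOME}`. These step-level entries also shadow the resolved values that the Create gh-aw temp directory step writes to `$GITHUB_ENV`. Either drop the two entries so the `$GITHUB_ENV` values apply, or emit `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and the equivalent for the config path. weekly-issue-summary.lock.yml has the same pair in its `@@ -635,8 +639,8` hunk.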
@@ -678,7 +682,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -720,7 +724,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
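Review bot: The changed `start_mcp_gateway.sh` call in the hunk at `@@ -678,7 +682,7` now follows `GH_AW_HOME`, but the unchanged `MCP_GATEWAY_DOCKER_COMMAND` line directly above it still mounts `-v /opt:/opt:ro`. With a home outside `/opt`, the paths handed to the container through the `-e GH_AW_SAFE_OUTPUTS...` variables would presumably not exist inside it. Mounting the resolved home instead, in the quoting style already used for the workspace, `-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`, keeps the mount and the paths in step and exposes less of the host than all of `/opt`. The same line appears in weekly-issue-summary.lock.yml at its `@@ -678,7 +682,7` hunk.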
@@ -783,7 +787,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -821,15 +825,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -839,7 +843,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -858,9 +862,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -884,18 +888,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -976,9 +980,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1025,9 +1029,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1072,6 +1076,8 @@ jobs: concurrency: group: "gh-aw-conclusion-weekly-editors-health-check" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1086,7 +1092,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1111,9 +1117,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1125,9 +1131,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1149,9 +1155,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1167,9 +1173,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1182,9 +1188,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1201,6 +1207,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/weekly-editors-health-check" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "weekly-editors-health-check" GH_AW_WORKFLOW_ID: "weekly-editors-health-check" GH_AW_WORKFLOW_NAME: "Weekly Editors Health Check" @@ -1223,7 +1230,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1278,9 +1285,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1310,7 +1317,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1366,8 +1373,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 4f051440a5a..80eb58eafdc 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -49,6 +49,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -64,7 +66,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
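Review bot: The job containing the hunk at `@@ -1310,7 +1317,7` uses `${GH_AW_HOME}` in its Setup Scripts input and in the upload_assets `require` lines, but no `GH_AW_HOME: /opt/gh-aw` entry appears to be added to that job. The old/new line offset stays at +7 from `@@ -1278,9 +1285,9` through `@@ -1366,8 +1373,8`, so nothing was inserted in between, whereas the other jobs touched in this file gain the variable in their `env:` block. The job header lies outside the visible hunks, so this is inferred from the offsets and assumes no workflow-level definition exists. If confirmed, the generator should also emit `GH_AW_HOME: /opt/gh-aw` under this job's `env:`, otherwise the variable is unset there even in the shell and `process.env` forms.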
@@ -89,11 +91,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -111,9 +113,9 @@ jobs: GH_AW_WORKFLOW_FILE: "weekly-issue-summary.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -128,16 +130,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -196,9 +198,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -217,10 +219,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -242,11 +244,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -270,10 +272,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: weeklyissuesummary outputs: detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }} 
@@ -293,13 +293,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -325,7 +329,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: 
@@ -346,20 +350,20 @@ jobs: git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. 
For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[Weekly Summary] \". Discussions will be created in category \"audits\".", @@ -515,7 +519,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -635,8 +639,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -647,7 +651,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -678,7 +682,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -713,7 +717,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -750,7 +754,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -788,15 +792,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -806,7 +810,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -825,9 +829,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -851,18 +855,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -948,9 +952,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -997,9 +1001,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1045,6 +1049,8 @@ jobs: concurrency: group: "gh-aw-conclusion-weekly-issue-summary" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1059,7 +1065,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
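Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` in the `@@ -948,9 +952,9 @@` hunk hands Node a literal string, because `${...}` is not interpolated inside a single-quoted JavaScript string and the `script:` body of `actions/github-script` is not passed through a shell. The step would fail to load the module rather than read it from the gh-aw directory. The neighbouring steps already use the working form, so the two lines should read `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')` and `require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs')`. The same literal appears in the noop, missing_tool, handle_agent_failure, handle_noop_message, handle_create_pr_error and upload_assets steps in later hunks of both lock files, which suggests one generator path still emits the shell constant instead of the JS expression.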
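Review bot: `destination: ${GH_AW_HOME}/actions` in the `@@ -1059,7 +1065,7 @@` hunk is a `with:` input, and the runner substitutes only `${{ }}` expressions there, so `./actions/setup` receives the text `${GH_AW_HOME}/actions` unless the action expands it itself, which this diff does not show. If it does not, the scripts are copied into a directory literally named `${GH_AW_HOME}` and every later step looks in the wrong place. Passing the value through an expression removes that dependency: `destination: ${{ env.GH_AW_HOME }}/actions`. Every other `Setup Scripts` step changed by this commit carries the same line.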
@@ -1084,9 +1090,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1098,9 +1104,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1121,9 +1127,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1139,9 +1145,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1156,6 +1162,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/weekly-issue-summary" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "weekly-issue-summary" GH_AW_WORKFLOW_ID: "weekly-issue-summary" GH_AW_WORKFLOW_NAME: "Weekly Issue Summary" @@ -1176,7 +1183,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1202,9 +1209,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() @@ -1221,6 +1228,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: weeklyissuesummary steps: - name: Checkout actions folder 
@@ -1232,7 +1240,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1276,7 +1284,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1332,8 +1340,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index cea5c981466..378da312697 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -44,6 +44,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -59,7 +61,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -84,11 +86,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -106,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "weekly-safe-outputs-spec-review.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -123,20 +125,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -181,9 +183,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -199,10 +201,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -221,11 +223,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -249,10 +251,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: weeklysafeoutputsspecreview outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -273,13 +273,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -302,25 +306,25 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":168,"max":1,"title_prefix":"[spec-review] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 
'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[spec-review] \". Labels [\"documentation\" \"safe-outputs\" \"automation\"] will be automatically added.", @@ -466,7 +470,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -587,8 +591,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -599,7 +603,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
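Review bot: In the `@@ -587,8 +591,8 @@` hunk, `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and the `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` line below it sit in a step-level `env:` map, where the runner performs no shell expansion. As far as I can tell these entries also take precedence over the values the `Create gh-aw temp directory` step now writes to `$GITHUB_ENV`, so the `export` lines in the `run:` block would give the safe-outputs server a path that begins with the literal text `${GH_AW_HOME}`. Either drop the two entries and rely on `$GITHUB_ENV`, or write `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and the same for the config path. The step begins before the hunk, so its remaining `env:` entries are not visible here.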
@@ -627,7 +631,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -662,7 +666,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -696,7 +700,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -734,15 +738,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -752,7 +756,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -771,9 +775,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -797,18 +801,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -880,9 +884,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -929,9 +933,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -975,6 +979,8 @@ jobs: concurrency: group: "gh-aw-conclusion-weekly-safe-outputs-spec-review" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -989,7 +995,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1014,9 +1020,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1028,9 +1034,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1052,9 +1058,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1070,9 +1076,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1085,9 +1091,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1104,6 +1110,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/weekly-safe-outputs-spec-review" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "weekly-safe-outputs-spec-review" GH_AW_WORKFLOW_ID: "weekly-safe-outputs-spec-review" GH_AW_WORKFLOW_NAME: "Weekly Safe Outputs Specification Review" @@ -1126,7 +1133,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1181,9 +1188,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index b109e6afb30..949387be0c6 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -49,6 +49,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -68,7 +70,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -93,11 +95,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -118,9 +120,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -128,18 +130,18 @@ jobs: GH_AW_WORKFLOW_FILE: "workflow-generator.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Lock issue for agent workflow id: lock-issue @@ -147,9 +149,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/lock-issue.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/lock-issue.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -164,15 +166,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: update_issue, assign_to_agent, missing_tool, missing_data, noop @@ -219,9 +221,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -238,10 +240,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -261,11 +263,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -288,10 +290,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: workflowgenerator outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -312,13 +312,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
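Review bot: In the -312,13 hunk, `destination: ${GH_AW_HOME}/actions` sits under `with:`, where the runner evaluates only `${{ }}` expressions. `./actions/setup` therefore receives the literal text `${GH_AW_HOME}/actions` unless the action expands it itself, which this page does not show. If it does not, the scripts are copied into a directory literally named `${GH_AW_HOME}` and every later step that resolves the real path fails to find them. `destination: ${{ env.GH_AW_HOME }}/actions` passes the resolved value. The same line is repeated in each job's Setup Scripts step in this file and in workflow-health-manager.lock.yml.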
@@ -341,25 +345,25 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"assign_to_agent":{"allowed":["copilot"],"max":1,"target":"triggering"},"missing_data":{},"missing_tool":{},"noop":{"max":1},"update_issue":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > 
/opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Assign the GitHub Copilot coding agent to work on an issue or pull request. The agent will analyze the issue/PR and attempt to implement a solution, creating a pull request when complete. Use this to delegate coding tasks to Copilot. Example usage: assign_to_agent(issue_number=123, agent=\"copilot\") or assign_to_agent(pull_number=456, agent=\"copilot\", pull_request_repo=\"owner/repo\") CONSTRAINTS: Maximum 1 issue(s) can be assigned to agent.", @@ -568,7 +572,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "assign_to_agent": { "defaultMax": 1, @@ -732,8 +736,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -744,7 +748,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -772,7 +776,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -807,7 +811,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
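Review bot: `MCP_GATEWAY_DOCKER_COMMAND` in this hunk still mounts the fixed `-v /opt:/opt:ro`, while the `GH_AW_SAFE_OUTPUTS*` paths it forwards with `-e` now resolve under `GH_AW_HOME`. On a runner where `GH_AW_HOME` is outside `/opt`, those paths would not exist inside the gateway container. Mounting the configured directory read-only, using the quoting pattern already applied to the workspace mount (`-v '"${GH_AW_HOME}"':'"${GH_AW_HOME}"':ro`), keeps the container's view in step with the variable. The -861,7 hunk of workflow-health-manager.lock.yml carries the same command.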
@@ -841,7 +845,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -879,15 +883,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -897,7 +901,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -916,9 +920,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -942,18 +946,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1024,9 +1028,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1073,9 +1077,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1119,6 +1123,8 @@ jobs: concurrency: group: "gh-aw-conclusion-workflow-generator" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1133,7 +1139,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
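Review bot: The -1024,9 hunk puts a shell-style placeholder inside a JavaScript string: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` and `require('${GH_AW_HOME}/actions/setup_threat_detection.cjs')`. A single-quoted JS literal is not interpolated and the `script:` input is not passed through a shell, so Node is asked for a path that literally starts with `${GH_AW_HOME}` and the step throws before threat-detection setup runs. Use the form the other steps in this patch already use, `require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs')`. The same literal appears in the noop, missing_tool, handle_agent_failure and handle_noop_message steps (hunks -1157,9, -1170,9, -1193,9, -1210,9) and in the -1122,9 hunk of workflow-health-manager.lock.yml. It is worth confirming that a failure in the detection setup step fails the run rather than letting later jobs proceed without detection.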
@@ -1157,9 +1163,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1170,9 +1176,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1193,9 +1199,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1210,9 +1216,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1234,7 +1240,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1243,9 +1249,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check user rate limit id: check_rate_limit @@ -1258,9 +1264,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_rate_limit.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_rate_limit.cjs'); await main(); safe_outputs: 
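Review bot: The pre_activation steps now depend on `GH_AW_HOME` (`destination: ${GH_AW_HOME}/actions` in -1234,7, `process.env.GH_AW_HOME` in -1243,9 and -1258,9), but no hunk adds the variable to this job's `env:` the way -288,10, -1119,6 and -1277,6 do for other jobs. Judging by the hunk offsets, the job header between `pre_activation:` and its first step is unchanged. Unless a workflow-level `env:` outside this chunk defines it, `process.env.GH_AW_HOME` is undefined there, the require path becomes `undefined/actions/check_membership.cjs`, and the membership and rate-limit checks fail to load. Adding `env:` with `GH_AW_HOME: /opt/gh-aw` to the job would match the others. The job edited in the -1373,15 hunk (the unlock-issue step) shows the same gap.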
@@ -1277,6 +1283,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/workflow-generator" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "workflow-generator" GH_AW_WORKFLOW_NAME: "Workflow Generator" outputs: @@ -1299,7 +1306,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1325,9 +1332,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign to agent id: assign_to_agent @@ -1341,9 +1348,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/assign_to_agent.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/assign_to_agent.cjs'); await main(); - name: Upload safe output items manifest if: always() 
@@ -1373,15 +1380,15 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Unlock issue after agent workflow id: unlock-issue if: ((github.event_name == 'issues') || (github.event_name == 'issue_comment')) && (needs.activation.outputs.issue_locked == 'true') uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/unlock-issue.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/unlock-issue.cjs'); await main(); diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index b20d38039a9..4e97856fe01 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -50,6 +50,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -65,7 +67,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -87,11 +89,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -109,9 +111,9 @@ jobs: GH_AW_WORKFLOW_FILE: "workflow-health-manager.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -126,16 +128,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, update_issue, missing_tool, missing_data, noop @@ -185,9 +187,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -210,10 +212,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -239,11 +241,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -269,10 +271,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: workflowhealthmanager outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -293,13 +293,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) env: 
@@ -309,7 +313,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -332,14 +336,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -348,19 +352,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":15},"create_issue":{"expires":24,"group":true,"max":10},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"update_issue":{"max":5}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. 
Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 10 issue(s) can be created. Labels [\"cookie\"] will be automatically added.", @@ -630,7 +634,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -820,8 +824,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -832,7 +836,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -861,7 +865,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -896,7 +900,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -930,7 +934,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -968,15 +972,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -986,7 +990,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -1005,9 +1009,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1031,18 +1035,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -1122,9 +1126,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1171,9 +1175,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1219,6 +1223,8 @@ jobs: concurrency: group: "gh-aw-conclusion-workflow-health-manager" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1233,7 +1239,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
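Review bot: In the `@@ -1122,9 +1126,9 @@` hunk the new `require('${GH_AW_HOME}/actions/setup_globals.cjs')` is a single-quoted JavaScript string, so `${GH_AW_HOME}` is never expanded and Node is asked for a path that literally starts with `${GH_AW_HOME}`. The step that loads `setup_threat_detection.cjs` would then fail to load its module; whether that stops the job or lets it continue depends on step settings the hunk does not show. It should use the form the neighbouring steps already have, `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`. The same literal form is in the noop, missing_tool, handle_agent_failure and handle_noop_message steps (`@@ -1257,9`, `-1270,9`, `-1294,9`, `-1311,9`) and in workflow-normalizer at `@@ -958,9`, `-1091,9`, `-1105,9`, `-1127,9` and `-1145,9`.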
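Review bot: `destination: ${GH_AW_HOME}/actions` in the `@@ -1233,7 +1239,7 @@` hunk is a `with:` input, and the runner evaluates only `${{ … }}` expressions there, so the action receives the text `${GH_AW_HOME}/actions` unless `./actions/setup` expands it itself, which this diff does not show. Passing the resolved value removes that dependency: `destination: ${{ env.GH_AW_HOME }}/actions`. The same input is changed in every Setup Scripts step of this patch, including `@@ -1333,7`, `-1369,7`, `-1453,7` and the workflow-normalizer and workflow-skill-extractor files.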
@@ -1257,9 +1263,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1270,9 +1276,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1294,9 +1300,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1311,9 +1317,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1333,7 +1339,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1342,9 +1348,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); push_repo_memory: @@ -1356,6 +1362,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} @@ -1369,7 +1377,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
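Review bot: The `pre_activation` job (hunks `@@ -1333,7 +1339,7 @@` and `@@ -1342,9 +1348,9 @@`) now reads `process.env.GH_AW_HOME`, but the hunk offsets show no lines added to that job, so it does not get the `env:` entry `GH_AW_HOME: /opt/gh-aw` that the conclusion, push_repo_memory and safe_outputs jobs receive. If the variable is not defined at workflow level or by the runner, the path becomes `undefined/actions/check_membership.cjs` and the membership check cannot load its module. Add the job-level `GH_AW_HOME: /opt/gh-aw` entry here as well, or fall back in the script with `(process.env.GH_AW_HOME || '/opt/gh-aw')`.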
@@ -1412,9 +1420,9 @@ jobs: FILE_GLOB_FILTER: "**" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1430,6 +1438,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/workflow-health-manager" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "workflow-health-manager" GH_AW_WORKFLOW_NAME: "Workflow Health Manager - Meta-Orchestrator" outputs: @@ -1453,7 +1462,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1479,9 +1488,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index ec6cd41985d..edd1fa18b79 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" 
@@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -107,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "workflow-normalizer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -124,15 +126,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -183,9 +185,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -201,10 +203,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -223,11 +225,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -253,10 +255,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: workflownormalizer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -277,7 +277,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -313,7 +313,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -336,14 +340,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -352,10 +356,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -369,26 +373,26 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[workflow-style] \". Labels [\"cookie\"] will be automatically added.", 
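Review bot: The install step in the `@@ -369,26 +373,26 @@` hunk uses `${GH_AW_HOME}` unquoted in `mkdir -p`, `cp` and `chmod`, so a home directory containing spaces or glob characters, which is plausible on a self-hosted runner, is word-split and the binary ends up somewhere else. Quote each use: `mkdir -p "${GH_AW_HOME}"`, `cp "$GH_AW_BIN" "${GH_AW_HOME}/gh-aw"`, `chmod +x "${GH_AW_HOME}/gh-aw"`. The `bash ${GH_AW_HOME}/actions/…` run lines and the `cat > ${GH_AW_HOME}/safeoutputs/…` redirections elsewhere in this patch need the same quoting.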
@@ -534,7 +538,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -652,8 +656,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -664,7 +668,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
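Review bot: In the `@@ -652,8 +656,8 @@` hunk the step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` are plain YAML strings, which the runner does not shell-expand, so the step exports the literal text and it takes precedence over the expanded values written to `$GITHUB_ENV` in the `@@ -313,7 +313,11 @@` hunk. The safe-outputs server would then presumably look for its tool and config files under a path that does not exist. Either drop these two entries so the `$GITHUB_ENV` values apply, or write them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and `${{ env.GH_AW_HOME }}/safeoutputs/config.json`.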
@@ -694,7 +698,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -741,7 +745,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -775,7 +779,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -813,15 +817,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -831,7 +835,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -850,9 +854,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -876,18 +880,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -958,9 +962,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1007,9 +1011,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1052,6 +1056,8 @@ jobs: concurrency: group: "gh-aw-conclusion-workflow-normalizer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1066,7 +1072,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1091,9 +1097,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1105,9 +1111,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1127,9 +1133,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1145,9 +1151,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1161,6 +1167,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/workflow-normalizer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "workflow-normalizer" GH_AW_WORKFLOW_ID: "workflow-normalizer" GH_AW_WORKFLOW_NAME: "Workflow Normalizer" @@ -1183,7 +1190,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1209,9 +1216,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 038deaaad55..172e9ba96af 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml 
@@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -63,7 +65,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -107,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "workflow-skill-extractor.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: 
@@ -124,15 +126,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, create_discussion, missing_tool, missing_data, noop @@ -182,9 +184,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -200,10 +202,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ 
@@ -222,11 +224,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -252,10 +254,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: workflowskillextractor outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -276,13 +276,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -305,14 +309,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -321,19 +325,19 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":168,"max":1},"create_issue":{"expires":48,"group":true,"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. 
CONSTRAINTS: Maximum 3 issue(s) can be created. Title will be prefixed with \"[refactoring] \". Labels [\"refactoring\" \"shared-component\" \"improvement\" \"cookie\"] will be automatically added.", @@ -513,7 +517,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -657,8 +661,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -669,7 +673,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
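Review bot: The step-level `env:` entries `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json` are plain YAML strings, so as far as these lines show the safe-outputs server is handed the unexpanded text rather than a path. Step-level `env:` also takes precedence over what the earlier "Create gh-aw temp directory" step appends to `$GITHUB_ENV`, so the resolved values set there are shadowed in this step. Dropping the two entries, or writing them as `${{ env.GH_AW_HOME }}/safeoutputs/tools.json` and the matching config line, keeps the server reading the intended files. The lock file appears generated, so the fix belongs in the generator.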
@@ -698,7 +702,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -733,7 +737,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -787,7 +791,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -825,15 +829,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -843,7 +847,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload Safe Outputs if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -862,9 +866,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -888,18 +892,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() 
@@ -970,9 +974,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1019,9 +1023,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1065,6 +1069,8 @@ jobs: concurrency: group: "gh-aw-conclusion-workflow-skill-extractor" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1079,7 +1085,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
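Review bot: `require('${GH_AW_HOME}/actions/setup_globals.cjs')` in the threat-detection setup step is a single-quoted JavaScript string, so nothing expands `${GH_AW_HOME}` and the module lookup is attempted on that literal path. The other github-script steps in this patch use `require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')`; the same form is needed here and for `setup_threat_detection.cjs`. The noop, missing_tool, handle_agent_failure and handle_noop_message steps of the conclusion job carry the same literal form. Since the lock file appears generated, the code emitting these steps presumably does not go through the `JsRequireGhAw` helper yet.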
@@ -1103,9 +1109,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1116,9 +1122,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1139,9 +1145,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1156,9 +1162,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1173,6 +1179,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/workflow-skill-extractor" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "workflow-skill-extractor" GH_AW_WORKFLOW_NAME: "Workflow Skill Extractor" outputs: @@ -1194,7 +1201,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1220,9 +1227,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload safe output items manifest if: always() diff --git a/actions/setup/setup.sh b/actions/setup/setup.sh index 4e5ecfca15a..5705322cedd 100755 --- a/actions/setup/setup.sh +++ b/actions/setup/setup.sh 
@@ -27,6 +27,15 @@ create_dir() { # Get destination from input or use default DESTINATION="${INPUT_DESTINATION:-/opt/gh-aw/actions}" +# Derive GH_AW_HOME from DESTINATION (strip /actions suffix) +# This allows setup.sh to be used with custom base directories +GH_AW_HOME="${DESTINATION%/actions}" + +# Export GH_AW_HOME to $GITHUB_ENV so all subsequent steps can use it +if [ -n "${GITHUB_ENV}" ]; then + echo "GH_AW_HOME=${GH_AW_HOME}" >> "${GITHUB_ENV}" +fi + # Get safe-output-custom-tokens flag from input (default: false) SAFE_OUTPUT_CUSTOM_TOKENS_ENABLED="${INPUT_SAFE_OUTPUT_CUSTOM_TOKENS:-false}" @@ -118,7 +127,7 @@ fi echo "Successfully copied ${FILE_COUNT} files to ${DESTINATION}" # Copy prompt markdown files to their expected directory -PROMPTS_DEST="/opt/gh-aw/prompts" +PROMPTS_DEST="${GH_AW_HOME}/prompts" echo "Copying prompt markdown files to ${PROMPTS_DEST}" create_dir "${PROMPTS_DEST}" @@ -140,7 +149,7 @@ else fi # Copy mcp-scripts files to their expected directory -MCP_SCRIPTS_DEST="/opt/gh-aw/mcp-scripts" +MCP_SCRIPTS_DEST="${GH_AW_HOME}/mcp-scripts" echo "Copying mcp-scripts files to ${MCP_SCRIPTS_DEST}" create_dir "${MCP_SCRIPTS_DEST}" @@ -194,7 +203,7 @@ fi echo "Successfully copied ${MCP_SCRIPTS_COUNT} mcp-scripts files to ${MCP_SCRIPTS_DEST}" # Copy safe-outputs files to their expected directory -SAFE_OUTPUTS_DEST="/opt/gh-aw/safeoutputs" +SAFE_OUTPUTS_DEST="${GH_AW_HOME}/safeoutputs" echo "Copying safe-outputs files to ${SAFE_OUTPUTS_DEST}" create_dir "${SAFE_OUTPUTS_DEST}" diff --git a/actions/setup/sh/start_mcp_gateway.sh b/actions/setup/sh/start_mcp_gateway.sh index f46547dad41..59ae5cd033a 100755 --- a/actions/setup/sh/start_mcp_gateway.sh +++ b/actions/setup/sh/start_mcp_gateway.sh 
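Review bot: `GH_AW_HOME="${DESTINATION%/actions}"` silently yields the whole destination when the input does not end in `/actions` (a trailing slash, a different leaf name), so prompts, mcp-scripts and safeoutputs would be created inside the scripts directory, and that value is then appended to `$GITHUB_ENV` for every later step. A guard before the derivation makes the contract explicit and also rejects a relative or unexpanded value: `case "${DESTINATION}" in /*/actions) ;; *) echo "ERROR: destination must be an absolute path ending in /actions" >&2; exit 1 ;; esac`. The rest of setup.sh lies outside this hunk.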
@@ -355,19 +355,19 @@ echo "Detected engine type: $ENGINE_TYPE" case "$ENGINE_TYPE" in copilot) echo "Using Copilot converter..." - bash /opt/gh-aw/actions/convert_gateway_config_copilot.sh + bash ${GH_AW_HOME:-/opt/gh-aw}/actions/convert_gateway_config_copilot.sh ;; codex) echo "Using Codex converter..." - bash /opt/gh-aw/actions/convert_gateway_config_codex.sh + bash ${GH_AW_HOME:-/opt/gh-aw}/actions/convert_gateway_config_codex.sh ;; claude) echo "Using Claude converter..." - bash /opt/gh-aw/actions/convert_gateway_config_claude.sh + bash ${GH_AW_HOME:-/opt/gh-aw}/actions/convert_gateway_config_claude.sh ;; gemini) echo "Using Gemini converter..." - bash /opt/gh-aw/actions/convert_gateway_config_gemini.sh + bash ${GH_AW_HOME:-/opt/gh-aw}/actions/convert_gateway_config_gemini.sh ;; *) echo "No agent-specific converter found for engine: $ENGINE_TYPE" @@ -384,13 +384,13 @@ echo "" # Check MCP server functionality echo "Checking MCP server functionality..." MCP_CHECK_START=$(date +%s%3N) -if [ -f /opt/gh-aw/actions/check_mcp_servers.sh ]; then +if [ -f ${GH_AW_HOME:-/opt/gh-aw}/actions/check_mcp_servers.sh ]; then echo "Running MCP server checks..." # Store check diagnostic logs in /tmp/gh-aw/mcp-logs/start-gateway.log for artifact upload # Use tee to output to both stdout and the log file # Enable pipefail so the exit code comes from check_mcp_servers.sh, not tee set -o pipefail - if ! bash /opt/gh-aw/actions/check_mcp_servers.sh \ + if ! bash ${GH_AW_HOME:-/opt/gh-aw}/actions/check_mcp_servers.sh \ /tmp/gh-aw/mcp-config/gateway-output.json \ "http://localhost:${MCP_GATEWAY_PORT}" \ "${MCP_GATEWAY_API_KEY}" 2>&1 | tee /tmp/gh-aw/mcp-logs/start-gateway.log; then 
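Review bot: The expansions of `${GH_AW_HOME:-/opt/gh-aw}` are unquoted, so on a self-hosted runner whose home directory contains a space the `bash …` calls split into two words and `[ -f ${GH_AW_HOME:-/opt/gh-aw}/actions/check_mcp_servers.sh ]` fails on its argument count. Resolving the default once near the top of the script, `GH_AW_HOME="${GH_AW_HOME:-/opt/gh-aw}"`, and then writing `bash "${GH_AW_HOME}/actions/convert_gateway_config_copilot.sh"` also removes the repeated fallback. The same applies to the `cd` and `ls -la` lines in start_mcp_scripts_server.sh and start_safe_outputs_server.sh and to the unquoted `run:` lines in the workflow. The top of the script is outside this hunk.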
@@ -402,7 +402,7 @@ if [ -f /opt/gh-aw/actions/check_mcp_servers.sh ]; then set +o pipefail print_timing $MCP_CHECK_START "MCP server connectivity checks" else - echo "WARNING: MCP server check script not found at /opt/gh-aw/actions/check_mcp_servers.sh" + echo "WARNING: MCP server check script not found at ${GH_AW_HOME:-/opt/gh-aw}/actions/check_mcp_servers.sh" echo "Skipping MCP server functionality checks" fi echo "" diff --git a/actions/setup/sh/start_mcp_scripts_server.sh b/actions/setup/sh/start_mcp_scripts_server.sh index e1899ab3b26..0c79ae537c4 100755 --- a/actions/setup/sh/start_mcp_scripts_server.sh +++ b/actions/setup/sh/start_mcp_scripts_server.sh @@ -4,20 +4,20 @@ set -e -cd /opt/gh-aw/mcp-scripts || exit 1 +cd ${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts || exit 1 # Verify required files exist echo "Verifying mcp-scripts setup..." # Check core configuration files if [ ! -f mcp-server.cjs ]; then - echo "ERROR: mcp-server.cjs not found in /opt/gh-aw/mcp-scripts" - ls -la /opt/gh-aw/mcp-scripts/ + echo "ERROR: mcp-server.cjs not found in ${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts" + ls -la ${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts/ exit 1 fi if [ ! -f tools.json ]; then - echo "ERROR: tools.json not found in /opt/gh-aw/mcp-scripts" - ls -la /opt/gh-aw/mcp-scripts/ + echo "ERROR: tools.json not found in ${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts" + ls -la ${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts/ exit 1 fi 
@@ -48,13 +48,13 @@ for dep in "${REQUIRED_DEPS[@]}"; do done if [ ${#MISSING_FILES[@]} -gt 0 ]; then - echo "ERROR: Missing required dependency files in /opt/gh-aw/mcp-scripts/" + echo "ERROR: Missing required dependency files in ${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts/" for file in "${MISSING_FILES[@]}"; do echo " - $file" done echo echo "Current directory contents:" - ls -la /opt/gh-aw/mcp-scripts/ + ls -la ${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts/ echo echo "These files should have been copied by the Setup Scripts action." echo "This usually indicates a problem with the actions/setup step." diff --git a/actions/setup/sh/start_safe_outputs_server.sh b/actions/setup/sh/start_safe_outputs_server.sh index fe763edd86c..ef1628de059 100755 --- a/actions/setup/sh/start_safe_outputs_server.sh +++ b/actions/setup/sh/start_safe_outputs_server.sh @@ -4,20 +4,20 @@ set -e -cd /opt/gh-aw/safeoutputs || exit 1 +cd ${GH_AW_HOME:-/opt/gh-aw}/safeoutputs || exit 1 # Verify required files exist echo "Verifying safe-outputs setup..." # Check core files (mcp-server.cjs and tools.json are required) if [ ! -f mcp-server.cjs ]; then - echo "ERROR: mcp-server.cjs not found in /opt/gh-aw/safeoutputs" - ls -la /opt/gh-aw/safeoutputs/ + echo "ERROR: mcp-server.cjs not found in ${GH_AW_HOME:-/opt/gh-aw}/safeoutputs" + ls -la ${GH_AW_HOME:-/opt/gh-aw}/safeoutputs/ exit 1 fi if [ ! -f tools.json ]; then - echo "ERROR: tools.json not found in /opt/gh-aw/safeoutputs" - ls -la /opt/gh-aw/safeoutputs/ + echo "ERROR: tools.json not found in ${GH_AW_HOME:-/opt/gh-aw}/safeoutputs" + ls -la ${GH_AW_HOME:-/opt/gh-aw}/safeoutputs/ exit 1 fi 
@@ -48,13 +48,13 @@ for dep in "${REQUIRED_DEPS[@]}"; do done if [ ${#MISSING_FILES[@]} -gt 0 ]; then - echo "ERROR: Missing required dependency files in /opt/gh-aw/safeoutputs/" + echo "ERROR: Missing required dependency files in ${GH_AW_HOME:-/opt/gh-aw}/safeoutputs/" for file in "${MISSING_FILES[@]}"; do echo " - $file" done echo echo "Current directory contents:" - ls -la /opt/gh-aw/safeoutputs/ + ls -la ${GH_AW_HOME:-/opt/gh-aw}/safeoutputs/ echo echo "These files should have been copied by the Setup Scripts action." echo "This usually indicates a problem with the actions/setup step." diff --git a/pkg/workflow/agentic_engine.go b/pkg/workflow/agentic_engine.go index 20f998609b3..6b4e5f06eb8 100644 --- a/pkg/workflow/agentic_engine.go +++ b/pkg/workflow/agentic_engine.go @@ -508,7 +508,7 @@ func GenerateMultiSecretValidationStep(secretNames []string, engineName, docsURL stepLines := []string{ stepName, " id: validate-secret", - " run: /opt/gh-aw/actions/validate_multi_secret.sh " + scriptArgsStr, + " run: " + GhAwHome + "/actions/validate_multi_secret.sh " + scriptArgsStr, " env:", } diff --git a/pkg/workflow/agentic_output_test.go b/pkg/workflow/agentic_output_test.go index 20fa552f9f3..22b8888173c 100644 --- a/pkg/workflow/agentic_output_test.go +++ b/pkg/workflow/agentic_output_test.go 
@@ -62,8 +62,8 @@ This workflow tests the agentic output collection functionality. lockContent := string(content) // Verify GH_AW_SAFE_OUTPUTS is set at job level with fixed path - if !strings.Contains(lockContent, "GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl") { - t.Error("Expected 'GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl' environment variable in generated workflow") + if !strings.Contains(lockContent, "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl") { + t.Error("Expected 'GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl' environment variable in generated workflow") } if !strings.Contains(lockContent, "- name: Ingest agent output") { @@ -161,8 +161,8 @@ This workflow tests that Codex engine gets GH_AW_SAFE_OUTPUTS but not engine out lockContent := string(content) // Verify that Codex workflow DOES have GH_AW_SAFE_OUTPUTS functionality at job level - if !strings.Contains(lockContent, "GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl") { - t.Error("Codex workflow should have 'GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl' environment variable (GH_AW_SAFE_OUTPUTS functionality)") + if !strings.Contains(lockContent, "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl") { + t.Error("Codex workflow should have 'GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl' environment variable (GH_AW_SAFE_OUTPUTS functionality)") } if !strings.Contains(lockContent, "- name: Ingest agent output") { diff --git a/pkg/workflow/agentic_workflow_test.go b/pkg/workflow/agentic_workflow_test.go index 1120317735e..b34499e2bf8 100644 --- a/pkg/workflow/agentic_workflow_test.go +++ b/pkg/workflow/agentic_workflow_test.go 
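Review bot: The comment `// Verify GH_AW_SAFE_OUTPUTS is set at job level with fixed path` above the first assertion no longer matches what is checked: the matched string is now the `NAME=value` form that a step writes, not a job-level `env:` entry. Something like `// Verify GH_AW_SAFE_OUTPUTS is exported via $GITHUB_ENV relative to GH_AW_HOME` would describe it. The Codex assertion's "at job level" wording and the `/opt/gh-aw` mention in the assert message in agentic_workflow_test.go have drifted the same way. Both test functions start and end outside these hunks.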
@@ -162,7 +162,7 @@ func TestAgenticWorkflowsInstallStepIncludesGHToken(t *testing.T) { "install step should include command to verify gh-aw installation") // Verify the binary copy command is present for MCP server containerization - assert.Contains(t, result, "cp \"$GH_AW_BIN\" /opt/gh-aw/gh-aw", + assert.Contains(t, result, "cp \"$GH_AW_BIN\" ${GH_AW_HOME}/gh-aw", "install step should copy gh-aw binary to /opt/gh-aw for MCP server containerization") } diff --git a/pkg/workflow/aw_info_tmp_test.go b/pkg/workflow/aw_info_tmp_test.go index a26f50da6fe..2b3d1b3cade 100644 --- a/pkg/workflow/aw_info_tmp_test.go +++ b/pkg/workflow/aw_info_tmp_test.go @@ -56,7 +56,7 @@ This workflow tests that aw_info.json is generated in /tmp directory. lockStr := string(lockContent) // Test 1: Verify the step uses the generate_aw_info.cjs module - if !strings.Contains(lockStr, "require('/opt/gh-aw/actions/generate_aw_info.cjs')") { + if !strings.Contains(lockStr, "require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs')") { t.Error("Expected step to require generate_aw_info.cjs module") } diff --git a/pkg/workflow/cache.go b/pkg/workflow/cache.go index dd7c709570d..5f438bae9eb 100644 --- a/pkg/workflow/cache.go +++ b/pkg/workflow/cache.go @@ -360,7 +360,7 @@ func generateCacheMemorySteps(builder *strings.Builder, data *WorkflowData) { if useBackwardCompatiblePaths { // For single default cache, use the original directory for backward compatibility builder.WriteString(" - name: Create cache-memory directory\n") - builder.WriteString(" run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh\n") + builder.WriteString(" run: bash " + GhAwHome + "/actions/create_cache_memory_dir.sh\n") } else { fmt.Fprintf(builder, " - name: Create cache-memory directory (%s)\n", cache.ID) builder.WriteString(" run: |\n") 
@@ -498,9 +498,9 @@ func generateCacheMemoryValidation(builder *strings.Builder, data *WorkflowData) // Build validation script var validationScript strings.Builder - validationScript.WriteString(" const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');\n") + validationScript.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") validationScript.WriteString(" setupGlobals(core, github, context, exec, io);\n") - validationScript.WriteString(" const { validateMemoryFiles } = require('/opt/gh-aw/actions/validate_memory_files.cjs');\n") + validationScript.WriteString(" const { validateMemoryFiles } = require(" + JsRequireGhAw("actions/validate_memory_files.cjs") + ");\n") fmt.Fprintf(&validationScript, " const allowedExtensions = %s;\n", allowedExtsJSON) fmt.Fprintf(&validationScript, " const result = validateMemoryFiles('%s', 'cache', allowedExtensions);\n", cacheDir) validationScript.WriteString(" if (!result.valid) {\n") 
@@ -763,9 +763,9 @@ func (c *Compiler) buildUpdateCacheMemoryJob(data *WorkflowData, threatDetection // Build validation script var validationScript strings.Builder - validationScript.WriteString(" const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');\n") + validationScript.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") validationScript.WriteString(" setupGlobals(core, github, context, exec, io);\n") - validationScript.WriteString(" const { validateMemoryFiles } = require('/opt/gh-aw/actions/validate_memory_files.cjs');\n") + validationScript.WriteString(" const { validateMemoryFiles } = require(" + JsRequireGhAw("actions/validate_memory_files.cjs") + ");\n") fmt.Fprintf(&validationScript, " const allowedExtensions = %s;\n", allowedExtsJSON) fmt.Fprintf(&validationScript, " const result = validateMemoryFiles('%s', 'cache', allowedExtensions);\n", cacheDir) validationScript.WriteString(" if (!result.valid) {\n") @@ -836,12 +836,13 @@ func (c *Compiler) buildUpdateCacheMemoryJob(data *WorkflowData, threatDetection permissions = perms.RenderToYAML() } - // Set GH_AW_WORKFLOW_ID_SANITIZED so cache keys match those used in the agent job - var jobEnv map[string]string + // Build job-level environment variables + // Always include GH_AW_HOME so steps can use $GH_AW_HOME without the :-fallback syntax + jobEnv := map[string]string{ + "GH_AW_HOME": constants.GhAwHomeDefault, + } if data.WorkflowID != "" { - jobEnv = map[string]string{ - "GH_AW_WORKFLOW_ID_SANITIZED": SanitizeWorkflowIDForCacheKey(data.WorkflowID), - } + jobEnv["GH_AW_WORKFLOW_ID_SANITIZED"] = SanitizeWorkflowIDForCacheKey(data.WorkflowID) } job := &Job{ diff --git a/pkg/workflow/cache_memory_integration_test.go b/pkg/workflow/cache_memory_integration_test.go index b920405868a..9330802e325 100644 --- a/pkg/workflow/cache_memory_integration_test.go +++ b/pkg/workflow/cache_memory_integration_test.go 
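Review bot: The `jobEnv` literal pins `GH_AW_HOME` to `constants.GhAwHomeDefault` at job level, and the same map is written out again in buildActivationJob and buildMainJob. One shared helper returning `map[string]string{"GH_AW_HOME": constants.GhAwHomeDefault}` would keep the three builders in step. It is also worth documenting here how a self-hosted runner is expected to change the value, since a job-level `env:` entry takes precedence over a variable defined in the runner's own environment. buildUpdateCacheMemoryJob starts and ends outside the hunk.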
@@ -42,7 +42,7 @@ tools: "uses: actions/cache@", "key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }}", "path: /tmp/gh-aw/cache-memory", - "cat \"/opt/gh-aw/prompts/cache_memory_prompt.md\"", + "cat \"${GH_AW_HOME}/prompts/cache_memory_prompt.md\"", "GH_AW_CACHE_DIR: '/tmp/gh-aw/cache-memory/'", "GH_AW_CACHE_DIR: process.env.GH_AW_CACHE_DIR", }, diff --git a/pkg/workflow/codex_engine_test.go b/pkg/workflow/codex_engine_test.go index 09afd567a92..f8f161ff458 100644 --- a/pkg/workflow/codex_engine_test.go +++ b/pkg/workflow/codex_engine_test.go @@ -308,7 +308,7 @@ func TestCodexEngineRenderMCPConfig(t *testing.T) { "GH_AW_MCP_CONFIG_EOF", "", "# Generate JSON config for MCP gateway", - "cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh", + "cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh", "{", "\"mcpServers\": {", "\"github\": {", diff --git a/pkg/workflow/compiler_activation_job.go b/pkg/workflow/compiler_activation_job.go index e9b110d4eb1..a766e395547 100644 --- a/pkg/workflow/compiler_activation_job.go +++ b/pkg/workflow/compiler_activation_job.go @@ -370,6 +370,7 @@ func (c *Compiler) buildActivationJob(data *WorkflowData, preActivationJobCreate RunsOn: c.formatSafeOutputsRunsOn(data.SafeOutputs), Permissions: permissions, Environment: environment, + Env: map[string]string{"GH_AW_HOME": constants.GhAwHomeDefault}, Steps: steps, Outputs: outputs, Needs: activationNeeds, // Depend on pre-activation job if it exists diff --git a/pkg/workflow/compiler_custom_actions_test.go b/pkg/workflow/compiler_custom_actions_test.go index b09c327e025..345c3d9fb2e 100644 --- a/pkg/workflow/compiler_custom_actions_test.go +++ b/pkg/workflow/compiler_custom_actions_test.go 
@@ -218,7 +218,7 @@ Test workflow with script mode. } // 5. Setup step should have INPUT_DESTINATION environment variable - if !strings.Contains(lockStr, "INPUT_DESTINATION: /opt/gh-aw/actions") { + if !strings.Contains(lockStr, "bash /tmp/gh-aw/actions-source/actions/setup/setup.sh") { t.Error("Expected INPUT_DESTINATION environment variable in setup step for script mode") } diff --git a/pkg/workflow/compiler_main_job.go b/pkg/workflow/compiler_main_job.go index 0bb6ffd04be..019f816166a 100644 --- a/pkg/workflow/compiler_main_job.go +++ b/pkg/workflow/compiler_main_job.go 
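Review bot: The assertion now looks for the `setup.sh` invocation, but the comment above it and the `t.Error` text still say `INPUT_DESTINATION`, so a failure will send the reader looking for an environment variable the test no longer checks. Update both, for example `t.Error("Expected setup.sh invocation in setup step for script mode")`. The firewall_version_pinning_test.go hunk has the same mismatch: its comment and message still name `/opt/gh-aw/actions/` while the check is for `${GH_AW_HOME}/actions/install_awf_binary.sh`.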
@@ -166,24 +166,22 @@ func (c *Compiler) buildMainJob(data *WorkflowData, activationJobCreated bool) ( } } - // Build job-level environment variables for safe outputs - var env map[string]string - if data.SafeOutputs != nil { - env = make(map[string]string) + // Build job-level environment variables + // Always initialize env with GH_AW_HOME so steps don't need the :-fallback syntax + env := map[string]string{ + "GH_AW_HOME": constants.GhAwHomeDefault, + } - // Set GH_AW_SAFE_OUTPUTS to path in /opt (read-only mount for agent container) - // The MCP server writes agent outputs to this file during execution - // This file is in /opt to prevent the agent container from having write access - env["GH_AW_SAFE_OUTPUTS"] = "/opt/gh-aw/safeoutputs/outputs.jsonl" + if data.SafeOutputs != nil { + // Safe outputs paths are set via $GITHUB_ENV in the "Create gh-aw temp directory" step + // (after setup.sh sets GH_AW_HOME). This ensures GitHub Actions expressions like + // ${{ env.GH_AW_SAFE_OUTPUTS }} in upload-artifact resolve to real paths, not + // unexpanded shell expressions. // Set GH_AW_MCP_LOG_DIR for safe outputs MCP server logging // Store in mcp-logs directory so it's included in mcp-logs artifact env["GH_AW_MCP_LOG_DIR"] = "/tmp/gh-aw/mcp-logs/safeoutputs" - // Set config and tools paths (readonly files in /opt/gh-aw) - env["GH_AW_SAFE_OUTPUTS_CONFIG_PATH"] = "/opt/gh-aw/safeoutputs/config.json" - env["GH_AW_SAFE_OUTPUTS_TOOLS_PATH"] = "/opt/gh-aw/safeoutputs/tools.json" - // Add asset-related environment variables // These must always be set (even to empty) because awmg v0.0.12+ validates ${VAR} references if data.SafeOutputs.UploadAssets != nil { 
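Review bot: The removed comment recorded why the safe-outputs file sits where it does, namely so the agent container has no write access to it, and the replacement comment in buildMainJob only explains the `$GITHUB_ENV` mechanics. Now that the directory is relocatable, that property depends on wherever GH_AW_HOME points being mounted read-only for the agent, so it is worth keeping in the source. I would add `// Safe outputs files live under GH_AW_HOME, which must stay read-only for the agent container so the agent cannot rewrite them` next to the new comment. The function continues outside this hunk.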
@@ -206,9 +204,6 @@ func (c *Compiler) buildMainJob(data *WorkflowData, activationJobCreated bool) ( // This contains the workflow ID with all hyphens removed and lowercased // Used in cache keys to avoid spaces and special characters if data.WorkflowID != "" { - if env == nil { - env = make(map[string]string) - } sanitizedID := SanitizeWorkflowIDForCacheKey(data.WorkflowID) env["GH_AW_WORKFLOW_ID_SANITIZED"] = sanitizedID } diff --git a/pkg/workflow/compiler_safe_outputs_job.go b/pkg/workflow/compiler_safe_outputs_job.go index 7073021b739..b261b61305b 100644 --- a/pkg/workflow/compiler_safe_outputs_job.go +++ b/pkg/workflow/compiler_safe_outputs_job.go @@ -254,7 +254,12 @@ func (c *Compiler) buildConsolidatedSafeOutputsJob(data *WorkflowData, mainJobNa if len(c.generateCheckoutActionsFolder(data)) > 0 { insertIndex += 6 // Checkout step (6 lines: name, uses, with, sparse-checkout header, actions, persist-credentials) } - insertIndex += 4 // Setup step (4 lines: name, uses, with, destination) + enableCustomTokens := c.hasCustomTokenSafeOutputs(data.SafeOutputs) + if enableCustomTokens { + insertIndex += 4 // Setup step with custom tokens (4 lines: name, uses, with, safe-output-custom-tokens) + } else { + insertIndex += 2 // Setup step without custom tokens (2 lines: name, uses) + } } // Add artifact download steps count @@ -361,6 +366,9 @@ func (c *Compiler) buildConsolidatedSafeOutputsJob(data *WorkflowData, mainJobNa func (c *Compiler) buildJobLevelSafeOutputEnvVars(data *WorkflowData, workflowID string) map[string]string { envVars := make(map[string]string) + // Set GH_AW_HOME so steps can use $GH_AW_HOME without the :-fallback syntax + envVars["GH_AW_HOME"] = constants.GhAwHomeDefault + // Set GH_AW_WORKFLOW_ID to the workflow ID (filename without extension) // This is used for branch naming in create_pull_request and other operations envVars["GH_AW_WORKFLOW_ID"] = fmt.Sprintf("%q", workflowID) 
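Review bot: The setup-step offset added to `insertIndex` in buildConsolidatedSafeOutputsJob is a hand-counted number of YAML lines (4 with custom tokens, 2 without) that has to match what the setup step generator emits. This commit already had to adjust it because the `destination` input went away. A wrong count here would presumably splice later steps into the middle of the setup step rather than fail loudly. Where the generated setup-step lines are in scope, deriving the offset from their length is safer than a literal. At minimum, add a comment naming the generator function these counts must track. The function starts and ends outside the hunk, so the generator is not visible here.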
diff --git a/pkg/workflow/compiler_safe_outputs_specialized.go b/pkg/workflow/compiler_safe_outputs_specialized.go index 9217585f8d5..4e304574359 100644 --- a/pkg/workflow/compiler_safe_outputs_specialized.go +++ b/pkg/workflow/compiler_safe_outputs_specialized.go @@ -127,7 +127,7 @@ func (c *Compiler) buildCreateAgentSessionStepConfig(data *WorkflowData, mainJob return SafeOutputStepConfig{ StepName: "Create Agent Session", StepID: "create_agent_session", - Script: "const { main } = require('/opt/gh-aw/actions/create_agent_session.cjs'); await main();", + Script: "const { main } = require(" + JsRequireGhAw("actions/create_agent_session.cjs") + "); await main();", CustomEnvVars: customEnvVars, Condition: condition, Token: cfg.GitHubToken, diff --git a/pkg/workflow/compiler_safe_outputs_steps.go b/pkg/workflow/compiler_safe_outputs_steps.go index 983db9cd496..b303ed9fe5c 100644 --- a/pkg/workflow/compiler_safe_outputs_steps.go +++ b/pkg/workflow/compiler_safe_outputs_steps.go 
@@ -156,13 +156,13 @@ func (c *Compiler) buildConsolidatedSafeOutputStep(data *WorkflowData, config Sa // Use require mode if ScriptName is set, otherwise inline the bundled script if config.ScriptName != "" { // Require mode: Use setup_globals helper - steps = append(steps, " const { setupGlobals } = require('"+SetupActionDestination+"/setup_globals.cjs');\n") + steps = append(steps, " const { setupGlobals } = require("+JsRequireGhAw("actions/setup_globals.cjs")+");\n") steps = append(steps, " setupGlobals(core, github, context, exec, io);\n") - steps = append(steps, fmt.Sprintf(" const { main } = require('"+SetupActionDestination+"/%s.cjs');\n", config.ScriptName)) + steps = append(steps, fmt.Sprintf(" const { main } = require("+JsRequireGhAw("actions/%s.cjs")+");\n", config.ScriptName)) steps = append(steps, " await main();\n") } else { // Inline JavaScript: Use setup_globals helper - steps = append(steps, " const { setupGlobals } = require('"+SetupActionDestination+"/setup_globals.cjs');\n") + steps = append(steps, " const { setupGlobals } = require("+JsRequireGhAw("actions/setup_globals.cjs")+");\n") steps = append(steps, " setupGlobals(core, github, context, exec, io);\n") // Inline mode: embed the bundled script directly formattedScript := FormatJavaScriptForYAML(config.Script) 
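Review bot: In the require-mode branch the format string for `fmt.Sprintf` is built from the return value of `JsRequireGhAw("actions/%s.cjs")`, so the `%s` only survives because the helper happens to pass it through untouched. Any `%` the helper later emits would be read as a verb, and a non-constant format string is something vet-style checks tend to flag. Plain concatenation avoids this: `require("+JsRequireGhAw("actions/"+config.ScriptName+".cjs")+");\n"`. Note also that `config.ScriptName` ends up inside a single-quoted JavaScript literal with no escaping, which is fine only while script names are compiler-chosen identifiers.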
@@ -426,9 +426,9 @@ func (c *Compiler) buildHandlerManagerStep(data *WorkflowData) []string { c.addSafeOutputGitHubTokenForConfig(&steps, data, configToken) steps = append(steps, " script: |\n") - steps = append(steps, " const { setupGlobals } = require('"+SetupActionDestination+"/setup_globals.cjs');\n") + steps = append(steps, " const { setupGlobals } = require("+JsRequireGhAw("actions/setup_globals.cjs")+");\n") steps = append(steps, " setupGlobals(core, github, context, exec, io);\n") - steps = append(steps, " const { main } = require('"+SetupActionDestination+"/safe_output_handler_manager.cjs');\n") + steps = append(steps, " const { main } = require("+JsRequireGhAw("actions/safe_output_handler_manager.cjs")+");\n") steps = append(steps, " await main();\n") return steps diff --git a/pkg/workflow/compiler_safe_outputs_steps_test.go b/pkg/workflow/compiler_safe_outputs_steps_test.go index 6aad571ec81..bd8ff3c40f6 100644 --- a/pkg/workflow/compiler_safe_outputs_steps_test.go +++ b/pkg/workflow/compiler_safe_outputs_steps_test.go @@ -47,7 +47,7 @@ func TestBuildConsolidatedSafeOutputStep(t *testing.T) { "name: Create Issue", "id: create_issue", "setupGlobals", - "require('/opt/gh-aw/actions/create_issue_handler.cjs')", + "require(process.env.GH_AW_HOME + '/actions/create_issue_handler.cjs')", "await main();", }, checkNotContains: []string{ @@ -726,7 +726,7 @@ func TestScriptNameVsInlineScript(t *testing.T) { stepsContent := strings.Join(steps, "") assert.Contains(t, stepsContent, "setupGlobals") - assert.Contains(t, stepsContent, "require('/opt/gh-aw/actions/test_handler.cjs')") + assert.Contains(t, stepsContent, "require(process.env.GH_AW_HOME + '/actions/test_handler.cjs')") assert.Contains(t, stepsContent, "await main()") assert.NotContains(t, stepsContent, "console.log") }) diff --git a/pkg/workflow/compiler_yaml.go b/pkg/workflow/compiler_yaml.go index 364339c84cc..5587c074712 100644 --- a/pkg/workflow/compiler_yaml.go +++ b/pkg/workflow/compiler_yaml.go 
@@ -499,13 +499,13 @@ func (c *Compiler) generatePrompt(yaml *strings.Builder, data *WorkflowData, pre yaml.WriteString(" - name: Validate prompt placeholders\n") yaml.WriteString(" env:\n") yaml.WriteString(" GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt\n") - yaml.WriteString(" run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh\n") + yaml.WriteString(" run: bash " + GhAwHome + "/actions/validate_prompt_placeholders.sh\n") // Print prompt (merged into prompt generation) yaml.WriteString(" - name: Print prompt\n") yaml.WriteString(" env:\n") yaml.WriteString(" GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt\n") - yaml.WriteString(" run: bash /opt/gh-aw/actions/print_prompt_summary.sh\n") + yaml.WriteString(" run: bash " + GhAwHome + "/actions/print_prompt_summary.sh\n") } func (c *Compiler) generatePostSteps(yaml *strings.Builder, data *WorkflowData) { if data.PostSteps != "" { @@ -651,7 +651,7 @@ func (c *Compiler) generateCreateAwInfo(yaml *strings.Builder, data *WorkflowDat fmt.Fprintf(yaml, " uses: %s\n", GetActionPin("actions/github-script")) yaml.WriteString(" with:\n") yaml.WriteString(" script: |\n") - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/generate_aw_info.cjs") + ");\n") yaml.WriteString(" await main(core, context);\n") } 
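Review bot: The generated `run:` lines in generatePrompt expand `${GH_AW_HOME}` unquoted (`bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh`), so a home directory containing spaces or glob characters will be word-split by the shell. That is plausible on the self-hosted runners this change targets. Quote the expansion, e.g. `"bash \"" + GhAwHome + "/actions/validate_prompt_placeholders.sh\"\n"`, and update the test expectations to match. The same applies to the other shell call sites in this patch: stop_mcp_gateway.sh, append_agent_step_summary.sh, create_gh_aw_tmp_dir.sh, detect_inference_access_error.sh, install_awf_binary.sh, install_copilot_cli.sh, download_docker_images.sh and clean_git_credentials.sh. The install_copilot_cli.sh line starts the YAML scalar with the variable, so quoting there needs a `bash` prefix or a `run: |` block. The cache-memory test string already uses the quoted form `cat "${GH_AW_HOME}/prompts/..."`.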
@@ -713,9 +713,9 @@ func (c *Compiler) generateOutputCollectionStep(yaml *strings.Builder, data *Wor yaml.WriteString(" script: |\n") // Load script from external file using require() - yaml.WriteString(" const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/collect_ndjson_output.cjs") + ");\n") yaml.WriteString(" await main();\n") // Record artifact upload for validation diff --git a/pkg/workflow/compiler_yaml_ai_execution.go b/pkg/workflow/compiler_yaml_ai_execution.go index c0ac972ff18..f1a0bcc085f 100644 --- a/pkg/workflow/compiler_yaml_ai_execution.go +++ b/pkg/workflow/compiler_yaml_ai_execution.go @@ -47,10 +47,10 @@ func (c *Compiler) generateLogParsing(yaml *strings.Builder, engine CodingAgentE yaml.WriteString(" script: |\n") // Use the setup_globals helper to store GitHub Actions objects in global scope - yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Load log parser script from external file using require() - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/" + parserScriptName + ".cjs');\n") + yaml.WriteString(" const { main } = require(" + GhAwHomeJS + " + '/actions/" + parserScriptName + ".cjs');\n") yaml.WriteString(" await main();\n") } 
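Review bot: In generateLogParsing the parser script require is assembled by hand from `GhAwHomeJS` and string pieces, while the line above it and every other call site in this patch go through `JsRequireGhAw`. Using the helper here too keeps one place that defines how the path is joined and quoted: `yaml.WriteString("... const { main } = require(" + JsRequireGhAw("actions/"+parserScriptName+".cjs") + ");\n")`, with the existing indentation kept. The function begins outside the hunk, so where `parserScriptName` comes from is not visible. It is placed inside a single-quoted JS literal unescaped either way.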
@@ -65,10 +65,10 @@ func (c *Compiler) generateMCPScriptsLogParsing(yaml *strings.Builder) { yaml.WriteString(" script: |\n") // Use the setup_globals helper to store GitHub Actions objects in global scope - yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Load mcp-scripts log parser script from external file using require() - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/parse_mcp_scripts_logs.cjs") + ");\n") yaml.WriteString(" await main();\n") } @@ -83,10 +83,10 @@ func (c *Compiler) generateMCPGatewayLogParsing(yaml *strings.Builder) { yaml.WriteString(" script: |\n") // Use the setup_globals helper to store GitHub Actions objects in global scope - yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Load MCP gateway log parser script from external file using require() - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/parse_mcp_gateway_log.cjs") + ");\n") yaml.WriteString(" await main();\n") } 
@@ -108,7 +108,7 @@ func (c *Compiler) generateStopMCPGateway(yaml *strings.Builder, data *WorkflowD yaml.WriteString(" GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }}\n") yaml.WriteString(" run: |\n") - yaml.WriteString(" bash /opt/gh-aw/actions/stop_mcp_gateway.sh \"$GATEWAY_PID\"\n") + yaml.WriteString(" bash " + GhAwHome + "/actions/stop_mcp_gateway.sh \"$GATEWAY_PID\"\n") } // generateAgentStepSummaryAppend generates a step that appends the agent's GITHUB_STEP_SUMMARY @@ -120,5 +120,5 @@ func (c *Compiler) generateAgentStepSummaryAppend(yaml *strings.Builder) { yaml.WriteString(" - name: Append agent step summary\n") yaml.WriteString(" if: always()\n") - yaml.WriteString(" run: bash /opt/gh-aw/actions/append_agent_step_summary.sh\n") + yaml.WriteString(" run: bash " + GhAwHome + "/actions/append_agent_step_summary.sh\n") } diff --git a/pkg/workflow/compiler_yaml_helpers.go b/pkg/workflow/compiler_yaml_helpers.go index eb46b1226a8..b41df747950 100644 --- a/pkg/workflow/compiler_yaml_helpers.go +++ b/pkg/workflow/compiler_yaml_helpers.go 
@@ -133,11 +133,11 @@ func generatePlaceholderSubstitutionStep(yaml *strings.Builder, expressionMappin yaml.WriteString(indent + " script: |\n") // Use setup_globals helper to make GitHub Actions objects available globally - yaml.WriteString(indent + " const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + yaml.WriteString(indent + " const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(indent + " setupGlobals(core, github, context, exec, io);\n") yaml.WriteString(indent + " \n") // Use require() to load script from copied files - yaml.WriteString(indent + " const substitutePlaceholders = require('" + SetupActionDestination + "/substitute_placeholders.cjs');\n") + yaml.WriteString(indent + " const substitutePlaceholders = require(" + JsRequireGhAw("actions/substitute_placeholders.cjs") + ");\n") yaml.WriteString(indent + " \n") yaml.WriteString(indent + " // Call the substitution function\n") yaml.WriteString(indent + " return await substitutePlaceholders({\n") @@ -226,9 +226,9 @@ func generateGitHubScriptWithRequire(scriptPath string) string { var script strings.Builder // Use the setup_globals helper to store GitHub Actions objects in global scope - script.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + script.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") script.WriteString(" setupGlobals(core, github, context, exec, io);\n") - script.WriteString(" const { main } = require('" + SetupActionDestination + "/" + scriptPath + "');\n") + script.WriteString(" const { main } = require(" + JsRequireGhAw("actions/"+scriptPath) + ");\n") script.WriteString(" await main();\n") return script.String() diff --git a/pkg/workflow/compiler_yaml_main_job.go b/pkg/workflow/compiler_yaml_main_job.go index 269662c4952..d0c3a579f8a 100644 --- a/pkg/workflow/compiler_yaml_main_job.go 
+++ b/pkg/workflow/compiler_yaml_main_job.go @@ -107,9 +107,9 @@ func (c *Compiler) generateMainJobSteps(yaml *strings.Builder, data *WorkflowDat yaml.WriteString(" with:\n") yaml.WriteString(" script: |\n") - yaml.WriteString(" const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/merge_remote_agent_github_folder.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/merge_remote_agent_github_folder.cjs") + ");\n") yaml.WriteString(" await main();\n") } @@ -168,7 +168,11 @@ func (c *Compiler) generateMainJobSteps(yaml *strings.Builder, data *WorkflowDat // Create /tmp/gh-aw/ base directory for all temporary files // This must be created before custom steps so they can use the temp directory yaml.WriteString(" - name: Create gh-aw temp directory\n") - yaml.WriteString(" run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh\n") + yaml.WriteString(" run: |\n") + yaml.WriteString(" bash " + GhAwHome + "/actions/create_gh_aw_tmp_dir.sh\n") + yaml.WriteString(" echo \"GH_AW_SAFE_OUTPUTS=" + GhAwHome + "/safeoutputs/outputs.jsonl\" >> \"$GITHUB_ENV\"\n") + yaml.WriteString(" echo \"GH_AW_SAFE_OUTPUTS_CONFIG_PATH=" + GhAwHome + "/safeoutputs/config.json\" >> \"$GITHUB_ENV\"\n") + yaml.WriteString(" echo \"GH_AW_SAFE_OUTPUTS_TOOLS_PATH=" + GhAwHome + "/safeoutputs/tools.json\" >> \"$GITHUB_ENV\"\n") // Add custom steps if present if data.CustomSteps != "" { diff --git a/pkg/workflow/compiler_yaml_main_job_test.go b/pkg/workflow/compiler_yaml_main_job_test.go index 62fcc97b3fd..b6d376ec02b 100644 --- a/pkg/workflow/compiler_yaml_main_job_test.go +++ b/pkg/workflow/compiler_yaml_main_job_test.go 
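Review bot: The new `echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/..." >> "$GITHUB_ENV"` lines in the "Create gh-aw temp directory" step write whatever GH_AW_HOME holds into the environment of every later step without checking it. An empty value yields paths like `/safeoutputs/outputs.jsonl` at the filesystem root, and a value containing a newline would add extra entries to `$GITHUB_ENV`. A guard as the first line of the `run: |` block makes the step fail fast instead: `: "${GH_AW_HOME:?GH_AW_HOME is not set}"`. The step name also no longer describes what it does. Either rename it or add a comment saying it exports the safe-outputs paths.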
@@ -558,7 +558,7 @@ func TestGenerateMainJobSteps(t *testing.T) { "- name: Checkout repository", "persist-credentials: false", "- name: Create gh-aw temp directory", - "run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh", + "bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh", }, shouldError: false, }, diff --git a/pkg/workflow/copilot_engine_execution.go b/pkg/workflow/copilot_engine_execution.go index 73219e35c38..da82af3ed92 100644 --- a/pkg/workflow/copilot_engine_execution.go +++ b/pkg/workflow/copilot_engine_execution.go @@ -388,7 +388,7 @@ func generateInferenceAccessErrorDetectionStep() GitHubActionStep { step = append(step, " id: detect-inference-error") step = append(step, " if: always()") step = append(step, " continue-on-error: true") - step = append(step, " run: bash /opt/gh-aw/actions/detect_inference_access_error.sh") + step = append(step, " run: bash "+GhAwHome+"/actions/detect_inference_access_error.sh") return GitHubActionStep(step) } diff --git a/pkg/workflow/copilot_engine_installation.go b/pkg/workflow/copilot_engine_installation.go index 7912df72050..b08957c0a0e 100644 --- a/pkg/workflow/copilot_engine_installation.go +++ b/pkg/workflow/copilot_engine_installation.go @@ -161,7 +161,7 @@ func generateAWFInstallationStep(version string, agentConfig *AgentSandboxConfig stepLines := []string{ " - name: Install awf binary", - " run: bash /opt/gh-aw/actions/install_awf_binary.sh " + version, + " run: bash " + GhAwHome + "/actions/install_awf_binary.sh " + version, } return GitHubActionStep(stepLines) diff --git a/pkg/workflow/copilot_installer.go b/pkg/workflow/copilot_installer.go index 451a190aa43..6c110c4dc12 100644 --- a/pkg/workflow/copilot_installer.go +++ b/pkg/workflow/copilot_installer.go 
@@ -22,7 +22,7 @@ func GenerateCopilotInstallerSteps(version, stepName string) []GitHubActionStep // This script includes retry logic for robustness against transient network failures stepLines := []string{ " - name: " + stepName, - " run: /opt/gh-aw/actions/install_copilot_cli.sh " + version, + " run: " + GhAwHome + "/actions/install_copilot_cli.sh " + version, } return []GitHubActionStep{GitHubActionStep(stepLines)} diff --git a/pkg/workflow/copilot_installer_test.go b/pkg/workflow/copilot_installer_test.go index d86da61a189..b1292c10a94 100644 --- a/pkg/workflow/copilot_installer_test.go +++ b/pkg/workflow/copilot_installer_test.go @@ -24,7 +24,7 @@ func TestGenerateCopilotInstallerSteps(t *testing.T) { stepName: "Install GitHub Copilot CLI", expectedVersion: "0.0.369", shouldContain: []string{ - "/opt/gh-aw/actions/install_copilot_cli.sh 0.0.369", + "${GH_AW_HOME}/actions/install_copilot_cli.sh 0.0.369", "name: Install GitHub Copilot CLI", }, shouldNotContain: []string{ @@ -37,7 +37,7 @@ func TestGenerateCopilotInstallerSteps(t *testing.T) { stepName: "Install GitHub Copilot CLI", expectedVersion: "v0.0.370", shouldContain: []string{ - "/opt/gh-aw/actions/install_copilot_cli.sh v0.0.370", + "${GH_AW_HOME}/actions/install_copilot_cli.sh v0.0.370", }, shouldNotContain: []string{ "gh.io/copilot-install | sudo bash", @@ -49,7 +49,7 @@ func TestGenerateCopilotInstallerSteps(t *testing.T) { stepName: "Custom Install Step", expectedVersion: "1.2.3", shouldContain: []string{ - "/opt/gh-aw/actions/install_copilot_cli.sh 1.2.3", + "${GH_AW_HOME}/actions/install_copilot_cli.sh 1.2.3", "name: Custom Install Step", }, shouldNotContain: []string{ 
@@ -62,7 +62,7 @@ func TestGenerateCopilotInstallerSteps(t *testing.T) { stepName: "Install GitHub Copilot CLI", expectedVersion: string(constants.DefaultCopilotVersion), // Should use DefaultCopilotVersion shouldContain: []string{ - "/opt/gh-aw/actions/install_copilot_cli.sh " + string(constants.DefaultCopilotVersion), + "${GH_AW_HOME}/actions/install_copilot_cli.sh " + string(constants.DefaultCopilotVersion), }, shouldNotContain: []string{ "gh.io/copilot-install | sudo bash", @@ -96,7 +96,7 @@ func TestGenerateCopilotInstallerSteps(t *testing.T) { } // Verify the version is correctly passed to the install script - expectedVersionLine := "/opt/gh-aw/actions/install_copilot_cli.sh " + tt.expectedVersion + expectedVersionLine := "${GH_AW_HOME}/actions/install_copilot_cli.sh " + tt.expectedVersion if !strings.Contains(stepContent, expectedVersionLine) { t.Errorf("Expected version to be set to '%s', but step content was:\n%s", tt.expectedVersion, stepContent) } @@ -133,7 +133,7 @@ func TestCopilotInstallerCustomVersion(t *testing.T) { } // Should contain the custom version - expectedVersionLine := "/opt/gh-aw/actions/install_copilot_cli.sh " + customVersion + expectedVersionLine := "${GH_AW_HOME}/actions/install_copilot_cli.sh " + customVersion if !strings.Contains(installStep, expectedVersionLine) { t.Errorf("Expected custom version %s in install step, got:\n%s", customVersion, installStep) } diff --git a/pkg/workflow/detection_success_test.go b/pkg/workflow/detection_success_test.go index b10ca9bc00c..4ad9631fa09 100644 --- a/pkg/workflow/detection_success_test.go +++ b/pkg/workflow/detection_success_test.go 
@@ -69,7 +69,7 @@ Create an issue. } // Check that the script uses require to load the parse_threat_detection_results.cjs file - if !strings.Contains(agentSection, "require('/opt/gh-aw/actions/parse_threat_detection_results.cjs')") { + if !strings.Contains(agentSection, "require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs')") { t.Error("Parse results step doesn't use require to load parse_threat_detection_results.cjs") } diff --git a/pkg/workflow/docker.go b/pkg/workflow/docker.go index 6a4339fb6e1..f8f7df08e48 100644 --- a/pkg/workflow/docker.go +++ b/pkg/workflow/docker.go @@ -184,7 +184,7 @@ func generateDownloadDockerImagesStep(yaml *strings.Builder, dockerImages []stri } yaml.WriteString(" - name: Download container images\n") - yaml.WriteString(" run: bash /opt/gh-aw/actions/download_docker_images.sh") + yaml.WriteString(" run: bash " + GhAwHome + "/actions/download_docker_images.sh") for _, image := range dockerImages { fmt.Fprintf(yaml, " %s", image) } diff --git a/pkg/workflow/docker_predownload_test.go b/pkg/workflow/docker_predownload_test.go index 1f5c223ff2a..a3f08de4e85 100644 --- a/pkg/workflow/docker_predownload_test.go +++ b/pkg/workflow/docker_predownload_test.go @@ -166,8 +166,8 @@ Test workflow with both GitHub and Serena tools.`, // If we expect a step, verify the images are present if tt.expectStep { // Verify the script call is present - if !strings.Contains(string(yaml), "bash /opt/gh-aw/actions/download_docker_images.sh") { - t.Error("Expected to find 'bash /opt/gh-aw/actions/download_docker_images.sh' script call in generated YAML") + if !strings.Contains(string(yaml), "bash ${GH_AW_HOME}/actions/download_docker_images.sh") { + t.Error("Expected to find 'bash ${GH_AW_HOME}/actions/download_docker_images.sh' script call in generated YAML") } for _, expectedImage := range tt.expectedImages { // Check that the image is being passed as an argument to the script 
diff --git a/pkg/workflow/engine_helpers_shared_test.go b/pkg/workflow/engine_helpers_shared_test.go index 09d58de7e16..ab687f24ebc 100644 --- a/pkg/workflow/engine_helpers_shared_test.go +++ b/pkg/workflow/engine_helpers_shared_test.go @@ -389,7 +389,7 @@ func TestRenderJSONMCPConfig(t *testing.T) { }, }, expectedContent: []string{ - "cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh", + "cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh", "\"mcpServers\": {", "\"github\": { \"test\": true },", "\"playwright\": { \"test\": true }", @@ -426,7 +426,7 @@ func TestRenderJSONMCPConfig(t *testing.T) { }, }, expectedContent: []string{ - "cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh", + "cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh", "\"github\": { \"filtered\": true }", }, unexpectedContent: []string{ diff --git a/pkg/workflow/engine_includes_test.go b/pkg/workflow/engine_includes_test.go index b2889bd0cae..f25928878f2 100644 --- a/pkg/workflow/engine_includes_test.go +++ b/pkg/workflow/engine_includes_test.go @@ -251,7 +251,7 @@ This should use the default engine. lockStr := string(lockContent) // Should contain references to copilot CLI (default engine) using install script wrapper - if !strings.Contains(lockStr, "/opt/gh-aw/actions/install_copilot_cli.sh") { + if !strings.Contains(lockStr, "${GH_AW_HOME}/actions/install_copilot_cli.sh") { t.Error("Expected lock file to contain copilot CLI installation using install script wrapper") } diff --git a/pkg/workflow/firewall_version_pinning_test.go b/pkg/workflow/firewall_version_pinning_test.go index ba06e940f0a..b1b8f382fa8 100644 --- a/pkg/workflow/firewall_version_pinning_test.go +++ b/pkg/workflow/firewall_version_pinning_test.go 
@@ -28,7 +28,7 @@ func TestAWFInstallationStepDefaultVersion(t *testing.T) { } // Verify it uses the script from /opt/gh-aw/actions/ - if !strings.Contains(stepStr, "/opt/gh-aw/actions/install_awf_binary.sh") { + if !strings.Contains(stepStr, "${GH_AW_HOME}/actions/install_awf_binary.sh") { t.Error("Expected to call script from /opt/gh-aw/actions/ directory") } diff --git a/pkg/workflow/git_config_test.go b/pkg/workflow/git_config_test.go index 213b296875b..393cba781ef 100644 --- a/pkg/workflow/git_config_test.go +++ b/pkg/workflow/git_config_test.go @@ -201,7 +201,7 @@ func TestGitCredentialsCleanerStepsHelper(t *testing.T) { // Verify the content of the steps expectedContents := []string{ "Clean git credentials", - "run: bash /opt/gh-aw/actions/clean_git_credentials.sh", + "run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh", } fullContent := strings.Join(steps, "") diff --git a/pkg/workflow/git_configuration_steps.go b/pkg/workflow/git_configuration_steps.go index 863492bd8b3..277fa832baf 100644 --- a/pkg/workflow/git_configuration_steps.go +++ b/pkg/workflow/git_configuration_steps.go @@ -72,6 +72,6 @@ func getGitIdentityEnvVars() map[string]string { func (c *Compiler) generateGitCredentialsCleanerStep() []string { return []string{ " - name: Clean git credentials\n", - " run: bash /opt/gh-aw/actions/clean_git_credentials.sh\n", + " run: bash " + GhAwHome + "/actions/clean_git_credentials.sh\n", } } diff --git a/pkg/workflow/importable_tools_test.go b/pkg/workflow/importable_tools_test.go index d1bc8396b65..efddba5d788 100644 --- a/pkg/workflow/importable_tools_test.go +++ b/pkg/workflow/importable_tools_test.go 
@@ -240,7 +240,7 @@ Uses imported agentic-workflows tool. } // Verify binary mounts are NOT present in dev mode - if strings.Contains(workflowData, `/opt/gh-aw:/opt/gh-aw:ro`) { + if strings.Contains(workflowData, `\${GH_AW_HOME:-/opt/gh-aw}:\${GH_AW_HOME:-/opt/gh-aw}:ro`) { t.Error("Did not expect /opt/gh-aw mount in dev mode (binary is in image)") } diff --git a/pkg/workflow/inference_access_error_test.go b/pkg/workflow/inference_access_error_test.go index 64385ab64fa..c67b1157383 100644 --- a/pkg/workflow/inference_access_error_test.go +++ b/pkg/workflow/inference_access_error_test.go @@ -49,7 +49,7 @@ Test workflow` } // Check that the detection step calls the shell script - if !strings.Contains(lockStr, "bash /opt/gh-aw/actions/detect_inference_access_error.sh") { + if !strings.Contains(lockStr, "bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh") { t.Error("Expected detect-inference-error step to call detect_inference_access_error.sh") } diff --git a/pkg/workflow/main_job_env_test.go b/pkg/workflow/main_job_env_test.go index db8144ac82e..65cff4dedf8 100644 --- a/pkg/workflow/main_job_env_test.go +++ b/pkg/workflow/main_job_env_test.go @@ -21,12 +21,15 @@ func TestMainJobEnvironmentVariables(t *testing.T) { shouldHaveEnv bool }{ { - name: "No safe outputs - no env section", + name: "No safe outputs - GH_AW_HOME always set", frontmatter: map[string]any{ "name": "Test Workflow", "on": "push", }, - shouldHaveEnv: false, + expectedEnvVars: []string{ + "GH_AW_HOME: /opt/gh-aw", + }, + shouldHaveEnv: true, }, { name: "Safe outputs with create-issue", diff --git a/pkg/workflow/maintenance_workflow.go b/pkg/workflow/maintenance_workflow.go index 2eefc97c4d8..fbdec037e9d 100644 --- a/pkg/workflow/maintenance_workflow.go +++ b/pkg/workflow/maintenance_workflow.go @@ -198,6 +198,8 @@ jobs: discussions: write issues: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw steps: `) 
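Review bot: The dev-mode negative check in importable_tools_test.go now matches only the exact escaped form `\${GH_AW_HOME:-/opt/gh-aw}:\${GH_AW_HOME:-/opt/gh-aw}:ro`, so it would pass if a regression reintroduced the literal `/opt/gh-aw:/opt/gh-aw:ro` mount or emitted the variable with different escaping. Since the test is meant to prove the directory is not mounted at all, keep the old literal as a second condition, e.g. `|| strings.Contains(workflowData, "/opt/gh-aw:/opt/gh-aw:ro")`. The error message can stay as it is.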
@@ -224,8 +226,6 @@ jobs: // Add setup step with the resolved action reference yaml.WriteString(` - name: Setup Scripts uses: ` + setupActionRef + ` - with: - destination: /opt/gh-aw/actions - name: Close expired discussions uses: ` + GetActionPin("actions/github-script") + ` @@ -234,9 +234,9 @@ jobs: `) // Add the close expired discussions script using require() - yaml.WriteString(` const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + yaml.WriteString(` const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/close_expired_discussions.cjs'); + const { main } = require(" + JsRequireGhAw("actions/close_expired_discussions.cjs") + "); await main(); - name: Close expired issues @@ -246,9 +246,9 @@ jobs: `) // Add the close expired issues script using require() - yaml.WriteString(` const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + yaml.WriteString(` const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/close_expired_issues.cjs'); + const { main } = require(" + JsRequireGhAw("actions/close_expired_issues.cjs") + "); await main(); - name: Close expired pull requests @@ -258,9 +258,9 @@ jobs: `) // Add the close expired pull requests script using require() - yaml.WriteString(` const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + yaml.WriteString(` const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/close_expired_pull_requests.cjs'); + const { main } = require(" + JsRequireGhAw("actions/close_expired_pull_requests.cjs") + "); await main(); `) 
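Review bot: The replaced require lines in maintenance_workflow.go sit inside backtick raw string literals, so `require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");` is not Go concatenation. The text `" + JsRequireGhAw(...) + "` is written verbatim into the generated workflow, which is not valid JavaScript. The raw string has to be closed and reopened around the call: ``require(` + JsRequireGhAw("actions/setup_globals.cjs") + `);``, the same way the surrounding code already splices in `GetActionPin(...)`. This affects every require pair changed in this file: close_expired_discussions, close_expired_issues, close_expired_pull_requests, check_team_member, run_operation_update_upgrade, check_workflow_recompile_needed and validate_secrets. A test that compiles the maintenance workflow and asserts on `process.env.GH_AW_HOME + '/actions/` would catch it.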
@@ -273,6 +273,8 @@ jobs: actions: write contents: write pull-requests: write + env: + GH_AW_HOME: /opt/gh-aw steps: - name: Checkout repository uses: ` + GetActionPin("actions/checkout") + ` @@ -281,17 +283,15 @@ jobs: - name: Setup Scripts uses: ` + setupActionRef + ` - with: - destination: /opt/gh-aw/actions - name: Check admin/maintainer permissions uses: ` + GetActionPin("actions/github-script") + ` with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_team_member.cjs'); + const { main } = require(" + JsRequireGhAw("actions/check_team_member.cjs") + "); await main(); `) @@ -306,9 +306,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/run_operation_update_upgrade.cjs'); + const { main } = require(" + JsRequireGhAw("actions/run_operation_update_upgrade.cjs") + "); await main(); `) @@ -324,6 +324,8 @@ jobs: permissions: contents: read issues: write + env: + GH_AW_HOME: /opt/gh-aw steps: `) 
@@ -343,16 +345,14 @@ jobs: - name: Setup Scripts uses: ` + setupActionRef + ` - with: - destination: /opt/gh-aw/actions - name: Check for out-of-sync workflows and create issue if needed uses: ` + GetActionPin("actions/github-script") + ` with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_recompile_needed.cjs'); + const { main } = require(" + JsRequireGhAw("actions/check_workflow_recompile_needed.cjs") + "); await main(); zizmor-scan: @@ -361,6 +361,8 @@ jobs: needs: compile-workflows permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -406,8 +408,6 @@ jobs: - name: Setup Scripts uses: ` + setupActionRef + ` - with: - destination: /opt/gh-aw/actions - name: Validate Secrets uses: ` + GetActionPin("actions/github-script") + ` @@ -425,9 +425,9 @@ jobs: NOTION_API_TOKEN: ${{ secrets.NOTION_API_TOKEN }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/validate_secrets.cjs'); + const { main } = require(" + JsRequireGhAw("actions/validate_secrets.cjs") + "); await main(); - name: Upload secret validation report diff --git a/pkg/workflow/mcp_config_builtin.go b/pkg/workflow/mcp_config_builtin.go index a1dbf157ee2..66b2647a8a8 100644 --- a/pkg/workflow/mcp_config_builtin.go +++ b/pkg/workflow/mcp_config_builtin.go 
@@ -201,7 +201,7 @@ func renderAgenticWorkflowsMCPConfigWithOptions(yaml *strings.Builder, isLast bo // Release mode: Use minimal Alpine image with mounted binaries // The gh-aw binary is mounted from /opt/gh-aw and executed directly // Pass --validate-actor flag to enable role-based access control - entrypoint = "/opt/gh-aw/gh-aw" + entrypoint = GhAwHome + "/gh-aw" entrypointArgs = []string{"mcp-server", "--validate-actor"} // Mount gh-aw binary, gh CLI binary, workspace, and temp directory mounts = []string{constants.DefaultGhAwMount, constants.DefaultGhBinaryMount, constants.DefaultWorkspaceMount, constants.DefaultTmpGhAwMount} diff --git a/pkg/workflow/mcp_config_compilation_test.go b/pkg/workflow/mcp_config_compilation_test.go index abc6cd6c59e..466e97a2627 100644 --- a/pkg/workflow/mcp_config_compilation_test.go +++ b/pkg/workflow/mcp_config_compilation_test.go @@ -487,7 +487,7 @@ This workflow tests that agentic-workflows uses the correct container in dev mod } // Verify binary mounts are NOT present in dev mode - if strings.Contains(string(lockContent), `/opt/gh-aw:/opt/gh-aw:ro`) { + if strings.Contains(string(lockContent), `\${GH_AW_HOME:-/opt/gh-aw}:\${GH_AW_HOME:-/opt/gh-aw}:ro`) { t.Error("Did not expect /opt/gh-aw mount in dev mode (binary is in image)") } if strings.Contains(string(lockContent), `/usr/bin/gh:/usr/bin/gh:ro`) { diff --git a/pkg/workflow/mcp_config_refactor_test.go b/pkg/workflow/mcp_config_refactor_test.go index cfa8bc6df63..95067fb9acf 100644 --- a/pkg/workflow/mcp_config_refactor_test.go +++ b/pkg/workflow/mcp_config_refactor_test.go 
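Review bot: In the `@@ -201,7 +201,7 @@` hunk the entrypoint is now `${GH_AW_HOME}/gh-aw`, unescaped and without a fallback, while the mount on the next lines is `constants.DefaultGhAwMount`, i.e. `\${GH_AW_HOME:-/opt/gh-aw}`, escaped and with a default. If the two are expanded at different stages or GH_AW_HOME is unset where the entrypoint is resolved, the container would be started with `/gh-aw` while the binary is mounted under `/opt/gh-aw`. Giving both the same fallback keeps them in agreement, e.g. `entrypoint = "${GH_AW_HOME:-" + constants.GhAwHomeDefault + "}/gh-aw"`. Failing that, add a comment stating which layer expands each value. The same line appears in `renderAgenticWorkflowsTOML` in mcp_renderer.go (-419); both functions start outside their hunks.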
@@ -115,10 +115,10 @@ func TestRenderAgenticWorkflowsMCPConfigWithOptions(t *testing.T) { }, unexpectedContent: []string{ `--cmd`, - `"entrypoint"`, // Not needed in dev mode - uses container's ENTRYPOINT - `"entrypointArgs"`, // Not needed in dev mode - uses container's CMD - `/opt/gh-aw:/opt/gh-aw:ro`, // Not needed in dev mode - binary is in image - `/usr/bin/gh:/usr/bin/gh:ro`, // Not needed in dev mode - gh CLI is in image + `"entrypoint"`, // Not needed in dev mode - uses container's ENTRYPOINT + `"entrypointArgs"`, // Not needed in dev mode - uses container's CMD + `\${GH_AW_HOME:-/opt/gh-aw}:\${GH_AW_HOME:-/opt/gh-aw}:ro`, // Not needed in dev mode - binary is in image + `/usr/bin/gh:/usr/bin/gh:ro`, // Not needed in dev mode - gh CLI is in image `${{ secrets.`, `"command":`, // Should NOT use command - must use container }, @@ -132,9 +132,9 @@ func TestRenderAgenticWorkflowsMCPConfigWithOptions(t *testing.T) { `"agenticworkflows": {`, `"type": "stdio"`, `"container": "alpine:latest"`, - `"entrypoint": "/opt/gh-aw/gh-aw"`, + `"entrypoint": "${GH_AW_HOME}/gh-aw"`, `"entrypointArgs": ["mcp-server", "--validate-actor"]`, - `"/opt/gh-aw:/opt/gh-aw:ro"`, // gh-aw binary mount (read-only) + `"\${GH_AW_HOME:-/opt/gh-aw}:\${GH_AW_HOME:-/opt/gh-aw}:ro"`, // gh-aw binary mount (read-only) `"/usr/bin/gh:/usr/bin/gh:ro"`, // gh CLI binary mount (read-only) `"\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"`, // workspace mount (read-write) `"/tmp/gh-aw:/tmp/gh-aw:rw"`, // temp directory mount (read-write) 
@@ -171,10 +171,10 @@ func TestRenderAgenticWorkflowsMCPConfigWithOptions(t *testing.T) { `"type"`, `\\${`, `--cmd`, - `"entrypoint"`, // Not needed in dev mode - uses container's ENTRYPOINT - `"entrypointArgs"`, // Not needed in dev mode - uses container's CMD - `/opt/gh-aw:/opt/gh-aw:ro`, // Not needed in dev mode - binary is in image - `/usr/bin/gh:/usr/bin/gh:ro`, // Not needed in dev mode - gh CLI is in image + `"entrypoint"`, // Not needed in dev mode - uses container's ENTRYPOINT + `"entrypointArgs"`, // Not needed in dev mode - uses container's CMD + `\${GH_AW_HOME:-/opt/gh-aw}:\${GH_AW_HOME:-/opt/gh-aw}:ro`, // Not needed in dev mode - binary is in image + `/usr/bin/gh:/usr/bin/gh:ro`, // Not needed in dev mode - gh CLI is in image // Verify GitHub expressions are NOT in the output (security fix) `${{ secrets.`, `"command":`, // Should NOT use command - must use container @@ -231,7 +231,7 @@ func TestRenderSafeOutputsMCPConfigTOML(t *testing.T) { unexpectedContent := []string{ `container = "node:lts-alpine"`, `entrypoint = "node"`, - `entrypointArgs = ["/opt/gh-aw/safeoutputs/mcp-server.cjs"]`, + `entrypointArgs = ["${GH_AW_HOME}/safeoutputs/mcp-server.cjs"]`, `mounts =`, `env_vars =`, `stdio`, @@ -322,10 +322,10 @@ func TestRenderAgenticWorkflowsMCPConfigTOML(t *testing.T) { }, unexpectedContent: []string{ `--cmd`, - `entrypoint =`, // Not needed in dev mode - uses container's ENTRYPOINT - `entrypointArgs =`, // Not needed in dev mode - uses container's CMD - `/opt/gh-aw:/opt/gh-aw:ro`, // Not needed in dev mode - `/usr/bin/gh:/usr/bin/gh:ro`, // Not needed in dev mode + `entrypoint =`, // Not needed in dev mode - uses container's ENTRYPOINT + `entrypointArgs =`, // Not needed in dev mode - uses container's CMD + `\${GH_AW_HOME:-/opt/gh-aw}:\${GH_AW_HOME:-/opt/gh-aw}:ro`, // Not needed in dev mode + `/usr/bin/gh:/usr/bin/gh:ro`, // Not needed in dev mode }, }, { 
@@ -334,12 +334,12 @@ func TestRenderAgenticWorkflowsMCPConfigTOML(t *testing.T) { expectedContainer: `container = "alpine:latest"`, shouldHaveEntrypoint: true, expectedMounts: []string{ - `entrypoint = "/opt/gh-aw/gh-aw"`, // Entrypoint needed in release mode - `entrypointArgs = ["mcp-server", "--validate-actor"]`, // EntrypointArgs needed in release mode with validate-actor flag - `"/opt/gh-aw:/opt/gh-aw:ro"`, // gh-aw binary mount - `"/usr/bin/gh:/usr/bin/gh:ro"`, // gh CLI binary mount - `"\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"`, // workspace mount - `"/tmp/gh-aw:/tmp/gh-aw:rw"`, // temp directory mount + `entrypoint = "${GH_AW_HOME}/gh-aw"`, // Entrypoint needed in release mode + `entrypointArgs = ["mcp-server", "--validate-actor"]`, // EntrypointArgs needed in release mode with validate-actor flag + `"\${GH_AW_HOME:-/opt/gh-aw}:\${GH_AW_HOME:-/opt/gh-aw}:ro"`, // gh-aw binary mount + `"/usr/bin/gh:/usr/bin/gh:ro"`, // gh CLI binary mount + `"\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"`, // workspace mount + `"/tmp/gh-aw:/tmp/gh-aw:rw"`, // temp directory mount }, unexpectedContent: []string{ `--cmd`, diff --git a/pkg/workflow/mcp_github_config.go b/pkg/workflow/mcp_github_config.go index 2ba9965ae2a..7dce01b416f 100644 --- a/pkg/workflow/mcp_github_config.go +++ b/pkg/workflow/mcp_github_config.go @@ -340,7 +340,7 @@ func (c *Compiler) generateGitHubMCPLockdownDetectionStep(yaml *strings.Builder, } yaml.WriteString(" with:\n") yaml.WriteString(" script: |\n") - yaml.WriteString(" const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs');\n") + yaml.WriteString(" const determineAutomaticLockdown = require(" + JsRequireGhAw("actions/determine_automatic_lockdown.cjs") + ");\n") yaml.WriteString(" await determineAutomaticLockdown(github, context, core);\n") } diff --git a/pkg/workflow/mcp_renderer.go b/pkg/workflow/mcp_renderer.go index 327f305147c..89dcd7d38ac 100644 --- a/pkg/workflow/mcp_renderer.go 
+++ b/pkg/workflow/mcp_renderer.go @@ -419,7 +419,7 @@ func (r *MCPConfigRendererUnified) renderAgenticWorkflowsTOML(yaml *strings.Buil mounts = []string{constants.DefaultWorkspaceMount, constants.DefaultTmpGhAwMount} } else { // Release mode: Use minimal Alpine image with mounted binaries - entrypoint = "/opt/gh-aw/gh-aw" + entrypoint = GhAwHome + "/gh-aw" entrypointArgs = []string{"mcp-server", "--validate-actor"} // Mount gh-aw binary, gh CLI binary, workspace, and temp directory mounts = []string{constants.DefaultGhAwMount, constants.DefaultGhBinaryMount, constants.DefaultWorkspaceMount, constants.DefaultTmpGhAwMount} @@ -997,7 +997,7 @@ func RenderJSONMCPConfig( delimiter := GenerateHeredocDelimiter("MCP_CONFIG") // Write the configuration to the YAML output - yaml.WriteString(" cat << " + delimiter + " | bash /opt/gh-aw/actions/start_mcp_gateway.sh\n") + yaml.WriteString(" cat << " + delimiter + " | bash " + GhAwHome + "/actions/start_mcp_gateway.sh\n") yaml.WriteString(generatedConfig) yaml.WriteString(" " + delimiter + "\n") diff --git a/pkg/workflow/mcp_renderer_test.go b/pkg/workflow/mcp_renderer_test.go index 3a6432b6401..0ab988b0bf1 100644 --- a/pkg/workflow/mcp_renderer_test.go +++ b/pkg/workflow/mcp_renderer_test.go @@ -200,7 +200,7 @@ func TestRenderAgenticWorkflowsMCP_JSON_Copilot(t *testing.T) { t.Error("Did not expect entrypointArgs field in dev mode (uses container's CMD)") } // In dev mode, should NOT have binary mounts - if strings.Contains(output, `/opt/gh-aw:/opt/gh-aw:ro`) { + if strings.Contains(output, `\${GH_AW_HOME:-/opt/gh-aw}:\${GH_AW_HOME:-/opt/gh-aw}:ro`) { t.Error("Did not expect /opt/gh-aw mount in dev mode (binary is in image)") } if strings.Contains(output, `/usr/bin/gh:/usr/bin/gh:ro`) { 
@@ -274,7 +274,7 @@ func TestRenderAgenticWorkflowsMCP_TOML(t *testing.T) { t.Error("Did not expect entrypointArgs field in dev mode (uses container's CMD)") } // In dev mode, should NOT have binary mounts - if strings.Contains(output, `/opt/gh-aw:/opt/gh-aw:ro`) { + if strings.Contains(output, `\${GH_AW_HOME:-/opt/gh-aw}:\${GH_AW_HOME:-/opt/gh-aw}:ro`) { t.Error("Did not expect /opt/gh-aw mount in dev mode (binary is in image)") } if strings.Contains(output, `/usr/bin/gh:/usr/bin/gh:ro`) { diff --git a/pkg/workflow/mcp_scripts_generator.go b/pkg/workflow/mcp_scripts_generator.go index b109033d4ec..7734f7cc6b3 100644 --- a/pkg/workflow/mcp_scripts_generator.go +++ b/pkg/workflow/mcp_scripts_generator.go @@ -164,7 +164,7 @@ const apiKey = process.env.GH_AW_MCP_SCRIPTS_API_KEY || ""; startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: ` + GhAwHomeJS + ` + '/mcp-scripts/logs' }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); diff --git a/pkg/workflow/mcp_scripts_generator_test.go b/pkg/workflow/mcp_scripts_generator_test.go index 45de3579500..a57cf9fb946 100644 --- a/pkg/workflow/mcp_scripts_generator_test.go +++ b/pkg/workflow/mcp_scripts_generator_test.go @@ -77,7 +77,7 @@ func TestGenerateMCPScriptsMCPServerScript(t *testing.T) { t.Error("Script should reference tools.json configuration file") } - if !strings.Contains(script, "/opt/gh-aw/mcp-scripts/logs") { + if !strings.Contains(script, "mcp-scripts/logs") { t.Error("Script should specify log directory") } diff --git a/pkg/workflow/mcp_scripts_mode_test.go b/pkg/workflow/mcp_scripts_mode_test.go index 832550141c8..7f3472975b2 100644 --- a/pkg/workflow/mcp_scripts_mode_test.go +++ b/pkg/workflow/mcp_scripts_mode_test.go 
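Review bot: The assertion in the mcp_scripts_generator_test.go `@@ -77,7 +77,7 @@` hunk was loosened to the substring `mcp-scripts/logs`, which no longer verifies that the log directory is rooted at GH_AW_HOME. It would still pass if the generator emitted a relative or hard-coded path. Matching the expression the generator now writes is stricter: ``strings.Contains(script, `process.env.GH_AW_HOME + '/mcp-scripts/logs'`)``. The generated script in the `@@ -164,7 +164,7 @@` hunk also yields `undefined/mcp-scripts/logs` when the variable is missing from the server's environment, so a short comment there naming GH_AW_HOME as required would help.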
@@ -117,7 +117,7 @@ Test mcp-scripts HTTP mode // extractMCPServerEntryPoint extracts the mcp-server.cjs entry point script from the YAML func extractMCPServerEntryPoint(yamlStr string) string { // Find the mcp-server.cjs section - start := strings.Index(yamlStr, "cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs") + start := strings.Index(yamlStr, "cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs") if start == -1 { return "" } diff --git a/pkg/workflow/mcp_scripts_parser.go b/pkg/workflow/mcp_scripts_parser.go index cfdf94b49ec..d9d26a4504a 100644 --- a/pkg/workflow/mcp_scripts_parser.go +++ b/pkg/workflow/mcp_scripts_parser.go @@ -52,7 +52,7 @@ const ( ) // MCPScriptsDirectory is the directory where mcp-scripts files are generated -const MCPScriptsDirectory = "/opt/gh-aw/mcp-scripts" +const MCPScriptsDirectory = GhAwHome + "/mcp-scripts" // HasMCPScripts checks if mcp-scripts are configured func HasMCPScripts(mcpScripts *MCPScriptsConfig) bool { diff --git a/pkg/workflow/mcp_setup_generator.go b/pkg/workflow/mcp_setup_generator.go index fdc53a72ff1..688080abcf2 100644 --- a/pkg/workflow/mcp_setup_generator.go +++ b/pkg/workflow/mcp_setup_generator.go 
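Review bot: `MCPScriptsDirectory` in the mcp_scripts_parser.go `@@ -52,7 +52,7 @@` hunk changes from an absolute path to the shell expression `${GH_AW_HOME}/mcp-scripts`, but its doc comment still describes it as a directory. Any Go-side use of the constant as a real path (joining, stat, or writing it into a non-shell YAML field) would now operate on the literal `${GH_AW_HOME}` text; callers are not visible in this diff. The comment should say so, e.g. `// MCPScriptsDirectory is a shell expression expanded at runtime; it is only valid inside bash run: steps.`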
@@ -177,13 +177,13 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, yaml.WriteString(" gh extension install github/gh-aw\n") yaml.WriteString(" fi\n") yaml.WriteString(" gh aw --version\n") - yaml.WriteString(" # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization\n") - yaml.WriteString(" mkdir -p /opt/gh-aw\n") + yaml.WriteString(" # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization\n") + yaml.WriteString(" mkdir -p " + GhAwHome + "\n") yaml.WriteString(" GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1)\n") yaml.WriteString(" if [ -n \"$GH_AW_BIN\" ] && [ -f \"$GH_AW_BIN\" ]; then\n") - yaml.WriteString(" cp \"$GH_AW_BIN\" /opt/gh-aw/gh-aw\n") - yaml.WriteString(" chmod +x /opt/gh-aw/gh-aw\n") - yaml.WriteString(" echo \"Copied gh-aw binary to /opt/gh-aw/gh-aw\"\n") + yaml.WriteString(" cp \"$GH_AW_BIN\" " + GhAwHome + "/gh-aw\n") + yaml.WriteString(" chmod +x " + GhAwHome + "/gh-aw\n") + yaml.WriteString(" echo \"Copied gh-aw binary to " + GhAwHome + "/gh-aw\"\n") yaml.WriteString(" else\n") yaml.WriteString(" echo \"::error::Failed to find gh-aw binary for MCP server\"\n") yaml.WriteString(" exit 1\n") 
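Review bot: The shell lines generated in the `@@ -177,13 +177,13 @@` hunk expand `${GH_AW_HOME}` unquoted, so the emitted script reads `mkdir -p ${GH_AW_HOME}` and `cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw`. With the path now configurable per runner, a value containing spaces is word-split, and an empty or unset value makes the copy and `chmod +x` target `/gh-aw` at the filesystem root. The generated commands should be quoted and should fail when the variable is empty, e.g. `mkdir -p "${GH_AW_HOME:?}"` and `cp "$GH_AW_BIN" "${GH_AW_HOME}/gh-aw"`. The same unquoted form is used for the `cat > … <<` redirections, `mkdir -p`, `chmod +x` and `bash …` lines in the -195, -215, -241, -295, -305, -319, -341, -350 and -430 hunks of this file. `generateMCPSetup` starts and ends outside these hunks.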
@@ -195,14 +195,14 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // Step 1: Write config files (config.json, tools.json, validation.json) yaml.WriteString(" - name: Write Safe Outputs Config\n") yaml.WriteString(" run: |\n") - yaml.WriteString(" mkdir -p /opt/gh-aw/safeoutputs\n") + yaml.WriteString(" mkdir -p " + GhAwHome + "/safeoutputs\n") yaml.WriteString(" mkdir -p /tmp/gh-aw/safeoutputs\n") yaml.WriteString(" mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs\n") // Write the safe-outputs configuration to config.json delimiter := GenerateHeredocDelimiter("SAFE_OUTPUTS_CONFIG") if safeOutputConfig != "" { - yaml.WriteString(" cat > /opt/gh-aw/safeoutputs/config.json << '" + delimiter + "'\n") + yaml.WriteString(" cat > " + GhAwHome + "/safeoutputs/config.json << '" + delimiter + "'\n") yaml.WriteString(" " + safeOutputConfig + "\n") yaml.WriteString(" " + delimiter + "\n") } @@ -215,7 +215,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, filteredToolsJSON = "[]" } toolsDelimiter := GenerateHeredocDelimiter("SAFE_OUTPUTS_TOOLS") - yaml.WriteString(" cat > /opt/gh-aw/safeoutputs/tools.json << '" + toolsDelimiter + "'\n") + yaml.WriteString(" cat > " + GhAwHome + "/safeoutputs/tools.json << '" + toolsDelimiter + "'\n") // Write each line of the indented JSON with proper YAML indentation for line := range strings.SplitSeq(filteredToolsJSON, "\n") { yaml.WriteString(" " + line + "\n") 
@@ -241,7 +241,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, validationConfigJSON = "{}" } validationDelimiter := GenerateHeredocDelimiter("SAFE_OUTPUTS_VALIDATION") - yaml.WriteString(" cat > /opt/gh-aw/safeoutputs/validation.json << '" + validationDelimiter + "'\n") + yaml.WriteString(" cat > " + GhAwHome + "/safeoutputs/validation.json << '" + validationDelimiter + "'\n") // Write each line of the indented JSON with proper YAML indentation for line := range strings.SplitSeq(validationConfigJSON, "\n") { yaml.WriteString(" " + line + "\n") @@ -280,8 +280,8 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, yaml.WriteString(" DEBUG: '*'\n") yaml.WriteString(" GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}\n") yaml.WriteString(" GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}\n") - yaml.WriteString(" GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json\n") - yaml.WriteString(" GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json\n") + yaml.WriteString(" GH_AW_SAFE_OUTPUTS_TOOLS_PATH: " + GhAwHome + "/safeoutputs/tools.json\n") + yaml.WriteString(" GH_AW_SAFE_OUTPUTS_CONFIG_PATH: " + GhAwHome + "/safeoutputs/config.json\n") yaml.WriteString(" GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs\n") yaml.WriteString(" run: |\n") @@ -295,7 +295,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, yaml.WriteString(" \n") // Call the bundled shell script to start the server - yaml.WriteString(" bash /opt/gh-aw/actions/start_safe_outputs_server.sh\n") + yaml.WriteString(" bash " + GhAwHome + "/actions/start_safe_outputs_server.sh\n") yaml.WriteString(" \n") } 
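Review bot: The two `GH_AW_SAFE_OUTPUTS_*_PATH` entries changed in the `@@ -280,8 +280,8 @@` hunk are written alongside `DEBUG: '*'` and the `${{ steps… }}` values, ahead of `run: |`, which places them in the step's `env:` mapping. GitHub Actions does not pass `env:` values through a shell, so the server would receive the literal string `${GH_AW_HOME}/safeoutputs/tools.json` rather than a resolved path. The doc comment on `GhAwHome` restricts it to bash `run:` contexts. Use an Actions expression here instead, for example `GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json` (and likewise for `..._CONFIG_PATH`), or export both variables inside the `run:` script.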
@@ -305,12 +305,12 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // Step 1: Write config files (JavaScript files are now copied by actions/setup) yaml.WriteString(" - name: Setup MCP Scripts Config\n") yaml.WriteString(" run: |\n") - yaml.WriteString(" mkdir -p /opt/gh-aw/mcp-scripts/logs\n") + yaml.WriteString(" mkdir -p " + GhAwHome + "/mcp-scripts/logs\n") // Generate the tools.json configuration file toolsJSON := generateMCPScriptsToolsConfig(workflowData.MCPScripts) toolsDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_TOOLS") - yaml.WriteString(" cat > /opt/gh-aw/mcp-scripts/tools.json << '" + toolsDelimiter + "'\n") + yaml.WriteString(" cat > " + GhAwHome + "/mcp-scripts/tools.json << '" + toolsDelimiter + "'\n") for line := range strings.SplitSeq(toolsJSON, "\n") { yaml.WriteString(" " + line + "\n") } @@ -319,12 +319,12 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // Generate the MCP server entry point mcpScriptsMCPServer := generateMCPScriptsMCPServerScript(workflowData.MCPScripts) serverDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_SERVER") - yaml.WriteString(" cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << '" + serverDelimiter + "'\n") + yaml.WriteString(" cat > " + GhAwHome + "/mcp-scripts/mcp-server.cjs << '" + serverDelimiter + "'\n") for _, line := range FormatJavaScriptForYAML(mcpScriptsMCPServer) { yaml.WriteString(line) } yaml.WriteString(" " + serverDelimiter + "\n") - yaml.WriteString(" chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs\n") + yaml.WriteString(" chmod +x " + GhAwHome + "/mcp-scripts/mcp-server.cjs\n") yaml.WriteString(" \n") // Step 2: Generate tool files (js/py/sh) 
@@ -341,7 +341,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // JavaScript tool toolScript := generateMCPScriptJavaScriptToolScript(toolConfig) jsDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_JS_" + strings.ToUpper(toolName)) - fmt.Fprintf(yaml, " cat > /opt/gh-aw/mcp-scripts/%s.cjs << '%s'\n", toolName, jsDelimiter) + fmt.Fprintf(yaml, " cat > "+GhAwHome+"/mcp-scripts/%s.cjs << '%s'\n", toolName, jsDelimiter) for _, line := range FormatJavaScriptForYAML(toolScript) { yaml.WriteString(line) } 
@@ -350,27 +350,27 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // Shell script tool toolScript := generateMCPScriptShellToolScript(toolConfig) shDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_SH_" + strings.ToUpper(toolName)) - fmt.Fprintf(yaml, " cat > /opt/gh-aw/mcp-scripts/%s.sh << '%s'\n", toolName, shDelimiter) + fmt.Fprintf(yaml, " cat > "+GhAwHome+"/mcp-scripts/%s.sh << '%s'\n", toolName, shDelimiter) for line := range strings.SplitSeq(toolScript, "\n") { yaml.WriteString(" " + line + "\n") } fmt.Fprintf(yaml, " %s\n", shDelimiter) - fmt.Fprintf(yaml, " chmod +x /opt/gh-aw/mcp-scripts/%s.sh\n", toolName) + fmt.Fprintf(yaml, " chmod +x "+GhAwHome+"/mcp-scripts/%s.sh\n", toolName) } else if toolConfig.Py != "" { // Python script tool toolScript := generateMCPScriptPythonToolScript(toolConfig) pyDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_PY_" + strings.ToUpper(toolName)) - fmt.Fprintf(yaml, " cat > /opt/gh-aw/mcp-scripts/%s.py << '%s'\n", toolName, pyDelimiter) + fmt.Fprintf(yaml, " cat > "+GhAwHome+"/mcp-scripts/%s.py << '%s'\n", toolName, pyDelimiter) for line := range strings.SplitSeq(toolScript, "\n") { yaml.WriteString(" " + line + "\n") } fmt.Fprintf(yaml, " %s\n", pyDelimiter) - fmt.Fprintf(yaml, " chmod +x /opt/gh-aw/mcp-scripts/%s.py\n", toolName) + fmt.Fprintf(yaml, " chmod +x "+GhAwHome+"/mcp-scripts/%s.py\n", toolName) } else if toolConfig.Go != "" { // Go script tool toolScript := generateMCPScriptGoToolScript(toolConfig) goDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_GO_" + strings.ToUpper(toolName)) - fmt.Fprintf(yaml, " cat > /opt/gh-aw/mcp-scripts/%s.go << '%s'\n", toolName, goDelimiter) + fmt.Fprintf(yaml, " cat > "+GhAwHome+"/mcp-scripts/%s.go << '%s'\n", toolName, goDelimiter) for line := range strings.SplitSeq(toolScript, "\n") { yaml.WriteString(" " + line + "\n") } 
@@ -430,7 +430,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, yaml.WriteString(" \n") // Call the bundled shell script to start the server - yaml.WriteString(" bash /opt/gh-aw/actions/start_mcp_scripts_server.sh\n") + yaml.WriteString(" bash " + GhAwHome + "/actions/start_mcp_scripts_server.sh\n") yaml.WriteString(" \n") } diff --git a/pkg/workflow/notify_comment.go b/pkg/workflow/notify_comment.go index b0847e26227..b51eeffa25b 100644 --- a/pkg/workflow/notify_comment.go +++ b/pkg/workflow/notify_comment.go @@ -111,7 +111,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa StepID: "missing_tool", MainJobName: mainJobName, CustomEnvVars: missingToolEnvVars, - Script: "const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main();", + Script: "const { main } = require(" + JsRequireGhAw("actions/missing_tool.cjs") + "); await main();", ScriptFile: "missing_tool.cjs", CustomToken: data.SafeOutputs.MissingTool.GitHubToken, }) @@ -209,7 +209,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa StepID: "handle_agent_failure", MainJobName: mainJobName, CustomEnvVars: agentFailureEnvVars, - Script: "const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); await main();", + Script: "const { main } = require(" + JsRequireGhAw("actions/handle_agent_failure.cjs") + "); await main();", ScriptFile: "handle_agent_failure.cjs", CustomToken: "", // Will use default GITHUB_TOKEN }) 
@@ -239,7 +239,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa StepID: "handle_noop_message", MainJobName: mainJobName, CustomEnvVars: noopMessageEnvVars, - Script: "const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); await main();", + Script: "const { main } = require(" + JsRequireGhAw("actions/handle_noop_message.cjs") + "); await main();", ScriptFile: "handle_noop_message.cjs", CustomToken: "", // Will use default GITHUB_TOKEN }) @@ -260,7 +260,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa StepID: "handle_create_pr_error", MainJobName: mainJobName, CustomEnvVars: createPRErrorEnvVars, - Script: "const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); await main();", + Script: "const { main } = require(" + JsRequireGhAw("actions/handle_create_pr_error.cjs") + "); await main();", ScriptFile: "handle_create_pr_error.cjs", CustomToken: "", // Will use default GITHUB_TOKEN }) @@ -409,6 +409,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa RunsOn: c.formatSafeOutputsRunsOn(data.SafeOutputs), Permissions: permissions.RenderToYAML(), Concurrency: concurrency, + Env: map[string]string{"GH_AW_HOME": constants.GhAwHomeDefault}, Steps: steps, Needs: needs, Outputs: outputs, diff --git a/pkg/workflow/pr.go b/pkg/workflow/pr.go index 32d1f63bc07..0802b70c2d7 100644 --- a/pkg/workflow/pr.go +++ b/pkg/workflow/pr.go 
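Review bot: `Env: map[string]string{"GH_AW_HOME": constants.GhAwHomeDefault}` in the `@@ -409,6 +409,7 @@` hunk pins the conclusion job to `/opt/gh-aw`. A job-level `env:` entry takes precedence over a variable of the same name in the runner's own environment, so as far as this diff shows a self-hosted runner cannot supply a different location. If the override is meant to arrive in a later patch, a comment such as `// GH_AW_HOME is fixed to the default here; runner-specific values are not yet honoured` would make that explicit. The identical map literal is repeated in repo_memory.go (-755) and safe_jobs.go (-167), and as raw YAML in maintenance_workflow.go, so a single shared helper would keep the jobs consistent. `buildConclusionJob` starts outside this hunk.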
@@ -66,16 +66,16 @@ func (c *Compiler) generatePRReadyForReviewCheckout(yaml *strings.Builder, data if useRequire { // Use require() to load script from copied files using setup_globals helper - yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") - yaml.WriteString(" const { main } = require('" + SetupActionDestination + "/checkout_pr_branch.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/checkout_pr_branch.cjs") + ");\n") yaml.WriteString(" await main();\n") } else { // Inline JavaScript: Attach GitHub Actions builtin objects to global scope before script execution - yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Add the JavaScript for checking out the PR branch - WriteJavaScriptToYAML(yaml, "const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main();") + WriteJavaScriptToYAML(yaml, "const { main } = require("+JsRequireGhAw("actions/checkout_pr_branch.cjs")+"); await main();") } } diff --git a/pkg/workflow/pr_checkout_test.go b/pkg/workflow/pr_checkout_test.go index 22ca2c6d498..497f8ac7f71 100644 --- a/pkg/workflow/pr_checkout_test.go +++ b/pkg/workflow/pr_checkout_test.go 
@@ -207,7 +207,7 @@ Test workflow with permissions but checkout should be conditional. } // Check for PR context prompt using cat command - hasPRPrompt := strings.Contains(lockStr, "cat \"/opt/gh-aw/prompts/pr_context_prompt.md\"") + hasPRPrompt := strings.Contains(lockStr, "cat \"${GH_AW_HOME}/prompts/pr_context_prompt.md\"") if hasPRPrompt != tt.expectPRPrompt { t.Errorf("Expected PR context prompt: %v, got: %v", tt.expectPRPrompt, hasPRPrompt) } @@ -228,7 +228,7 @@ Test workflow with permissions but checkout should be conditional. // If PR prompt is expected, verify the cat command references the correct file if tt.expectPRPrompt { - if !strings.Contains(lockStr, "cat \"/opt/gh-aw/prompts/pr_context_prompt.md\"") { + if !strings.Contains(lockStr, "cat \"${GH_AW_HOME}/prompts/pr_context_prompt.md\"") { t.Error("PR context prompt should reference pr_context_prompt.md file") } } diff --git a/pkg/workflow/prompts_test.go b/pkg/workflow/prompts_test.go index f560c671d4f..115cb4e1edf 100644 --- a/pkg/workflow/prompts_test.go +++ b/pkg/workflow/prompts_test.go @@ -227,8 +227,8 @@ This is a test workflow with cache-memory enabled. } // Test 3: Verify the template file is used (not inline text) - if !strings.Contains(lockStr, "/opt/gh-aw/prompts/cache_memory_prompt.md") { - t.Error("Expected '/opt/gh-aw/prompts/cache_memory_prompt.md' reference in generated workflow") + if !strings.Contains(lockStr, "${GH_AW_HOME}/prompts/cache_memory_prompt.md") { + t.Error("Expected '${GH_AW_HOME}/prompts/cache_memory_prompt.md' reference in generated workflow") } // Test 4: Verify the instruction mentions persistent cache 
@@ -412,7 +412,7 @@ This is a test workflow with playwright enabled. } // Test 2: Verify the cat command for playwright prompt file is included - if !strings.Contains(lockStr, "cat \"/opt/gh-aw/prompts/playwright_prompt.md\"") { + if !strings.Contains(lockStr, "cat \"${GH_AW_HOME}/prompts/playwright_prompt.md\"") { t.Error("Expected cat command for playwright prompt file in generated workflow") } @@ -589,7 +589,7 @@ This is a test workflow with issue_comment trigger. } // Test 2: Verify the cat command for PR context prompt file is included - if !strings.Contains(lockStr, "cat \"/opt/gh-aw/prompts/pr_context_prompt.md\"") { + if !strings.Contains(lockStr, "cat \"${GH_AW_HOME}/prompts/pr_context_prompt.md\"") { t.Error("Expected cat command for PR context prompt file in generated workflow") } diff --git a/pkg/workflow/redact_secrets.go b/pkg/workflow/redact_secrets.go index 95a3e5a1b05..b9485b2c7cf 100644 --- a/pkg/workflow/redact_secrets.go +++ b/pkg/workflow/redact_secrets.go @@ -79,9 +79,9 @@ func (c *Compiler) generateSecretRedactionStep(yaml *strings.Builder, yamlConten // Load redact_secrets script from external file // Use setupGlobals helper to attach GitHub Actions builtin objects to global scope - yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/redact_secrets.cjs") + ");\n") yaml.WriteString(" await main();\n") // Add environment variables diff --git a/pkg/workflow/repo_memory.go b/pkg/workflow/repo_memory.go index 6a41ff415b9..903c47daad8 100644 --- a/pkg/workflow/repo_memory.go +++ b/pkg/workflow/repo_memory.go 
@@ -589,7 +589,7 @@ func generateRepoMemorySteps(builder *strings.Builder, data *WorkflowData) { fmt.Fprintf(builder, " TARGET_REPO: %s\n", targetRepo) fmt.Fprintf(builder, " MEMORY_DIR: %s\n", memoryDir) fmt.Fprintf(builder, " CREATE_ORPHAN: %t\n", memory.CreateOrphan) - builder.WriteString(" run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh\n") + builder.WriteString(" run: bash " + GhAwHome + "/actions/clone_repo_memory_branch.sh\n") } } @@ -709,16 +709,16 @@ func (c *Compiler) buildPushRepoMemoryJob(data *WorkflowData, threatDetectionEna if useRequire { // Use require() to load script from copied files using setup_globals helper - step.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + step.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") step.WriteString(" setupGlobals(core, github, context, exec, io);\n") - step.WriteString(" const { main } = require('" + SetupActionDestination + "/push_repo_memory.cjs');\n") + step.WriteString(" const { main } = require(" + JsRequireGhAw("actions/push_repo_memory.cjs") + ");\n") step.WriteString(" await main();\n") } else { // Inline JavaScript: Attach GitHub Actions builtin objects to global scope before script execution - step.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + step.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") step.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Add the JavaScript script with proper indentation - formattedScript := FormatJavaScriptForYAML("const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main();") + formattedScript := FormatJavaScriptForYAML("const { main } = require(" + JsRequireGhAw("actions/push_repo_memory.cjs") + "); await main();") for _, line := range formattedScript { step.WriteString(line) } 
@@ -755,6 +755,7 @@ func (c *Compiler) buildPushRepoMemoryJob(data *WorkflowData, threatDetectionEna If: jobCondition, Permissions: "permissions:\n contents: write", Concurrency: concurrency, + Env: map[string]string{"GH_AW_HOME": constants.GhAwHomeDefault}, Needs: []string{"agent"}, // Detection dependency added by caller if needed Steps: steps, Outputs: outputs, diff --git a/pkg/workflow/repo_memory_integration_test.go b/pkg/workflow/repo_memory_integration_test.go index 0a977810ff4..c79c634917f 100644 --- a/pkg/workflow/repo_memory_integration_test.go +++ b/pkg/workflow/repo_memory_integration_test.go @@ -243,7 +243,7 @@ This workflow has file validation. } // Check that push_repo_memory.cjs is being required (not inlined) - if !strings.Contains(lockFile, "require('/opt/gh-aw/actions/push_repo_memory.cjs')") { + if !strings.Contains(lockFile, "require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs')") { t.Error("Expected push_repo_memory script to be loaded via require") } @@ -360,7 +360,7 @@ This workflow tests GitHub Enterprise support. } // Check for the shell script that uses GITHUB_SERVER_URL - if !strings.Contains(lockFile, "bash /opt/gh-aw/actions/clone_repo_memory_branch.sh") { + if !strings.Contains(lockFile, "bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh") { t.Error("Expected clone_repo_memory_branch.sh script invocation") } } diff --git a/pkg/workflow/repo_memory_test.go b/pkg/workflow/repo_memory_test.go index dddebc6291f..49909e0514c 100644 --- a/pkg/workflow/repo_memory_test.go +++ b/pkg/workflow/repo_memory_test.go @@ -222,7 +222,7 @@ func TestRepoMemoryStepsGeneration(t *testing.T) { } // Check for script call - if !strings.Contains(output, "bash /opt/gh-aw/actions/clone_repo_memory_branch.sh") { + if !strings.Contains(output, "bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh") { t.Error("Expected clone_repo_memory_branch.sh script call") } 
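Review bot: Adding `Env: map[string]string{"GH_AW_HOME": constants.GhAwHomeDefault}` to this Job literal, and again in buildSafeJobs, relies on every job builder remembering it, and the generated output in this patch suggests one does not. In basic-copilot.golden the hunks `-488,7 +495,7` and `-497,8 +504,8` switch the job containing the `Check team membership for workflow` step to `${GH_AW_HOME}/actions` and `process.env.GH_AW_HOME`, yet they carry the same +7 line offset as the hunk before them, so no `env:` lines appear to have been added to that job. If so, the variable is unset when the membership check loads its script. A single helper returning this map for every builder, or a workflow-level `env:` entry, would remove the per-job bookkeeping. buildPushRepoMemoryJob starts and ends outside the hunk.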
diff --git a/pkg/workflow/safe_jobs.go b/pkg/workflow/safe_jobs.go index 11f62072c58..3decede8a55 100644 --- a/pkg/workflow/safe_jobs.go +++ b/pkg/workflow/safe_jobs.go @@ -167,6 +167,7 @@ func (c *Compiler) buildSafeJobs(data *WorkflowData, threatDetectionEnabled bool job := &Job{ Name: normalizedJobName, + Env: map[string]string{"GH_AW_HOME": constants.GhAwHomeDefault}, } // Set custom job name if specified @@ -221,19 +222,19 @@ func (c *Compiler) buildSafeJobs(data *WorkflowData, threatDetectionEnabled bool // Add step to download agent output artifact using shared helper downloadSteps := buildArtifactDownloadSteps(ArtifactDownloadConfig{ ArtifactName: constants.AgentOutputArtifactName, - DownloadPath: "/opt/gh-aw/safe-jobs/", + DownloadPath: GhAwHome + "/safe-jobs/", SetupEnvStep: false, // We'll handle env vars separately to add job-specific ones StepName: "Download agent output artifact", }) steps = append(steps, downloadSteps...) // the download artifacts always creates a folder, then unpacks in that folder - agentOutputArtifactFilename := "/opt/gh-aw/safe-jobs/" + constants.AgentOutputFilename + agentOutputArtifactFilename := GhAwHome + "/safe-jobs/" + constants.AgentOutputFilename // Add environment variables step with GH_AW_AGENT_OUTPUT and job-specific env vars steps = append(steps, " - name: Setup Safe Job Environment Variables\n") steps = append(steps, " run: |\n") - steps = append(steps, " find \"/opt/gh-aw/safe-jobs/\" -type f -print\n") + steps = append(steps, " find \""+GhAwHome+"/safe-jobs/\" -type f -print\n") // Configure GH_AW_AGENT_OUTPUT to point to downloaded artifact file steps = append(steps, fmt.Sprintf(" echo \"GH_AW_AGENT_OUTPUT=%s\" >> \"$GITHUB_ENV\"\n", agentOutputArtifactFilename)) diff --git a/pkg/workflow/safe_outputs_mcp_integration_test.go b/pkg/workflow/safe_outputs_mcp_integration_test.go index 2a68100a14f..5c5e5196903 100644 --- a/pkg/workflow/safe_outputs_mcp_integration_test.go 
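Review bot: `DownloadPath: GhAwHome + "/safe-jobs/"` hands a shell expression to buildArtifactDownloadSteps, and if that helper writes DownloadPath into a `with: path:` input (its body is not in this hunk) the runner will not expand it, because action inputs only evaluate `${{ }}` expressions; the artifact would then land in a directory literally named `${GH_AW_HOME}`. The following `find "${GH_AW_HOME}/safe-jobs/"` runs in bash and does expand, so the two would point at different places. For the action input I would pass `"${{ env.GH_AW_HOME }}/safe-jobs/"` and keep GhAwHome for `run:` lines only. The golden output shows the same form under `with:` in `destination: ${GH_AW_HOME}/actions`, which is worth checking against what the setup action does with that string. buildSafeJobs continues outside the hunk.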
+++ b/pkg/workflow/safe_outputs_mcp_integration_test.go @@ -53,7 +53,7 @@ Test safe outputs workflow with MCP server integration. // So we don't check for cat command anymore, we just check the MCP config references it // Check that safe-outputs configuration file is written - if !strings.Contains(yamlStr, "cat > /opt/gh-aw/safeoutputs/config.json") { + if !strings.Contains(yamlStr, "cat > ${GH_AW_HOME}/safeoutputs/config.json") { t.Error("Expected safe-outputs configuration to be written to config.json file") } @@ -73,7 +73,7 @@ Test safe outputs workflow with MCP server integration. } // Check that config file is created - if !strings.Contains(yamlStr, "cat > /opt/gh-aw/safeoutputs/config.json") { + if !strings.Contains(yamlStr, "cat > ${GH_AW_HOME}/safeoutputs/config.json") { t.Error("Expected config file to be created") } @@ -118,7 +118,7 @@ Test workflow without safe outputs. // The check is now redundant since we removed the cat command entirely // Check that safe-outputs configuration file is NOT written - if strings.Contains(yamlStr, "cat > /opt/gh-aw/safeoutputs/config.json") { + if strings.Contains(yamlStr, "cat > ${GH_AW_HOME}/safeoutputs/config.json") { t.Error("Expected safe-outputs configuration to NOT be written when safe-outputs are disabled") } @@ -171,7 +171,7 @@ Test safe outputs workflow with Codex engine. // So we don't check for cat command anymore // Check that safe-outputs configuration file is written - if !strings.Contains(yamlStr, "cat > /opt/gh-aw/safeoutputs/config.json") { + if !strings.Contains(yamlStr, "cat > ${GH_AW_HOME}/safeoutputs/config.json") { t.Error("Expected safe-outputs configuration to be written to config.json file") } diff --git a/pkg/workflow/secret_validation_test.go b/pkg/workflow/secret_validation_test.go index 7fbc66c35ec..c2738cecc58 100644 --- a/pkg/workflow/secret_validation_test.go +++ b/pkg/workflow/secret_validation_test.go 
@@ -80,7 +80,7 @@ func TestGenerateMultiSecretValidationStep(t *testing.T) { docsURL: "https://github.github.com/gh-aw/reference/engines/#openai-codex", wantStrings: []string{ "Validate CODEX_API_KEY or OPENAI_API_KEY secret", - "run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex", + "run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex", "CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }}", "OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}", }, @@ -92,7 +92,7 @@ func TestGenerateMultiSecretValidationStep(t *testing.T) { docsURL: "https://github.github.com/gh-aw/reference/engines/#github-copilot-default", wantStrings: []string{ "Validate COPILOT_GITHUB_TOKEN secret", - "run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default", + "run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default", "COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}", }, }, @@ -103,7 +103,7 @@ func TestGenerateMultiSecretValidationStep(t *testing.T) { docsURL: "https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code", wantStrings: []string{ "Validate ANTHROPIC_API_KEY secret", - "run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code", + "run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code", "ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}", }, }, 
@@ -121,7 +121,7 @@ func TestGenerateMultiSecretValidationStep(t *testing.T) { } // Verify it calls the validate_multi_secret.sh script - if !strings.Contains(stepContent, "/opt/gh-aw/actions/validate_multi_secret.sh") { + if !strings.Contains(stepContent, "${GH_AW_HOME}/actions/validate_multi_secret.sh") { t.Error("Expected step to call validate_multi_secret.sh script") } @@ -208,7 +208,7 @@ func TestCodexEngineHasSecretValidation(t *testing.T) { } // Should call the validate_multi_secret.sh script with both secret names - if !strings.Contains(stepContent, "/opt/gh-aw/actions/validate_multi_secret.sh") { + if !strings.Contains(stepContent, "${GH_AW_HOME}/actions/validate_multi_secret.sh") { t.Error("Should call validate_multi_secret.sh script") } if !strings.Contains(stepContent, "CODEX_API_KEY OPENAI_API_KEY") { diff --git a/pkg/workflow/step_order_validation_integration_test.go b/pkg/workflow/step_order_validation_integration_test.go index 28af1f2af5e..26bdf40ed7a 100644 --- a/pkg/workflow/step_order_validation_integration_test.go +++ b/pkg/workflow/step_order_validation_integration_test.go @@ -173,7 +173,7 @@ This workflow uploads artifacts. // Verify common upload paths are present and under /tmp/gh-aw/ or /opt/gh-aw/ uploadPaths := []string{ - "/opt/gh-aw/safeoutputs/outputs.jsonl", + "${GH_AW_HOME}/safeoutputs/outputs.jsonl", "/tmp/gh-aw/agent-stdio.log", "/tmp/gh-aw/mcp-logs/", } 
@@ -181,8 +181,8 @@ This workflow uploads artifacts. for _, path := range uploadPaths { if strings.Contains(contentStr, path) { // Verify it's under /tmp/gh-aw/ or /opt/gh-aw/ (scannable paths) - if !strings.HasPrefix(path, "/tmp/gh-aw/") && !strings.HasPrefix(path, "/opt/gh-aw/") { - t.Errorf("Upload path %s is not under /tmp/gh-aw/ or /opt/gh-aw/ and won't be scanned", path) + if !strings.HasPrefix(path, "/tmp/gh-aw/") && !strings.HasPrefix(path, "/opt/gh-aw/") && !strings.HasPrefix(path, "${GH_AW_HOME") { + t.Errorf("Upload path %s is not under /tmp/gh-aw/ or /opt/gh-aw/ or ${GH_AW_HOME} and won't be scanned", path) } } } diff --git a/pkg/workflow/step_order_validation_test.go b/pkg/workflow/step_order_validation_test.go index bae1f3db3ec..7bcc2d24ea1 100644 --- a/pkg/workflow/step_order_validation_test.go +++ b/pkg/workflow/step_order_validation_test.go @@ -110,7 +110,7 @@ func TestIsPathScannedBySecretRedaction_ScannableFiles(t *testing.T) { }, { name: "JSONL file in /opt/gh-aw/", - path: "/opt/gh-aw/safeoutputs/outputs.jsonl", + path: "${GH_AW_HOME}/safeoutputs/outputs.jsonl", expected: true, }, { diff --git a/pkg/workflow/step_summary_test.go b/pkg/workflow/step_summary_test.go index e25842be68f..e5db984dd13 100644 --- a/pkg/workflow/step_summary_test.go +++ b/pkg/workflow/step_summary_test.go @@ -134,7 +134,7 @@ This workflow tests that the step summary includes agentic run information. } // Verify that the generate_aw_info.cjs helper is invoked from the step - if !strings.Contains(lockContent, "require('/opt/gh-aw/actions/generate_aw_info.cjs')") { + if !strings.Contains(lockContent, "require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs')") { t.Error("Expected generate_aw_info.cjs require call in 'Generate agentic run info' step") } 
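Review bot: The new alternative `strings.HasPrefix(path, "${GH_AW_HOME")` has no closing brace or trailing slash, so it also accepts look-alike strings such as `${GH_AW_HOME_OTHER}/x`; use `strings.HasPrefix(path, "${GH_AW_HOME}/")` so it is as strict as the two literal prefixes next to it. The comment above the condition still names only `/tmp/gh-aw/ or /opt/gh-aw/` and should mention the variable form too. The loop belongs to a test function that starts outside the hunk.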
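Review bot: In TestIsPathScannedBySecretRedaction_ScannableFiles the `/opt/gh-aw/safeoutputs/outputs.jsonl` case is replaced rather than kept, so the literal default path is no longer covered and the case name `JSONL file in /opt/gh-aw/` no longer describes its input. Keep the original case and add a second one, e.g. `name: "JSONL file under ${GH_AW_HOME}"`, so both forms stay pinned. Judging by its name the function under test decides which paths count as covered by secret redaction, so a negative case for a near-miss prefix would also be worth adding to the non-scannable table.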
@@ -240,7 +240,7 @@ This workflow tests the workflow overview for Claude engine. } // Verify workflow overview call is present in the generate_aw_info step - if !strings.Contains(lockContent, "require('/opt/gh-aw/actions/generate_aw_info.cjs')") { + if !strings.Contains(lockContent, "require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs')") { t.Error("Expected generate_aw_info.cjs require call inside 'Generate agentic run info' step") } diff --git a/pkg/workflow/temp_folder_test.go b/pkg/workflow/temp_folder_test.go index 0649b15cea8..2585c328b69 100644 --- a/pkg/workflow/temp_folder_test.go +++ b/pkg/workflow/temp_folder_test.go @@ -56,7 +56,7 @@ This is a test workflow to verify temp folder instructions are included. } // Test 2: Verify the cat command for temp folder prompt file is included - if !strings.Contains(lockStr, "cat \"/opt/gh-aw/prompts/temp_folder_prompt.md\"") { + if !strings.Contains(lockStr, "cat \"${GH_AW_HOME}/prompts/temp_folder_prompt.md\"") { t.Error("Expected cat command for temp folder prompt file in generated workflow") } diff --git a/pkg/workflow/template.go b/pkg/workflow/template.go index 9bea3393b48..eaa81d6eb1f 100644 --- a/pkg/workflow/template.go +++ b/pkg/workflow/template.go @@ -123,8 +123,8 @@ func (c *Compiler) generateInterpolationAndTemplateStep(yaml *strings.Builder, e // Load interpolate_prompt script from external file // Use setup_globals helper to store GitHub Actions objects in global scope - yaml.WriteString(" const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/interpolate_prompt.cjs") + ");\n") yaml.WriteString(" await main();\n") } 
diff --git a/pkg/workflow/template_rendering_test.go b/pkg/workflow/template_rendering_test.go index d3d003a6d61..ddbafb8b907 100644 --- a/pkg/workflow/template_rendering_test.go +++ b/pkg/workflow/template_rendering_test.go @@ -118,7 +118,7 @@ Normal content here. } // Verify the setupGlobals helper is used - if !strings.Contains(compiledStr, "const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs')") { + if !strings.Contains(compiledStr, "const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')") { t.Error("Template rendering step should use setupGlobals helper") } @@ -127,7 +127,7 @@ Normal content here. } // Verify the interpolate_prompt script is loaded via require - if !strings.Contains(compiledStr, "const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs')") { + if !strings.Contains(compiledStr, "const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs')") { t.Error("Template rendering step should require interpolate_prompt.cjs") } diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden index be883cf21a8..70391a7dbdb 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden @@ -16,6 +16,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -31,7 +33,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -53,11 +55,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -75,9 +77,9 @@ jobs: GH_AW_WORKFLOW_FILE: "basic-copilot.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -91,14 +93,14 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: 
@@ -145,9 +147,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -164,10 +166,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -187,11 +189,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -208,6 +210,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: basiccopilot outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -223,13 +226,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -252,14 +259,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -268,10 +275,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 - name: Start MCP Gateway id: start-mcp-gateway env: 
@@ -296,7 +303,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -324,7 +331,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -357,7 +364,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -395,15 +402,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -413,7 +420,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload engine output files uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: 
@@ -429,18 +436,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -488,7 +495,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -497,8 +504,8 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); 
diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden index 4711c044e3c..42a0da2d7fe 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden @@ -27,6 +27,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: body: ${{ steps.sanitized.outputs.body }} comment_id: "" @@ -45,7 +47,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -67,11 +69,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
@@ -89,18 +91,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-copilot.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -115,15 +117,15 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: 
@@ -227,9 +229,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -247,10 +249,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -271,11 +273,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -296,6 +298,7 @@ jobs: issues: read pull-requests: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: smokecopilot outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -311,7 +314,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -354,7 +357,11 @@ jobs: - name: Capture GOROOT for AWF chroot mode run: echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV" - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -377,14 +384,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -393,10 +400,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -410,13 +417,13 @@ jobs: gh extension install github/gh-aw fi gh aw --version - # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + # Copy the gh-aw binary to $GH_AW_HOME for MCP server containerization + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 
@@ -447,7 +454,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -502,7 +509,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -535,7 +542,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -573,15 +580,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -591,7 +598,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload engine output files uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: 
@@ -607,18 +614,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -666,7 +673,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -675,8 +682,8 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); 
diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden index 50d7ccb2933..24fdf0121eb 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden @@ -16,6 +16,8 @@ jobs: runs-on: ubuntu-slim permissions: contents: read + env: + GH_AW_HOME: /opt/gh-aw outputs: comment_id: "" comment_repo: "" @@ -31,7 +33,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -53,11 +55,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders 
@@ -75,9 +77,9 @@ jobs: GH_AW_WORKFLOW_FILE: "with-imports.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -91,14 +93,14 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -148,9 +150,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -167,10 +169,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -190,11 +192,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -211,6 +213,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: withimports outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} 
@@ -226,13 +229,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -255,14 +262,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.23.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -271,10 +278,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 - name: Start MCP Gateway id: start-mcp-gateway env: 
@@ -299,7 +306,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -327,7 +334,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -360,7 +367,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
@@ -398,15 +405,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -416,7 +423,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Upload engine output files uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: 
@@ -432,18 +439,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -491,7 +498,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -500,8 +507,8 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); diff --git a/pkg/workflow/threat_detection.go b/pkg/workflow/threat_detection.go index 53b4cc7d49a..ce4d14bec43 100644 --- a/pkg/workflow/threat_detection.go 
+++ b/pkg/workflow/threat_detection.go @@ -432,9 +432,9 @@ func (c *Compiler) buildWorkflowContextEnvVars(data *WorkflowData) []string { // buildResultsParsingScriptRequire creates the parsing script that requires the .cjs module func (c *Compiler) buildResultsParsingScriptRequire() string { // Build a simple require statement that calls the main function - script := `const { setupGlobals } = require('` + SetupActionDestination + `/setup_globals.cjs'); + script := `const { setupGlobals } = require(` + JsRequireGhAw("actions/setup_globals.cjs") + `); setupGlobals(core, github, context, exec, io); -const { main } = require('` + SetupActionDestination + `/parse_threat_detection_results.cjs'); +const { main } = require(` + JsRequireGhAw("actions/parse_threat_detection_results.cjs") + `); await main();` return script diff --git a/pkg/workflow/unified_prompt_step.go b/pkg/workflow/unified_prompt_step.go index d045c046345..1adba213e4e 100644 --- a/pkg/workflow/unified_prompt_step.go +++ b/pkg/workflow/unified_prompt_step.go @@ -455,7 +455,7 @@ func (c *Compiler) generateUnifiedPromptCreationStep(yaml *strings.Builder, buil } yaml.WriteString(" run: |\n") - yaml.WriteString(" bash /opt/gh-aw/actions/create_prompt_first.sh\n") + yaml.WriteString(" bash " + GhAwHome + "/actions/create_prompt_first.sh\n") yaml.WriteString(" {\n") // Track if we're inside a heredoc From de37c65cd1945b55c6fe081114d3e1e117a0d20b Mon Sep 17 00:00:00 2001 
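Review bot: The two `require(` arguments that `buildResultsParsingScriptRequire` now builds with `JsRequireGhAw` have no fallback for a step environment where `GH_AW_HOME` is missing or empty. Judging by the golden output in this patch, the emitted expression is `process.env.GH_AW_HOME + '/actions/…'`. With the variable unset this evaluates to the string `undefined/actions/…`, which Node resolves as a package name rather than as an absolute path under the setup directory. The threat-detection result parser should only ever load from the trusted install location, so I would have the helper emit `(process.env.GH_AW_HOME || '/opt/gh-aw') + '/actions/setup_globals.cjs'`, matching the job-level `GH_AW_HOME: /opt/gh-aw` default, or have the script throw when the variable is empty. `JsRequireGhAw` is defined outside this hunk, and the function's closing brace is also outside it.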
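Review bot: The generated `bash ${GH_AW_HOME}/actions/create_prompt_first.sh` line expands the variable unquoted, so a self-hosted install path containing spaces or glob characters is word-split before `bash` receives it. An empty value silently turns the path into `/actions/create_prompt_first.sh`. The `cat "${GH_AW_HOME}/prompts/…"` lines that the golden files show in the same step are already quoted, so this line should match them: `"bash \"" + GhAwHome + "/actions/create_prompt_first.sh\"\n"`, keeping the literal's existing leading indentation. The other `run: bash ${GH_AW_HOME}/actions/…` steps in the golden output have the same unquoted form, and `${GH_AW_HOME:?}` would make them fail loudly when the variable is unset. `generateUnifiedPromptCreationStep` starts and ends outside this hunk.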
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Mar 2026 03:43:23 +0000 Subject: [PATCH 04/12] fix: remove destination: input from setup step to fix GH_AW_HOME literal value bug MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The compiled lock files were passing `destination: ${GH_AW_HOME}/actions` to the setup action, which GitHub Actions treats as a literal string (not a shell variable). This caused setup.sh to set GH_AW_HOME="${GH_AW_HOME}" (literal), breaking all require() calls like `require('${GH_AW_HOME}/actions/setup_globals.cjs')`. Fix: generateSetupStep() no longer emits `with: destination:` — the setup action defaults to /opt/gh-aw/actions via action.yml, and setup.sh correctly derives and exports GH_AW_HOME=/opt/gh-aw to $GITHUB_ENV for subsequent steps. Also removes INPUT_DESTINATION from script mode (setup.sh default is used). Updates wasm golden files and recompiles all 166 lock files. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/ace-editor.lock.yml | 6 ------ .../workflows/agent-performance-analyzer.lock.yml | 12 ------------ .github/workflows/agent-persona-explorer.lock.yml | 12 ------------ .github/workflows/ai-moderator.lock.yml | 12 ------------ .github/workflows/archie.lock.yml | 10 ---------- .github/workflows/artifacts-summary.lock.yml | 8 -------- .github/workflows/audit-workflows.lock.yml | 14 -------------- .github/workflows/auto-triage-issues.lock.yml | 10 ---------- .github/workflows/blog-auditor.lock.yml | 8 -------- .github/workflows/bot-detection.lock.yml | 8 -------- .github/workflows/brave.lock.yml | 10 ---------- .github/workflows/breaking-change-checker.lock.yml | 10 ---------- .github/workflows/changeset.lock.yml | 10 ---------- .github/workflows/chroma-issue-indexer.lock.yml | 4 ---- .github/workflows/ci-coach.lock.yml | 10 ---------- .github/workflows/ci-doctor.lock.yml | 12 ------------ 
.../claude-code-user-docs-review.lock.yml | 10 ---------- .github/workflows/cli-consistency-checker.lock.yml | 8 -------- .github/workflows/cli-version-checker.lock.yml | 10 ---------- .github/workflows/cloclo.lock.yml | 12 ------------ .github/workflows/code-scanning-fixer.lock.yml | 14 -------------- .github/workflows/code-simplifier.lock.yml | 10 ---------- .../codex-github-remote-mcp-test.lock.yml | 4 ---- .github/workflows/commit-changes-analyzer.lock.yml | 8 -------- .github/workflows/constraint-solving-potd.lock.yml | 10 ---------- .github/workflows/contribution-check.lock.yml | 8 -------- .github/workflows/copilot-agent-analysis.lock.yml | 12 ------------ .../workflows/copilot-cli-deep-research.lock.yml | 10 ---------- .../workflows/copilot-pr-merged-report.lock.yml | 10 ---------- .github/workflows/copilot-pr-nlp-analysis.lock.yml | 14 -------------- .../workflows/copilot-pr-prompt-analysis.lock.yml | 12 ------------ .../workflows/copilot-session-insights.lock.yml | 14 -------------- .github/workflows/craft.lock.yml | 10 ---------- .../workflows/daily-architecture-diagram.lock.yml | 10 ---------- .../workflows/daily-assign-issue-to-user.lock.yml | 8 -------- .github/workflows/daily-choice-test.lock.yml | 8 -------- .github/workflows/daily-cli-performance.lock.yml | 10 ---------- .github/workflows/daily-cli-tools-tester.lock.yml | 8 -------- .github/workflows/daily-code-metrics.lock.yml | 14 -------------- .github/workflows/daily-compiler-quality.lock.yml | 10 ---------- .../workflows/daily-copilot-token-report.lock.yml | 14 -------------- .github/workflows/daily-doc-healer.lock.yml | 10 ---------- .github/workflows/daily-doc-updater.lock.yml | 10 ---------- .github/workflows/daily-fact.lock.yml | 8 -------- .github/workflows/daily-file-diet.lock.yml | 10 ---------- .github/workflows/daily-firewall-report.lock.yml | 12 ------------ .github/workflows/daily-issues-report.lock.yml | 14 -------------- .../workflows/daily-malicious-code-scan.lock.yml | 8 
-------- .../daily-mcp-concurrency-analysis.lock.yml | 10 ---------- .../daily-multi-device-docs-tester.lock.yml | 10 ---------- .github/workflows/daily-news.lock.yml | 14 -------------- .../workflows/daily-observability-report.lock.yml | 10 ---------- .../workflows/daily-performance-summary.lock.yml | 12 ------------ .github/workflows/daily-regulatory.lock.yml | 8 -------- .../daily-rendering-scripts-verifier.lock.yml | 12 ------------ .github/workflows/daily-repo-chronicle.lock.yml | 12 ------------ .../workflows/daily-safe-output-optimizer.lock.yml | 12 ------------ .../daily-safe-outputs-conformance.lock.yml | 8 -------- .github/workflows/daily-secrets-analysis.lock.yml | 8 -------- .github/workflows/daily-security-red-team.lock.yml | 8 -------- .github/workflows/daily-semgrep-scan.lock.yml | 8 -------- .../workflows/daily-syntax-error-quality.lock.yml | 8 -------- .../daily-team-evolution-insights.lock.yml | 8 -------- .github/workflows/daily-team-status.lock.yml | 10 ---------- .../daily-testify-uber-super-expert.lock.yml | 12 ------------ .github/workflows/daily-workflow-updater.lock.yml | 8 -------- .github/workflows/dead-code-remover.lock.yml | 12 ------------ .github/workflows/deep-report.lock.yml | 14 -------------- .github/workflows/delight.lock.yml | 10 ---------- .github/workflows/dependabot-burner.lock.yml | 10 ---------- .github/workflows/dependabot-go-checker.lock.yml | 8 -------- .github/workflows/dev-hawk.lock.yml | 10 ---------- .github/workflows/dev.lock.yml | 8 -------- .../workflows/developer-docs-consolidator.lock.yml | 12 ------------ .github/workflows/dictation-prompt.lock.yml | 8 -------- .github/workflows/discussion-task-miner.lock.yml | 10 ---------- .github/workflows/docs-noob-tester.lock.yml | 10 ---------- .github/workflows/draft-pr-cleanup.lock.yml | 8 -------- .github/workflows/duplicate-code-detector.lock.yml | 8 -------- .../workflows/example-permissions-warning.lock.yml | 4 ---- .../workflows/example-workflow-analyzer.lock.yml | 
8 -------- .github/workflows/firewall-escape.lock.yml | 14 -------------- .github/workflows/firewall.lock.yml | 4 ---- .github/workflows/functional-pragmatist.lock.yml | 8 -------- .../github-mcp-structural-analysis.lock.yml | 12 ------------ .github/workflows/github-mcp-tools-report.lock.yml | 10 ---------- .../workflows/github-remote-mcp-auth-test.lock.yml | 8 -------- .github/workflows/glossary-maintainer.lock.yml | 12 ------------ .github/workflows/go-fan.lock.yml | 10 ---------- .github/workflows/go-logger.lock.yml | 10 ---------- .github/workflows/go-pattern-detector.lock.yml | 8 -------- .github/workflows/gpclean.lock.yml | 10 ---------- .github/workflows/grumpy-reviewer.lock.yml | 12 ------------ .github/workflows/hourly-ci-cleaner.lock.yml | 8 -------- .github/workflows/instructions-janitor.lock.yml | 10 ---------- .github/workflows/issue-arborist.lock.yml | 8 -------- .github/workflows/issue-monster.lock.yml | 10 ---------- .github/workflows/issue-triage-agent.lock.yml | 8 -------- .github/workflows/jsweep.lock.yml | 10 ---------- .github/workflows/layout-spec-maintainer.lock.yml | 8 -------- .github/workflows/lockfile-stats.lock.yml | 10 ---------- .github/workflows/mcp-inspector.lock.yml | 10 ---------- .github/workflows/mergefest.lock.yml | 10 ---------- .github/workflows/metrics-collector.lock.yml | 8 -------- .github/workflows/notion-issue-summary.lock.yml | 8 -------- .github/workflows/org-health-report.lock.yml | 12 ------------ .github/workflows/pdf-summary.lock.yml | 12 ------------ .github/workflows/plan.lock.yml | 10 ---------- .github/workflows/poem-bot.lock.yml | 14 -------------- .github/workflows/portfolio-analyst.lock.yml | 12 ------------ .github/workflows/pr-nitpick-reviewer.lock.yml | 12 ------------ .github/workflows/pr-triage-agent.lock.yml | 10 ---------- .../workflows/prompt-clustering-analysis.lock.yml | 10 ---------- .github/workflows/python-data-charts.lock.yml | 12 ------------ .github/workflows/q.lock.yml | 12 ------------ 
.github/workflows/refiner.lock.yml | 10 ---------- .github/workflows/release.lock.yml | 10 ---------- .github/workflows/repo-audit-analyzer.lock.yml | 10 ---------- .github/workflows/repo-tree-map.lock.yml | 8 -------- .../workflows/repository-quality-improver.lock.yml | 10 ---------- .github/workflows/research.lock.yml | 8 -------- .github/workflows/safe-output-health.lock.yml | 10 ---------- .../workflows/schema-consistency-checker.lock.yml | 10 ---------- .github/workflows/scout.lock.yml | 12 ------------ .../security-alert-burndown.campaign.g.lock.yml | 9 --------- .github/workflows/security-compliance.lock.yml | 10 ---------- .github/workflows/security-review.lock.yml | 12 ------------ .../workflows/semantic-function-refactor.lock.yml | 8 -------- .github/workflows/sergo.lock.yml | 10 ---------- .github/workflows/slide-deck-maintainer.lock.yml | 12 ------------ .github/workflows/smoke-agent.lock.yml | 10 ---------- .github/workflows/smoke-claude.lock.yml | 12 ------------ .github/workflows/smoke-codex.lock.yml | 12 ------------ .github/workflows/smoke-copilot-arm.lock.yml | 12 ------------ .github/workflows/smoke-copilot.lock.yml | 12 ------------ .../workflows/smoke-create-cross-repo-pr.lock.yml | 9 --------- .github/workflows/smoke-gemini.lock.yml | 12 ------------ .github/workflows/smoke-multi-pr.lock.yml | 10 ---------- .github/workflows/smoke-project.lock.yml | 9 --------- .github/workflows/smoke-temporary-id.lock.yml | 10 ---------- .github/workflows/smoke-test-tools.lock.yml | 10 ---------- .../workflows/smoke-update-cross-repo-pr.lock.yml | 11 ----------- .github/workflows/smoke-workflow-call.lock.yml | 10 ---------- .github/workflows/stale-repo-identifier.lock.yml | 12 ------------ .github/workflows/static-analysis-report.lock.yml | 10 ---------- .github/workflows/step-name-alignment.lock.yml | 10 ---------- .github/workflows/sub-issue-closer.lock.yml | 8 -------- .github/workflows/super-linter.lock.yml | 10 ---------- 
.github/workflows/technical-doc-writer.lock.yml | 14 -------------- .github/workflows/terminal-stylist.lock.yml | 8 -------- .../test-create-pr-error-handling.lock.yml | 10 ---------- .github/workflows/test-dispatcher.lock.yml | 8 -------- .../workflows/test-project-url-default.lock.yml | 7 ------- .github/workflows/test-workflow.lock.yml | 4 ---- .github/workflows/tidy.lock.yml | 10 ---------- .github/workflows/typist.lock.yml | 8 -------- .github/workflows/ubuntu-image-analyzer.lock.yml | 10 ---------- .github/workflows/unbloat-docs.lock.yml | 14 -------------- .github/workflows/video-analyzer.lock.yml | 8 -------- .../workflows/weekly-editors-health-check.lock.yml | 10 ---------- .github/workflows/weekly-issue-summary.lock.yml | 12 ------------ .../weekly-safe-outputs-spec-review.lock.yml | 8 -------- .github/workflows/workflow-generator.lock.yml | 12 ------------ .github/workflows/workflow-health-manager.lock.yml | 12 ------------ .github/workflows/workflow-normalizer.lock.yml | 8 -------- .../workflows/workflow-skill-extractor.lock.yml | 8 -------- pkg/workflow/compiler_yaml_helpers.go | 12 ++++++------ .../basic-copilot.golden | 6 ------ .../smoke-copilot.golden | 6 ------ .../with-imports.golden | 6 ------ 170 files changed, 6 insertions(+), 1679 deletions(-) diff --git a/.github/workflows/ace-editor.lock.yml b/.github/workflows/ace-editor.lock.yml index b49d8eade6d..31188eaa29a 100644 --- a/.github/workflows/ace-editor.lock.yml +++ b/.github/workflows/ace-editor.lock.yml @@ -71,8 +71,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -288,8 +286,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -573,8 +569,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 6881e1e09a9..24fd8266235 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -288,8 +286,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1236,8 +1232,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1337,8 +1331,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1375,8 +1367,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -1460,8 +1450,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index b63d0c0c441..ad699583719 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -66,8 +66,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -287,8 +285,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1078,8 +1074,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1177,8 +1171,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1223,8 +1215,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1280,8 +1270,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 
diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index d30f0a985f8..1b8ed37f081 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -84,8 +84,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -326,8 +324,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -984,8 +980,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1081,8 +1075,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check user rate limit id: check_rate_limit uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1159,8 +1151,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1217,8 +1207,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Unlock issue after agent workflow id: unlock-issue if: ((github.event_name == 'issues') || (github.event_name == 'issue_comment')) && (needs.activation.outputs.issue_locked == 'true') diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index cab7e89c221..7458c681e4e 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml 
@@ -88,8 +88,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -336,8 +334,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1049,8 +1045,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1152,8 +1146,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1213,8 +1205,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 6c47ff7aa6e..8d5d3908c3c 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -273,8 +271,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -981,8 +977,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1094,8 +1088,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index e4eda76f775..a832773b90d 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -66,8 +66,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -305,8 +303,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1261,8 +1257,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1373,8 +1367,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1454,8 +1446,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1511,8 +1501,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1555,8 +1543,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 40edf657e6e..d8cb085d7f5 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -72,8 +72,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -286,8 +284,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1059,8 +1055,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1158,8 +1152,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1220,8 +1212,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index ebe305046da..307108aa047 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -280,8 +278,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1096,8 +1092,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1214,8 +1208,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml index 880c456df28..eb416b2dce4 100644 --- a/.github/workflows/bot-detection.lock.yml +++ b/.github/workflows/bot-detection.lock.yml @@ -61,8 +61,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -287,8 +285,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -1020,8 +1016,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1931,8 +1925,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 764f8327d78..fec93a24f62 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -74,8 +74,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -320,8 +318,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1037,8 +1033,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1137,8 +1131,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1198,8 +1190,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 6d4988a00b8..272614f343c 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -275,8 +273,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1024,8 +1020,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1125,8 +1119,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1187,8 +1179,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 3b9b6c86e22..ad174ddd0a0 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -82,8 +82,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -333,8 +331,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1085,8 +1081,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1187,8 +1181,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1237,8 +1229,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/chroma-issue-indexer.lock.yml b/.github/workflows/chroma-issue-indexer.lock.yml index 4feefbcc180..567e9e743fa 100644 --- a/.github/workflows/chroma-issue-indexer.lock.yml +++ b/.github/workflows/chroma-issue-indexer.lock.yml @@ -62,8 +62,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -263,8 +261,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 7fac6bb417d..69967f56f17 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml 
@@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -296,8 +294,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1086,8 +1082,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1223,8 +1217,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1309,8 +1301,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 5f02af082c2..33df7a7c7de 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -74,8 +74,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -316,8 +314,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -1251,8 +1247,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1358,8 +1352,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1425,8 +1417,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1482,8 +1472,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 1de5555b148..75cacee334e 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -60,8 +60,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -278,8 +276,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -1057,8 +1053,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1175,8 +1169,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1232,8 +1224,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index a9e84ef82e2..7f43c074840 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -58,8 +58,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -264,8 +262,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -993,8 +989,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1105,8 +1099,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 66f47dac107..148063a635d 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -286,8 +284,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1090,8 +1086,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1202,8 +1196,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1259,8 +1251,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 5d55eaaeb6b..07cc65e041e 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -112,8 +112,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -392,8 +390,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1401,8 +1397,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1530,8 +1524,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1595,8 +1587,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1681,8 +1671,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 8e325be6b0d..9f7fbb760d9 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -59,8 +59,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -277,8 +275,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1112,8 +1108,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1227,8 +1221,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1278,8 +1270,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1362,8 +1352,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1448,8 +1436,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 540da3a8299..7ebeea204c3 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -67,8 +67,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -284,8 +282,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1017,8 +1013,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1135,8 +1129,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1199,8 +1191,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/codex-github-remote-mcp-test.lock.yml b/.github/workflows/codex-github-remote-mcp-test.lock.yml index c0fb7304eb3..cbfb2fff023 100644 --- a/.github/workflows/codex-github-remote-mcp-test.lock.yml +++ b/.github/workflows/codex-github-remote-mcp-test.lock.yml @@ -57,8 +57,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -247,8 +245,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index b83d5a46fa0..502702aaa89 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml 
+++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -66,8 +66,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -279,8 +277,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1038,8 +1034,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1151,8 +1145,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index f655e07c317..fd9bc741b51 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml @@ -59,8 +59,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -271,8 +269,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -982,8 +978,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1095,8 +1089,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1152,8 +1144,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 27ca7a3d511..33799659b08 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -62,8 +62,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -274,8 +272,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1095,8 +1091,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1212,8 +1206,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index d0fc2cb1b96..f4e5724cab1 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml 
@@ -67,8 +67,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -307,8 +305,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1129,8 +1125,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1237,8 +1231,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1317,8 +1309,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1374,8 +1364,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index fe7574a0042..d5e76d0adae 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -287,8 +285,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1052,8 +1048,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1160,8 +1154,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1240,8 +1232,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index 3220592a24d..7f2b221ca46 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -66,8 +66,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -294,8 +292,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1151,8 +1147,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1264,8 +1258,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1321,8 +1313,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 995eef2e1e7..02d6e7848f1 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -66,8 +66,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -309,8 +307,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1156,8 +1152,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1264,8 +1258,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1344,8 +1336,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1401,8 +1391,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1445,8 +1433,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 52030357343..f8451234a19 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -66,8 +66,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -304,8 +302,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1072,8 +1068,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1180,8 +1174,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1260,8 +1252,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1317,8 +1307,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 5edf6613fce..89a101d40fe 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -69,8 +69,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -322,8 +320,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1216,8 +1212,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1324,8 +1318,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1404,8 +1396,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1461,8 +1451,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1505,8 +1493,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 0fbefadacfd..f918453863e 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -71,8 +71,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -313,8 +311,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1080,8 +1076,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1181,8 +1175,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1246,8 +1238,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index 3aec05037fd..b4e1d7f64a4 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -279,8 +277,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1112,8 +1108,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1245,8 +1239,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1331,8 +1323,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index af2093d1855..16db1892b56 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -58,8 +58,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -261,8 +259,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1026,8 +1022,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1141,8 +1135,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index ea90f1c38c9..3bdaca6c84c 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -59,8 +59,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -265,8 +263,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -992,8 +988,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1105,8 +1099,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 04cf30f38c4..871ee393b27 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -292,8 +290,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1257,8 +1253,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1367,8 +1361,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1453,8 +1445,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 438552d94b1..e52a4282118 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -60,8 +60,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -270,8 +268,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1065,8 +1061,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1178,8 +1172,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index a4e78b0fc7e..a7e6048f196 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -66,8 +66,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -303,8 +301,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1190,8 +1186,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1302,8 +1296,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -1383,8 +1375,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1440,8 +1430,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1484,8 +1472,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 8156202039a..b81de6fc063 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -282,8 +280,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1036,8 +1032,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1154,8 +1148,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1211,8 +1203,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index c2cb441bffc..a1aebbf73c9 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -297,8 +295,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Create gh-aw temp directory run: | bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh @@ -1164,8 +1160,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1276,8 +1270,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1357,8 +1349,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1414,8 +1404,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1458,8 +1446,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index d5946616675..72b8c5b0ab1 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml @@ -60,8 +60,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -277,8 +275,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1189,8 +1185,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1328,8 +1322,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1427,8 +1419,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 05f464f5a38..d677b9379bf 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -60,8 +60,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -277,8 +275,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1108,8 +1104,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1245,8 +1239,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1331,8 +1323,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index b5591fe5761..4d4c5e43cf2 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml 
@@ -53,8 +53,6 @@ jobs: steps: - name: Setup Scripts uses: github/gh-aw/actions/setup@a70c5eada06553e3510ac27f2c3bda9d3705bccb # a70c5eada06553e3510ac27f2c3bda9d3705bccb - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -248,8 +246,6 @@ jobs: steps: - name: Setup Scripts uses: github/gh-aw/actions/setup@a70c5eada06553e3510ac27f2c3bda9d3705bccb # a70c5eada06553e3510ac27f2c3bda9d3705bccb - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -931,8 +927,6 @@ jobs: steps: - name: Setup Scripts uses: github/gh-aw/actions/setup@a70c5eada06553e3510ac27f2c3bda9d3705bccb # a70c5eada06553e3510ac27f2c3bda9d3705bccb - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1047,8 +1041,6 @@ jobs: steps: - name: Setup Scripts uses: github/gh-aw/actions/setup@a70c5eada06553e3510ac27f2c3bda9d3705bccb # a70c5eada06553e3510ac27f2c3bda9d3705bccb - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 5ce3021f233..a77270f8b83 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -67,8 +67,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -283,8 +281,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -1042,8 +1038,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1142,8 +1136,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1203,8 +1195,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index bce7dd78337..c343e23237a 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -290,8 +288,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1154,8 +1150,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1273,8 +1267,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1330,8 +1322,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1374,8 +1364,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 851262d27a3..7710395f3b4 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -70,8 +70,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -310,8 +308,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1158,8 +1154,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1260,8 +1254,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1307,8 +1299,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1364,8 +1354,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1408,8 +1396,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index 4f24978d50e..082ce19494f 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -268,8 +266,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -894,8 +890,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1009,8 +1003,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index a432248f663..9ff55b138ef 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml 
+++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -281,8 +279,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1097,8 +1093,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1216,8 +1210,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1285,8 +1277,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index bcee0d8cd8b..e23e7c2f27e 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -70,8 +70,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -293,8 +291,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1183,8 +1179,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1300,8 +1294,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1358,8 +1350,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 4d93ad392f2..8115615f064 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -66,8 +66,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -308,8 +306,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1225,8 +1221,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1337,8 +1331,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1418,8 +1410,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1475,8 +1465,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1519,8 +1507,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index c8ab54b0637..347da29724b 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -66,8 +66,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -282,8 +280,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1115,8 +1111,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1217,8 +1211,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1264,8 +1256,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index c7ede134c99..75de298bf86 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -66,8 +66,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -295,8 +293,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1638,8 +1634,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1757,8 +1751,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1814,8 +1806,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1858,8 +1848,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 0fa4f7df1ad..2be87cefaa7 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -282,8 +280,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1535,8 +1531,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1654,8 +1648,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index 86322604079..677c4fe3a6f 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml 
+++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -67,8 +67,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -291,8 +289,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1192,8 +1188,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1309,8 +1303,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1373,8 +1365,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1459,8 +1449,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index d6ab0f38478..254bdd92b19 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml 
@@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -287,8 +285,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1085,8 +1081,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1203,8 +1197,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1260,8 +1252,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1304,8 +1294,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 9ef76f90b0a..71de1b526c7 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -68,8 +68,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -291,8 +289,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1179,8 +1175,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1275,8 +1269,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1335,8 +1327,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1392,8 +1382,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index e2d9eb684c8..2143abc4a45 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -274,8 +272,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1053,8 +1049,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1170,8 +1164,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 73bc2842532..e3f3995eb3c 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -272,8 +270,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1049,8 +1045,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1167,8 +1161,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index 9c4dee81545..2312e54e959 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -278,8 +276,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1057,8 +1053,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1174,8 +1168,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 79b7f0efde4..386ffaf6506 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -275,8 +273,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -1035,8 +1031,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1146,8 +1140,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index 945926c7836..4ffc98d8780 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -271,8 +269,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1022,8 +1018,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1139,8 +1133,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index 2146da33ad9..84d5e054a13 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml 
@@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -277,8 +275,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1035,8 +1031,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1153,8 +1147,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index 0e741bbd0ea..2a46a1c1f7e 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -73,8 +73,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -285,8 +283,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1013,8 +1009,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1122,8 +1116,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check stop-time limit id: check_stop_time uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1172,8 +1164,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index fbf3c8897d1..660d8134161 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -68,8 +68,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -297,8 +295,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1090,8 +1086,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1193,8 +1187,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -1244,8 +1236,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1326,8 +1316,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index dcb892788ee..7006cde2582 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -59,8 +59,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -265,8 +263,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -999,8 +995,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1136,8 +1130,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index 3df8959cb81..150e95cea85 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml 
@@ -62,8 +62,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -283,8 +281,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1045,8 +1041,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1157,8 +1151,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1220,8 +1212,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1306,8 +1296,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 81377a0519a..b9fa26e89ce 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -306,8 +304,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1262,8 +1258,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1374,8 +1368,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1457,8 +1449,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1514,8 +1504,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1558,8 +1546,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 833e9d4a8c8..56ac42f3f45 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -289,8 +287,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1140,8 +1136,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1253,8 +1247,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1337,8 +1329,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index b1c1defcbd6..8c8a0d16e84 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -61,8 +61,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -270,8 +268,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -998,8 +994,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1095,8 +1089,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1142,8 +1134,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index d3e0f3c5751..a9465ae203e 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -59,8 +59,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -269,8 +267,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1047,8 +1043,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1160,8 +1154,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 821fdef93c4..18aace62d1f 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml 
@@ -69,8 +69,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -299,8 +297,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1086,8 +1082,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1184,8 +1178,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1234,8 +1226,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index abc878157e5..1e6d1da6697 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -58,8 +58,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -261,8 +259,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -990,8 +986,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1102,8 +1096,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index a8d87288007..c15e28b769c 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -303,8 +301,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1245,8 +1241,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1369,8 +1363,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1454,8 +1446,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1540,8 +1530,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index a39d00f706b..b98321e7bd6 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -62,8 +62,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -271,8 +269,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1005,8 +1001,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1136,8 +1130,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 5bff55aea94..4ee12c4f6e3 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -290,8 +288,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1124,8 +1120,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1235,8 +1229,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1322,8 +1314,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index c29ddfa492c..721f666f5e8 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -274,8 +272,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1040,8 +1036,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1153,8 +1147,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1211,8 +1203,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index 3e5683c4353..ca9590e7d73 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -59,8 +59,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -263,8 +261,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1063,8 +1059,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1179,8 +1173,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index a3af0625d61..36e1b235cdc 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml 
@@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -281,8 +279,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1027,8 +1023,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1139,8 +1133,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml index 3adc7014399..1351469f04b 100644 --- a/.github/workflows/example-permissions-warning.lock.yml +++ b/.github/workflows/example-permissions-warning.lock.yml @@ -57,8 +57,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -247,8 +245,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index c759812b870..0951ea3218e 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml 
@@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -274,8 +272,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1098,8 +1094,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1211,8 +1205,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 57dd914d5f7..2d4532d132d 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -72,8 +72,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -307,8 +305,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1067,8 +1063,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1204,8 +1198,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1242,8 +1234,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1322,8 +1312,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1379,8 +1367,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml index 5569c8c79a7..8ea96fd2e87 100644 --- a/.github/workflows/firewall.lock.yml +++ b/.github/workflows/firewall.lock.yml @@ -57,8 +57,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -249,8 +247,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index 23d47d4273a..637aaf6303f 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml 
@@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -278,8 +276,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1011,8 +1007,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1149,8 +1143,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 365b0f4d23a..3be19f1c93b 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -290,8 +288,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1142,8 +1138,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1255,8 +1249,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1312,8 +1304,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1356,8 +1346,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index a359e18f1ff..1c030058788 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -287,8 +285,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1154,8 +1150,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1288,8 +1282,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1374,8 +1366,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 7edc9379d8a..8a0762e87da 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -60,8 +60,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -273,8 +271,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -989,8 +985,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1104,8 +1098,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index cd9e0dbf518..48f8c324e22 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -306,8 +304,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1138,8 +1134,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1261,8 +1255,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1345,8 +1337,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1431,8 +1421,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index 9646ddf2711..60ae6974868 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -287,8 +285,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -1100,8 +1096,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1218,8 +1212,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1275,8 +1267,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 97acba592c9..5f12b60535d 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -283,8 +281,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1276,8 +1272,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1407,8 +1401,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1493,8 +1485,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 66e818778bd..46307926a35 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -281,8 +279,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1102,8 +1098,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1214,8 +1208,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index ccc6da8eefb..ffa0291529f 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -60,8 +60,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -275,8 +273,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1026,8 +1022,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1139,8 +1133,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1196,8 +1188,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 6f2f8dc394e..fda25c2d903 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -76,8 +76,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -328,8 +326,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1117,8 +1113,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1219,8 +1213,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1276,8 +1268,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1333,8 +1323,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 1b691f242d3..df540874e04 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -295,8 +293,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1108,8 +1104,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1248,8 +1242,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index f1f49331b8e..04a61a2a13f 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -60,8 +60,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -276,8 +274,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1104,8 +1100,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1235,8 +1229,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1321,8 +1313,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 177f6c35f71..3dd69fbc1c2 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -277,8 +275,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1103,8 +1099,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1218,8 +1212,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 9a42715d06e..dc521059460 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -68,8 +68,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -295,8 +293,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1052,8 +1048,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1152,8 +1146,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -1232,8 +1224,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 8f31c715939..f105377fb65 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -62,8 +62,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -274,8 +272,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1000,8 +996,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1114,8 +1108,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 24676cd19db..1f74ba6c3e4 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -60,8 +60,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -280,8 +278,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1047,8 +1043,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1185,8 +1179,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1271,8 +1263,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index 12724ac22ed..10a28435892 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -61,8 +61,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -271,8 +269,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1040,8 +1036,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1178,8 +1172,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 53ceccacbe0..1d647d606d3 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -281,8 +279,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1060,8 +1056,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1173,8 +1167,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1230,8 +1222,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index b24e8bcb638..6e7bfe6d106 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml 
@@ -79,8 +79,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -342,8 +340,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1396,8 +1392,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1784,8 +1778,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1841,8 +1833,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 39f6889dc6a..490b0af7174 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -71,8 +71,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -314,8 +312,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -1060,8 +1056,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1162,8 +1156,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1222,8 +1214,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index fb4d1db875b..b261685cf4a 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -62,8 +62,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -272,8 +270,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -627,8 +623,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -665,8 +659,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index c718d2dc001..06fa41d99d3 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -66,8 +66,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -276,8 +274,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -831,8 +827,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1069,8 +1063,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index a0742f8737e..7ee5fb658c4 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -66,8 +66,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -296,8 +294,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -1084,8 +1080,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1198,8 +1192,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1255,8 +1247,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1299,8 +1289,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 01753cb0a5f..87c26784aa5 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -94,8 +94,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -360,8 +358,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1148,8 +1144,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1254,8 +1248,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1315,8 +1307,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1372,8 +1362,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 1ee8805ea9d..e845f4a4a6f 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -76,8 +76,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -321,8 +319,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1108,8 +1104,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1209,8 +1203,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -1268,8 +1260,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 0a6461b4e10..4a23aedc774 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -86,8 +86,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -349,8 +347,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1817,8 +1813,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1938,8 +1932,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -2011,8 +2003,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2104,8 +2094,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 
@@ -2148,8 +2136,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 5b207e47cd5..d7c1cf046c7 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -66,8 +66,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -293,8 +291,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1165,8 +1161,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1284,8 +1278,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1341,8 +1333,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1385,8 +1375,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 07f7131df26..3acd186badd 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -104,8 +104,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -358,8 +356,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1220,8 +1216,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1330,8 +1324,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1389,8 +1381,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1446,8 +1436,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index abcfa7cddbd..cc2cef1cb8d 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml 
@@ -59,8 +59,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -284,8 +282,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1141,8 +1137,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1249,8 +1243,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1335,8 +1327,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index b5d4faec0cc..147c004e91b 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -69,8 +69,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -296,8 +294,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -1191,8 +1187,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1304,8 +1298,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1361,8 +1353,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 7b117f1c223..e9afdcbb4f0 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -289,8 +287,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1153,8 +1149,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1267,8 +1261,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1324,8 +1316,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1368,8 +1358,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index e5229198b69..f83d84d0911 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -112,8 +112,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -377,8 +375,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1259,8 +1255,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1389,8 +1383,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1454,8 +1446,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1540,8 +1530,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 437d7a7f0d7..2e745c9043c 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -75,8 +75,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -304,8 +302,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1082,8 +1078,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1199,8 +1193,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1253,8 +1245,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 96fe938951d..560c8fd5882 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml 
@@ -71,8 +71,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -283,8 +281,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1000,8 +996,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1205,8 +1199,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1397,8 +1389,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index edf7e2f5cee..83bf8c9abeb 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -67,8 +67,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -287,8 +285,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -1012,8 +1008,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1129,8 +1123,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1186,8 +1178,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (repo-audits) id: download_cache_repo_audits uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 3a22ef4f2f4..e5261570e6c 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -274,8 +272,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -981,8 +977,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1095,8 +1089,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 8bfdb3aa0ab..1237ce81215 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -286,8 +284,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1019,8 +1015,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1133,8 +1127,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1190,8 +1182,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (focus-areas) id: download_cache_focus_areas uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index b03680e7f43..1e85d0e0aeb 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -67,8 +67,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -284,8 +282,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1007,8 +1003,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1121,8 +1115,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 7d285073495..f6447a2871b 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -286,8 +284,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1153,8 +1149,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1266,8 +1260,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1323,8 +1315,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index f7a76dffbf3..27afa4c03e3 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -281,8 +279,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1061,8 +1057,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1174,8 +1168,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1231,8 +1223,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 95a1da2bf09..0f4f3166a14 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml 
@@ -131,8 +131,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -413,8 +411,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1295,8 +1291,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1407,8 +1401,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1468,8 +1460,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1525,8 +1515,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/security-alert-burndown.campaign.g.lock.yml b/.github/workflows/security-alert-burndown.campaign.g.lock.yml index 35d099bfe40..6b73acd15aa 100644 --- a/.github/workflows/security-alert-burndown.campaign.g.lock.yml +++ b/.github/workflows/security-alert-burndown.campaign.g.lock.yml 
@@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -273,8 +271,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1440,8 +1436,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1546,8 +1540,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1632,7 +1624,6 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: ${GH_AW_HOME}/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index ae5e29a30b6..41a965528da 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -72,8 +72,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -311,8 +309,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -1074,8 +1070,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1181,8 +1175,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1262,8 +1254,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index c3b889c2dd0..54b07b0e85e 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -76,8 +76,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -329,8 +327,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1196,8 +1192,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1298,8 +1292,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -1355,8 +1347,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1412,8 +1402,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index e5deae8ea5a..375484cf8fc 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -279,8 +277,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1143,8 +1139,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1255,8 +1249,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 24b349ac1e8..57da5a32944 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml 
@@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -287,8 +285,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1099,8 +1095,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1217,8 +1211,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1274,8 +1266,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index e28fef1bec1..7c6fad18542 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -67,8 +67,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -298,8 +296,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -1107,8 +1103,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1225,8 +1219,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1289,8 +1281,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1375,8 +1365,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/smoke-agent.lock.yml b/.github/workflows/smoke-agent.lock.yml index fc011dbc6bb..d23d7e18fe5 100644 --- a/.github/workflows/smoke-agent.lock.yml +++ b/.github/workflows/smoke-agent.lock.yml @@ -74,8 +74,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -304,8 +302,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1058,8 +1054,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1179,8 +1173,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1232,8 +1224,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 0aa33b09cc2..b29355be951 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -88,8 +88,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -682,8 +680,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -2702,8 +2698,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2823,8 +2817,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -2880,8 +2872,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -2966,8 +2956,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 06e2ba64f07..9d2e5cb9100 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -81,8 +81,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -343,8 +341,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1562,8 +1558,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1681,8 +1675,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1733,8 +1725,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1790,8 +1780,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index e419c576f1c..a6337648dd9 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -80,8 +80,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -348,8 +346,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -2098,8 +2094,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2220,8 +2214,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -2273,8 +2265,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -2366,8 +2356,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 19583d4209c..a2343301b06 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -82,8 +82,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -351,8 +349,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -2151,8 +2147,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2273,8 +2267,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -2326,8 +2318,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -2419,8 +2409,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index a14e86ff41f..8d9768e8560 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml @@ -75,8 +75,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -312,8 +310,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1192,8 +1188,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1327,8 +1321,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1384,7 +1376,6 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: ${GH_AW_HOME}/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index eb0096008bf..cc7d634599e 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml 
@@ -81,8 +81,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -337,8 +335,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1281,8 +1277,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1400,8 +1394,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1452,8 +1444,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1509,8 +1499,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index 68494454271..2439655282f 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -76,8 +76,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -321,8 +319,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1135,8 +1131,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1271,8 +1265,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1325,8 +1317,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index 41198343873..32d9a57d28a 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -74,8 +74,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -320,8 +318,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1568,8 +1564,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1704,8 +1698,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1761,7 +1753,6 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: ${GH_AW_HOME}/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index b135b20b2cc..8d0ccbc17dc 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -74,8 +74,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -316,8 +314,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1155,8 +1151,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1275,8 +1269,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1327,8 +1319,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 562406f3daf..327bf045ccc 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -76,8 +76,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -305,8 +303,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1033,8 +1029,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1153,8 +1147,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1203,8 +1195,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index 31eba2f4c72..aa9762efb7f 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml @@ -75,8 +75,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -319,8 +317,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1194,8 +1190,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1315,8 +1309,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1372,7 +1364,6 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: ${GH_AW_HOME}/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output @@ -1459,8 +1450,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index 6a984ffb1d9..edddeb29658 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml @@ -67,8 +67,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -273,8 +271,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -996,8 +992,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1094,8 +1088,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1144,8 +1136,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 701d6480939..1d7de7183a8 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -74,8 +74,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -309,8 +307,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1152,8 +1148,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1267,8 +1261,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1324,8 +1316,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1368,8 +1358,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 1a5f9441d5d..c78c5034687 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -282,8 +280,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1135,8 +1131,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1248,8 +1242,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1305,8 +1297,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 4677e06a0ad..be3b712034f 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -60,8 +60,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -273,8 +271,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1089,8 +1085,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1201,8 +1195,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1258,8 +1250,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index b9f0b42c321..b10acc2c7c7 100644 --- a/.github/workflows/sub-issue-closer.lock.yml 
+++ b/.github/workflows/sub-issue-closer.lock.yml @@ -60,8 +60,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -267,8 +265,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1096,8 +1092,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1211,8 +1205,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index dc44323995f..8d383a73a13 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -290,8 +288,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1041,8 +1037,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1154,8 +1148,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1257,8 +1249,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 03f9f53ab9a..42841fade81 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -67,8 +67,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -308,8 +306,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1226,8 +1222,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1350,8 +1344,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1438,8 +1430,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1524,8 +1514,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1568,8 +1556,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 763a718ac37..5fd2272201c 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -274,8 +272,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -989,8 +985,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1103,8 +1097,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index 2a51393e272..6c673a887ab 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml 
@@ -57,8 +57,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -271,8 +269,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1076,8 +1072,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1207,8 +1201,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1293,8 +1285,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index f5400cc320b..d2b6516dedf 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -56,8 +56,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -260,8 +258,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -923,8 +919,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1033,8 +1027,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index def8b883953..d61c2587b99 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -56,8 +56,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -259,8 +257,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1182,8 +1178,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1293,7 +1287,6 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: ${GH_AW_HOME}/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output diff --git a/.github/workflows/test-workflow.lock.yml b/.github/workflows/test-workflow.lock.yml index 44003459d76..1b32b82cdcc 100644 --- a/.github/workflows/test-workflow.lock.yml +++ b/.github/workflows/test-workflow.lock.yml 
@@ -61,8 +61,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -249,8 +247,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index c9b7121c8ee..531e4b9a418 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -84,8 +84,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -325,8 +323,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1154,8 +1150,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1272,8 +1266,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1335,8 +1327,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 2d48bc502b0..a4abf8c598b 100644 
--- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -278,8 +276,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1071,8 +1067,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1184,8 +1178,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 541aae38514..d4db1553575 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -277,8 +275,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1036,8 +1032,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1154,8 +1148,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1218,8 +1210,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 6a29d5d7714..865ee3eafd1 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -80,8 +80,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -332,8 +330,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Create gh-aw temp directory run: | bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh @@ -1339,8 +1335,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1455,8 +1449,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1520,8 +1512,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1606,8 +1596,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1650,8 +1638,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 8f1febd77ef..507abcb6c0b 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -66,8 +66,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -280,8 +278,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1033,8 +1029,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1146,8 +1140,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index b32ac77464f..2a969bee39b 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml 
@@ -60,8 +60,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -274,8 +272,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1091,8 +1087,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1229,8 +1223,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1316,8 +1308,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 80eb58eafdc..d22467aab22 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -292,8 +290,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -1064,8 +1060,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1182,8 +1176,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1239,8 +1231,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 @@ -1283,8 +1273,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 378da312697..0f23bb97571 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -60,8 +60,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -272,8 +270,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -994,8 +990,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1132,8 +1126,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 949387be0c6..7a56c152560 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -69,8 +69,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -311,8 +309,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1138,8 +1134,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1239,8 +1233,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1305,8 +1297,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true 
@@ -1379,8 +1369,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Unlock issue after agent workflow id: unlock-issue if: ((github.event_name == 'issues') || (github.event_name == 'issue_comment')) && (needs.activation.outputs.issue_locked == 'true') diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 4e97856fe01..98d6003e4f0 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -66,8 +66,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -292,8 +290,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1238,8 +1234,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1338,8 +1332,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1376,8 +1368,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -1461,8 +1451,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index edd1fa18b79..5ed5b918659 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -276,8 +274,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1071,8 +1067,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1189,8 +1183,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 172e9ba96af..d1704f5dbbe 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: 
@@ -275,8 +273,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1084,8 +1080,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1200,8 +1194,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true diff --git a/pkg/workflow/compiler_yaml_helpers.go b/pkg/workflow/compiler_yaml_helpers.go index b41df747950..54cf679965c 100644 --- a/pkg/workflow/compiler_yaml_helpers.go +++ b/pkg/workflow/compiler_yaml_helpers.go @@ -264,7 +264,7 @@ func generateInlineGitHubScriptStep(stepName, script, condition string) string { // // Parameters: // - setupActionRef: The action reference for setup action (e.g., "./actions/setup" or "github/gh-aw/actions/setup@sha") -// - destination: The destination path where files should be copied (e.g., SetupActionDestination) +// - destination: Unused. Kept for API compatibility. The setup action defaults to /opt/gh-aw/actions. // - enableCustomTokens: Whether to enable custom-token support (installs @actions/github so handler_auth.cjs can create per-handler Octokit clients) // // Returns a slice of strings representing the YAML lines for the setup step. 
@@ -275,23 +275,23 @@ func (c *Compiler) generateSetupStep(setupActionRef string, destination string, " - name: Setup Scripts\n", " run: |\n", " bash /tmp/gh-aw/actions-source/actions/setup/setup.sh\n", - " env:\n", - fmt.Sprintf(" INPUT_DESTINATION: %s\n", destination), } if enableCustomTokens { + lines = append(lines, " env:\n") lines = append(lines, " INPUT_SAFE_OUTPUT_CUSTOM_TOKENS: 'true'\n") } return lines } - // Dev/Release mode: use the setup action + // Dev/Release mode: use the setup action. + // The destination defaults to /opt/gh-aw/actions in action.yml, which setup.sh uses + // to derive GH_AW_HOME and export it to $GITHUB_ENV for subsequent steps. lines := []string{ " - name: Setup Scripts\n", fmt.Sprintf(" uses: %s\n", setupActionRef), - " with:\n", - fmt.Sprintf(" destination: %s\n", destination), } if enableCustomTokens { + lines = append(lines, " with:\n") lines = append(lines, " safe-output-custom-tokens: 'true'\n") } return lines diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden index 70391a7dbdb..3abfbd75068 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden @@ -32,8 +32,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -225,8 +223,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
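Review bot: The script-mode branch no longer sets `INPUT_DESTINATION`, but the new comment justifies the removal by the default in action.yml, which applies only when the step runs through `uses:`. The `bash /tmp/gh-aw/actions-source/actions/setup/setup.sh` path bypasses action.yml, so setup.sh needs its own fallback, which is not visible in this hunk. I would record that next to the script-mode lines, e.g. `// setup.sh is run directly here, so it must default the destination itself when INPUT_DESTINATION is unset`, and confirm the script does so. The `destination` parameter is now silently ignored, so a line such as `_ = destination // ignored: setup.sh derives the path and exports GH_AW_HOME` would make that explicit in the body, whose signature and closing brace lie outside the hunk. The value exported to `$GITHUB_ENV` is presumably what the later github-script steps pass to `require()` with a token in scope, so the comment should also say that on self-hosted runners the directory must not be writable by other jobs.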
@@ -494,8 +490,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden index 42a0da2d7fe..4a156e463fe 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden @@ -46,8 +46,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -313,8 +311,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -672,8 +668,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden index 24fdf0121eb..9fb1a206bd5 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden 
@@ -32,8 +32,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -228,8 +226,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -497,8 +493,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: ${GH_AW_HOME}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 From 555d5c7b4479927acac267c8c849fa179830e509 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Mar 2026 04:13:27 +0000 Subject: [PATCH 05/12] fix: use process.env.GH_AW_HOME in require() calls in safe-outputs and threat detection steps The safe_outputs_jobs.go buildGitHubScriptStep/buildGitHubScriptStepWithoutDownload and threat_detection.go buildSetupScriptRequire were generating JS require() calls with single-quoted strings: require('${GH_AW_HOME}/actions/...cjs') In Node.js single-quoted strings are not interpolated, so ${GH_AW_HOME} was treated as a literal (not the env var), causing MODULE_NOT_FOUND errors. Fixed by using JsRequireGhAw() helper which produces: require(process.env.GH_AW_HOME + '/actions/...cjs') Also updated threat_detection_test.go to assert the correct pattern. Recompiled all 166 lock files. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../agent-performance-analyzer.lock.yml | 20 ++++++------- .../workflows/agent-persona-explorer.lock.yml | 20 ++++++------- .github/workflows/ai-moderator.lock.yml | 16 +++++------ .github/workflows/archie.lock.yml | 20 ++++++------- .github/workflows/artifacts-summary.lock.yml | 20 ++++++------- .github/workflows/audit-workflows.lock.yml | 24 ++++++++-------- .github/workflows/auto-triage-issues.lock.yml | 20 ++++++------- .github/workflows/blog-auditor.lock.yml | 20 ++++++------- .github/workflows/bot-detection.lock.yml | 16 +++++------ .github/workflows/brave.lock.yml | 20 ++++++------- .../breaking-change-checker.lock.yml | 20 ++++++------- .github/workflows/changeset.lock.yml | 20 ++++++------- .github/workflows/ci-coach.lock.yml | 24 ++++++++-------- .github/workflows/ci-doctor.lock.yml | 20 ++++++------- .../claude-code-user-docs-review.lock.yml | 20 ++++++------- .../cli-consistency-checker.lock.yml | 20 ++++++------- .../workflows/cli-version-checker.lock.yml | 20 ++++++------- .github/workflows/cloclo.lock.yml | 24 ++++++++-------- .../workflows/code-scanning-fixer.lock.yml | 24 
++++++++-------- .github/workflows/code-simplifier.lock.yml | 24 ++++++++-------- .../commit-changes-analyzer.lock.yml | 20 ++++++------- .../constraint-solving-potd.lock.yml | 20 ++++++------- .github/workflows/contribution-check.lock.yml | 20 ++++++------- .../workflows/copilot-agent-analysis.lock.yml | 20 ++++++------- .../copilot-cli-deep-research.lock.yml | 20 ++++++------- .../copilot-pr-merged-report.lock.yml | 20 ++++++------- .../copilot-pr-nlp-analysis.lock.yml | 24 ++++++++-------- .../copilot-pr-prompt-analysis.lock.yml | 20 ++++++------- .../copilot-session-insights.lock.yml | 24 ++++++++-------- .github/workflows/craft.lock.yml | 20 ++++++------- .../daily-architecture-diagram.lock.yml | 24 ++++++++-------- .../daily-assign-issue-to-user.lock.yml | 20 ++++++------- .github/workflows/daily-choice-test.lock.yml | 20 ++++++------- .../workflows/daily-cli-performance.lock.yml | 20 ++++++------- .../workflows/daily-cli-tools-tester.lock.yml | 20 ++++++------- .github/workflows/daily-code-metrics.lock.yml | 24 ++++++++-------- .../workflows/daily-compiler-quality.lock.yml | 20 ++++++------- .../daily-copilot-token-report.lock.yml | 24 ++++++++-------- .github/workflows/daily-doc-healer.lock.yml | 24 ++++++++-------- .github/workflows/daily-doc-updater.lock.yml | 24 ++++++++-------- .github/workflows/daily-fact.lock.yml | 20 ++++++------- .github/workflows/daily-file-diet.lock.yml | 20 ++++++------- .../workflows/daily-firewall-report.lock.yml | 24 ++++++++-------- .../workflows/daily-issues-report.lock.yml | 24 ++++++++-------- .../daily-malicious-code-scan.lock.yml | 16 +++++------ .../daily-mcp-concurrency-analysis.lock.yml | 20 ++++++------- .../daily-multi-device-docs-tester.lock.yml | 24 ++++++++-------- .github/workflows/daily-news.lock.yml | 24 ++++++++-------- .../daily-observability-report.lock.yml | 20 ++++++------- .../daily-performance-summary.lock.yml | 24 ++++++++-------- .github/workflows/daily-regulatory.lock.yml | 20 ++++++------- 
.../daily-rendering-scripts-verifier.lock.yml | 24 ++++++++-------- .../workflows/daily-repo-chronicle.lock.yml | 24 ++++++++-------- .../daily-safe-output-optimizer.lock.yml | 20 ++++++------- .../daily-safe-outputs-conformance.lock.yml | 20 ++++++------- .../workflows/daily-secrets-analysis.lock.yml | 20 ++++++------- .../daily-security-red-team.lock.yml | 20 ++++++------- .github/workflows/daily-semgrep-scan.lock.yml | 20 ++++++------- .../daily-syntax-error-quality.lock.yml | 20 ++++++------- .../daily-team-evolution-insights.lock.yml | 20 ++++++------- .github/workflows/daily-team-status.lock.yml | 20 ++++++------- .../daily-testify-uber-super-expert.lock.yml | 20 ++++++------- .../workflows/daily-workflow-updater.lock.yml | 24 ++++++++-------- .github/workflows/dead-code-remover.lock.yml | 24 ++++++++-------- .github/workflows/deep-report.lock.yml | 24 ++++++++-------- .github/workflows/delight.lock.yml | 20 ++++++------- .github/workflows/dependabot-burner.lock.yml | 20 ++++++------- .../workflows/dependabot-go-checker.lock.yml | 20 ++++++------- .github/workflows/dev-hawk.lock.yml | 20 ++++++------- .github/workflows/dev.lock.yml | 20 ++++++------- .../developer-docs-consolidator.lock.yml | 24 ++++++++-------- .github/workflows/dictation-prompt.lock.yml | 24 ++++++++-------- .../workflows/discussion-task-miner.lock.yml | 20 ++++++------- .github/workflows/docs-noob-tester.lock.yml | 24 ++++++++-------- .github/workflows/draft-pr-cleanup.lock.yml | 20 ++++++------- .../duplicate-code-detector.lock.yml | 20 ++++++------- .../example-workflow-analyzer.lock.yml | 20 ++++++------- .github/workflows/firewall-escape.lock.yml | 20 ++++++------- .../workflows/functional-pragmatist.lock.yml | 24 ++++++++-------- .../github-mcp-structural-analysis.lock.yml | 24 ++++++++-------- .../github-mcp-tools-report.lock.yml | 24 ++++++++-------- .../github-remote-mcp-auth-test.lock.yml | 20 ++++++------- .../workflows/glossary-maintainer.lock.yml | 24 ++++++++-------- 
.github/workflows/go-fan.lock.yml | 20 ++++++------- .github/workflows/go-logger.lock.yml | 24 ++++++++-------- .../workflows/go-pattern-detector.lock.yml | 20 ++++++------- .github/workflows/gpclean.lock.yml | 20 ++++++------- .github/workflows/grumpy-reviewer.lock.yml | 20 ++++++------- .github/workflows/hourly-ci-cleaner.lock.yml | 24 ++++++++-------- .../workflows/instructions-janitor.lock.yml | 24 ++++++++-------- .github/workflows/issue-arborist.lock.yml | 20 ++++++------- .github/workflows/issue-monster.lock.yml | 20 ++++++------- .github/workflows/issue-triage-agent.lock.yml | 20 ++++++------- .github/workflows/jsweep.lock.yml | 24 ++++++++-------- .../workflows/layout-spec-maintainer.lock.yml | 24 ++++++++-------- .github/workflows/lockfile-stats.lock.yml | 20 ++++++------- .github/workflows/mcp-inspector.lock.yml | 20 ++++++------- .github/workflows/mergefest.lock.yml | 20 ++++++------- .../workflows/notion-issue-summary.lock.yml | 16 +++++------ .github/workflows/org-health-report.lock.yml | 24 ++++++++-------- .github/workflows/pdf-summary.lock.yml | 20 ++++++------- .github/workflows/plan.lock.yml | 20 ++++++------- .github/workflows/poem-bot.lock.yml | 28 +++++++++---------- .github/workflows/portfolio-analyst.lock.yml | 24 ++++++++-------- .../workflows/pr-nitpick-reviewer.lock.yml | 20 ++++++------- .github/workflows/pr-triage-agent.lock.yml | 20 ++++++------- .../prompt-clustering-analysis.lock.yml | 20 ++++++------- .github/workflows/python-data-charts.lock.yml | 24 ++++++++-------- .github/workflows/q.lock.yml | 24 ++++++++-------- .github/workflows/refiner.lock.yml | 24 ++++++++-------- .github/workflows/release.lock.yml | 20 ++++++------- .../workflows/repo-audit-analyzer.lock.yml | 20 ++++++------- .github/workflows/repo-tree-map.lock.yml | 20 ++++++------- .../repository-quality-improver.lock.yml | 20 ++++++------- .github/workflows/research.lock.yml | 20 ++++++------- .github/workflows/safe-output-health.lock.yml | 20 ++++++------- 
.../schema-consistency-checker.lock.yml | 20 ++++++------- .github/workflows/scout.lock.yml | 20 ++++++------- ...ecurity-alert-burndown.campaign.g.lock.yml | 20 ++++++------- .../workflows/security-compliance.lock.yml | 20 ++++++------- .github/workflows/security-review.lock.yml | 20 ++++++------- .../semantic-function-refactor.lock.yml | 20 ++++++------- .github/workflows/sergo.lock.yml | 20 ++++++------- .../workflows/slide-deck-maintainer.lock.yml | 24 ++++++++-------- .github/workflows/smoke-agent.lock.yml | 24 ++++++++-------- .github/workflows/smoke-claude.lock.yml | 24 ++++++++-------- .github/workflows/smoke-codex.lock.yml | 24 ++++++++-------- .github/workflows/smoke-copilot-arm.lock.yml | 24 ++++++++-------- .github/workflows/smoke-copilot.lock.yml | 24 ++++++++-------- .../smoke-create-cross-repo-pr.lock.yml | 28 +++++++++---------- .github/workflows/smoke-gemini.lock.yml | 24 ++++++++-------- .github/workflows/smoke-multi-pr.lock.yml | 28 +++++++++---------- .github/workflows/smoke-project.lock.yml | 28 +++++++++---------- .github/workflows/smoke-temporary-id.lock.yml | 24 ++++++++-------- .github/workflows/smoke-test-tools.lock.yml | 24 ++++++++-------- .../smoke-update-cross-repo-pr.lock.yml | 24 ++++++++-------- .../workflows/smoke-workflow-call.lock.yml | 20 ++++++------- .../workflows/stale-repo-identifier.lock.yml | 24 ++++++++-------- .../workflows/static-analysis-report.lock.yml | 20 ++++++------- .../workflows/step-name-alignment.lock.yml | 20 ++++++------- .github/workflows/sub-issue-closer.lock.yml | 20 ++++++------- .github/workflows/super-linter.lock.yml | 20 ++++++------- .../workflows/technical-doc-writer.lock.yml | 28 +++++++++---------- .github/workflows/terminal-stylist.lock.yml | 20 ++++++------- .../test-create-pr-error-handling.lock.yml | 24 ++++++++-------- .github/workflows/test-dispatcher.lock.yml | 20 ++++++------- .../test-project-url-default.lock.yml | 20 ++++++------- .github/workflows/tidy.lock.yml | 24 ++++++++-------- 
.github/workflows/typist.lock.yml | 20 ++++++------- .../workflows/ubuntu-image-analyzer.lock.yml | 24 ++++++++-------- .github/workflows/unbloat-docs.lock.yml | 28 +++++++++---------- .github/workflows/video-analyzer.lock.yml | 20 ++++++------- .../weekly-editors-health-check.lock.yml | 28 +++++++++---------- .../workflows/weekly-issue-summary.lock.yml | 24 ++++++++-------- .../weekly-safe-outputs-spec-review.lock.yml | 24 ++++++++-------- .github/workflows/workflow-generator.lock.yml | 20 ++++++------- .../workflow-health-manager.lock.yml | 20 ++++++------- .../workflows/workflow-normalizer.lock.yml | 20 ++++++------- .../workflow-skill-extractor.lock.yml | 20 ++++++------- pkg/workflow/safe_outputs_jobs.go | 8 +++--- pkg/workflow/threat_detection.go | 4 +-- pkg/workflow/threat_detection_test.go | 2 +- 162 files changed, 1727 insertions(+), 1727 deletions(-) diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 24fd8266235..1455e555700 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -1119,9 +1119,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1255,9 +1255,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1268,9 +1268,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1293,9 +1293,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1310,9 +1310,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index ad699583719..6b8b1ea775f 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -963,9 +963,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1097,9 +1097,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1110,9 +1110,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1133,9 +1133,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1150,9 +1150,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index 1b8ed37f081..77c79e96e66 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml 
@@ -1003,9 +1003,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1016,9 +1016,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1036,9 +1036,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1053,9 +1053,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 7458c681e4e..c476681b2b7 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -933,9 +933,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1068,9 +1068,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1081,9 +1081,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1102,9 +1102,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1119,9 +1119,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 8d5d3908c3c..5cfe79f5e21 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml 
@@ -866,9 +866,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1000,9 +1000,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1013,9 +1013,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1035,9 +1035,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1052,9 +1052,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index a832773b90d..298681dc294 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -1133,9 +1133,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1281,9 +1281,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1295,9 +1295,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1321,9 +1321,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1339,9 +1339,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1598,8 +1598,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index d8cb085d7f5..8d972c90ec5 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -943,9 +943,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1078,9 +1078,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1091,9 +1091,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1113,9 +1113,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1130,9 +1130,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 307108aa047..2f3f1c30bbf 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -971,9 +971,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1116,9 +1116,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1130,9 +1130,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1153,9 +1153,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1171,9 +1171,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml index eb416b2dce4..55929187139 100644 --- a/.github/workflows/bot-detection.lock.yml +++ b/.github/workflows/bot-detection.lock.yml 
@@ -1039,9 +1039,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1052,9 +1052,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1073,9 +1073,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1090,9 +1090,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); precompute: diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index fec93a24f62..b204d334dd0 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -921,9 +921,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1056,9 +1056,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1069,9 +1069,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1090,9 +1090,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1107,9 +1107,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 272614f343c..4b4aa3e93c3 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml 
@@ -910,9 +910,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1044,9 +1044,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1058,9 +1058,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1080,9 +1080,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1098,9 +1098,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index ad174ddd0a0..6bafb14c404 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -1005,9 +1005,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1104,9 +1104,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1117,9 +1117,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1139,9 +1139,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1156,9 +1156,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 69967f56f17..1578c56e130 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -970,9 +970,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1106,9 +1106,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1120,9 +1120,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1143,9 +1143,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1161,9 +1161,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error 
@@ -1176,9 +1176,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 33df7a7c7de..034764bd6ae 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -1135,9 +1135,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1272,9 +1272,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1287,9 +1287,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1311,9 +1311,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1330,9 +1330,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 75cacee334e..a881604ef8a 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml 
@@ -931,9 +931,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1077,9 +1077,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1091,9 +1091,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1114,9 +1114,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1132,9 +1132,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 7f43c074840..860445c0304 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -879,9 +879,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1012,9 +1012,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1025,9 +1025,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1045,9 +1045,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1062,9 +1062,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 148063a635d..e519f5b36d6 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -965,9 +965,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1109,9 +1109,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1122,9 +1122,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1142,9 +1142,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1159,9 +1159,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 07cc65e041e..9dd296f9774 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml 
@@ -1274,9 +1274,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1420,9 +1420,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1433,9 +1433,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1456,9 +1456,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1473,9 +1473,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1487,9 +1487,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 9f7fbb760d9..9c94f40ee56 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml 
@@ -995,9 +995,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1131,9 +1131,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1144,9 +1144,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1169,9 +1169,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1186,9 +1186,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1200,9 +1200,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 7ebeea204c3..ecb49c30f81 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml 
@@ -903,9 +903,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1037,9 +1037,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1051,9 +1051,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1075,9 +1075,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1093,9 +1093,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1108,9 +1108,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 502702aaa89..45b60c02cdb 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml 
@@ -913,9 +913,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1057,9 +1057,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1070,9 +1070,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1092,9 +1092,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1109,9 +1109,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index fd9bc741b51..9292cfbac25 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml @@ -867,9 +867,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1001,9 +1001,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1014,9 +1014,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1036,9 +1036,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1053,9 +1053,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 33799659b08..4e40f429a2c 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -980,9 +980,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1114,9 +1114,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1127,9 +1127,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1148,9 +1148,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1165,9 +1165,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index f4e5724cab1..db3bb060581 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml 
@@ -1002,9 +1002,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1148,9 +1148,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1161,9 +1161,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1186,9 +1186,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1203,9 +1203,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index d5e76d0adae..639164be9a5 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -936,9 +936,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1071,9 +1071,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1084,9 +1084,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1109,9 +1109,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1126,9 +1126,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index 7f2b221ca46..e649cf0cf90 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -1035,9 +1035,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1170,9 +1170,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1183,9 +1183,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1205,9 +1205,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1222,9 +1222,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 02d6e7848f1..2efb4eab56b 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml 
@@ -1038,9 +1038,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1175,9 +1175,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1188,9 +1188,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1213,9 +1213,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1230,9 +1230,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1487,8 +1487,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index f8451234a19..6850f609a08 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml 
@@ -955,9 +955,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1091,9 +1091,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1104,9 +1104,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1129,9 +1129,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1146,9 +1146,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 89a101d40fe..eadf6bbb93e 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -1088,9 +1088,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1235,9 +1235,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1248,9 +1248,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1273,9 +1273,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1290,9 +1290,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1547,8 +1547,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index f918453863e..3c1d48acf69 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -964,9 +964,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1099,9 +1099,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1112,9 +1112,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1135,9 +1135,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1152,9 +1152,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index b4e1d7f64a4..28d99049b6c 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml @@ -996,9 +996,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1131,9 +1131,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1144,9 +1144,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1166,9 +1166,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1183,9 +1183,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error 
@@ -1197,9 +1197,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 16db1892b56..b91cbb8bb46 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -910,9 +910,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1045,9 +1045,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1058,9 +1058,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1078,9 +1078,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1095,9 +1095,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 3bdaca6c84c..1d27ce7db42 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml 
@@ -870,9 +870,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1012,9 +1012,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1026,9 +1026,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1047,9 +1047,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1065,9 +1065,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 871ee393b27..a2bacb668f0 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -1140,9 +1140,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1277,9 +1277,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1291,9 +1291,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1315,9 +1315,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1333,9 +1333,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index e52a4282118..927b657924c 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -952,9 +952,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1084,9 +1084,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1097,9 +1097,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1118,9 +1118,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1135,9 +1135,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index a7e6048f196..7b0e34f0f70 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml 
@@ -1062,9 +1062,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1210,9 +1210,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1224,9 +1224,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1250,9 +1250,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1268,9 +1268,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1527,8 +1527,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index b81de6fc063..7050fab4580 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml 
@@ -920,9 +920,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1056,9 +1056,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1070,9 +1070,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1093,9 +1093,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1111,9 +1111,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index a1aebbf73c9..00005b1f049 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -1046,9 +1046,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1184,9 +1184,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1198,9 +1198,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1224,9 +1224,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1242,9 +1242,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1501,8 +1501,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index 72b8c5b0ab1..1fb2943ffa8 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml @@ -1063,9 +1063,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1209,9 +1209,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1223,9 +1223,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1246,9 +1246,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1264,9 +1264,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1279,9 +1279,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index d677b9379bf..679aef14d97 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -982,9 +982,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1128,9 +1128,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1142,9 +1142,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1165,9 +1165,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1183,9 +1183,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1198,9 +1198,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 4d4c5e43cf2..b5bbfa68df1 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -835,9 +835,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -951,9 +951,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -965,9 +965,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -987,9 +987,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1005,9 +1005,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index a77270f8b83..5823c7f317a 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -928,9 +928,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1062,9 +1062,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1076,9 +1076,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1097,9 +1097,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1115,9 +1115,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index c343e23237a..6f77f06c9de 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml 
@@ -1038,9 +1038,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1174,9 +1174,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1188,9 +1188,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1212,9 +1212,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1230,9 +1230,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1419,8 +1419,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 7710395f3b4..88087cd7d84 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml 
@@ -1055,9 +1055,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1178,9 +1178,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1192,9 +1192,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1215,9 +1215,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1233,9 +1233,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1451,8 +1451,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index 082ce19494f..88ad183fc38 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml 
@@ -914,9 +914,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -928,9 +928,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -949,9 +949,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -967,9 +967,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index 9ff55b138ef..81f68953c73 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -982,9 +982,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1117,9 +1117,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1131,9 +1131,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1152,9 +1152,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1170,9 +1170,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index e23e7c2f27e..d102305797e 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml 
@@ -1058,9 +1058,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1203,9 +1203,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1217,9 +1217,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1238,9 +1238,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1256,9 +1256,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1405,8 +1405,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 8115615f064..58630a91028 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml 
@@ -1107,9 +1107,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1245,9 +1245,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1259,9 +1259,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1285,9 +1285,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1303,9 +1303,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1562,8 +1562,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 347da29724b..f87e1b86c69 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml 
@@ -1014,9 +1014,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1135,9 +1135,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1149,9 +1149,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1172,9 +1172,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1190,9 +1190,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 75de298bf86..b4f99ee24a3 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -1522,9 +1522,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1658,9 +1658,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1672,9 +1672,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1696,9 +1696,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1714,9 +1714,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1903,8 +1903,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 2be87cefaa7..2ed4c4bded8 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -1421,9 +1421,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1555,9 +1555,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1569,9 +1569,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1593,9 +1593,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1611,9 +1611,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index 677c4fe3a6f..37c808a1990 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -1066,9 +1066,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1212,9 +1212,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1226,9 +1226,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1249,9 +1249,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1267,9 +1267,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error 
@@ -1282,9 +1282,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 254bdd92b19..5dc8568d236 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -968,9 +968,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1105,9 +1105,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1119,9 +1119,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1142,9 +1142,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1160,9 +1160,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: 
@@ -1349,8 +1349,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 71de1b526c7..4071420f7a1 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -1054,9 +1054,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1198,9 +1198,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1211,9 +1211,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1231,9 +1231,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1248,9 +1248,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index 2143abc4a45..25a81a81b22 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml 
@@ -929,9 +929,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1073,9 +1073,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1087,9 +1087,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1108,9 +1108,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1126,9 +1126,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index e3f3995eb3c..5429bcc9a33 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -934,9 +934,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1069,9 +1069,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1083,9 +1083,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1106,9 +1106,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1124,9 +1124,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index 2312e54e959..3c42796b81f 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -933,9 +933,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1077,9 +1077,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1091,9 +1091,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1112,9 +1112,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1130,9 +1130,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 386ffaf6506..917fdfb8f17 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml 
@@ -922,9 +922,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1054,9 +1054,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1067,9 +1067,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1088,9 +1088,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1105,9 +1105,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index 4ffc98d8780..325cb38c95a 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -908,9 +908,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1042,9 +1042,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1056,9 +1056,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1077,9 +1077,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1095,9 +1095,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index 84d5e054a13..39a7f836155 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -910,9 +910,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1055,9 +1055,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1069,9 +1069,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1092,9 +1092,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1110,9 +1110,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index 2a46a1c1f7e..f4ff5641a36 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml 
@@ -900,9 +900,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1035,9 +1035,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1051,9 +1051,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1075,9 +1075,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1095,9 +1095,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index 660d8134161..93a6d9bec2b 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml 
@@ -975,9 +975,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1110,9 +1110,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1124,9 +1124,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1148,9 +1148,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1166,9 +1166,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 7006cde2582..bc9cd74a61e 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -884,9 +884,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1019,9 +1019,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1033,9 +1033,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1056,9 +1056,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1074,9 +1074,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1089,9 +1089,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index 150e95cea85..5bc642c0a6c 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -929,9 +929,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1064,9 +1064,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1077,9 +1077,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1099,9 +1099,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1116,9 +1116,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1130,9 +1130,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index b9fa26e89ce..5f84512cc19 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -1158,9 +1158,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1282,9 +1282,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1296,9 +1296,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1322,9 +1322,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1340,9 +1340,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1601,8 +1601,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 56ac42f3f45..38f15a87567 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -1024,9 +1024,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1160,9 +1160,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1174,9 +1174,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1201,9 +1201,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1219,9 +1219,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index 8c8a0d16e84..cbc5a87072a 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -885,9 +885,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1017,9 +1017,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1030,9 +1030,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1051,9 +1051,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1068,9 +1068,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index a9465ae203e..c24d66885b7 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml 
@@ -934,9 +934,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1066,9 +1066,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1079,9 +1079,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1100,9 +1100,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1117,9 +1117,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 18aace62d1f..d8eb60d949d 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -970,9 +970,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1105,9 +1105,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1118,9 +1118,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1139,9 +1139,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1156,9 +1156,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index 1e6d1da6697..ead75bdeae9 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -876,9 +876,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1009,9 +1009,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1022,9 +1022,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1042,9 +1042,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1059,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index c15e28b769c..bf43d6757d4 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml 
@@ -1117,9 +1117,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1264,9 +1264,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1277,9 +1277,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1304,9 +1304,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1321,9 +1321,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1335,9 +1335,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); push_repo_memory: diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index b98321e7bd6..9f3f4b7c3bd 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml 
@@ -890,9 +890,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1024,9 +1024,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1037,9 +1037,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1059,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1076,9 +1076,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1090,9 +1090,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 4ee12c4f6e3..0b41af77569 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml 
@@ -1007,9 +1007,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1144,9 +1144,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1158,9 +1158,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1183,9 +1183,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1201,9 +1201,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 721f666f5e8..e57b4494701 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -924,9 +924,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1059,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1072,9 +1072,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1094,9 +1094,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1111,9 +1111,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1257,8 +1257,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index ca9590e7d73..9d5fe94bfc2 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -947,9 +947,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1082,9 +1082,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1095,9 +1095,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1116,9 +1116,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1133,9 +1133,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 36e1b235cdc..1fd9a1de590 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -927,9 +927,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1046,9 +1046,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1059,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1079,9 +1079,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1096,9 +1096,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 0951ea3218e..48af3363dcb 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml 
@@ -973,9 +973,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1117,9 +1117,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1130,9 +1130,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1152,9 +1152,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1169,9 +1169,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 2d4532d132d..d8758e4168e 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -950,9 +950,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1087,9 +1087,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1101,9 +1101,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1127,9 +1127,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1145,9 +1145,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); post-issue: diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index 637aaf6303f..e9ae88fd191 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -897,9 +897,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1031,9 +1031,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1045,9 +1045,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1069,9 +1069,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1087,9 +1087,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error 
@@ -1102,9 +1102,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 3be19f1c93b..c10daf66013 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -1015,9 +1015,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1161,9 +1161,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1174,9 +1174,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1196,9 +1196,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1213,9 +1213,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: 
@@ -1400,8 +1400,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 1c030058788..6d542f49399 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -1027,9 +1027,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1173,9 +1173,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1186,9 +1186,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1210,9 +1210,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1227,9 +1227,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error 
@@ -1241,9 +1241,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 8a0762e87da..67280a789d4 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -875,9 +875,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1008,9 +1008,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1021,9 +1021,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1044,9 +1044,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1061,9 +1061,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 48f8c324e22..972646b352f 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml 
@@ -1022,9 +1022,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1157,9 +1157,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1170,9 +1170,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1196,9 +1196,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1213,9 +1213,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1227,9 +1227,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); push_repo_memory: diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index 60ae6974868..e23a5177f3b 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml 
@@ -974,9 +974,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1120,9 +1120,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1134,9 +1134,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1157,9 +1157,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1175,9 +1175,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 5f12b60535d..d90e62c2f18 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -1150,9 +1150,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1295,9 +1295,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1308,9 +1308,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1330,9 +1330,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1347,9 +1347,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1361,9 +1361,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 46307926a35..a6e1253d815 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -944,9 +944,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1121,9 +1121,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1134,9 +1134,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1154,9 +1154,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1171,9 +1171,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index ffa0291529f..f57a69016d5 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -912,9 +912,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1045,9 +1045,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1058,9 +1058,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1079,9 +1079,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1096,9 +1096,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index fda25c2d903..c479128befc 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml 
@@ -1003,9 +1003,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1136,9 +1136,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1149,9 +1149,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1171,9 +1171,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1188,9 +1188,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index df540874e04..83f3e109ef1 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -947,9 +947,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1128,9 +1128,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1144,9 +1144,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1168,9 +1168,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1186,9 +1186,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1201,9 +1201,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 04a61a2a13f..f10397e5d9d 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -978,9 +978,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1123,9 +1123,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1136,9 +1136,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1158,9 +1158,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1175,9 +1175,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1189,9 +1189,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 3dd69fbc1c2..df8cd124615 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -1002,9 +1002,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1122,9 +1122,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1135,9 +1135,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1157,9 +1157,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1174,9 +1174,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index dc521059460..69c2ccdded7 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -937,9 +937,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1071,9 +1071,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1084,9 +1084,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1108,9 +1108,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1125,9 +1125,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index f105377fb65..cf118183a09 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml 
@@ -885,9 +885,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1019,9 +1019,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1032,9 +1032,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1052,9 +1052,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1069,9 +1069,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 1f74ba6c3e4..8519c59aa96 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -932,9 +932,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1067,9 +1067,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1081,9 +1081,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1105,9 +1105,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1123,9 +1123,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1138,9 +1138,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index 10a28435892..f843249aee1 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml 
@@ -926,9 +926,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1060,9 +1060,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1074,9 +1074,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1098,9 +1098,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1116,9 +1116,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1131,9 +1131,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 1d647d606d3..b60cec91011 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml 
@@ -934,9 +934,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1079,9 +1079,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1092,9 +1092,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1114,9 +1114,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1131,9 +1131,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 6e7bfe6d106..32f0a7d3302 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -1279,9 +1279,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1415,9 +1415,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1428,9 +1428,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1451,9 +1451,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1468,9 +1468,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); notion_add_comment: diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 490b0af7174..b52201d4483 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -947,9 +947,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1079,9 +1079,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1092,9 +1092,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1115,9 +1115,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1132,9 +1132,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 06fa41d99d3..e8ae145e198 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml 
@@ -850,9 +850,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -863,9 +863,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -884,9 +884,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -901,9 +901,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); notion_add_comment: diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 7ee5fb658c4..e4f359fc031 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -968,9 +968,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1103,9 +1103,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1116,9 +1116,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1139,9 +1139,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1156,9 +1156,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: 
@@ -1343,8 +1343,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 87c26784aa5..cc34fccd756 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -1032,9 +1032,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1167,9 +1167,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1180,9 +1180,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1204,9 +1204,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1221,9 +1221,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index e845f4a4a6f..2be5f592014 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml 
@@ -994,9 +994,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1127,9 +1127,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1140,9 +1140,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1161,9 +1161,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1178,9 +1178,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 4a23aedc774..1f8c0002fed 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -1700,9 +1700,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1836,9 +1836,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1851,9 +1851,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1877,9 +1877,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1894,9 +1894,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1908,9 +1908,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -2193,8 +2193,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index d7c1cf046c7..9b2d2e65e45 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml 
@@ -1049,9 +1049,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1185,9 +1185,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1199,9 +1199,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1223,9 +1223,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1241,9 +1241,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1430,8 +1430,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 3acd186badd..3c415602fd8 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml 
@@ -1104,9 +1104,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1239,9 +1239,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1252,9 +1252,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1276,9 +1276,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1293,9 +1293,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index cc2cef1cb8d..b97f0236b72 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -1025,9 +1025,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1160,9 +1160,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1173,9 +1173,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1198,9 +1198,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1215,9 +1215,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 147c004e91b..66e9d06fe03 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -1065,9 +1065,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1210,9 +1210,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1223,9 +1223,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1245,9 +1245,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1262,9 +1262,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index e9afdcbb4f0..08e1217417a 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml 
@@ -1037,9 +1037,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1172,9 +1172,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1185,9 +1185,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1208,9 +1208,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1225,9 +1225,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1412,8 +1412,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index f83d84d0911..8b09728ba0e 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml 
@@ -1143,9 +1143,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1278,9 +1278,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1291,9 +1291,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1315,9 +1315,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1332,9 +1332,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1346,9 +1346,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 2e745c9043c..9658db13818 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml 
@@ -967,9 +967,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1101,9 +1101,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1114,9 +1114,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1138,9 +1138,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1155,9 +1155,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1169,9 +1169,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 560c8fd5882..4a27a04ebef 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml 
@@ -888,9 +888,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1019,9 +1019,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1032,9 +1032,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1053,9 +1053,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1070,9 +1070,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); config: diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 83bf8c9abeb..7ced5799f74 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -897,9 +897,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1031,9 +1031,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1047,9 +1047,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1070,9 +1070,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1087,9 +1087,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index e5261570e6c..4b3f5bb1828 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -867,9 +867,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1000,9 +1000,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1013,9 +1013,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1036,9 +1036,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1053,9 +1053,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 1237ce81215..c5fe34f69c5 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml 
@@ -904,9 +904,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1038,9 +1038,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1051,9 +1051,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1074,9 +1074,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1091,9 +1091,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 1e85d0e0aeb..11e3de23fc2 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -893,9 +893,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1026,9 +1026,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1039,9 +1039,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1062,9 +1062,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1079,9 +1079,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index f6447a2871b..c6b2c09cc70 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -1027,9 +1027,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1172,9 +1172,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1185,9 +1185,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1207,9 +1207,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1224,9 +1224,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 27afa4c03e3..d9a6947ef49 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml 
@@ -935,9 +935,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1080,9 +1080,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1093,9 +1093,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1115,9 +1115,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1132,9 +1132,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 0f4f3166a14..465ec08673a 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -1168,9 +1168,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1314,9 +1314,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1327,9 +1327,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1348,9 +1348,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1365,9 +1365,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/security-alert-burndown.campaign.g.lock.yml b/.github/workflows/security-alert-burndown.campaign.g.lock.yml index 6b73acd15aa..a0cb4a274bb 100644 --- a/.github/workflows/security-alert-burndown.campaign.g.lock.yml +++ b/.github/workflows/security-alert-burndown.campaign.g.lock.yml @@ -1313,9 +1313,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1459,9 +1459,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1472,9 +1472,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1495,9 +1495,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1512,9 +1512,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index 41a965528da..e5081aa5867 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml 
@@ -960,9 +960,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1093,9 +1093,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1106,9 +1106,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1130,9 +1130,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1147,9 +1147,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 54b07b0e85e..0f52be82897 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -1082,9 +1082,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1215,9 +1215,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1228,9 +1228,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1250,9 +1250,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1267,9 +1267,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 375484cf8fc..1c0c0b2bbee 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -1019,9 +1019,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1162,9 +1162,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1175,9 +1175,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1195,9 +1195,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1212,9 +1212,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 57da5a32944..64d88935111 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml 
@@ -973,9 +973,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1119,9 +1119,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1133,9 +1133,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1156,9 +1156,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1174,9 +1174,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 7c6fad18542..e1f01f1bcde 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -992,9 +992,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1127,9 +1127,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1141,9 +1141,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1165,9 +1165,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1183,9 +1183,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1198,9 +1198,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/smoke-agent.lock.yml b/.github/workflows/smoke-agent.lock.yml index d23d7e18fe5..64cfb4601ee 100644 --- a/.github/workflows/smoke-agent.lock.yml +++ b/.github/workflows/smoke-agent.lock.yml @@ -956,9 +956,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1077,9 +1077,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1090,9 +1090,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1113,9 +1113,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1130,9 +1130,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1149,9 +1149,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index b29355be951..44bc5dca09b 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -2575,9 +2575,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -2721,9 +2721,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -2734,9 +2734,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -2757,9 +2757,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -2774,9 +2774,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -2793,9 +2793,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 9d2e5cb9100..5931461fe1c 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1459,9 +1459,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1581,9 +1581,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1594,9 +1594,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1615,9 +1615,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1632,9 +1632,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1651,9 +1651,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index a6337648dd9..c45e3dc5bba 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -1980,9 +1980,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -2117,9 +2117,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -2130,9 +2130,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -2154,9 +2154,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -2171,9 +2171,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -2190,9 +2190,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index a2343301b06..12d4ad007f7 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -2033,9 +2033,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -2170,9 +2170,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -2183,9 +2183,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -2207,9 +2207,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -2224,9 +2224,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -2243,9 +2243,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index 8d9768e8560..2373fd1a4d5 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml 
@@ -1076,9 +1076,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1211,9 +1211,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1224,9 +1224,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1247,9 +1247,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1264,9 +1264,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1278,9 +1278,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion 
@@ -1297,9 +1297,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index cc7d634599e..7ffa16aaf91 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -1167,9 +1167,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1300,9 +1300,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1313,9 +1313,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1334,9 +1334,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1351,9 +1351,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion 
@@ -1370,9 +1370,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index 2439655282f..d539047ef2c 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -1020,9 +1020,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1154,9 +1154,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1167,9 +1167,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1191,9 +1191,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1208,9 +1208,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error 
@@ -1222,9 +1222,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1241,9 +1241,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index 32d9a57d28a..f4bd0b8f7c1 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -1453,9 +1453,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1587,9 +1587,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1600,9 +1600,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1624,9 +1624,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1641,9 +1641,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1655,9 +1655,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1674,9 +1674,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index 8d0ccbc17dc..2bda9036455 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml 
@@ -1040,9 +1040,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1174,9 +1174,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1187,9 +1187,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1209,9 +1209,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1226,9 +1226,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1245,9 +1245,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 327bf045ccc..db860ac82c9 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml 
@@ -918,9 +918,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1052,9 +1052,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1065,9 +1065,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1087,9 +1087,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1104,9 +1104,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1123,9 +1123,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index aa9762efb7f..425053bf1f6 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml 
@@ -1077,9 +1077,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1213,9 +1213,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1226,9 +1226,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1249,9 +1249,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1266,9 +1266,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1285,9 +1285,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index edddeb29658..fdbf13b9e99 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml 
@@ -881,9 +881,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1015,9 +1015,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1028,9 +1028,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1050,9 +1050,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1067,9 +1067,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 1d7de7183a8..719f6cba15d 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -1037,9 +1037,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1171,9 +1171,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1184,9 +1184,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1206,9 +1206,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1223,9 +1223,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1413,8 +1413,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index c78c5034687..4c903ae2e22 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -1009,9 +1009,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1154,9 +1154,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1167,9 +1167,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1189,9 +1189,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1206,9 +1206,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index be3b712034f..d31c8240054 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -964,9 +964,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1108,9 +1108,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1121,9 +1121,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1141,9 +1141,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1158,9 +1158,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index b10acc2c7c7..da0a0f7448d 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml 
@@ -981,9 +981,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1115,9 +1115,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1128,9 +1128,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1149,9 +1149,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1166,9 +1166,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 8d383a73a13..ecc0f557bd5 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -927,9 +927,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1060,9 +1060,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1073,9 +1073,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1094,9 +1094,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1111,9 +1111,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 42841fade81..075f2742965 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -1108,9 +1108,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1245,9 +1245,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1258,9 +1258,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1285,9 +1285,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1302,9 +1302,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error 
@@ -1316,9 +1316,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); push_repo_memory: @@ -1611,8 +1611,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 5fd2272201c..40317adfb80 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -875,9 +875,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1008,9 +1008,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1021,9 +1021,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1044,9 +1044,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1061,9 +1061,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index 6c673a887ab..e071e3e89e9 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -950,9 +950,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1095,9 +1095,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1108,9 +1108,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1130,9 +1130,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1147,9 +1147,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error 
@@ -1161,9 +1161,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index d2b6516dedf..cdcaeb725fe 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -811,9 +811,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -942,9 +942,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -955,9 +955,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -976,9 +976,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -993,9 +993,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index d61c2587b99..e26a4f87b34 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml 
@@ -1070,9 +1070,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1201,9 +1201,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1214,9 +1214,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1235,9 +1235,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1252,9 +1252,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 531e4b9a418..ed29aae9a8a 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -1040,9 +1040,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1173,9 +1173,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1188,9 +1188,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1211,9 +1211,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1228,9 +1228,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1242,9 +1242,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index a4abf8c598b..5859759e2d1 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -946,9 +946,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1090,9 +1090,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1103,9 +1103,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1125,9 +1125,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1142,9 +1142,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index d4db1553575..f46a026363f 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -922,9 +922,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1056,9 +1056,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1070,9 +1070,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1094,9 +1094,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1112,9 +1112,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error 
@@ -1127,9 +1127,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 865ee3eafd1..22f7ace73e0 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -1211,9 +1211,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1358,9 +1358,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1371,9 +1371,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1394,9 +1394,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1411,9 +1411,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error 
@@ -1425,9 +1425,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1693,8 +1693,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 507abcb6c0b..d0b99eb855e 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -920,9 +920,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1052,9 +1052,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1065,9 +1065,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1086,9 +1086,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1103,9 +1103,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 2a969bee39b..4e31ef6aa94 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -976,9 +976,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1111,9 +1111,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1125,9 +1125,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1149,9 +1149,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1167,9 +1167,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error 
@@ -1182,9 +1182,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1363,8 +1363,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index d22467aab22..16ee36f8b3e 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -948,9 +948,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1084,9 +1084,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1098,9 +1098,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1121,9 +1121,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1139,9 +1139,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1328,8 +1328,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 0f23bb97571..3f643c1f5c2 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -880,9 +880,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1014,9 +1014,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1028,9 +1028,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1052,9 +1052,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1070,9 +1070,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1085,9 +1085,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 7a56c152560..f92a8147717 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -1024,9 +1024,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1157,9 +1157,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1170,9 +1170,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1193,9 +1193,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1210,9 +1210,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 98d6003e4f0..407d8229e20 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -1122,9 +1122,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1257,9 +1257,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool 
@@ -1270,9 +1270,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1294,9 +1294,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1311,9 +1311,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 5ed5b918659..33215fc1fc9 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml 
@@ -958,9 +958,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1091,9 +1091,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1105,9 +1105,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure 
@@ -1127,9 +1127,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1145,9 +1145,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index d1704f5dbbe..666d48dc8b6 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -970,9 +970,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' 
@@ -1103,9 +1103,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1116,9 +1116,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1139,9 +1139,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message 
@@ -1156,9 +1156,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: diff --git a/pkg/workflow/safe_outputs_jobs.go b/pkg/workflow/safe_outputs_jobs.go index 224a904147f..528598824ab 100644 --- a/pkg/workflow/safe_outputs_jobs.go +++ b/pkg/workflow/safe_outputs_jobs.go @@ -610,9 +610,9 @@ func (c *Compiler) buildGitHubScriptStep(data *WorkflowData, config GitHubScript // Use require() if ScriptFile is specified, otherwise inline the script if config.ScriptFile != "" { - steps = append(steps, " const { setupGlobals } = require('"+SetupActionDestination+"/setup_globals.cjs');\n") + steps = append(steps, " const { setupGlobals } = require("+JsRequireGhAw("actions/setup_globals.cjs")+");\n") steps = append(steps, " setupGlobals(core, github, context, exec, io);\n") - steps = append(steps, fmt.Sprintf(" const { main } = require('"+SetupActionDestination+"/%s');\n", config.ScriptFile)) + steps = append(steps, fmt.Sprintf(" const { main } = require(%s);\n", JsRequireGhAw("actions/"+config.ScriptFile))) steps = append(steps, " await main();\n") } else { // Add the formatted JavaScript script (inline) 
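Review bot: The generated `require(process.env.GH_AW_HOME + '/actions/…')` in `buildGitHubScriptStep` has no guard for an unset variable, and the same applies to the `@@ -663` hunk (`buildGitHubScriptStepWithoutDownload`) and to `buildSetupScriptRequire` in threat_detection.go. If a job reaches the step without the job-level env, the argument becomes the string `undefined/actions/setup_globals.cjs`, which is no longer an absolute path and is resolved through the module search paths instead. These steps run with `github-token` set, so loading code from an unexpected location should fail loudly. I would emit `if (!process.env.GH_AW_HOME) throw new Error('GH_AW_HOME is not set');` as the first script line, indented like its neighbours. On self-hosted runners the directory named by GH_AW_HOME should also be writable only by the setup step. The function body starts and ends outside this hunk.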
@@ -663,9 +663,9 @@ func (c *Compiler) buildGitHubScriptStepWithoutDownload(data *WorkflowData, conf // Use require() if ScriptFile is specified, otherwise inline the script if config.ScriptFile != "" { - steps = append(steps, " const { setupGlobals } = require('"+SetupActionDestination+"/setup_globals.cjs');\n") + steps = append(steps, " const { setupGlobals } = require("+JsRequireGhAw("actions/setup_globals.cjs")+");\n") steps = append(steps, " setupGlobals(core, github, context, exec, io);\n") - steps = append(steps, fmt.Sprintf(" const { main } = require('"+SetupActionDestination+"/%s');\n", config.ScriptFile)) + steps = append(steps, fmt.Sprintf(" const { main } = require(%s);\n", JsRequireGhAw("actions/"+config.ScriptFile))) steps = append(steps, " await main();\n") } else { // Add the formatted JavaScript script (inline) diff --git a/pkg/workflow/threat_detection.go b/pkg/workflow/threat_detection.go index ce4d14bec43..e456fccaf40 100644 --- a/pkg/workflow/threat_detection.go +++ b/pkg/workflow/threat_detection.go @@ -286,9 +286,9 @@ func (c *Compiler) buildThreatDetectionAnalysisStep(data *WorkflowData) []string func (c *Compiler) buildSetupScriptRequire() string { // Build a simple require statement that calls the main function // The template is now read from file at runtime by the JavaScript module - script := `const { setupGlobals } = require('` + SetupActionDestination + `/setup_globals.cjs'); + script := `const { setupGlobals } = require(` + JsRequireGhAw("actions/setup_globals.cjs") + `); setupGlobals(core, github, context, exec, io); -const { main } = require('` + SetupActionDestination + `/setup_threat_detection.cjs'); +const { main } = require(` + JsRequireGhAw("actions/setup_threat_detection.cjs") + `); await main();` return script diff --git a/pkg/workflow/threat_detection_test.go b/pkg/workflow/threat_detection_test.go index 6b8ca75dbc1..94522cbbb5a 100644 --- a/pkg/workflow/threat_detection_test.go +++ b/pkg/workflow/threat_detection_test.go 
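Review bot: `JsRequireGhAw("actions/"+config.ScriptFile)` places `config.ScriptFile` inside a single-quoted JavaScript literal without escaping or validation, here and on the identical line in `buildGitHubScriptStep`. The value is presumably a compiler-chosen file name, but nothing visible in the hunk enforces that. A name containing `'`, a newline or `..` would change the generated script or the file that gets loaded. I would validate `ScriptFile` against a plain file-name pattern (letters, digits, `_`, `-`, `.`, no path separators) before it reaches this line, and document that contract on `JsRequireGhAw`. The function body starts and ends outside this hunk.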
@@ -685,7 +685,7 @@ func TestSetupScriptReferencesPromptFile(t *testing.T) { script := compiler.buildSetupScriptRequire() // Verify the script uses require to load setup_threat_detection.cjs - if !strings.Contains(script, "require('"+SetupActionDestination+"/setup_threat_detection.cjs')") { + if !strings.Contains(script, "require("+JsRequireGhAw("actions/setup_threat_detection.cjs")+")") { t.Error("Expected setup script to require setup_threat_detection.cjs") } From e28ccf4eb19f06d6a94964b14001d07f81c4c79b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Mar 2026 04:43:09 +0000 Subject: [PATCH 06/12] fix: address review comments - fix maintenance_workflow.go require() interpolation and strengthen tests - Add maintenanceRequireScript() helper to maintenance_workflow.go The raw YAML strings had literal " + JsRequireGhAw(...) + " text embedded inside backtick string literals instead of being evaluated as Go code. Added helper function and used it in all 7 affected yaml.WriteString() blocks. - Fix compiler_custom_actions_test.go: test #5 duplicated test #4. Updated to verify INPUT_DESTINATION is NOT set in script mode (regression guard for the destination: removal change). - Fix mcp_scripts_generator_test.go: strengthen logDir assertion from just checking "mcp-scripts/logs" to checking full "process.env.GH_AW_HOME + '/mcp-scripts/logs'" expression. - Recompile agentics-maintenance.yml - require() calls now correct. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/agentics-maintenance.yml | 28 ++++---- pkg/workflow/compiler_custom_actions_test.go | 6 +- pkg/workflow/maintenance_workflow.go | 69 +++++++------------- pkg/workflow/mcp_scripts_generator_test.go | 4 +- 4 files changed, 43 insertions(+), 64 deletions(-) diff --git a/.github/workflows/agentics-maintenance.yml b/.github/workflows/agentics-maintenance.yml index fd3e7ec38a4..a1f2120f88f 100644 
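Review bot: The updated assertion in `TestSetupScriptReferencesPromptFile` builds its expected string with `JsRequireGhAw`, the same helper the production code uses, so it cannot detect a wrong expression coming out of that helper. A regression to a shell-style `${GH_AW_HOME}` inside the JavaScript would still pass. Pinning the literal output is stronger: `if !strings.Contains(script, "require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs')") {`. The test function starts and continues outside this hunk.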
--- a/.github/workflows/agentics-maintenance.yml +++ b/.github/workflows/agentics-maintenance.yml @@ -77,27 +77,27 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require(" + JsRequireGhAw("actions/close_expired_discussions.cjs") + "); + const { main } = require(process.env.GH_AW_HOME + '/actions/close_expired_discussions.cjs'); await main(); - name: Close expired issues uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require(" + JsRequireGhAw("actions/close_expired_issues.cjs") + "); + const { main } = require(process.env.GH_AW_HOME + '/actions/close_expired_issues.cjs'); await main(); - name: Close expired pull requests uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require(" + JsRequireGhAw("actions/close_expired_pull_requests.cjs") + "); + const { main } = require(process.env.GH_AW_HOME + '/actions/close_expired_pull_requests.cjs'); await main(); run_operation: 
@@ -123,9 +123,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require(" + JsRequireGhAw("actions/check_team_member.cjs") + "); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_team_member.cjs'); await main(); - name: Setup Go @@ -146,9 +146,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require(" + JsRequireGhAw("actions/run_operation_update_upgrade.cjs") + "); + const { main } = require(process.env.GH_AW_HOME + '/actions/run_operation_update_upgrade.cjs'); await main(); compile-workflows: @@ -186,9 +186,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require(" + JsRequireGhAw("actions/check_workflow_recompile_needed.cjs") + "); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_recompile_needed.cjs'); await main(); zizmor-scan: 
@@ -254,9 +254,9 @@ jobs: NOTION_API_TOKEN: ${{ secrets.NOTION_API_TOKEN }} with: script: | - const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require(" + JsRequireGhAw("actions/validate_secrets.cjs") + "); + const { main } = require(process.env.GH_AW_HOME + '/actions/validate_secrets.cjs'); await main(); - name: Upload secret validation report diff --git a/pkg/workflow/compiler_custom_actions_test.go b/pkg/workflow/compiler_custom_actions_test.go index 345c3d9fb2e..f8a1e0e16da 100644 --- a/pkg/workflow/compiler_custom_actions_test.go +++ b/pkg/workflow/compiler_custom_actions_test.go @@ -217,9 +217,9 @@ Test workflow with script mode. t.Error("Expected setup script to run bash directly in script mode") } - // 5. Setup step should have INPUT_DESTINATION environment variable - if !strings.Contains(lockStr, "bash /tmp/gh-aw/actions-source/actions/setup/setup.sh") { - t.Error("Expected INPUT_DESTINATION environment variable in setup step for script mode") + // 5. Setup step should not pass destination input (GH_AW_HOME is derived from default) + if strings.Contains(lockStr, "INPUT_DESTINATION") { + t.Error("Expected script mode to NOT set INPUT_DESTINATION (GH_AW_HOME is derived from the default destination)") } // 6. Should not use "uses:" for setup action in script mode diff --git a/pkg/workflow/maintenance_workflow.go b/pkg/workflow/maintenance_workflow.go index fbdec037e9d..c32988a25fd 100644 --- a/pkg/workflow/maintenance_workflow.go +++ b/pkg/workflow/maintenance_workflow.go 
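Review bot: In pkg/workflow/compiler_custom_actions_test.go, the rewritten check 5 is negative only: it passes for any lock file that lacks the string `INPUT_DESTINATION`, including one where GH_AW_HOME is never defined for the setup step. The comment relies on GH_AW_HOME being derived from the default, but nothing in the visible checks asserts that. If the compiled output is expected to define the variable (not visible in this hunk), a positive guard would pair well with it, for example `if !strings.Contains(lockStr, "GH_AW_HOME") { t.Error("Expected GH_AW_HOME to be defined in script mode") }`. The enclosing test function starts and ends outside the hunk.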
@@ -12,6 +12,15 @@ import ( var maintenanceLog = logger.New("workflow:maintenance_workflow") +// maintenanceRequireScript generates the 4-line JavaScript snippet for a maintenance step +// that requires and invokes a .cjs module from the gh-aw actions directory. +func maintenanceRequireScript(cjsFile string) string { + return " const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n" + + " setupGlobals(core, github, context, exec, io);\n" + + " const { main } = require(" + JsRequireGhAw("actions/"+cjsFile) + ");\n" + + " await main();\n" +} + // generateInstallCLISteps generates YAML steps to install or build the gh-aw CLI. // In dev mode: builds from source using Setup Go + Build gh-aw (./gh-aw binary available) // In release mode: installs the released CLI via the setup-cli action (gh aw available) 
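Review bot: `maintenanceRequireScript` emits `require(process.env.GH_AW_HOME + '/actions/…')`, so the module each step loads is chosen by an environment variable at run time. The later hunks in this file place the snippet in steps that receive `github-token: ${{ secrets.GITHUB_TOKEN }}` and `NOTION_API_TOKEN`. If GH_AW_HOME is unset in a job, the argument becomes the bare specifier `undefined/actions/…` rather than an absolute path and falls to ordinary module lookup; whether every maintenance job defines the variable is not visible here. The doc comment should record both preconditions, for example `// cjsFile must be a compile-time constant file name; it is placed unescaped inside a single-quoted JS string.` and `// The generated job must define GH_AW_HOME as an absolute path; the loaded module runs with the step's token and secrets.` A test asserting that the generated maintenance YAML defines GH_AW_HOME for each job using this snippet would keep that guarantee checked.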
@@ -234,35 +243,21 @@ jobs: `) // Add the close expired discussions script using require() - yaml.WriteString(` const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); - setupGlobals(core, github, context, exec, io); - const { main } = require(" + JsRequireGhAw("actions/close_expired_discussions.cjs") + "); - await main(); - - - name: Close expired issues - uses: ` + GetActionPin("actions/github-script") + ` - with: - script: | -`) + yaml.WriteString(maintenanceRequireScript("close_expired_discussions.cjs") + "\n" + + " - name: Close expired issues\n" + + " uses: " + GetActionPin("actions/github-script") + "\n" + + " with:\n" + + " script: |\n") // Add the close expired issues script using require() - yaml.WriteString(` const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); - setupGlobals(core, github, context, exec, io); - const { main } = require(" + JsRequireGhAw("actions/close_expired_issues.cjs") + "); - await main(); - - - name: Close expired pull requests - uses: ` + GetActionPin("actions/github-script") + ` - with: - script: | -`) + yaml.WriteString(maintenanceRequireScript("close_expired_issues.cjs") + "\n" + + " - name: Close expired pull requests\n" + + " uses: " + GetActionPin("actions/github-script") + "\n" + + " with:\n" + + " script: |\n") // Add the close expired pull requests script using require() - yaml.WriteString(` const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); - setupGlobals(core, github, context, exec, io); - const { main } = require(" + JsRequireGhAw("actions/close_expired_pull_requests.cjs") + "); - await main(); -`) + yaml.WriteString(maintenanceRequireScript("close_expired_pull_requests.cjs")) // Add unified run_operation job for all dispatch operations yaml.WriteString(` 
@@ -289,11 +284,7 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); - setupGlobals(core, github, context, exec, io); - const { main } = require(" + JsRequireGhAw("actions/check_team_member.cjs") + "); - await main(); - +` + maintenanceRequireScript("check_team_member.cjs") + ` `) yaml.WriteString(generateInstallCLISteps(actionMode, version, actionTag)) @@ -306,11 +297,7 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); - setupGlobals(core, github, context, exec, io); - const { main } = require(" + JsRequireGhAw("actions/run_operation_update_upgrade.cjs") + "); - await main(); -`) +` + maintenanceRequireScript("run_operation_update_upgrade.cjs")) // Add compile-workflows and zizmor-scan jobs only in dev mode // These jobs are specific to the gh-aw repository and require go.mod, make build, etc. @@ -350,11 +337,7 @@ jobs: uses: ` + GetActionPin("actions/github-script") + ` with: script: | - const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); - setupGlobals(core, github, context, exec, io); - const { main } = require(" + JsRequireGhAw("actions/check_workflow_recompile_needed.cjs") + "); - await main(); - +` + maintenanceRequireScript("check_workflow_recompile_needed.cjs") + ` zizmor-scan: if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} runs-on: ubuntu-slim 
@@ -425,11 +408,7 @@ jobs: NOTION_API_TOKEN: ${{ secrets.NOTION_API_TOKEN }} with: script: | - const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + "); - setupGlobals(core, github, context, exec, io); - const { main } = require(" + JsRequireGhAw("actions/validate_secrets.cjs") + "); - await main(); - +` + maintenanceRequireScript("validate_secrets.cjs") + ` - name: Upload secret validation report if: always() uses: ` + GetActionPin("actions/upload-artifact") + ` diff --git a/pkg/workflow/mcp_scripts_generator_test.go b/pkg/workflow/mcp_scripts_generator_test.go index a57cf9fb946..d449ece3346 100644 --- a/pkg/workflow/mcp_scripts_generator_test.go +++ b/pkg/workflow/mcp_scripts_generator_test.go @@ -77,8 +77,8 @@ func TestGenerateMCPScriptsMCPServerScript(t *testing.T) { t.Error("Script should reference tools.json configuration file") } - if !strings.Contains(script, "mcp-scripts/logs") { - t.Error("Script should specify log directory") + if !strings.Contains(script, GhAwHomeJS+" + '/mcp-scripts/logs'") { + t.Error("Script should specify log directory using process.env.GH_AW_HOME + '/mcp-scripts/logs'") } if !strings.Contains(script, "GH_AW_MCP_SCRIPTS_PORT") { From 875da77b92acaa609d34dd55c7525afa7096dd01 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Mar 2026 05:51:18 +0000 Subject: [PATCH 07/12] fix: use ${{ env.GH_AW_HOME }} in YAML env: blocks for safe outputs paths In GitHub Actions, shell variable syntax ${VAR} is NOT expanded in YAML env: blocks - only ${{ expression }} syntax works there. The "Start Safe Outputs MCP HTTP Server" step was setting GH_AW_SAFE_OUTPUTS_TOOLS_PATH and GH_AW_SAFE_OUTPUTS_CONFIG_PATH to literal strings "${GH_AW_HOME}/safeoutputs/..." instead of the actual paths. The node.js safe outputs MCP server received these literal strings, tried to read "${GH_AW_HOME}/safeoutputs/tools.json" (literal), found no file, and fell back to "empty tools array" with 0 registered tools. When Copilot tried to call noop/add_comment/etc., the tools didn't exist and the agent failed. Fix: - Add GhAwHomeExpr = "${{ env.GH_AW_HOME }}" constant to setup_action_paths.go - Use GhAwHomeExpr in the env: block of the Start Safe Outputs step in mcp_setup_generator.go (lines 283-284) - Recompile all 166 workflows Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/agent-performance-analyzer.lock.yml | 4 ++-- .github/workflows/agent-persona-explorer.lock.yml | 4 ++-- .github/workflows/ai-moderator.lock.yml | 4 ++-- .github/workflows/archie.lock.yml | 4 ++-- .github/workflows/artifacts-summary.lock.yml | 4 ++-- .github/workflows/audit-workflows.lock.yml | 4 ++-- .github/workflows/auto-triage-issues.lock.yml | 4 ++-- .github/workflows/blog-auditor.lock.yml | 4 ++-- .github/workflows/bot-detection.lock.yml | 4 ++-- .github/workflows/brave.lock.yml | 4 ++-- .github/workflows/breaking-change-checker.lock.yml | 4 ++-- .github/workflows/changeset.lock.yml | 4 ++-- .github/workflows/ci-coach.lock.yml | 4 ++-- .github/workflows/ci-doctor.lock.yml | 4 ++-- .github/workflows/claude-code-user-docs-review.lock.yml | 4 ++-- .github/workflows/cli-consistency-checker.lock.yml | 4 ++-- 
.github/workflows/cli-version-checker.lock.yml | 4 ++-- .github/workflows/cloclo.lock.yml | 4 ++-- .github/workflows/code-scanning-fixer.lock.yml | 4 ++-- .github/workflows/code-simplifier.lock.yml | 4 ++-- .github/workflows/commit-changes-analyzer.lock.yml | 4 ++-- .github/workflows/constraint-solving-potd.lock.yml | 4 ++-- .github/workflows/contribution-check.lock.yml | 4 ++-- .github/workflows/copilot-agent-analysis.lock.yml | 4 ++-- .github/workflows/copilot-cli-deep-research.lock.yml | 4 ++-- .github/workflows/copilot-pr-merged-report.lock.yml | 4 ++-- .github/workflows/copilot-pr-nlp-analysis.lock.yml | 4 ++-- .github/workflows/copilot-pr-prompt-analysis.lock.yml | 4 ++-- .github/workflows/copilot-session-insights.lock.yml | 4 ++-- .github/workflows/craft.lock.yml | 4 ++-- .github/workflows/daily-architecture-diagram.lock.yml | 4 ++-- .github/workflows/daily-assign-issue-to-user.lock.yml | 4 ++-- .github/workflows/daily-choice-test.lock.yml | 4 ++-- .github/workflows/daily-cli-performance.lock.yml | 4 ++-- .github/workflows/daily-cli-tools-tester.lock.yml | 4 ++-- .github/workflows/daily-code-metrics.lock.yml | 4 ++-- .github/workflows/daily-compiler-quality.lock.yml | 4 ++-- .github/workflows/daily-copilot-token-report.lock.yml | 4 ++-- .github/workflows/daily-doc-healer.lock.yml | 4 ++-- .github/workflows/daily-doc-updater.lock.yml | 4 ++-- .github/workflows/daily-fact.lock.yml | 4 ++-- .github/workflows/daily-file-diet.lock.yml | 4 ++-- .github/workflows/daily-firewall-report.lock.yml | 4 ++-- .github/workflows/daily-issues-report.lock.yml | 4 ++-- .github/workflows/daily-malicious-code-scan.lock.yml | 4 ++-- .github/workflows/daily-mcp-concurrency-analysis.lock.yml | 4 ++-- .github/workflows/daily-multi-device-docs-tester.lock.yml | 4 ++-- .github/workflows/daily-news.lock.yml | 4 ++-- .github/workflows/daily-observability-report.lock.yml | 4 ++-- .github/workflows/daily-performance-summary.lock.yml | 4 ++-- .github/workflows/daily-regulatory.lock.yml | 4 
++-- .github/workflows/daily-rendering-scripts-verifier.lock.yml | 4 ++-- .github/workflows/daily-repo-chronicle.lock.yml | 4 ++-- .github/workflows/daily-safe-output-optimizer.lock.yml | 4 ++-- .github/workflows/daily-safe-outputs-conformance.lock.yml | 4 ++-- .github/workflows/daily-secrets-analysis.lock.yml | 4 ++-- .github/workflows/daily-security-red-team.lock.yml | 4 ++-- .github/workflows/daily-semgrep-scan.lock.yml | 4 ++-- .github/workflows/daily-syntax-error-quality.lock.yml | 4 ++-- .github/workflows/daily-team-evolution-insights.lock.yml | 4 ++-- .github/workflows/daily-team-status.lock.yml | 4 ++-- .github/workflows/daily-testify-uber-super-expert.lock.yml | 4 ++-- .github/workflows/daily-workflow-updater.lock.yml | 4 ++-- .github/workflows/dead-code-remover.lock.yml | 4 ++-- .github/workflows/deep-report.lock.yml | 4 ++-- .github/workflows/delight.lock.yml | 4 ++-- .github/workflows/dependabot-burner.lock.yml | 4 ++-- .github/workflows/dependabot-go-checker.lock.yml | 4 ++-- .github/workflows/dev-hawk.lock.yml | 4 ++-- .github/workflows/dev.lock.yml | 4 ++-- .github/workflows/developer-docs-consolidator.lock.yml | 4 ++-- .github/workflows/dictation-prompt.lock.yml | 4 ++-- .github/workflows/discussion-task-miner.lock.yml | 4 ++-- .github/workflows/docs-noob-tester.lock.yml | 4 ++-- .github/workflows/draft-pr-cleanup.lock.yml | 4 ++-- .github/workflows/duplicate-code-detector.lock.yml | 4 ++-- .github/workflows/example-workflow-analyzer.lock.yml | 4 ++-- .github/workflows/firewall-escape.lock.yml | 4 ++-- .github/workflows/functional-pragmatist.lock.yml | 4 ++-- .github/workflows/github-mcp-structural-analysis.lock.yml | 4 ++-- .github/workflows/github-mcp-tools-report.lock.yml | 4 ++-- .github/workflows/github-remote-mcp-auth-test.lock.yml | 4 ++-- .github/workflows/glossary-maintainer.lock.yml | 4 ++-- .github/workflows/go-fan.lock.yml | 4 ++-- .github/workflows/go-logger.lock.yml | 4 ++-- .github/workflows/go-pattern-detector.lock.yml | 4 ++-- 
.github/workflows/gpclean.lock.yml | 4 ++-- .github/workflows/grumpy-reviewer.lock.yml | 4 ++-- .github/workflows/hourly-ci-cleaner.lock.yml | 4 ++-- .github/workflows/instructions-janitor.lock.yml | 4 ++-- .github/workflows/issue-arborist.lock.yml | 4 ++-- .github/workflows/issue-monster.lock.yml | 4 ++-- .github/workflows/issue-triage-agent.lock.yml | 4 ++-- .github/workflows/jsweep.lock.yml | 4 ++-- .github/workflows/layout-spec-maintainer.lock.yml | 4 ++-- .github/workflows/lockfile-stats.lock.yml | 4 ++-- .github/workflows/mcp-inspector.lock.yml | 4 ++-- .github/workflows/mergefest.lock.yml | 4 ++-- .github/workflows/notion-issue-summary.lock.yml | 4 ++-- .github/workflows/org-health-report.lock.yml | 4 ++-- .github/workflows/pdf-summary.lock.yml | 4 ++-- .github/workflows/plan.lock.yml | 4 ++-- .github/workflows/poem-bot.lock.yml | 4 ++-- .github/workflows/portfolio-analyst.lock.yml | 4 ++-- .github/workflows/pr-nitpick-reviewer.lock.yml | 4 ++-- .github/workflows/pr-triage-agent.lock.yml | 4 ++-- .github/workflows/prompt-clustering-analysis.lock.yml | 4 ++-- .github/workflows/python-data-charts.lock.yml | 4 ++-- .github/workflows/q.lock.yml | 4 ++-- .github/workflows/refiner.lock.yml | 4 ++-- .github/workflows/release.lock.yml | 4 ++-- .github/workflows/repo-audit-analyzer.lock.yml | 4 ++-- .github/workflows/repo-tree-map.lock.yml | 4 ++-- .github/workflows/repository-quality-improver.lock.yml | 4 ++-- .github/workflows/research.lock.yml | 4 ++-- .github/workflows/safe-output-health.lock.yml | 4 ++-- .github/workflows/schema-consistency-checker.lock.yml | 4 ++-- .github/workflows/scout.lock.yml | 4 ++-- .../workflows/security-alert-burndown.campaign.g.lock.yml | 4 ++-- .github/workflows/security-compliance.lock.yml | 4 ++-- .github/workflows/security-review.lock.yml | 4 ++-- .github/workflows/semantic-function-refactor.lock.yml | 4 ++-- .github/workflows/sergo.lock.yml | 4 ++-- .github/workflows/slide-deck-maintainer.lock.yml | 4 ++-- 
.github/workflows/smoke-agent.lock.yml | 4 ++-- .github/workflows/smoke-claude.lock.yml | 4 ++-- .github/workflows/smoke-codex.lock.yml | 4 ++-- .github/workflows/smoke-copilot-arm.lock.yml | 4 ++-- .github/workflows/smoke-copilot.lock.yml | 4 ++-- .github/workflows/smoke-create-cross-repo-pr.lock.yml | 4 ++-- .github/workflows/smoke-gemini.lock.yml | 4 ++-- .github/workflows/smoke-multi-pr.lock.yml | 4 ++-- .github/workflows/smoke-project.lock.yml | 4 ++-- .github/workflows/smoke-temporary-id.lock.yml | 4 ++-- .github/workflows/smoke-test-tools.lock.yml | 4 ++-- .github/workflows/smoke-update-cross-repo-pr.lock.yml | 4 ++-- .github/workflows/smoke-workflow-call.lock.yml | 4 ++-- .github/workflows/stale-repo-identifier.lock.yml | 4 ++-- .github/workflows/static-analysis-report.lock.yml | 4 ++-- .github/workflows/step-name-alignment.lock.yml | 4 ++-- .github/workflows/sub-issue-closer.lock.yml | 4 ++-- .github/workflows/super-linter.lock.yml | 4 ++-- .github/workflows/technical-doc-writer.lock.yml | 4 ++-- .github/workflows/terminal-stylist.lock.yml | 4 ++-- .github/workflows/test-create-pr-error-handling.lock.yml | 4 ++-- .github/workflows/test-dispatcher.lock.yml | 4 ++-- .github/workflows/test-project-url-default.lock.yml | 4 ++-- .github/workflows/tidy.lock.yml | 4 ++-- .github/workflows/typist.lock.yml | 4 ++-- .github/workflows/ubuntu-image-analyzer.lock.yml | 4 ++-- .github/workflows/unbloat-docs.lock.yml | 4 ++-- .github/workflows/video-analyzer.lock.yml | 4 ++-- .github/workflows/weekly-editors-health-check.lock.yml | 4 ++-- .github/workflows/weekly-issue-summary.lock.yml | 4 ++-- .github/workflows/weekly-safe-outputs-spec-review.lock.yml | 4 ++-- .github/workflows/workflow-generator.lock.yml | 4 ++-- .github/workflows/workflow-health-manager.lock.yml | 4 ++-- .github/workflows/workflow-normalizer.lock.yml | 4 ++-- .github/workflows/workflow-skill-extractor.lock.yml | 4 ++-- pkg/workflow/mcp_setup_generator.go | 4 ++-- pkg/workflow/setup_action_paths.go | 5 
+++++ 161 files changed, 325 insertions(+), 320 deletions(-) diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 1455e555700..097b5de7d73 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -804,8 +804,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 6b8b1ea775f..9bada4665ea 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -651,8 +651,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection 
diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index 77c79e96e66..2c835869a4e 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -689,8 +689,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index c476681b2b7..0601df68f6e 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -631,8 +631,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 5cfe79f5e21..1bd398d47c6 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml 
@@ -573,8 +573,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 298681dc294..8072904a07d 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -758,8 +758,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 8d972c90ec5..2d2c0341cf4 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml 
@@ -634,8 +634,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 2f3f1c30bbf..d28bbf744a0 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -585,8 +585,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml index 55929187139..fd960992eb3 100644 --- a/.github/workflows/bot-detection.lock.yml +++ b/.github/workflows/bot-detection.lock.yml 
@@ -735,8 +735,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index b204d334dd0..03b3a77f9e5 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -615,8 +615,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 4b4aa3e93c3..1a7578b0d14 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml 
@@ -597,8 +597,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 6bafb14c404..422bbf4ce3a 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -717,8 +717,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 1578c56e130..76ca56673bb 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml 
@@ -670,8 +670,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 034764bd6ae..4c751944d16 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -836,8 +836,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index a881604ef8a..16d5d69d687 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml 
@@ -593,8 +593,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 860445c0304..706acfa6dd7 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -586,8 +586,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index e519f5b36d6..39b7bf90dec 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml 
@@ -626,8 +626,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 9dd296f9774..fa805af11ac 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -844,8 +844,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 9c94f40ee56..3f953bb28e2 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml 
@@ -686,8 +686,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index ecb49c30f81..748112235f4 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -609,8 +609,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 45b60c02cdb..eda079ac619 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml 
@@ -584,8 +584,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index 9292cfbac25..04d2f8b257b 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml @@ -567,8 +567,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 4e40f429a2c..9ce927a34f9 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml 
@@ -689,8 +689,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index db3bb060581..58ba59047b9 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -655,8 +655,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 639164be9a5..799f2a3269c 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml 
@@ -612,8 +612,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index e649cf0cf90..f1cc2447e86 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -612,8 +612,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 2efb4eab56b..311e5536e14 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml 
@@ -715,8 +715,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 6850f609a08..429ccb2a0ce 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -647,8 +647,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index eadf6bbb93e..6c39eed1655 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml 
@@ -726,8 +726,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 3c1d48acf69..2b9da0ea5cc 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -669,8 +669,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index 28d99049b6c..8a663670242 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml 
@@ -696,8 +696,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index b91cbb8bb46..18ef5161154 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -617,8 +617,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 1d27ce7db42..bf825317c7b 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml 
@@ -541,8 +541,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index a2bacb668f0..2419e1e5ced 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -694,8 +694,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 927b657924c..57a1e48f67b 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml 
@@ -646,8 +646,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index 7b0e34f0f70..3c5751fd114 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -700,8 +700,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 7050fab4580..9e3b842cbd0 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml 
@@ -592,8 +592,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index 00005b1f049..54094ad3c7f 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -723,8 +723,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index 1fb2943ffa8..68aba7ca281 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml 
@@ -699,8 +699,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 679aef14d97..7ca143da776 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -617,8 +617,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index b5bbfa68df1..bd980f51692 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml 
@@ -548,8 +548,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 5823c7f317a..da4e852160c 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -605,8 +605,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 6f77f06c9de..01655adf805 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml 
@@ -711,8 +711,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 88087cd7d84..4078603a4a0 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -748,8 +748,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index 88ad183fc38..a81aaf0ca55 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml 
@@ -609,8 +609,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index 81f68953c73..64b514226d1 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -653,8 +653,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index d102305797e..7c5056086f0 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml 
@@ -654,8 +654,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 58630a91028..d8f072b2115 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -768,8 +768,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index f87e1b86c69..164eafedfd2 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml 
@@ -710,8 +710,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index b4f99ee24a3..ae61d8a26ad 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -731,8 +731,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 2ed4c4bded8..3e0bfb8a8bf 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml 
@@ -651,8 +651,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index 37c808a1990..2bec8b15e51 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -685,8 +685,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 5dc8568d236..8f35d41798d 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml 
@@ -654,8 +654,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 4071420f7a1..d34221f67a0 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -689,8 +689,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index 25a81a81b22..e79c2ecf08a 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml 
@@ -601,8 +601,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 5429bcc9a33..c6b96d5e350 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -641,8 +641,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index 3c42796b81f..e1660edcc2b 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml 
@@ -605,8 +605,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 917fdfb8f17..80b4346e548 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -616,8 +616,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index 325cb38c95a..caff1360571 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml 
@@ -596,8 +596,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index 39a7f836155..fcab1d79360 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -582,8 +582,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index f4ff5641a36..d303da87bf8 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml 
@@ -607,8 +607,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index 93a6d9bec2b..37729327a77 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -644,8 +644,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index bc9cd74a61e..9d439b11672 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml 
@@ -590,8 +590,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index 5bc642c0a6c..d93d15db877 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -629,8 +629,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 5f84512cc19..710ff242752 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml 
@@ -824,8 +824,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 38f15a87567..8c813547b87 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -699,8 +699,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index cbc5a87072a..f5c5554a8b3 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml 
@@ -592,8 +592,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index c24d66885b7..90dc73d4aad 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -641,8 +641,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index d8eb60d949d..71886981ddc 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml 
@@ -648,8 +648,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index ead75bdeae9..153f2ec22cb 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -583,8 +583,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index bf43d6757d4..ed8bb8ea12d 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml 
@@ -728,8 +728,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index 9f3f4b7c3bd..b862c72784c 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -596,8 +596,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 0b41af77569..6ec7991e183 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml 
@@ -685,8 +685,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index e57b4494701..b772aedd1b4 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -608,8 +608,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index 9d5fe94bfc2..e1c0beaaa73 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml 
@@ -638,8 +638,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 1fd9a1de590..0d2129e2945 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -608,8 +608,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 48af3363dcb..4f33803b2f3 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml 
@@ -633,8 +633,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index d8758e4168e..117bb41a710 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -642,8 +642,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index e9ae88fd191..49434861c02 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml 
@@ -603,8 +603,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index c10daf66013..f94b3d1e005 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -662,8 +662,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 6d542f49399..08be915d4d4 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml 
@@ -687,8 +687,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 67280a789d4..d82fb6fdaef 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -573,8 +573,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 972646b352f..5e4a2ff8f08 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml 
@@ -677,8 +677,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index e23a5177f3b..a527b138ebe 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -602,8 +602,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index d90e62c2f18..0360328f796 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml 
@@ -639,8 +639,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index a6e1253d815..8a3728e5888 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -608,8 +608,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index f57a69016d5..49324e65d99 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml 
@@ -613,8 +613,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index c479128befc..52e8972d4a9 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -704,8 +704,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 83f3e109ef1..bf9df8b3f91 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml 
@@ -653,8 +653,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index f10397e5d9d..bded0fce007 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -616,8 +616,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index df8cd124615..2ceb05a24bb 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml 
@@ -716,8 +716,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 69c2ccdded7..a3456d6f145 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -645,8 +645,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index cf118183a09..2cb132494cc 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml 
@@ -593,8 +593,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 8519c59aa96..49723f8c821 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -624,8 +624,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index f843249aee1..305c71493bd 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml 
@@ -603,8 +603,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index b60cec91011..89bf5e4789e 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -596,8 +596,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 32f0a7d3302..d7096049093 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml 
@@ -751,8 +751,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index b52201d4483..8d3269c277c 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -613,8 +613,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index e8ae145e198..76a5cb0634d 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml 
@@ -533,8 +533,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index e4f359fc031..cbe4b9ef292 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -655,8 +655,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index cc34fccd756..aff135a1c01 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml 
@@ -725,8 +725,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 2be5f592014..ada0252d25c 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -702,8 +702,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 1f8c0002fed..8b1196a4f49 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml 
@@ -1358,8 +1358,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 9b2d2e65e45..b90f8ca4d27 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -722,8 +722,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 3c415602fd8..a956d005a58 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml 
@@ -804,8 +804,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index b97f0236b72..2e45b657911 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -724,8 +724,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 66e9d06fe03..5133d5827b2 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml 
@@ -715,8 +715,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 08e1217417a..5d15be8657a 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -710,8 +710,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 8b09728ba0e..701ee4ac467 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml 
@@ -821,8 +821,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 9658db13818..f19f4f6c338 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -674,8 +674,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 4a27a04ebef..411393a9dbf 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml 
@@ -595,8 +595,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 7ced5799f74..2c5850a8c84 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -598,8 +598,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 4b3f5bb1828..8f1448427dc 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml 
@@ -574,8 +574,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index c5fe34f69c5..6cad6506efd 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -597,8 +597,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 11e3de23fc2..5dda095a2f8 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml 
@@ -584,8 +584,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index c6b2c09cc70..710c963516f 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -662,8 +662,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index d9a6947ef49..66090761d0e 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml 
@@ -596,8 +596,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 465ec08673a..a24eb0b83d3 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -764,8 +764,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/security-alert-burndown.campaign.g.lock.yml b/.github/workflows/security-alert-burndown.campaign.g.lock.yml index a0cb4a274bb..38da7f909e7 100644 --- a/.github/workflows/security-alert-burndown.campaign.g.lock.yml +++ b/.github/workflows/security-alert-burndown.campaign.g.lock.yml 
@@ -976,8 +976,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index e5081aa5867..a9e1dd3f648 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -658,8 +658,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 0f52be82897..b13ac95e9c1 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml 
@@ -769,8 +769,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 1c0c0b2bbee..e0910d60783 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -656,8 +656,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 64d88935111..a3f16df313e 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml 
@@ -602,8 +602,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index e1f01f1bcde..c76ebb0f205 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -644,8 +644,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/smoke-agent.lock.yml b/.github/workflows/smoke-agent.lock.yml index 64cfb4601ee..05f638ce0ef 100644 --- a/.github/workflows/smoke-agent.lock.yml +++ b/.github/workflows/smoke-agent.lock.yml 
@@ -669,8 +669,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 44bc5dca09b..b26026006d1 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -1575,8 +1575,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 5931461fe1c..61d8b5b3dd6 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml 
@@ -965,8 +965,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index c45e3dc5bba..63be8155139 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -1134,8 +1134,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 12d4ad007f7..2a3055cb7df 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml 
@@ -1187,8 +1187,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index 2373fd1a4d5..4d095bbdeea 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml @@ -781,8 +781,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index 7ffa16aaf91..4bd0e610bba 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml 
@@ -777,8 +777,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index d539047ef2c..d60e0e8daac 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -701,8 +701,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index f4bd0b8f7c1..d15d295b641 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml 
@@ -1159,8 +1159,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index 2bda9036455..03b35289cfe 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -747,8 +747,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index db860ac82c9..779b22e5a1e 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml 
@@ -625,8 +625,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index 425053bf1f6..927a387a6c4 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml @@ -776,8 +776,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index fdbf13b9e99..cd793aa779c 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml 
@@ -568,8 +568,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 719f6cba15d..4c70e6373fb 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -724,8 +724,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 4c903ae2e22..fb91635d97a 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml 
@@ -658,8 +658,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index d31c8240054..345384d315c 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -610,8 +610,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index da0a0f7448d..0b618ac8633 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml 
@@ -688,8 +688,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index ecc0f557bd5..45e978af772 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -628,8 +628,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 075f2742965..c77e3fa22b7 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml 
@@ -784,8 +784,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 40317adfb80..22469eddc7a 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -574,8 +574,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index e071e3e89e9..858ddc2e4b5 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml 
@@ -611,8 +611,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index cdcaeb725fe..d671dbe7820 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -518,8 +518,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index e26a4f87b34..a2b8152d190 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml 
@@ -777,8 +777,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index ed29aae9a8a..5ce22a29350 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -720,8 +720,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 5859759e2d1..e07c9bd16c0 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml 
@@ -583,8 +583,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index f46a026363f..0e7feedba10 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -602,8 +602,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 22f7ace73e0..9534d9c6734 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml 
@@ -777,8 +777,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index d0b99eb855e..1c26d5b6d02 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -610,8 +610,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 4e31ef6aa94..69b169dc888 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml 
@@ -633,8 +633,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 16ee36f8b3e..359503384b7 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -635,8 +635,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 3f643c1f5c2..5177b05cb9a 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml 
@@ -587,8 +587,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index f92a8147717..93cd1a09d68 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -732,8 +732,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 407d8229e20..f318ad1cbd7 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml 
@@ -820,8 +820,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 33215fc1fc9..b77f61f865b 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -652,8 +652,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 666d48dc8b6..1be860714c1 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml 
@@ -657,8 +657,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${GH_AW_HOME}/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${GH_AW_HOME}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection diff --git a/pkg/workflow/mcp_setup_generator.go b/pkg/workflow/mcp_setup_generator.go index 688080abcf2..4b4e32b3c52 100644 --- a/pkg/workflow/mcp_setup_generator.go +++ b/pkg/workflow/mcp_setup_generator.go @@ -280,8 +280,8 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, yaml.WriteString(" DEBUG: '*'\n") yaml.WriteString(" GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}\n") yaml.WriteString(" GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}\n") - yaml.WriteString(" GH_AW_SAFE_OUTPUTS_TOOLS_PATH: " + GhAwHome + "/safeoutputs/tools.json\n") - yaml.WriteString(" GH_AW_SAFE_OUTPUTS_CONFIG_PATH: " + GhAwHome + "/safeoutputs/config.json\n") + yaml.WriteString(" GH_AW_SAFE_OUTPUTS_TOOLS_PATH: " + GhAwHomeExpr + "/safeoutputs/tools.json\n") + yaml.WriteString(" GH_AW_SAFE_OUTPUTS_CONFIG_PATH: " + GhAwHomeExpr + "/safeoutputs/config.json\n") yaml.WriteString(" GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs\n") yaml.WriteString(" run: |\n") diff --git a/pkg/workflow/setup_action_paths.go b/pkg/workflow/setup_action_paths.go index 6c4e1e32ca1..e9271e766c0 100644 --- a/pkg/workflow/setup_action_paths.go +++ b/pkg/workflow/setup_action_paths.go 
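Review bot: `GhAwHomeExpr` in the two changed `yaml.WriteString` calls renders as `${{ env.GH_AW_HOME }}`, which evaluates to an empty string when `GH_AW_HOME` is not defined in the workflow's env context, so `GH_AW_SAFE_OUTPUTS_TOOLS_PATH` and `GH_AW_SAFE_OUTPUTS_CONFIG_PATH` would silently become `/safeoutputs/tools.json` and `/safeoutputs/config.json`. The comments in setup_action_paths.go say the job-level env sets the default, but nothing in this hunk enforces it, whereas `DefaultGhAwMount` carries its own `:-/opt/gh-aw` fallback. Because these paths select the safe-outputs tool list and config, I would give the expression the same fallback, e.g. `const GhAwHomeExpr = "${{ env.GH_AW_HOME || '/opt/gh-aw' }}"`, or have the compiler fail when the job-level env entry is missing. Presumably a value exported only in a self-hosted runner's process environment is not visible to the `env` context either, which is worth confirming for the relocation use case. `generateMCPSetup` starts and ends outside this hunk, and the regenerated `.lock.yml` hunks above carry the same value.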
@@ -12,6 +12,11 @@ const GhAwHome = "${GH_AW_HOME}"
 // The job-level env sets GH_AW_HOME to /opt/gh-aw by default.
 const GhAwHomeJS = "process.env.GH_AW_HOME"
 
+// GhAwHomeExpr is the GitHub Actions expression for GH_AW_HOME.
+// Use this in YAML env: blocks where shell variable expansion does NOT occur.
+// GitHub Actions evaluates ${{ env.VAR }} before passing values to steps.
+const GhAwHomeExpr = "${{ env.GH_AW_HOME }}"
+
 // SetupActionDestination is the path where the setup action copies script files
 // on the agent runner (e.g. /opt/gh-aw/actions).
 // This is a shell expression expanded at runtime.
From a62bde34eae600ae659e64f9e2799bc71e42069a Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 9 Mar 2026 10:24:37 +0000
Subject: [PATCH 08/12] Add changeset [skip-ci]
---
 .changeset/patch-gh-aw-home-portability.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/patch-gh-aw-home-portability.md
diff --git a/.changeset/patch-gh-aw-home-portability.md b/.changeset/patch-gh-aw-home-portability.md
new file mode 100644
index 00000000000..ed7024c9644
--- /dev/null
+++ b/.changeset/patch-gh-aw-home-portability.md
@@ -0,0 +1,5 @@
+---
+"gh-aw": patch
+---
+
+Allow gh-aw to derive runtime paths from the new `GH_AW_HOME` environment variable instead of enforcing `/opt/gh-aw`, so self-hosted runners can relocate the installation without recompilation.
From ba6840400548c3fd07fce62e852fd0eec42422b7 Mon Sep 17 00:00:00 2001
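Review bot: The doc comment on `GhAwHomeExpr` says where the constant belongs but not where it must stay out of. `${{ … }}` is substituted into the workflow text before any shell runs, so splicing it into a `run:` script body would place the value in the script source, which is the template-injection pattern the generated steps avoid by passing values through `env:`. I would add `// Do not embed in run: script bodies; use GhAwHome there so the shell expands the variable.` and `// Evaluates to an empty string unless GH_AW_HOME is declared in a workflow, job or step env: block.` to the comment.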
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Mar 2026 10:43:07 +0000 Subject: [PATCH 09/12] fix: use ${{ env.GH_AW_HOME }} in safe-jobs artifact download path The DownloadPath in safe_jobs.go was using GhAwHome (${GH_AW_HOME}) for the artifact download path: value in with: block. GitHub Actions does NOT expand shell variable syntax in with: values, so actions/download-artifact received "${GH_AW_HOME}/safe-jobs/" as a literal relative path and downloaded to: /home/runner/work/gh-aw/gh-aw/${GH_AW_HOME}/safe-jobs Then when the bash run: step executed find "${GH_AW_HOME}/safe-jobs/", the shell expanded it to /opt/gh-aw/safe-jobs/ (the right path) but the files weren't there, causing "No such file or directory". Fix: use GhAwHomeExpr (${{ env.GH_AW_HOME }}) for the DownloadPath so GitHub Actions evaluates it to /opt/gh-aw before passing to the download-artifact action. Recompiled all 166 workflows. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/daily-choice-test.lock.yml | 2 +- .github/workflows/mcp-inspector.lock.yml | 4 ++-- .github/workflows/notion-issue-summary.lock.yml | 2 +- .github/workflows/smoke-copilot-arm.lock.yml | 2 +- .github/workflows/smoke-copilot.lock.yml | 2 +- pkg/workflow/safe_jobs.go | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index bf825317c7b..642ac37a3ac 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -1143,7 +1143,7 @@ jobs: uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 with: name: agent-output - path: ${GH_AW_HOME}/safe-jobs/ + path: ${{ env.GH_AW_HOME }}/safe-jobs/ - name: Setup Safe Job Environment Variables run: | find "${GH_AW_HOME}/safe-jobs/" -type f -print 
diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index d7096049093..7ed765d4224 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -1488,7 +1488,7 @@ jobs: uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 with: name: agent-output - path: ${GH_AW_HOME}/safe-jobs/ + path: ${{ env.GH_AW_HOME }}/safe-jobs/ - name: Setup Safe Job Environment Variables run: | find "${GH_AW_HOME}/safe-jobs/" -type f -print @@ -1618,7 +1618,7 @@ jobs: uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 with: name: agent-output - path: ${GH_AW_HOME}/safe-jobs/ + path: ${{ env.GH_AW_HOME }}/safe-jobs/ - name: Setup Safe Job Environment Variables run: | find "${GH_AW_HOME}/safe-jobs/" -type f -print diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 76a5cb0634d..5952ba6357f 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -921,7 +921,7 @@ jobs: uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 with: name: agent-output - path: ${GH_AW_HOME}/safe-jobs/ + path: ${{ env.GH_AW_HOME }}/safe-jobs/ - name: Setup Safe Job Environment Variables run: | find "${GH_AW_HOME}/safe-jobs/" -type f -print diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 63be8155139..3480474c8e8 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -2317,7 +2317,7 @@ jobs: uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 with: name: agent-output - path: ${GH_AW_HOME}/safe-jobs/ + path: ${{ env.GH_AW_HOME }}/safe-jobs/ - name: Setup Safe Job Environment Variables run: | find "${GH_AW_HOME}/safe-jobs/" -type f -print 
diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 2a3055cb7df..e4754632b9f 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -2370,7 +2370,7 @@ jobs: uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 with: name: agent-output - path: ${GH_AW_HOME}/safe-jobs/ + path: ${{ env.GH_AW_HOME }}/safe-jobs/ - name: Setup Safe Job Environment Variables run: | find "${GH_AW_HOME}/safe-jobs/" -type f -print diff --git a/pkg/workflow/safe_jobs.go b/pkg/workflow/safe_jobs.go index 3decede8a55..88d75d0de73 100644 --- a/pkg/workflow/safe_jobs.go +++ b/pkg/workflow/safe_jobs.go @@ -222,7 +222,7 @@ func (c *Compiler) buildSafeJobs(data *WorkflowData, threatDetectionEnabled bool // Add step to download agent output artifact using shared helper downloadSteps := buildArtifactDownloadSteps(ArtifactDownloadConfig{ ArtifactName: constants.AgentOutputArtifactName, - DownloadPath: GhAwHome + "/safe-jobs/", + DownloadPath: GhAwHomeExpr + "/safe-jobs/", SetupEnvStep: false, // We'll handle env vars separately to add job-specific ones StepName: "Download agent output artifact", }) From 5296c16ff73d2a5ae228874913117f28393e0053 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 9 Mar 2026 14:38:56 +0000 Subject: [PATCH 10/12] Add changeset [skip-ci] --- .changeset/patch-use-gh-aw-home.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .changeset/patch-use-gh-aw-home.md diff --git a/.changeset/patch-use-gh-aw-home.md b/.changeset/patch-use-gh-aw-home.md new file mode 100644 index 00000000000..ac5a307c6b3 --- /dev/null +++ b/.changeset/patch-use-gh-aw-home.md @@ -0,0 +1,5 @@ +--- +"gh-aw": patch +--- + +Use the `GH_AW_HOME` environment variable for runtime paths instead of hardcoding `/opt/gh-aw`, improving portability to self-hosted runners. From f14347fb6c92367f08e80e838ec1501a77c380d5 Mon Sep 17 00:00:00 2001 
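Review bot: The switch to `DownloadPath: GhAwHomeExpr + "/safe-jobs/"` has no regression test: the diffstat for this commit lists only lock files and safe_jobs.go. The generated `with: path:` value and the `find "${GH_AW_HOME}/safe-jobs/"` in the following step come from two different constants and must name the same directory, which is the mismatch the commit message describes. A test that compiles a workflow with a safe job should assert that the output contains `path: ${{ env.GH_AW_HOME }}/safe-jobs/` and not `path: ${GH_AW_HOME}/safe-jobs/`. buildSafeJobs begins and ends outside this hunk.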
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 10 Mar 2026 02:15:13 +0000 Subject: [PATCH 11/12] feat: merge main and fix safe_outputs job to ignore known custom safe job types Merges origin/main into branch. Also adds GH_AW_SAFE_OUTPUT_JOBS to the safe_outputs job env so the handler manager can skip message types handled by custom safe jobs (e.g. send_slack_message), preventing 'No handler loaded' failures when those types appear in agent output. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .changeset/patch-conditional-agent-output.md | 2 +- .../patch-wiki-note-empty-placeholder.md | 5 + .../agent-performance-analyzer.lock.yml | 2 + .../workflows/agent-persona-explorer.lock.yml | 1 + .github/workflows/ai-moderator.lock.yml | 1 + .github/workflows/archie.lock.yml | 1 + .github/workflows/artifacts-summary.lock.yml | 1 + .github/workflows/audit-workflows.lock.yml | 2 + .github/workflows/auto-triage-issues.lock.yml | 1 + .github/workflows/blog-auditor.lock.yml | 1 + .github/workflows/bot-detection.lock.yml | 1 + .github/workflows/brave.lock.yml | 1 + .../breaking-change-checker.lock.yml | 1 + .github/workflows/changeset.lock.yml | 1 + .github/workflows/ci-coach.lock.yml | 1 + .github/workflows/ci-doctor.lock.yml | 1 + .../claude-code-user-docs-review.lock.yml | 1 + .../cli-consistency-checker.lock.yml | 1 + .../workflows/cli-version-checker.lock.yml | 1 + .github/workflows/cloclo.lock.yml | 1 + .../workflows/code-scanning-fixer.lock.yml | 1 + .github/workflows/code-simplifier.lock.yml | 1 + .../commit-changes-analyzer.lock.yml | 1 + .../constraint-solving-potd.lock.yml | 1 + .github/workflows/contribution-check.lock.yml | 1 + .../workflows/copilot-agent-analysis.lock.yml | 2 + .../copilot-cli-deep-research.lock.yml | 2 + .../copilot-pr-merged-report.lock.yml | 1 + .../copilot-pr-nlp-analysis.lock.yml | 2 + .../copilot-pr-prompt-analysis.lock.yml | 2 + .../copilot-session-insights.lock.yml | 2 + 
.github/workflows/craft.lock.yml | 1 + .../daily-architecture-diagram.lock.yml | 5 +- .../daily-assign-issue-to-user.lock.yml | 1 + .github/workflows/daily-choice-test.lock.yml | 2 + .../workflows/daily-cli-performance.lock.yml | 2 + .../workflows/daily-cli-tools-tester.lock.yml | 1 + .github/workflows/daily-code-metrics.lock.yml | 2 + .../workflows/daily-compiler-quality.lock.yml | 1 + .../daily-copilot-token-report.lock.yml | 2 + .github/workflows/daily-doc-healer.lock.yml | 1 + .github/workflows/daily-doc-updater.lock.yml | 1 + .github/workflows/daily-fact.lock.yml | 1 + .github/workflows/daily-file-diet.lock.yml | 1 + .../workflows/daily-firewall-report.lock.yml | 1 + .../workflows/daily-issues-report.lock.yml | 1 + .../daily-malicious-code-scan.lock.yml | 1 + .../daily-mcp-concurrency-analysis.lock.yml | 1 + .../daily-multi-device-docs-tester.lock.yml | 1 + .github/workflows/daily-news.lock.yml | 2 + .../daily-observability-report.lock.yml | 1 + .../daily-performance-summary.lock.yml | 1 + .github/workflows/daily-regulatory.lock.yml | 1 + .../daily-rendering-scripts-verifier.lock.yml | 1 + .../workflows/daily-repo-chronicle.lock.yml | 1 + .../daily-safe-output-optimizer.lock.yml | 1 + .../daily-safe-outputs-conformance.lock.yml | 1 + .../workflows/daily-secrets-analysis.lock.yml | 1 + .../daily-security-red-team.lock.yml | 1 + .github/workflows/daily-semgrep-scan.lock.yml | 1 + .../daily-syntax-error-quality.lock.yml | 1 + .../daily-team-evolution-insights.lock.yml | 1 + .github/workflows/daily-team-status.lock.yml | 1 + .../daily-testify-uber-super-expert.lock.yml | 2 + .../workflows/daily-workflow-updater.lock.yml | 1 + .github/workflows/dead-code-remover.lock.yml | 1 + .github/workflows/deep-report.lock.yml | 2 + .github/workflows/delight.lock.yml | 2 + .github/workflows/dependabot-burner.lock.yml | 1 + .../workflows/dependabot-go-checker.lock.yml | 1 + .github/workflows/dev-hawk.lock.yml | 1 + .github/workflows/dev.lock.yml | 1 + 
.../developer-docs-consolidator.lock.yml | 1 + .github/workflows/dictation-prompt.lock.yml | 1 + .../workflows/discussion-task-miner.lock.yml | 2 + .github/workflows/docs-noob-tester.lock.yml | 1 + .github/workflows/draft-pr-cleanup.lock.yml | 1 + .../duplicate-code-detector.lock.yml | 1 + .../example-workflow-analyzer.lock.yml | 1 + .github/workflows/firewall-escape.lock.yml | 2 + .../workflows/functional-pragmatist.lock.yml | 1 + .../github-mcp-structural-analysis.lock.yml | 1 + .../github-mcp-tools-report.lock.yml | 1 + .../github-remote-mcp-auth-test.lock.yml | 1 + .../workflows/glossary-maintainer.lock.yml | 1 + .github/workflows/go-fan.lock.yml | 1 + .github/workflows/go-logger.lock.yml | 1 + .../workflows/go-pattern-detector.lock.yml | 1 + .github/workflows/gpclean.lock.yml | 1 + .github/workflows/grumpy-reviewer.lock.yml | 1 + .github/workflows/hourly-ci-cleaner.lock.yml | 1 + .../workflows/instructions-janitor.lock.yml | 1 + .github/workflows/issue-arborist.lock.yml | 1 + .github/workflows/issue-monster.lock.yml | 1 + .github/workflows/issue-triage-agent.lock.yml | 1 + .github/workflows/jsweep.lock.yml | 1 + .../workflows/layout-spec-maintainer.lock.yml | 1 + .github/workflows/lockfile-stats.lock.yml | 1 + .github/workflows/mcp-inspector.lock.yml | 2 + .github/workflows/mergefest.lock.yml | 1 + .github/workflows/metrics-collector.lock.yml | 1 + .../workflows/notion-issue-summary.lock.yml | 2 + .github/workflows/org-health-report.lock.yml | 1 + .github/workflows/pdf-summary.lock.yml | 1 + .github/workflows/plan.lock.yml | 1 + .github/workflows/poem-bot.lock.yml | 1 + .github/workflows/portfolio-analyst.lock.yml | 1 + .../workflows/pr-nitpick-reviewer.lock.yml | 1 + .github/workflows/pr-triage-agent.lock.yml | 2 + .../prompt-clustering-analysis.lock.yml | 1 + .github/workflows/python-data-charts.lock.yml | 1 + .github/workflows/q.lock.yml | 1 + .github/workflows/refiner.lock.yml | 1 + .github/workflows/release.lock.yml | 1 + 
.../workflows/repo-audit-analyzer.lock.yml | 1 + .github/workflows/repo-tree-map.lock.yml | 1 + .../repository-quality-improver.lock.yml | 1 + .github/workflows/research.lock.yml | 1 + .github/workflows/safe-output-health.lock.yml | 1 + .../schema-consistency-checker.lock.yml | 1 + .github/workflows/scout.lock.yml | 1 + ...ecurity-alert-burndown.campaign.g.lock.yml | 1 + .../workflows/security-compliance.lock.yml | 2 + .github/workflows/security-review.lock.yml | 1 + .../semantic-function-refactor.lock.yml | 1 + .github/workflows/sergo.lock.yml | 1 + .../workflows/slide-deck-maintainer.lock.yml | 5 +- .github/workflows/slide-deck-maintainer.md | 2 + .github/workflows/smoke-agent.lock.yml | 1 + .github/workflows/smoke-claude.lock.yml | 1 + .github/workflows/smoke-codex.lock.yml | 1 + .github/workflows/smoke-copilot-arm.lock.yml | 2 + .github/workflows/smoke-copilot.lock.yml | 2 + .../smoke-create-cross-repo-pr.lock.yml | 1 + .github/workflows/smoke-gemini.lock.yml | 1 + .github/workflows/smoke-multi-pr.lock.yml | 1 + .github/workflows/smoke-project.lock.yml | 1 + .github/workflows/smoke-temporary-id.lock.yml | 1 + .github/workflows/smoke-test-tools.lock.yml | 1 + .../smoke-update-cross-repo-pr.lock.yml | 1 + .../workflows/smoke-workflow-call.lock.yml | 1 + .../workflows/stale-repo-identifier.lock.yml | 5 +- .github/workflows/stale-repo-identifier.md | 3 + .../workflows/static-analysis-report.lock.yml | 1 + .../workflows/step-name-alignment.lock.yml | 1 + .github/workflows/sub-issue-closer.lock.yml | 1 + .github/workflows/super-linter.lock.yml | 1 + .../workflows/technical-doc-writer.lock.yml | 1 + .github/workflows/terminal-stylist.lock.yml | 1 + .../test-create-pr-error-handling.lock.yml | 1 + .github/workflows/test-dispatcher.lock.yml | 1 + .../test-project-url-default.lock.yml | 1 + .github/workflows/tidy.lock.yml | 1 + .github/workflows/typist.lock.yml | 1 + .../workflows/ubuntu-image-analyzer.lock.yml | 1 + .github/workflows/unbloat-docs.lock.yml | 1 + 
.github/workflows/video-analyzer.lock.yml | 1 + .../weekly-editors-health-check.lock.yml | 1 + .../workflows/weekly-issue-summary.lock.yml | 1 + .../weekly-safe-outputs-spec-review.lock.yml | 1 + .github/workflows/workflow-generator.lock.yml | 1 + .../workflow-health-manager.lock.yml | 2 + .../workflows/workflow-normalizer.lock.yml | 1 + .../workflow-skill-extractor.lock.yml | 1 + actions/setup/js/assign_to_agent.cjs | 10 +- actions/setup/js/assign_to_agent.test.cjs | 29 ++ actions/setup/js/create_pr_review_comment.cjs | 1 + .../js/create_pr_review_comment.test.cjs | 27 ++ actions/setup/js/handle_agent_failure.cjs | 14 +- actions/setup/js/handle_noop_message.test.cjs | 8 + actions/setup/js/parse_codex_log.cjs | 43 +++ actions/setup/js/parse_codex_log.test.cjs | 103 ++++++ actions/setup/js/safe_output_helpers.cjs | 2 +- actions/setup/js/safe_output_helpers.test.cjs | 26 ++ actions/setup/md/agent_failure_issue.md | 21 +- actions/setup/md/noop_runs_issue.md | 8 + cmd/gh-aw/main.go | 20 +- debug.md | 115 +++++++ docs/astro.config.mjs | 1 + .../images/projectops-write-board_dark.png | Bin 0 -> 189523 bytes .../images/projectops-write-board_light.png | Bin 0 -> 193877 bytes .../images/projectops-write-issue_dark.png | Bin 0 -> 626147 bytes .../images/projectops-write-issue_light.png | Bin 0 -> 272380 bytes .../content/docs/examples/project-tracking.md | 4 +- .../src/content/docs/patterns/project-ops.mdx | 110 +++++-- .../content/docs/reference/auth-projects.mdx | 110 ------- docs/src/content/docs/reference/auth.mdx | 2 +- .../src/content/docs/reference/concurrency.md | 36 +++ .../docs/reference/frontmatter-full.md | 43 +++ docs/src/content/docs/reference/glossary.md | 17 +- .../content/docs/reference/safe-outputs.md | 46 ++- .../src/content/docs/reference/staged-mode.md | 166 ++++++++++ pkg/cli/audit.go | 15 +- pkg/cli/commands.go | 14 +- pkg/cli/commands_test.go | 2 +- pkg/cli/list_workflows_command.go | 12 +- pkg/cli/logs_github_api.go | 18 +- 
pkg/cli/logs_github_api_test.go | 106 ++++++ pkg/cli/logs_utils.go | 3 + pkg/cli/run_workflow_execution.go | 53 +++ pkg/cli/update_command.go | 3 + pkg/parser/schemas/main_workflow_schema.json | 26 +- pkg/workflow/artifact_manager.go | 1 + pkg/workflow/compiler.go | 7 + pkg/workflow/compiler_jobs.go | 6 + pkg/workflow/compiler_jobs_test.go | 87 +++++ .../compiler_orchestrator_workflow.go | 65 +++- .../compiler_orchestrator_workflow_test.go | 138 ++++++++ pkg/workflow/compiler_safe_outputs_job.go | 25 ++ pkg/workflow/compiler_types.go | 164 +++++----- pkg/workflow/concurrency.go | 6 + pkg/workflow/concurrency_test.go | 88 +++++ pkg/workflow/config_parsing_helpers_test.go | 39 +++ pkg/workflow/create_code_scanning_alert.go | 10 + pkg/workflow/create_pull_request.go | 18 +- pkg/workflow/mcp_config_utils.go | 4 +- pkg/workflow/notify_comment.go | 7 + pkg/workflow/repo_memory_prompt.go | 14 +- pkg/workflow/repo_memory_test.go | 6 +- pkg/workflow/safe_outputs_config.go | 8 + pkg/workflow/safe_outputs_jobs.go | 296 ----------------- pkg/workflow/safe_outputs_permissions.go | 303 ++++++++++++++++++ scratchpad/architecture.md | 2 +- scratchpad/layout.md | 61 +++- 224 files changed, 2180 insertions(+), 597 deletions(-) create mode 100644 .changeset/patch-wiki-note-empty-placeholder.md create mode 100644 debug.md create mode 100644 docs/public/images/projectops-write-board_dark.png create mode 100644 docs/public/images/projectops-write-board_light.png create mode 100644 docs/public/images/projectops-write-issue_dark.png create mode 100644 docs/public/images/projectops-write-issue_light.png delete mode 100644 docs/src/content/docs/reference/auth-projects.mdx create mode 100644 docs/src/content/docs/reference/staged-mode.md create mode 100644 pkg/cli/logs_github_api_test.go create mode 100644 pkg/workflow/safe_outputs_permissions.go diff --git a/.changeset/patch-conditional-agent-output.md b/.changeset/patch-conditional-agent-output.md index c80fe9d391a..6802a8ff667 100644 
--- a/.changeset/patch-conditional-agent-output.md +++ b/.changeset/patch-conditional-agent-output.md @@ -2,4 +2,4 @@ "gh-aw": patch --- -Make the agent-output download step conditional so `GH_AW_AGENT_OUTPUT` is only set when the artifact succeeds and label pre-agent failures in the issue title. +Make the agent-output download step conditional so `GH_AW_AGENT_OUTPUT` is only set when the artifact succeeds. diff --git a/.changeset/patch-wiki-note-empty-placeholder.md b/.changeset/patch-wiki-note-empty-placeholder.md new file mode 100644 index 00000000000..4ac06a3e70a --- /dev/null +++ b/.changeset/patch-wiki-note-empty-placeholder.md @@ -0,0 +1,5 @@ +--- +"gh-aw": patch +--- + +Fix `__GH_AW_WIKI_NOTE__` placeholder not being substituted when repo-memory is configured without wiki mode. Previously, when `wiki: false`, the variable used a static empty string that could be missing from the substitution step in older compiled workflows. Now it uses `${{ '' }}` (a GitHub expression evaluating to empty string), ensuring expression interpolation always produces an empty value for the placeholder. diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 097b5de7d73..2dce3818f6d 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -119,6 +119,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_WIKI_NOTE: ${{ '' }} run: | bash ${GH_AW_HOME}/actions/create_prompt_first.sh { 
@@ -1289,6 +1290,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 9bada4665ea..77e5d58d876 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -1129,6 +1129,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "180" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index 2c835869a4e..1504ceaf4fb 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -1032,6 +1032,7 @@ jobs: GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }} GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "5" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 0601df68f6e..98ac5c24d75 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml 
@@ -1098,6 +1098,7 @@ jobs: GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📊 *Diagram rendered by [{workflow_name}]({run_url})*{history_link}\",\"footerWorkflowRecompile\":\"\\u003e 🔧 *Workflow sync report by [{workflow_name}]({run_url}) for {repository}*\",\"footerWorkflowRecompileComment\":\"\\u003e 🔄 *Update from [{workflow_name}]({run_url}) for {repository}*\",\"runStarted\":\"📐 [{workflow_name}]({run_url}) is analyzing the architecture for this {event_type}...\",\"runSuccess\":\"🎨 [{workflow_name}]({run_url}) has completed the architecture visualization. ✅\",\"runFailure\":\"📐 [{workflow_name}]({run_url}) encountered an issue and could not complete the architecture diagram. Check the [run logs]({run_url}) for details.\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 1bd398d47c6..f96b73f73b0 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -1031,6 +1031,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 8072904a07d..1a980b9fc9d 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml 
@@ -125,6 +125,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_WIKI_NOTE: ${{ '' }} run: | bash ${GH_AW_HOME}/actions/create_prompt_first.sh { @@ -1317,6 +1318,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 2d2c0341cf4..6d239140b77 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -1109,6 +1109,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index d28bbf744a0..3e00e4aa0a1 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -1149,6 +1149,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml index fd960992eb3..243d2e9b554 100644 --- a/.github/workflows/bot-detection.lock.yml +++ b/.github/workflows/bot-detection.lock.yml @@ -1069,6 +1069,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 03b3a77f9e5..61ce4f25d7f 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -1086,6 +1086,7 @@ jobs: GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🦁 *Search results brought to you by [{workflow_name}]({run_url})*{history_link}\",\"footerWorkflowRecompile\":\"\\u003e 🔄 *Maintenance report by [{workflow_name}]({run_url}) for {repository}*\",\"runStarted\":\"🔍 Brave Search activated! [{workflow_name}]({run_url}) is venturing into the web on this {event_type}...\",\"runSuccess\":\"🦁 Mission accomplished! [{workflow_name}]({run_url}) has returned with the findings. Knowledge acquired! 🏆\",\"runFailure\":\"🔍 Search interrupted! [{workflow_name}]({run_url}) {status}. The web remains unexplored...\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 1a7578b0d14..1ccc0d18e32 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml 
@@ -1076,6 +1076,7 @@ jobs: GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e ⚠️ *Compatibility report by [{workflow_name}]({run_url})*{history_link}\",\"footerWorkflowRecompile\":\"\\u003e 🛠️ *Workflow maintenance by [{workflow_name}]({run_url}) for {repository}*\",\"runStarted\":\"🔬 Breaking Change Checker online! [{workflow_name}]({run_url}) is analyzing API compatibility on this {event_type}...\",\"runSuccess\":\"✅ Analysis complete! [{workflow_name}]({run_url}) has reviewed all changes. Compatibility verdict delivered! 📋\",\"runFailure\":\"🔬 Analysis interrupted! [{workflow_name}]({run_url}) {status}. Compatibility status unknown...\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 422bbf4ce3a..dbe58dba57c 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -1135,6 +1135,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 76ca56673bb..8543de2f12f 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml 
@@ -1139,6 +1139,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 4c751944d16..ae67b9c422a 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -1307,6 +1307,7 @@ jobs: GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🩺 *Diagnosis provided by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🏥 CI Doctor reporting for duty! [{workflow_name}]({run_url}) is examining the patient on this {event_type}...\",\"runSuccess\":\"🩺 Examination complete! [{workflow_name}]({run_url}) has delivered the diagnosis. Prescription issued! 💊\",\"runFailure\":\"🏥 Medical emergency! [{workflow_name}]({run_url}) {status}. Doctor needs assistance...\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 16d5d69d687..10cd5bb9db1 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml 
@@ -1110,6 +1110,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 706acfa6dd7..b9c05399b07 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -1041,6 +1041,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 39b7bf90dec..59966a1c567 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -1138,6 +1138,7 @@ jobs: GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }} GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "45" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index fa805af11ac..31a94fa9d59 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml 
@@ -1452,6 +1452,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🎤 *Magnifique! Performance by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🎵 Comme d'habitude! [{workflow_name}]({run_url}) takes the stage on this {event_type}...\",\"runSuccess\":\"🎤 Bravo! [{workflow_name}]({run_url}) has delivered a stunning performance! Standing ovation! 🌟\",\"runFailure\":\"🎵 Intermission... [{workflow_name}]({run_url}) {status}. The show must go on... eventually!\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 3f953bb28e2..1963a8f5a4b 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -1165,6 +1165,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_campaigns: ${{ needs.push_repo_memory.outputs.validation_failed_campaigns }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_campaigns: ${{ needs.push_repo_memory.outputs.validation_error_campaigns }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 748112235f4..19dac610918 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml 
@@ -1071,6 +1071,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index eda079ac619..8a8a6a31d1e 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -1088,6 +1088,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index 04d2f8b257b..16b8a884f5a 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml @@ -1032,6 +1032,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 9ce927a34f9..d07e9b1e406 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml 
@@ -1144,6 +1144,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 58ba59047b9..952c548e363 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -126,6 +126,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_WIKI_NOTE: ${{ '' }} run: | bash ${GH_AW_HOME}/actions/create_prompt_first.sh { @@ -1182,6 +1183,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 799f2a3269c..7c6f8edbf5c 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -117,6 +117,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_WIKI_NOTE: ${{ '' }} run: | bash ${GH_AW_HOME}/actions/create_prompt_first.sh { 
@@ -1105,6 +1106,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index f1cc2447e86..0314846f51a 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -1201,6 +1201,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 311e5536e14..3918ffcf638 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -120,6 +120,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_WIKI_NOTE: ${{ '' }} run: | bash ${GH_AW_HOME}/actions/create_prompt_first.sh { 
@@ -1209,6 +1210,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 429ccb2a0ce..1e793853421 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -120,6 +120,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_WIKI_NOTE: ${{ '' }} run: | bash ${GH_AW_HOME}/actions/create_prompt_first.sh { @@ -1125,6 +1126,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 6c39eed1655..40695098f1f 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -129,6 +129,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKFLOW: ${{ github.workflow }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_WIKI_NOTE: ${{ '' }} run: | bash ${GH_AW_HOME}/actions/create_prompt_first.sh { 
@@ -1269,6 +1270,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 2b9da0ea5cc..77a5608ea67 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -1131,6 +1131,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e ⚒️ *Crafted with care by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🛠️ Master Crafter at work! [{workflow_name}]({run_url}) is forging a new workflow on this {event_type}...\",\"runSuccess\":\"⚒️ Masterpiece complete! [{workflow_name}]({run_url}) has crafted your workflow. May it serve you well! 🎖️\",\"runFailure\":\"🛠️ Forge cooling down! [{workflow_name}]({run_url}) {status}. The anvil awaits another attempt...\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index 8a663670242..a92a90b652d 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml 
@@ -345,7 +345,7 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' - {"create_issue":{"expires":168,"max":1},"create_pull_request":{"expires":7,"max":1,"title_prefix":"[architecture] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} + {"create_issue":{"expires":168,"max":1},"create_pull_request":{"expires":168,"max":1,"title_prefix":"[architecture] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ @@ -1162,6 +1162,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -1288,7 +1289,7 @@ jobs: GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"close_older_issues\":true,\"expires\":168,\"labels\":[\"architecture\",\"diagram\"],\"max\":1,\"title_prefix\":\"🏗️ Architecture 
Diagram:\"},\"create_pull_request\":{\"expires\":7,\"labels\":[\"architecture\",\"diagram\",\"documentation\"],\"max\":1,\"max_patch_size\":1024,\"protected_files\":[\"package.json\",\"bun.lockb\",\"bunfig.toml\",\"deno.json\",\"deno.jsonc\",\"deno.lock\",\"global.json\",\"NuGet.Config\",\"Directory.Packages.props\",\"mix.exs\",\"mix.lock\",\"go.mod\",\"go.sum\",\"stack.yaml\",\"stack.yaml.lock\",\"pom.xml\",\"build.gradle\",\"build.gradle.kts\",\"settings.gradle\",\"settings.gradle.kts\",\"gradle.properties\",\"package-lock.json\",\"yarn.lock\",\"pnpm-lock.yaml\",\"npm-shrinkwrap.json\",\"requirements.txt\",\"Pipfile\",\"Pipfile.lock\",\"pyproject.toml\",\"setup.py\",\"setup.cfg\",\"Gemfile\",\"Gemfile.lock\",\"uv.lock\",\"AGENTS.md\"],\"protected_path_prefixes\":[\".github/\",\".agents/\"],\"title_prefix\":\"[architecture] \"},\"missing_data\":{},\"missing_tool\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"close_older_issues\":true,\"expires\":168,\"labels\":[\"architecture\",\"diagram\"],\"max\":1,\"title_prefix\":\"🏗️ Architecture Diagram:\"},\"create_pull_request\":{\"expires\":168,\"labels\":[\"architecture\",\"diagram\",\"documentation\"],\"max\":1,\"max_patch_size\":1024,\"protected_files\":[\"package.json\",\"bun.lockb\",\"bunfig.toml\",\"deno.json\",\"deno.jsonc\",\"deno.lock\",\"global.json\",\"NuGet.Config\",\"Directory.Packages.props\",\"mix.exs\",\"mix.lock\",\"go.mod\",\"go.sum\",\"stack.yaml\",\"stack.yaml.lock\",\"pom.xml\",\"build.gradle\",\"build.gradle.kts\",\"settings.gradle\",\"settings.gradle.kts\",\"gradle.properties\",\"package-lock.json\",\"yarn.lock\",\"pnpm-lock.yaml\",\"npm-shrinkwrap.json\",\"requirements.txt\",\"Pipfile\",\"Pipfile.lock\",\"pyproject.toml\",\"setup.py\",\"setup.cfg\",\"Gemfile\",\"Gemfile.lock\",\"uv.lock\",\"AGENTS.md\"],\"protected_path_prefixes\":[\".github/\",\".agents/\"],\"title_prefix\":\"[architecture] \"},\"missing_data\":{},\"missing_tool\":{}}" GH_AW_CI_TRIGGER_TOKEN: ${{ 
secrets.GH_AW_CI_TRIGGER_TOKEN }} with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 18ef5161154..843c547ac48 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -1074,6 +1074,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 642ac37a3ac..f13ddc57bf0 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -1043,6 +1043,7 @@ jobs: GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }} GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -1080,6 +1081,7 @@ jobs: GH_AW_ENGINE_ID: "claude" GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUTS_STAGED: "true" + GH_AW_SAFE_OUTPUT_JOBS: "{\"test_environment\":\"\"}" GH_AW_TRACKER_ID: "daily-choice-test" GH_AW_WORKFLOW_ID: "daily-choice-test" GH_AW_WORKFLOW_NAME: "Daily Choice Type Test" diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 2419e1e5ced..96ba0b01a3d 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml 
@@ -119,6 +119,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_WIKI_NOTE: ${{ '' }} run: | bash ${GH_AW_HOME}/actions/create_prompt_first.sh { @@ -1311,6 +1312,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 57a1e48f67b..c9498835f99 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -1114,6 +1114,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "60" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index 3c5751fd114..b90decfc232 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -125,6 +125,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_WIKI_NOTE: ${{ '' }} run: | bash ${GH_AW_HOME}/actions/create_prompt_first.sh { 
@@ -1246,6 +1247,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 9e3b842cbd0..796569f1d4c 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -1089,6 +1089,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index 54094ad3c7f..1f46f5f80d8 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -118,6 +118,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_WIKI_NOTE: ${{ '' }} run: | bash ${GH_AW_HOME}/actions/create_prompt_first.sh { 
@@ -1220,6 +1221,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index 68aba7ca281..f08b20d6500 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml @@ -1242,6 +1242,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "45" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 7ca143da776..b64022fc90d 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -1161,6 +1161,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "45" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index bd980f51692..6c4c9b936ab 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml 
@@ -983,6 +983,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🪶 *Penned with care by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📜 Hark! The muse awakens — [{workflow_name}]({run_url}) begins its verse upon this {event_type}...\",\"runSuccess\":\"✨ Lo! [{workflow_name}]({run_url}) hath woven its tale to completion, like a sonnet finding its final rhyme. 🌟\",\"runFailure\":\"🌧️ Alas! [{workflow_name}]({run_url}) {status}, its quill fallen mid-verse. The poem remains unfinished...\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index da4e852160c..8103c6bf901 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -1093,6 +1093,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 01655adf805..86bb8526592 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml 
@@ -1208,6 +1208,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "45" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 4078603a4a0..093ebf0b466 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -1211,6 +1211,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index a81aaf0ca55..05431307e02 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -945,6 +945,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index 64b514226d1..d9cc3349af0 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml 
@@ -1148,6 +1148,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "45" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 7c5056086f0..ae10e552b11 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -1234,6 +1234,7 @@ jobs: GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }} GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index d8f072b2115..4b4dbc3beb1 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -120,6 +120,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_WIKI_NOTE: ${{ '' }} run: | bash ${GH_AW_HOME}/actions/create_prompt_first.sh { @@ -1281,6 +1282,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 164eafedfd2..c226f5adb5b 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -1168,6 +1168,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "45" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index ae61d8a26ad..89b7530735f 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -1692,6 +1692,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 3e0bfb8a8bf..0799cd0627f 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -1589,6 +1589,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index 2bec8b15e51..c23feef5647 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -1245,6 +1245,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 8f35d41798d..076815cac7b 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -1138,6 +1138,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "45" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index d34221f67a0..8c7a89a7ca8 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -1227,6 +1227,7 @@ jobs: GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }} GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index e79c2ecf08a..06b4d3a560d 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -1104,6 +1104,7 @@ jobs: GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }} GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index c6b96d5e350..4d54bef653f 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -1102,6 +1102,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index e1660edcc2b..73890569c29 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -1108,6 +1108,7 @@ jobs: GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }} GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "60" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 80b4346e548..f9e740aeb4c 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -1084,6 +1084,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index caff1360571..1969aee8313 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -1073,6 +1073,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index fcab1d79360..bd28ed27d91 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -1088,6 +1088,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "90" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index d303da87bf8..3bc514a8040 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -1071,6 +1071,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index 37729327a77..f48de642ec9 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -122,6 +122,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_WIKI_NOTE: ${{ '' }} run: | bash ${GH_AW_HOME}/actions/create_prompt_first.sh { @@ -1144,6 +1145,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 9d439b11672..445e2e2b0e4 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml 
@@ -1052,6 +1052,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index d93d15db877..7943841c905 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -1095,6 +1095,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 710ff242752..c25d9bbc4c1 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -125,6 +125,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_WIKI_NOTE: ${{ '' }} run: | bash ${GH_AW_HOME}/actions/create_prompt_first.sh { @@ -1318,6 +1319,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "45" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 8c813547b87..c4061102811 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -118,6 +118,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_WIKI_NOTE: ${{ '' }} run: | bash ${GH_AW_HOME}/actions/create_prompt_first.sh { @@ -1197,6 +1198,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index f5c5554a8b3..3137744012f 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -1047,6 +1047,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index 90dc73d4aad..9b05f31431a 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml 
@@ -1096,6 +1096,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 71886981ddc..f0cab15837e 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -1135,6 +1135,7 @@ jobs: GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🦅 *Observed from above by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🦅 Dev Hawk circles the sky! [{workflow_name}]({run_url}) is monitoring this {event_type} from above...\",\"runSuccess\":\"🦅 Hawk eyes report! [{workflow_name}]({run_url}) has completed reconnaissance. Intel delivered! 🎯\",\"runFailure\":\"🦅 Hawk down! [{workflow_name}]({run_url}) {status}. The skies grow quiet...\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index 153f2ec22cb..30b8b447e1a 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -1038,6 +1038,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index ed8bb8ea12d..2a193749c3e 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -1300,6 +1300,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index b862c72784c..a8c7a980d08 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -1055,6 +1055,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 6ec7991e183..5e46469ee09 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -121,6 +121,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_WIKI_NOTE: ${{ '' }} run: | bash ${GH_AW_HOME}/actions/create_prompt_first.sh { 
@@ -1179,6 +1180,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index b772aedd1b4..a99e2c5320f 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -1090,6 +1090,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index e1c0beaaa73..df342d6aa61 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -1112,6 +1112,7 @@ jobs: GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"runStarted\":\"🧹 Starting draft PR cleanup... [{workflow_name}]({run_url}) is reviewing draft PRs for staleness\",\"runSuccess\":\"✅ Draft PR cleanup complete! [{workflow_name}]({run_url}) has reviewed and processed stale drafts.\",\"runFailure\":\"❌ Draft PR cleanup failed! [{workflow_name}]({run_url}) {status}. Some draft PRs may not be processed.\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 0d2129e2945..1710e42fa94 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -1075,6 +1075,7 @@ jobs: GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }} GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 4f33803b2f3..2f72429245d 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -1148,6 +1148,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 117bb41a710..4a25c82f3f4 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -135,6 +135,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_WIKI_NOTE: ${{ '' }} run: | bash ${GH_AW_HOME}/actions/create_prompt_first.sh { 
@@ -1123,6 +1124,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "60" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index 49434861c02..8e2b8fe9dc6 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -1065,6 +1065,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "45" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index f94b3d1e005..486e51376c9 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -1192,6 +1192,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 08be915d4d4..9ef5b00c1ce 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml 
+++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -1206,6 +1206,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index d82fb6fdaef..5f5d1021f79 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -1040,6 +1040,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "5" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 5e4a2ff8f08..32fd5627e8a 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -1192,6 +1192,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index a527b138ebe..2f7770416e7 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml 
@@ -1153,6 +1153,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 0360328f796..e61905a80b9 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -1326,6 +1326,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 8a3728e5888..a9d0548ab26 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -1150,6 +1150,7 @@ jobs: GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }} GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 49324e65d99..e4d146df976 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml 
@@ -1075,6 +1075,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 52e8972d4a9..f6b620887c0 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -1167,6 +1167,7 @@ jobs: GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 😤 *Reluctantly reviewed by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"😤 *sigh* [{workflow_name}]({run_url}) is begrudgingly looking at this {event_type}... This better be worth my time.\",\"runSuccess\":\"😤 Fine. [{workflow_name}]({run_url}) finished the review. It wasn't completely terrible. I guess. 🙄\",\"runFailure\":\"😤 Great. [{workflow_name}]({run_url}) {status}. As if my day couldn't get any worse...\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index bf9df8b3f91..0c6bd891306 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -1164,6 +1164,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "45" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index bded0fce007..f62a7b396aa 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -1154,6 +1154,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 2ceb05a24bb..908479c2b93 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -1153,6 +1153,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index a3456d6f145..eb9ba78d30f 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml 
@@ -1104,6 +1104,7 @@ jobs: GH_AW_ASSIGNMENT_ERROR_COUNT: ${{ needs.safe_outputs.outputs.assign_to_agent_assignment_error_count }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🍪 *Om nom nom by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🍪 ISSUE! ISSUE! [{workflow_name}]({run_url}) hungry for issues on this {event_type}! Om nom nom...\",\"runSuccess\":\"🍪 YUMMY! [{workflow_name}]({run_url}) ate the issues! That was DELICIOUS! Me want MORE! 😋\",\"runFailure\":\"🍪 Aww... [{workflow_name}]({run_url}) {status}. No cookie for monster today... 😢\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 2cb132494cc..1a97d054da6 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -1048,6 +1048,7 @@ jobs: GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "5" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 49723f8c821..fb704795093 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -1101,6 +1101,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index 305c71493bd..b6fe96f44ce 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -1094,6 +1094,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 89bf5e4789e..f093f896611 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -1110,6 +1110,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 7ed765d4224..a23beebc992 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -1447,6 +1447,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -1760,6 +1761,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/mcp-inspector" GH_AW_ENGINE_ID: "copilot" GH_AW_HOME: /opt/gh-aw + GH_AW_SAFE_OUTPUT_JOBS: "{\"notion_add_comment\":\"\",\"post_to_slack_channel\":\"\"}" GH_AW_WORKFLOW_ID: "mcp-inspector" GH_AW_WORKFLOW_NAME: "MCP Inspector Agent" outputs: diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 8d3269c277c..da4f7ef5197 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -1111,6 +1111,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index b261685cf4a..0ae40cdef24 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -120,6 +120,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_WIKI_NOTE: ${{ '' }} run: | bash ${GH_AW_HOME}/actions/create_prompt_first.sh { diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 5952ba6357f..455507d7581 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml 
@@ -880,6 +880,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "5" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -1045,6 +1046,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/notion-issue-summary" GH_AW_ENGINE_ID: "copilot" GH_AW_HOME: /opt/gh-aw + GH_AW_SAFE_OUTPUT_JOBS: "{\"notion_add_comment\":\"\"}" GH_AW_WORKFLOW_ID: "notion-issue-summary" GH_AW_WORKFLOW_NAME: "Issue Summary to Notion" outputs: diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index cbe4b9ef292..435f2a29916 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -1135,6 +1135,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "60" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index aff135a1c01..c8ab69ff5b2 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml 
@@ -1200,6 +1200,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📄 *Summary compiled by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📖 Page by page! [{workflow_name}]({run_url}) is reading through this {event_type}...\",\"runSuccess\":\"📚 TL;DR ready! [{workflow_name}]({run_url}) has distilled the essence. Knowledge condensed! ✨\",\"runFailure\":\"📖 Reading interrupted! [{workflow_name}]({run_url}) {status}. The document remains unsummarized...\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index ada0252d25c..78f177bf3e4 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -1157,6 +1157,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 8b1196a4f49..ba2669873cf 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml 
@@ -1873,6 +1873,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🪶 *Verses penned by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🎭 Hear ye! The muse stirs! [{workflow_name}]({run_url}) takes quill in hand for this {event_type}...\",\"runSuccess\":\"🪶 The poem is writ! [{workflow_name}]({run_url}) has composed verses most fair. Applause! 👏\",\"runFailure\":\"🎭 Alas! [{workflow_name}]({run_url}) {status}. The muse has fled, leaving verses unsung...\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index b90f8ca4d27..97a84bea319 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -1219,6 +1219,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index a956d005a58..1f68514dd9e 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml 
@@ -1272,6 +1272,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔍 *Meticulously inspected by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔬 Adjusting monocle... [{workflow_name}]({run_url}) is scrutinizing every pixel of this {event_type}...\",\"runSuccess\":\"🔍 Nitpicks catalogued! [{workflow_name}]({run_url}) has documented all the tiny details. Perfection awaits! ✅\",\"runFailure\":\"🔬 Lens cracked! [{workflow_name}]({run_url}) {status}. Some nitpicks remain undetected...\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 2e45b657911..4a2dd87dff0 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -121,6 +121,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_WIKI_NOTE: ${{ '' }} run: | bash ${GH_AW_HOME}/actions/create_prompt_first.sh { @@ -1194,6 +1195,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 5133d5827b2..4a9307cfeb2 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml 
@@ -1241,6 +1241,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 5d15be8657a..9003deb47d6 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -1204,6 +1204,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 701ee4ac467..25abfd2c13a 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -1311,6 +1311,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🎩 *Equipped by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔧 Pay attention, 007! [{workflow_name}]({run_url}) is preparing your gadgets for this {event_type}...\",\"runSuccess\":\"🎩 Mission equipment ready! [{workflow_name}]({run_url}) has optimized your workflow. Use wisely, 007! 🔫\",\"runFailure\":\"🔧 Technical difficulties! [{workflow_name}]({run_url}) {status}. Even Q Branch has bad days...\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index f19f4f6c338..f309ac3506e 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -1134,6 +1134,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"runStarted\":\"🔍 Starting code refinement... [{workflow_name}]({run_url}) is analyzing PR #${{ github.event.pull_request.number }} for style alignment and security issues\",\"runSuccess\":\"✅ Refinement complete! [{workflow_name}]({run_url}) has created a PR with improvements for PR #${{ github.event.pull_request.number }}\",\"runFailure\":\"❌ Refinement failed! [{workflow_name}]({run_url}) {status} while processing PR #${{ github.event.pull_request.number }}\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 411393a9dbf..0ce8dbaca97 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -1049,6 +1049,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 2c5850a8c84..40c75a9e059 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml 
@@ -1066,6 +1066,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "45" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 8f1448427dc..5b0761a5eb4 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -1032,6 +1032,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "5" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 6cad6506efd..9a9487626fb 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -1070,6 +1070,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 5dda095a2f8..0c0b1fe122e 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml 
@@ -1058,6 +1058,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 710c963516f..6548a6c7317 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -1203,6 +1203,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 66090761d0e..e12ff8c99b0 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -1111,6 +1111,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index a24eb0b83d3..86e447e3b52 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml 
@@ -1344,6 +1344,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔭 *Intelligence gathered by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🏕️ Scout on patrol! [{workflow_name}]({run_url}) is blazing trails through this {event_type}...\",\"runSuccess\":\"🔭 Recon complete! [{workflow_name}]({run_url}) has charted the territory. Map ready! 🗺️\",\"runFailure\":\"🏕️ Lost in the wilderness! [{workflow_name}]({run_url}) {status}. Sending search party...\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/security-alert-burndown.campaign.g.lock.yml b/.github/workflows/security-alert-burndown.campaign.g.lock.yml index 38da7f909e7..33956d3e1fe 100644 --- a/.github/workflows/security-alert-burndown.campaign.g.lock.yml +++ b/.github/workflows/security-alert-burndown.campaign.g.lock.yml @@ -1491,6 +1491,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_campaigns: ${{ needs.push_repo_memory.outputs.validation_failed_campaigns }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_campaigns: ${{ needs.push_repo_memory.outputs.validation_error_campaigns }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index a9e1dd3f648..3a626a293b7 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -143,6 +143,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_WIKI_NOTE: ${{ '' }} run: | bash ${GH_AW_HOME}/actions/create_prompt_first.sh { 
@@ -1126,6 +1127,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index b13ac95e9c1..f57a15a8b58 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -1246,6 +1246,7 @@ jobs: GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔒 *Security review by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 [{workflow_name}]({run_url}) is analyzing this {event_type} for security implications...\",\"runSuccess\":\"🔒 [{workflow_name}]({run_url}) completed the security review.\",\"runFailure\":\"⚠️ [{workflow_name}]({run_url}) {status} during security review.\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index e0910d60783..094955671f5 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -1191,6 +1191,7 @@ jobs: GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }} GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index a3f16df313e..6122968a5f9 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -1152,6 +1152,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "45" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index c76ebb0f205..dce8415ce6a 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -23,7 +23,7 @@ # # Maintains the gh-aw slide deck by scanning repository content and detecting layout issues using Playwright # -# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"0b3d7f1cb6dbc12d69cb6f2f524b6c7eaec295bbc300df932437af7677e97e6c","strict":true} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"52aa9f9c22b63de50f98ab9bb986ccbfaf180e62d4cf90d4c55c5b235fe07769","strict":true} name: "Slide Deck Maintainer" "on": @@ -269,7 +269,7 @@ jobs: issues: read pull-requests: read concurrency: - group: "gh-aw-copilot-${{ github.workflow }}" + group: "gh-aw-copilot-${{ github.workflow }}-${{ inputs.focus || github.run_id }}" env: DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} GH_AW_ASSETS_ALLOWED_EXTS: "" @@ -1161,6 +1161,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "45" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/slide-deck-maintainer.md b/.github/workflows/slide-deck-maintainer.md index bb8c3e69212..51af960c278 100644 --- a/.github/workflows/slide-deck-maintainer.md +++ b/.github/workflows/slide-deck-maintainer.md @@ -15,6 +15,8 @@ permissions: contents: read pull-requests: read issues: read +concurrency: + job-discriminator: ${{ inputs.focus || github.run_id }} tracker-id: slide-deck-maintainer engine: copilot timeout-minutes: 45 diff --git a/.github/workflows/smoke-agent.lock.yml b/.github/workflows/smoke-agent.lock.yml index 05f638ce0ef..e64cd763534 100644 --- a/.github/workflows/smoke-agent.lock.yml +++ b/.github/workflows/smoke-agent.lock.yml @@ -1109,6 +1109,7 @@ jobs: GH_AW_ASSIGNMENT_ERROR_COUNT: ${{ needs.safe_outputs.outputs.assign_to_agent_assignment_error_count }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🤖 [{workflow_name}]({run_url}) is looking for a Smoke issue to assign...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed. Issue assigned to the agentic-workflows agent.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index b26026006d1..f68463a6692 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml 
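Review bot: In the `slide-deck-maintainer.md` hunk (`@@ -15,6 +15,8 @@`), the new `job-discriminator: ${{ inputs.focus || github.run_id }}` falls back to `github.run_id` whenever `focus` is empty, so each such run gets its own concurrency group and is no longer serialized against other runs. The compiled lock file in this patch confirms it: the group changes from `gh-aw-copilot-${{ github.workflow }}` to one with the discriminator appended. If that is intended, a frontmatter comment should say so, e.g. `# serialize per focus value; runs without a focus are not serialized`. If overlapping unfocused runs should still queue (they presumably work on the same slide deck and could open competing pull requests), a constant fallback such as `${{ inputs.focus || 'default' }}` would keep them in one group. The frontmatter continues outside the hunk, so whether `focus` is always supplied cannot be confirmed from here.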
@@ -2753,6 +2753,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 💥 *[THE END] — Illustrated by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"💥 **WHOOSH!** [{workflow_name}]({run_url}) springs into action on this {event_type}! *[Panel 1 begins...]*\",\"runSuccess\":\"🎬 **THE END** — [{workflow_name}]({run_url}) **MISSION: ACCOMPLISHED!** The hero saves the day! ✨\",\"runFailure\":\"💫 **TO BE CONTINUED...** [{workflow_name}]({run_url}) {status}! Our hero faces unexpected challenges...\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 61d8b5b3dd6..48e4466b028 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1611,6 +1611,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔮 *The oracle has spoken through [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔮 The ancient spirits stir... [{workflow_name}]({run_url}) awakens to divine this {event_type}...\",\"runSuccess\":\"✨ The prophecy is fulfilled... [{workflow_name}]({run_url}) has completed its mystical journey. The stars align. 🌟\",\"runFailure\":\"🌑 The shadows whisper... [{workflow_name}]({run_url}) {status}. The oracle requires further meditation...\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 3480474c8e8..2e0f4eebd1e 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml 
+++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -2150,6 +2150,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📰 *BREAKING: Report filed by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"📰 BREAKING: [{workflow_name}]({run_url}) is now investigating this {event_type}. Sources say the story is developing...\",\"runSuccess\":\"📰 VERDICT: [{workflow_name}]({run_url}) has concluded. All systems operational. This is a developing story. 🎤\",\"runFailure\":\"📰 DEVELOPING STORY: [{workflow_name}]({run_url}) reports {status}. Our correspondents are investigating the incident...\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -2242,6 +2243,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-copilot-arm" GH_AW_ENGINE_ID: "copilot" GH_AW_HOME: /opt/gh-aw + GH_AW_SAFE_OUTPUT_JOBS: "{\"send_slack_message\":\"\"}" GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📰 *BREAKING: Report filed by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"📰 BREAKING: [{workflow_name}]({run_url}) is now investigating this {event_type}. Sources say the story is developing...\",\"runSuccess\":\"📰 VERDICT: [{workflow_name}]({run_url}) has concluded. All systems operational. This is a developing story. 🎤\",\"runFailure\":\"📰 DEVELOPING STORY: [{workflow_name}]({run_url}) reports {status}. Our correspondents are investigating the incident...\"}" GH_AW_WORKFLOW_ID: "smoke-copilot-arm" GH_AW_WORKFLOW_NAME: "Smoke Copilot ARM64" diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index e4754632b9f..35c1d154f0c 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml 
@@ -2203,6 +2203,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📰 *BREAKING: Report filed by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"📰 BREAKING: [{workflow_name}]({run_url}) is now investigating this {event_type}. Sources say the story is developing...\",\"runSuccess\":\"📰 VERDICT: [{workflow_name}]({run_url}) has concluded. All systems operational. This is a developing story. 🎤\",\"runFailure\":\"📰 DEVELOPING STORY: [{workflow_name}]({run_url}) reports {status}. Our correspondents are investigating the incident...\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -2295,6 +2296,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-copilot" GH_AW_ENGINE_ID: "copilot" GH_AW_HOME: /opt/gh-aw + GH_AW_SAFE_OUTPUT_JOBS: "{\"send_slack_message\":\"\"}" GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📰 *BREAKING: Report filed by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"📰 BREAKING: [{workflow_name}]({run_url}) is now investigating this {event_type}. Sources say the story is developing...\",\"runSuccess\":\"📰 VERDICT: [{workflow_name}]({run_url}) has concluded. All systems operational. This is a developing story. 🎤\",\"runFailure\":\"📰 DEVELOPING STORY: [{workflow_name}]({run_url}) reports {status}. Our correspondents are investigating the incident...\"}" GH_AW_WORKFLOW_ID: "smoke-copilot" GH_AW_WORKFLOW_NAME: "Smoke Copilot" diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index 4d095bbdeea..ab59c9e0f5c 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml 
@@ -1243,6 +1243,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔬 *Cross-repo smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔬 [{workflow_name}]({run_url}) is testing cross-repo PR creation in githubnext/gh-aw-side-repo...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created a cross-repo PR in githubnext/gh-aw-side-repo!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create a cross-repo PR: {status}\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index 4bd0e610bba..de8136aaa75 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -1330,6 +1330,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e ✨ *[{workflow_name}]({run_url}) — Powered by Gemini*{history_link}\",\"runStarted\":\"✨ Gemini awakens... [{workflow_name}]({run_url}) begins its journey on this {event_type}...\",\"runSuccess\":\"🚀 [{workflow_name}]({run_url}) **MISSION COMPLETE!** Gemini has spoken. ✨\",\"runFailure\":\"⚠️ [{workflow_name}]({run_url}) {status}. Gemini encountered unexpected challenges...\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index d60e0e8daac..e71929f98ad 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml 
@@ -1187,6 +1187,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🧪 *Multi PR smoke test by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🧪 [{workflow_name}]({run_url}) is now testing multiple PR creation...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created multiple PRs.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create multiple PRs. Check the logs.\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index d15d295b641..f00941c75da 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -1620,6 +1620,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🧪 *Project smoke test report by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🧪 [{workflow_name}]({run_url}) is now testing project operations...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed successfully. All project operations validated.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) encountered failures. Check the logs for details.\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index 03b35289cfe..172920f7803 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml 
@@ -1205,6 +1205,7 @@ jobs: GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🧪 *Temporary ID smoke test by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🧪 [{workflow_name}]({run_url}) is now testing temporary ID functionality...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed successfully. Temporary ID validation passed.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) encountered failures. Check the logs for details.\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 779b22e5a1e..215579d90e5 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -1083,6 +1083,7 @@ jobs: GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔧 *Tool validation by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔧 Starting tool validation... [{workflow_name}]({run_url}) is checking the agent container tools...\",\"runSuccess\":\"✅ All tools validated successfully! [{workflow_name}]({run_url}) confirms agent container is ready.\",\"runFailure\":\"❌ Tool validation failed! [{workflow_name}]({run_url}) detected missing tools: {status}\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "5" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index 927a387a6c4..00f65b0379d 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml 
+++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml @@ -1245,6 +1245,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📜 *Cross-repo PR update smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📜 [{workflow_name}]({run_url}) is adding the next Odyssey line to githubnext/gh-aw-side-repo PR #1...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully updated the cross-repo PR with a new Odyssey line!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to update the cross-repo PR: {status}\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index cd793aa779c..4d17d21f636 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml @@ -1046,6 +1046,7 @@ jobs: GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔁 *workflow_call smoke test by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🔁 [{workflow_name}]({run_url}) is validating workflow_call checkout...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully validated workflow_call checkout.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to validate workflow_call checkout. Check the logs.\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 4c70e6373fb..714d4bfea97 100644 
--- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -29,7 +29,7 @@ # - shared/python-dataviz.md # - shared/trending-charts-simple.md # -# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"cb88eff6090a5e966484e7a4dd6f39dcd1b246e1547c910ce2695d7faf605d00","strict":true} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"cb8216252ac0aead193e61a5e172c70364c2d476bc496fc28e876f124903323c","strict":true} name: "Stale Repository Identifier" "on": @@ -280,7 +280,7 @@ jobs: issues: read pull-requests: read concurrency: - group: "gh-aw-copilot-${{ github.workflow }}" + group: "gh-aw-copilot-${{ github.workflow }}-${{ inputs.organization || github.run_id }}" env: DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" @@ -1202,6 +1202,7 @@ jobs: GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔍 *Analysis by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 Stale Repository Identifier starting! [{workflow_name}]({run_url}) is analyzing repository activity...\",\"runSuccess\":\"✅ Analysis complete! [{workflow_name}]({run_url}) has finished analyzing stale repositories.\",\"runFailure\":\"⚠️ Analysis interrupted! [{workflow_name}]({run_url}) {status}.\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "45" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/stale-repo-identifier.md b/.github/workflows/stale-repo-identifier.md index 3261daf0a72..f9cc3e9ac34 100644 --- a/.github/workflows/stale-repo-identifier.md +++ b/.github/workflows/stale-repo-identifier.md @@ -17,6 +17,9 @@ permissions: pull-requests: read actions: read +concurrency: + job-discriminator: ${{ inputs.organization || github.run_id }} + engine: copilot strict: true timeout-minutes: 45 
diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index fb91635d97a..52fe9a8414b 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -1185,6 +1185,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "45" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 345384d315c..84a3bc2e810 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -1137,6 +1137,7 @@ jobs: GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }} GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index 0b618ac8633..f031cba437e 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -1145,6 +1145,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 45e978af772..0430eef3e25 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -1090,6 +1090,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index c77e3fa22b7..ed9514634cf 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -1281,6 +1281,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 22469eddc7a..f1daa6062e5 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -1040,6 +1040,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index 858ddc2e4b5..e77a0ed50f9 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -1126,6 +1126,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "5" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index d671dbe7820..d26a2dd0847 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -972,6 +972,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index a2b8152d190..7968670ed40 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -1231,6 +1231,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 5ce22a29350..27e46cb536d 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -1207,6 +1207,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "10" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index e07c9bd16c0..2f4545b8d09 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -1121,6 +1121,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 0e7feedba10..f46e834175a 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -1090,6 +1090,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 9534d9c6734..8b6484c3407 100644 --- a/.github/workflows/unbloat-docs.lock.yml 
+++ b/.github/workflows/unbloat-docs.lock.yml @@ -1390,6 +1390,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🗜️ *Compressed by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📦 Time to slim down! [{workflow_name}]({run_url}) is trimming the excess from this {event_type}...\",\"runSuccess\":\"🗜️ Docs on a diet! [{workflow_name}]({run_url}) has removed the bloat. Lean and mean! 💪\",\"runFailure\":\"📦 Unbloating paused! [{workflow_name}]({run_url}) {status}. The docs remain... fluffy.\"}" GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 1c26d5b6d02..9e3f2c2253d 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -1082,6 +1082,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "15" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 69b169dc888..68c839abe25 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml 
@@ -1145,6 +1145,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 359503384b7..ec1cab1d9ea 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -1117,6 +1117,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 5177b05cb9a..4ab71318fed 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -1048,6 +1048,7 @@ jobs: GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }} GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 93cd1a09d68..288351026f2 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml 
@@ -1189,6 +1189,7 @@ jobs: GH_AW_ASSIGNMENT_ERRORS: ${{ needs.safe_outputs.outputs.assign_to_agent_assignment_errors }} GH_AW_ASSIGNMENT_ERROR_COUNT: ${{ needs.safe_outputs.outputs.assign_to_agent_assignment_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "5" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index f318ad1cbd7..1b8407bfdee 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -125,6 +125,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_WIKI_NOTE: ${{ '' }} run: | bash ${GH_AW_HOME}/actions/create_prompt_first.sh { @@ -1290,6 +1291,7 @@ jobs: GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index b77f61f865b..e3db32f23b8 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -1123,6 +1123,7 @@ jobs: GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 1be860714c1..04d96e0562a 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -1135,6 +1135,7 @@ jobs: GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" GH_AW_TIMEOUT_MINUTES: "30" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/actions/setup/js/assign_to_agent.cjs b/actions/setup/js/assign_to_agent.cjs index a0a32e37546..aa407c4f91e 100644 --- a/actions/setup/js/assign_to_agent.cjs +++ b/actions/setup/js/assign_to_agent.cjs @@ -191,8 +191,7 @@ async function main() { // Process each agent assignment const results = []; - for (let i = 0; i < itemsToProcess.length; i++) { - const item = itemsToProcess[i]; + for (const [i, item] of itemsToProcess.entries()) { const agentName = item.agent ?? defaultAgent; // Model, custom agent, and custom instructions are only configurable via frontmatter defaults // They are NOT available as per-item overrides in the tool call 
@@ -478,12 +477,7 @@ async function main() { let errorMessage = getErrorMessage(error); // Check if this is a token authentication error - const isAuthError = - errorMessage.includes("Bad credentials") || - errorMessage.includes("Not Authenticated") || - errorMessage.includes("Resource not accessible") || - errorMessage.includes("Insufficient permissions") || - errorMessage.includes("requires authentication"); + const isAuthError = ["Bad credentials", "Not Authenticated", "Resource not accessible", "Insufficient permissions", "requires authentication"].some(msg => errorMessage.includes(msg)); // If ignore-if-error is enabled and this is an auth error, log warning and skip if (ignoreIfError && isAuthError) { diff --git a/actions/setup/js/assign_to_agent.test.cjs b/actions/setup/js/assign_to_agent.test.cjs index 71a0ba67af8..47bfa8f2887 100644 --- a/actions/setup/js/assign_to_agent.test.cjs +++ b/actions/setup/js/assign_to_agent.test.cjs 
@@ -1270,6 +1270,35 @@ describe("assign_to_agent", () => { expect(lastGraphQLCall[1].targetRepoId).toBe("item-pull-request-repo-id"); }); + it("should reject per-item pull_request_repo not in allowed list", async () => { + process.env.GH_AW_AGENT_PULL_REQUEST_REPO = "test-owner/default-pr-repo"; + process.env.GH_AW_AGENT_ALLOWED_PULL_REQUEST_REPOS = "test-owner/allowed-pr-repo"; + setAgentOutput({ + items: [ + { + type: "assign_to_agent", + issue_number: 42, + agent: "copilot", + pull_request_repo: "test-owner/not-allowed-repo", + }, + ], + errors: [], + }); + + // Mock global PR repo lookup + mockGithub.graphql.mockResolvedValueOnce({ + repository: { + id: "default-pr-repo-id", + defaultBranchRef: { name: "main" }, + }, + }); + + await eval(`(async () => { ${assignToAgentScript}; await main(); })()`); + + expect(mockCore.error).toHaveBeenCalledWith(expect.stringContaining("E004:")); + expect(mockCore.warning).toHaveBeenCalledWith(expect.stringContaining("Failed to assign 1 agent(s)")); + }); + it("should allow pull-request-repo without it being in allowed-pull-request-repos", async () => { // Set pull-request-repo but DO NOT set allowed-pull-request-repos // This tests that pull-request-repo is automatically allowed (like target-repo behavior) diff --git a/actions/setup/js/create_pr_review_comment.cjs b/actions/setup/js/create_pr_review_comment.cjs index 3f98016d19e..902286028f5 100644 --- a/actions/setup/js/create_pr_review_comment.cjs +++ b/actions/setup/js/create_pr_review_comment.cjs @@ -107,6 +107,7 @@ async function main(config = {}) { // Check if we're in a pull request context, or an issue comment context on a PR const isPRContext = context.eventName === "pull_request" || + context.eventName === "pull_request_target" || context.eventName === "pull_request_review" || context.eventName === "pull_request_review_comment" || (context.eventName === "issue_comment" && context.payload.issue && context.payload.issue.pull_request); 
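Review bot: The new "should reject per-item pull_request_repo not in allowed list" test only asserts that an `E004:` error and a summary warning were logged; it never checks that the rejected repository stayed out of every API call. An allow-list test is stronger when it pins the negative, for example `expect(mockGithub.graphql.mock.calls.some(c => JSON.stringify(c).includes("not-allowed-repo"))).toBe(false);` after `main()` has run. Without that, a regression that logs the error but still issues the lookup or assignment for `test-owner/not-allowed-repo` would pass.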
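Review bot: Adding `pull_request_target` to `isPRContext` makes this handler treat as PR context a trigger that runs with the base repository's token and secrets while the pull request itself may come from a fork, and nothing at the condition records that difference. A comment above it would help the next maintainer, e.g. `// pull_request_target runs with base-repo privileges; payload.pull_request (number, head.sha) describes possibly untrusted fork content`. The same event-name list is repeated in `resolveTarget` in `actions/setup/js/safe_output_helpers.cjs`, which this patch also edits, so a single shared list (say a `PR_EVENT_NAMES` array checked with `.includes(context.eventName)`) would stop the two from drifting. `main` starts and ends outside the hunk.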
diff --git a/actions/setup/js/create_pr_review_comment.test.cjs b/actions/setup/js/create_pr_review_comment.test.cjs index 0e35baffe9c..02ea89436ec 100644 --- a/actions/setup/js/create_pr_review_comment.test.cjs +++ b/actions/setup/js/create_pr_review_comment.test.cjs @@ -412,6 +412,33 @@ describe("create_pr_review_comment.cjs", () => { expect(buffer.getBufferedCount()).toBe(0); }); + it("should succeed when target is triggering and event is pull_request_target", async () => { + global.context = { + eventName: "pull_request_target", + runId: 12345, + repo: { owner: "testowner", repo: "testrepo" }, + payload: { + pull_request: { number: 99, head: { sha: "prt123abc456" } }, + repository: { + html_url: "https://github.com/testowner/testrepo", + }, + }, + }; + const handler = await createHandler({ target: "triggering" }); + const message = { + type: "create_pull_request_review_comment", + path: "src/main.js", + line: 5, + body: "Review comment from pull_request_target trigger", + }; + const result = await handler(message, {}); + + expect(result.success).toBe(true); + expect(result.buffered).toBe(true); + expect(result.pull_request_number).toBe(99); + expect(buffer.getBufferedCount()).toBe(1); + }); + it("should reject comments targeting a different PR than the first comment", async () => { // First comment sets context to PR #123 const handler = await createHandler(); diff --git a/actions/setup/js/handle_agent_failure.cjs b/actions/setup/js/handle_agent_failure.cjs index 25730be485b..833e020e36f 100644 --- a/actions/setup/js/handle_agent_failure.cjs +++ b/actions/setup/js/handle_agent_failure.cjs 
@@ -543,6 +543,7 @@ async function main() { const timeoutMinutes = process.env.GH_AW_TIMEOUT_MINUTES || ""; const inferenceAccessError = process.env.GH_AW_INFERENCE_ACCESS_ERROR === "true"; const pushRepoMemoryResult = process.env.GH_AW_PUSH_REPO_MEMORY_RESULT || ""; + const reportFailureAsIssue = process.env.GH_AW_FAILURE_REPORT_AS_ISSUE !== "false"; // Default to true // Collect repo-memory validation errors from all memory configurations const repoMemoryValidationErrors = []; @@ -617,6 +618,12 @@ async function main() { return; } + // Check if failure issue reporting is disabled + if (!reportFailureAsIssue) { + core.info("Failure issue reporting is disabled (report-failure-as-issue: false), skipping failure issue creation"); + return; + } + // Check if the failure was due to PR checkout (e.g., PR was merged and branch deleted) // If checkout_pr_success is "false", skip creating an issue as this is expected behavior if (agentConclusion === "failure" && checkoutPRSuccess === "false") { @@ -647,12 +654,7 @@ async function main() { // Sanitize workflow name for title const sanitizedWorkflowName = sanitizeContent(workflowName, { maxLength: 100 }); - // Detect pre-agent failure: agent never produced output (artifact was not downloaded). - // When the artifact download succeeds, GH_AW_AGENT_OUTPUT is set; when it fails the - // env var is absent, indicating the agent did not reach output-production. - const isPreAgentFailure = agentConclusion === "failure" && !process.env.GH_AW_AGENT_OUTPUT; - const failureStage = isPreAgentFailure ? " (pre-agent)" : ""; - const issueTitle = `[aw] ${sanitizedWorkflowName} failed${failureStage}`; + const issueTitle = `[aw] ${sanitizedWorkflowName} failed`; core.info(`Checking for existing issue with title: "${issueTitle}"`); diff --git a/actions/setup/js/handle_noop_message.test.cjs b/actions/setup/js/handle_noop_message.test.cjs index a0dcd5c08e7..3ce309ddac4 100644 --- a/actions/setup/js/handle_noop_message.test.cjs 
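Review bot: When `reportFailureAsIssue` is false, the early return added in the second hunk records the skipped failure only through `core.info`, so a failed agent run leaves no signal outside the raw step log. Since this switch turns off the failure issue itself, the skip should be a visible annotation that carries the conclusion, e.g. `core.warning(`Failure issue reporting is disabled (report-failure-as-issue: false); agent conclusion: ${agentConclusion}`);`. The check `process.env.GH_AW_FAILURE_REPORT_AS_ISSUE !== "false"` is also an exact, case-sensitive match, which is fine for the compiler-generated `"true"` seen in the lock files, but a short comment saying that any other value, including `"False"` or `"0"`, keeps reporting on would make the contract explicit. `main` continues outside these hunks.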
+++ b/actions/setup/js/handle_noop_message.test.cjs @@ -55,6 +55,14 @@ This issue helps you: +> [!TIP] +> To stop a workflow from posting here, set \`report-as-issue: false\` in its frontmatter: +> \`\`\`yaml +> safe-outputs: +> noop: +> report-as-issue: false +> \`\`\` + --- > This issue is automatically managed by GitHub Agentic Workflows. Do not close this issue manually. diff --git a/actions/setup/js/parse_codex_log.cjs b/actions/setup/js/parse_codex_log.cjs index 686cc618b95..5f5c82df7b1 100644 --- a/actions/setup/js/parse_codex_log.cjs +++ b/actions/setup/js/parse_codex_log.cjs @@ -260,6 +260,17 @@ function convertToLogEntries(parsedData) { return logEntries; } +/** + * Extract the model name from Codex log header lines. + * Codex logs include a line like "model: o4-mini" near the top. + * @param {string} logContent - The raw log content + * @returns {string|null} The model name, or null if not found + */ +function extractCodexModel(logContent) { + const match = logContent.match(/^model:\s*(.+)$/m); + return match ? match[1].trim() : null; +} + /** * Parse codex log content and format as markdown * @param {string} logContent - The raw log content to parse 
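Review bot: `extractCodexModel` returns the first line anywhere in the log that starts with `model:`, although its doc comment says the value comes from the header near the top. If the header is missing, a later line of agent or tool output beginning with `model:` would be reported as the model in the init entry. Limiting the search to the start of the log and the capture to a conservative character set avoids that, e.g. `const match = logContent.slice(0, 4096).match(/^model:\s*([\w.:\/-]+)\s*$/m);`, where 4096 is an illustrative bound. The following hunk in `parseCodexLog` likewise pushes `errorInfo.messages` verbatim into assistant text entries; whether the preview renderer escapes that text is not visible in this diff and should be confirmed.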
@@ -598,6 +609,37 @@ function parseCodexLog(logContent) { // Convert parsed data to logEntries format const logEntries = convertToLogEntries(parsedData); + // Always prepend a system init entry so the session preview is shown even for + // failed or sparse runs (matches behaviour of Claude, Copilot, and Gemini parsers). + const model = extractCodexModel(logContent); + logEntries.unshift({ + type: "system", + subtype: "init", + model: model || undefined, + }); + + // When there are no tool calls or thinking entries, surface error messages in the + // preview so users can see why the session failed. + const hasConversationEntries = logEntries.some(e => e.type !== "system"); + if (!hasConversationEntries && errorInfo.hasErrors) { + for (const message of errorInfo.messages) { + logEntries.push({ + type: "assistant", + message: { + content: [{ type: "text", text: message }], + }, + }); + } + if (errorInfo.reconnectCount > 0) { + logEntries.push({ + type: "assistant", + message: { + content: [{ type: "text", text: `Reconnect attempts: ${errorInfo.reconnectCount}/${errorInfo.maxReconnects}` }], + }, + }); + } + } + // Check for MCP failures const mcpFailures = mcpInfo.servers.filter(server => server.status === "failed").map(server => server.name); @@ -711,5 +753,6 @@ if (typeof module !== "undefined" && module.exports) { formatCodexBashCall, extractMCPInitialization, extractCodexErrorMessages, + extractCodexModel, }; } diff --git a/actions/setup/js/parse_codex_log.test.cjs b/actions/setup/js/parse_codex_log.test.cjs index 481b82802a4..cb88672670a 100644 --- a/actions/setup/js/parse_codex_log.test.cjs +++ b/actions/setup/js/parse_codex_log.test.cjs 
@@ -658,4 +658,107 @@ github.list_pull_requests(...) success in 123ms: expect(errorsIndex).toBeLessThan(reasoningIndex); }); }); + + describe("session preview (logEntries always populated)", () => { + let extractCodexModel; + + beforeEach(async () => { + const module = await import("./parse_codex_log.cjs"); + extractCodexModel = module.extractCodexModel; + }); + + it("should always include a system init entry", () => { + const result = parseCodexLog("thinking\nsome thinking here"); + + const initEntry = result.logEntries.find(e => e.type === "system" && e.subtype === "init"); + expect(initEntry).toBeDefined(); + }); + + it("should extract model from Codex log header", () => { + const logContent = `OpenAI Codex v1.0 +-------- +workdir: /tmp/test +model: o4-mini +provider: openai`; + + const model = extractCodexModel(logContent); + expect(model).toBe("o4-mini"); + }); + + it("should include model in system init entry when present in log", () => { + const logContent = `model: gpt-4o +thinking +Some analysis here`; + + const result = parseCodexLog(logContent); + + const initEntry = result.logEntries.find(e => e.type === "system" && e.subtype === "init"); + expect(initEntry).toBeDefined(); + expect(initEntry.model).toBe("gpt-4o"); + }); + + it("should still include system init entry when model is absent from log", () => { + const logContent = `thinking +Some analysis here`; + + const result = parseCodexLog(logContent); + + const initEntry = result.logEntries.find(e => e.type === "system" && e.subtype === "init"); + expect(initEntry).toBeDefined(); + expect(initEntry.model).toBeUndefined(); + }); + + it("should add error messages as assistant entries when there are no tool calls", () => { + const logContent = `model: o4-mini +ERROR: cyber_policy_violation`; + + const result = parseCodexLog(logContent); + + const assistantEntries = result.logEntries.filter(e => e.type === "assistant"); + expect(assistantEntries.length).toBeGreaterThan(0); + const textContent = 
assistantEntries.flatMap(e => e.message?.content || []).find(c => c.type === "text"); + expect(textContent).toBeDefined(); + expect(textContent.text).toContain("cyber_policy_violation"); + }); + + it("should add reconnect count as assistant entry when no tool calls and reconnects occurred", () => { + const logContent = `Reconnecting... 1/3 (connection lost) +Reconnecting... 2/3 (connection lost) +ERROR: connection lost`; + + const result = parseCodexLog(logContent); + + const assistantEntries = result.logEntries.filter(e => e.type === "assistant"); + const textContents = assistantEntries.flatMap(e => e.message?.content || []).filter(c => c.type === "text"); + const reconnectEntry = textContents.find(c => c.text.includes("Reconnect attempts:")); + expect(reconnectEntry).toBeDefined(); + expect(reconnectEntry.text).toContain("2/3"); + }); + + it("should not add error assistant entries when tool calls are present", () => { + const logContent = `ERROR: some error +tool github.list_issues({}) +github.list_issues(...) success in 50ms: +{"items":[]}`; + + const result = parseCodexLog(logContent); + + const assistantEntries = result.logEntries.filter(e => e.type === "assistant"); + const toolUseEntries = assistantEntries.filter(e => e.message?.content?.some(c => c.type === "tool_use")); + expect(toolUseEntries.length).toBeGreaterThan(0); + + // Error messages should NOT be added as extra assistant text entries + const errorTextEntries = assistantEntries.filter(e => e.message?.content?.some(c => c.type === "text" && c.text.includes("some error"))); + expect(errorTextEntries.length).toBe(0); + }); + + it("should have non-empty logEntries for a failed run with only error output", () => { + const logContent = `model: o4-mini +ERROR: This user's access to o4-mini has been temporarily limited`; + + const result = parseCodexLog(logContent); + + expect(result.logEntries.length).toBeGreaterThan(0); + }); + }); }); 
diff --git a/actions/setup/js/safe_output_helpers.cjs b/actions/setup/js/safe_output_helpers.cjs index 0d97fa86b55..3dc9897fb14 100644 --- a/actions/setup/js/safe_output_helpers.cjs +++ b/actions/setup/js/safe_output_helpers.cjs @@ -69,7 +69,7 @@ function resolveTarget(params) { // Check context type const isIssueContext = context.eventName === "issues" || context.eventName === "issue_comment"; - const isPRContext = context.eventName === "pull_request" || context.eventName === "pull_request_review" || context.eventName === "pull_request_review_comment"; + const isPRContext = context.eventName === "pull_request" || context.eventName === "pull_request_target" || context.eventName === "pull_request_review" || context.eventName === "pull_request_review_comment"; // Default target is "triggering" const target = targetConfig || "triggering"; diff --git a/actions/setup/js/safe_output_helpers.test.cjs b/actions/setup/js/safe_output_helpers.test.cjs index b7296a9ef2d..6cc63b22912 100644 --- a/actions/setup/js/safe_output_helpers.test.cjs +++ b/actions/setup/js/safe_output_helpers.test.cjs @@ -200,6 +200,19 @@ describe("safe_output_helpers", () => { expect(result.contextType).toBe("pull request"); }); + it("should handle pull_request_target event", () => { + const result = helpers.resolveTarget({ + ...baseParams, + context: { + eventName: "pull_request_target", + payload: { pull_request: { number: 654 } }, + }, + }); + expect(result.success).toBe(true); + expect(result.number).toBe(654); + expect(result.contextType).toBe("pull request"); + }); + it("should fail when issue context but no issue in payload", () => { const result = helpers.resolveTarget({ ...baseParams, 
@@ -246,6 +259,19 @@ describe("safe_output_helpers", () => { expect(result.contextType).toBe("pull request"); }); + it("should resolve triggering pull_request_target context", () => { + const result = helpers.resolveTarget({ + ...baseParams, + context: { + eventName: "pull_request_target", + payload: { pull_request: { number: 987 } }, + }, + }); + expect(result.success).toBe(true); + expect(result.number).toBe(987); + expect(result.contextType).toBe("pull request"); + }); + it("should fail when triggering and not in PR context", () => { const result = helpers.resolveTarget({ ...baseParams, diff --git a/actions/setup/md/agent_failure_issue.md b/actions/setup/md/agent_failure_issue.md index 37460db6461..1837481a6fb 100644 --- a/actions/setup/md/agent_failure_issue.md +++ b/actions/setup/md/agent_failure_issue.md @@ -8,14 +8,31 @@ ### Action Required -**Option 1: Assign this issue to Copilot** +**Option 1: Debug using any coding agent** + +Use this prompt with any coding agent (GitHub Copilot, Claude, Gemini, etc.): + +```` +Debug the agentic workflow failure using https://raw.githubusercontent.com/github/gh-aw/main/debug.md + +The failed workflow run is at {run_url} +```` + +**Option 2: Assign this issue to Copilot** Assign this issue to Copilot using the `agentic-workflows` sub-agent to automatically debug and fix the workflow failure. -**Option 2: Manually invoke the agent** +**Option 3: Manually invoke the agent** Debug this workflow failure using your favorite Agent CLI and the `agentic-workflows` prompt. - Start your agent - Load the `agentic-workflows` prompt from `.github/agents/agentic-workflows.agent.md` or - Type `debug the agentic workflow {workflow_id} failure in {run_url}` + +> [!TIP] +> To stop a workflow from creating failure issues, set `report-failure-as-issue: false` in its frontmatter: +> ```yaml +> safe-outputs: +> report-failure-as-issue: false +> ``` 
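Review bot: The Option 1 prompt in the `@@ -8,14 +8,31 @@` hunk of `agent_failure_issue.md` sends whichever coding agent the reader uses to `https://raw.githubusercontent.com/github/gh-aw/main/debug.md`, a branch ref whose content can change after the issue was created. An agent that follows it acts on the text served at fetch time, under the reader's credentials, so the instructions are not tied to the gh-aw version that produced the failing run. `debug.md` in this same patch already describes a tag-based ROOT (`.../gh-aw/v0.35.1/debug.md`); rendering the URL with the release tag or commit of the compiling gh-aw instead of `main` would make the prompt reproducible and reviewable. Whether the template renderer offers a version placeholder is not visible here.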
diff --git a/actions/setup/md/noop_runs_issue.md b/actions/setup/md/noop_runs_issue.md index a09c5ceaf01..7fd91e3ccba 100644 --- a/actions/setup/md/noop_runs_issue.md +++ b/actions/setup/md/noop_runs_issue.md @@ -29,6 +29,14 @@ This issue helps you: +> [!TIP] +> To stop a workflow from posting here, set `report-as-issue: false` in its frontmatter: +> ```yaml +> safe-outputs: +> noop: +> report-as-issue: false +> ``` + --- > This issue is automatically managed by GitHub Agentic Workflows. Do not close this issue manually. diff --git a/cmd/gh-aw/main.go b/cmd/gh-aw/main.go index 1ce23131789..9ac47884696 100644 --- a/cmd/gh-aw/main.go +++ b/cmd/gh-aw/main.go @@ -122,12 +122,20 @@ Examples: ` + string(constants.CLIExtensionPrefix) + ` new # Interactive mode ` + string(constants.CLIExtensionPrefix) + ` new my-workflow # Create template file ` + string(constants.CLIExtensionPrefix) + ` new my-workflow.md # Same as above (.md extension stripped) - ` + string(constants.CLIExtensionPrefix) + ` new my-workflow --force # Overwrite if exists`, + ` + string(constants.CLIExtensionPrefix) + ` new my-workflow --force # Overwrite if exists + ` + string(constants.CLIExtensionPrefix) + ` new my-workflow --engine copilot # Create template with specific engine`, Args: cobra.MaximumNArgs(1), RunE: func(cmd *cobra.Command, args []string) error { forceFlag, _ := cmd.Flags().GetBool("force") verbose, _ := cmd.Flags().GetBool("verbose") interactiveFlag, _ := cmd.Flags().GetBool("interactive") + engineOverride, _ := cmd.Flags().GetString("engine") + + if engineOverride != "" { + if err := validateEngine(engineOverride); err != nil { + return err + } + } // If no arguments provided or interactive flag is set, use interactive mode if len(args) == 0 || interactiveFlag { @@ -147,7 +155,7 @@ Examples: // Template mode with workflow name workflowName := args[0] - return cli.NewWorkflow(workflowName, verbose, forceFlag) + return cli.NewWorkflow(workflowName, verbose, forceFlag, engineOverride) }, } 
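Review bot: In the `new` command's `RunE` (`@@ -122,12 +122,20 @@` hunk) `engineOverride` is read and validated, but the only use this patch adds is the `cli.NewWorkflow(workflowName, verbose, forceFlag, engineOverride)` call in the template branch (`@@ -147,7 +155,7 @@` hunk). The interactive branch between the two hunks is unchanged, so `new --engine copilot` with no workflow name appears to accept the flag and then ignore it; either pass the value into the interactive path or return an error for that combination. The `if engineOverride != ""` guard also differs from the `run` command, which calls `validateEngine(engineOverride)` unconditionally; if `validateEngine` accepts the empty string, the guard can be dropped for consistency. The body of `RunE` extends beyond both hunks.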
@@ -360,7 +368,8 @@ Examples: gh aw run daily-perf-improver --auto-merge-prs # Auto-merge any PRs created during execution gh aw run daily-perf-improver -F name=value -F env=prod # Pass workflow inputs gh aw run daily-perf-improver --push # Commit and push workflow files before running - gh aw run daily-perf-improver --dry-run # Validate without actually running`, + gh aw run daily-perf-improver --dry-run # Validate without actually running + gh aw run daily-perf-improver --json # Output results in JSON format`, Args: cobra.ArbitraryArgs, RunE: func(cmd *cobra.Command, args []string) error { repeatCount, _ := cmd.Flags().GetInt("repeat") @@ -372,6 +381,7 @@ Examples: inputs, _ := cmd.Flags().GetStringArray("raw-field") push, _ := cmd.Flags().GetBool("push") dryRun, _ := cmd.Flags().GetBool("dry-run") + jsonOutput, _ := cmd.Flags().GetBool("json") if err := validateEngine(engineOverride); err != nil { return err @@ -409,6 +419,7 @@ Examples: Inputs: inputs, Verbose: verboseFlag, DryRun: dryRun, + JSON: jsonOutput, }) }, } @@ -623,6 +634,8 @@ Use "` + string(constants.CLIExtensionPrefix) + ` help all" to show help for all // Add flags to new command newCmd.Flags().BoolP("force", "f", false, "Overwrite existing files without confirmation") newCmd.Flags().BoolP("interactive", "i", false, "Launch interactive workflow creation wizard") + newCmd.Flags().StringP("engine", "e", "", "Override AI engine (claude, codex, copilot, custom)") + cli.RegisterEngineFlagCompletion(newCmd) // Add AI flag to compile and add commands compileCmd.Flags().StringP("engine", "e", "", "Override AI engine (claude, codex, copilot, custom)") 
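Review bot: The usage string `"Override AI engine (claude, codex, copilot, custom)"` added for `newCmd` in the `@@ -623,6 +634,8 @@` hunk is a second verbatim copy of the one on the `compileCmd` line just below it, and nothing ties the listed engine names to what `validateEngine` accepts. A package-level constant shared by the flag registrations, for example `const engineFlagUsage = "Override AI engine (claude, codex, copilot, custom)"`, keeps the help text from drifting when an engine is added or removed. The surrounding function starts and ends outside the hunk.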
@@ -681,6 +694,7 @@ Use "` + string(constants.CLIExtensionPrefix) + ` help all" to show help for all runCmd.Flags().StringArrayP("raw-field", "F", []string{}, "Add a string parameter in key=value format (can be used multiple times)") runCmd.Flags().Bool("push", false, "Commit and push workflow files (including transitive imports) before running") runCmd.Flags().Bool("dry-run", false, "Validate workflow without actually triggering execution on GitHub Actions") + runCmd.Flags().BoolP("json", "j", false, "Output results in JSON format") // Register completions for run command runCmd.ValidArgsFunction = cli.CompleteWorkflowNames cli.RegisterEngineFlagCompletion(runCmd) diff --git a/debug.md b/debug.md new file mode 100644 index 00000000000..84a186af571 --- /dev/null +++ b/debug.md 
@@ -0,0 +1,115 @@ +# Debugging Agentic Workflows + +This prompt guides you, a coding agent, to debug workflow failures in **GitHub Agentic Workflows (gh-aw)**. + +## Step 1: Install GitHub Agentic Workflows CLI Extension + +Check if `gh aw` is installed by running + +```bash +gh aw version +``` + +If it is installed, run: + +```bash +gh extension upgrade aw +``` + +to upgrade to latest. If it is not installed, run the installation script from the main branch of the gh-aw repository: + +```bash +curl -sL https://raw.githubusercontent.com/github/gh-aw/main/install-gh-aw.sh | bash +``` + +**What this does**: Downloads and installs the gh-aw binary to `~/.local/share/gh/extensions/gh-aw/` + +**Verify installation**: + +```bash +gh aw version +``` + +You should see version information displayed. If you encounter an error, check that: + +- GitHub CLI (`gh`) is installed and authenticated +- The installation script completed without errors +- `~/.local/share/gh/extensions` is in your PATH + +## Step 2: Debug the Workflow Failure + +Follow carefully the instructions in the appropriate prompt file. Read ALL the instructions in the prompt file before taking any action. + +Below, ROOT is the location where you found this file. For example, + +- if this file is at `https://raw.githubusercontent.com/github/gh-aw/main/debug.md` then the ROOT is `https://raw.githubusercontent.com/github/gh-aw/main` +- if this file is at `https://raw.githubusercontent.com/github/gh-aw/v0.35.1/debug.md` then the ROOT is `https://raw.githubusercontent.com/github/gh-aw/v0.35.1` + +**Prompt file**: `ROOT/.github/aw/debug-agentic-workflow.md` + +**Use cases**: + +- "Why is this workflow failing?" +- "Analyze the logs for workflow X" +- "Investigate missing tool calls in run #12345" +- "Debug this workflow run: https://github.com/owner/repo/actions/runs/12345" + +## Step 3: Apply Fixes + +After identifying the root cause: + +1. Edit the workflow markdown file (`.github/workflows/.md`) +2. 
Recompile the workflow: + +```bash +gh aw compile +``` + +3. Check for syntax errors or validation warnings. + +## Step 4: Commit and Push Changes + +Commit the changes, e.g. + +```bash +git add .github/workflows/.md .github/workflows/.lock.yml +git commit -m "Fix agentic workflow: " +git push +``` + +If there is branch protection on the default branch, create a pull request instead and report the link to the pull request. + +## Troubleshooting + +See the separate guides on troubleshooting common issues. + +## Instructions + +When a user interacts with you: + +1. **Extract the run URL or workflow name** from the user's request +2. **Fetch and read the debug prompt** from `ROOT/.github/aw/debug-agentic-workflow.md` +3. **Follow the loaded prompt's instructions** exactly +4. **If uncertain**, ask clarifying questions + +## Quick Reference + +```bash +# Download and analyze workflow logs +gh aw logs + +# Audit a specific workflow run +gh aw audit + +# Compile workflows after fixing +gh aw compile + +# Show status of all workflows +gh aw status +``` + +## Key Debugging Commands + +- `gh aw audit --json` → Detailed run analysis with missing tools and errors +- `gh aw logs --json` → Download and analyze recent workflow logs +- `gh aw compile --strict` → Validate workflow with strict security checks diff --git a/docs/astro.config.mjs b/docs/astro.config.mjs index a61a8c6f9fc..b22f23eef08 100644 --- a/docs/astro.config.mjs +++ b/docs/astro.config.mjs 
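Review bot: Step 1 of the new `debug.md` hard-codes `https://raw.githubusercontent.com/github/gh-aw/main/install-gh-aw.sh` and pipes it straight into `bash`, while Step 2 defines ROOT so that the prompt can be served from a tag such as `v0.35.1`. An agent that loaded a pinned `debug.md` therefore still installs whatever `main` holds, and with `curl -sL` an HTTP error body is handed to the shell as well. Define ROOT before Step 1, fetch the script from `ROOT/install-gh-aw.sh` with `curl -fsSL` into a file, and run it as a separate step so it can be inspected or checksum-verified first. Step 4 also tells the agent to `git push` directly; making the pull-request route the default would keep a human review between the agent's edit and the default branch.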
@@ -320,6 +320,7 @@ export default defineConfig({
 { label: 'Safe Outputs', link: '/reference/safe-outputs/' },
 { label: 'Safe Outputs (Pull Requests)', link: '/reference/safe-outputs-pull-requests/' },
 { label: 'Safe Outputs (Spec)', link: '/reference/safe-outputs-specification/' },
+ { label: 'Safe Outputs (Staged Mode)', link: '/reference/staged-mode/' },
 { label: 'Sandbox', link: '/reference/sandbox/' },
 { label: 'Schedule Syntax', link: '/reference/schedule-syntax/' },
 { label: 'Templating', link: '/reference/templating/' },
diff --git a/docs/public/images/projectops-write-board_dark.png b/docs/public/images/projectops-write-board_dark.png new file mode 100644 index 0000000000000000000000000000000000000000..95ce9995d6c84b8cd412a913cc0cf387e02060db GIT binary patch literal 189523 zcmeFZXH-+&);~%W1rd}gT@euw5a}I6Ktw>L*HENM?;S)$RJsUA4TymB-b;`wz4sF7 zEf9KukmT<8ob$Zr{_hy?lXE}a50^0@nW!J zc%%_{c*N9~F9Gks&A$oa;ayd?RZw`YqM*R`+||j-*4`2i@5#q_T@pRbZrXIimnxSj zKfL)el)`qK+f%N(8WGR&3fXp9;@m@4YZQyUxO>)Zb*D8Bz`zUn@$ z))$X5Q{9Dkc=a$IXbL<<5`$XrlU+}hL@eCIqh}^ax=%Mwz^0MRA5DJ6RO5-dSzJ27 z)fhZ-dc116A2BXjS?qZCLw2CODRy`-suG#C4KOfFiK5{hoy+)g-)^bXalP}Q#1P>v z-2c*jh|ku;<|H5u%4xN`H4(2sa;sQp@tLrr&Z4_;^OO@6Yj4QuExcFBa%_V{aup;8 zFaoo?V`eQj!4+C}VjsaM%A8CVw63=w-l`52aaMo-6dZ?+R9}M%jfM#kzwNtK7?ll) zA><&{FE(AnBt>D24_xCz+@@Nd_I?iQ%r}4Ux3eTH$R)kllQS2@O7_u zDHKw;ROwx(7BzJZDBrvaau1gkO zQPwJ_v4p2D19kj=Na#)}WM)8v=*cG76I`h-d9;7Jay_K%Lwm6N)|5-RUNU9wnoEFw zpj@HveMkP@NS4wr!uGmb+zU)g-iq>bzo*{%*NTmwdzampl`z@iG>PTC9Ik^5fsQRV_WT*?hyq&x^wAMrVBo* z$^1Fq*0JFtfuY=&-T2XL1B8ogbPGJl`0olVcix7@#9p+q;}<@nSKuqm zM+Xg3l!I>ay}Esge)V^ReP;%Tzz6y#S2-?G?KmsU(IGn7e~+{3(4~g>UF+N*Pv846 zq+Y90`*eeCF7-CoXNp5tsf{=1KMBuNFe0+G!ej1jgwCu#uEo31I$maS(G{bhLxc!6 z$R~*YuHoi^nau=+|4!i)GF5iT$@p@eI_T5RUTpG7vZDfbzEMyLYgNgn!r2=6@l`Mw zp?0EJO3v!|k@x2{bLDe=Oac6jzM`iT!!=E_>$HXYJ1kV{BK#|biy(BpkcQi+C6 zyh^BBkz3*+rw6FnTd8@=az!n^|BLFwii2sR(=N)2vzM8p_o~Ay!X@$YG12FTC)_z0 z$lFo_h$|TeuVq~i1cDBN>Pju}E;jIGuY^HdtC>#ihVg#G%rak^WUM)lhvGq)uAZLU z#G^9Bw>OjGYhm^#45B1zm81SZ(rxh zn1L@8LiL-@nZ<}m_a|?yuf$KmA;N_>(U;%GP)f8uzDlXtPU<3OM0sr~oaol|C-*-` ze7}|Sf%?VmirCO6T;&XTa@Dtle?|W?TOo42W~=OY8xg~|!f}A#@th$)oFQvs!{$qf z>#(yBOWHfDZ=*wx+^^R&@hTS#N!v*K5=cjzC`t}l+wfm{KpqjAWEMqFvTXK3k2E2; zyR1&{iq3m&GY>r~|AEA^YlVz{(Nr#X2RfM-Nw0NKIp2~Y2Z!^w@$9{BWRVR8b;1{= zPw5EKOdmV5d0#($cjeu)R`*8&nGvON&L5l^npM-@i9Ws^t5|u8o0*qLI?v z<2hw1b$d=3wv*3K?ht+^><*(=yb*Jt((#@AyYzR9@2cO`MrEfgvwLSZ&IHcb6~oOH_rE=U@%T&97n(23U+(r0KjmCy*G_q@aGcqxS&>KfV|7eo z%XZ6Qi-(+?+>Kl#lAioyr+=htB#OaWc-OWucXJ44D`mi~redf*t0<}7pyH>PJ6g1f 
zKBD%O2@r33ANV;i5v?AVxB0z$lG=7)v~a9&vhn*_s=S$=Ky5^K#3QAf%WTU8S%%@? zEQ>luZ`kyY=Z{GgdKeezrsPR0Nj{a-@Jl*z+;N-HaDO5(At5huJ55ny)IipC>cGLMjBD#ifD zX0=SUqJ9U%`Xca-&@A^XkLP2_DC4O4yA9zdKblek5(2VO#3W-s=jE45yE6l*&AzPP z+x(ILVv^Z5%BYK=%b?3o{eJG{+}pXAa@VtXm2)FZgwOjn_y-&Z>INiJog#;CQiIpy4cNKd^puIwIZEp5O2^Yy+0k^G}m;{bj=&Jy0ekC+%${q7E5tia*^zm-V;Dv zKea#H+_OaHoH-uv>Ei5ST*!fV8ht3LZ{dr>6j z!MB1rf*s@~LM8WayeONJR(}3t2*_rS~`h)0FakJc3 z+eMc}nneUVjD6+0+Vb$e+45urgxQvcE7JZ0!HbI@!Y{nOIeg1i#4ssDe2mJA@S&Ex z>*)zg60@57QakVBv_!b1+YWtNs`mVD<(-E&G^y-vK<^UYEmGh5`oOm}^~!o2c^pS~ zB-i&Z?O)Qkny5nV7N<-lZ6z3_`Z|2>|9&%WKushyRr2f?btm=DFCn(?D!*6G+k%N+ zyycd6l8_Cs@Qse)G~)Nadq7u2}w^7`5{A!|h!Z`1u3iloU za)pYTSCIaXJ=5`{i78(i_@h%36TI~D+52PDlV3md=p6G*3Mtf^5a_p?skfCra6VHf z{`U2|P2XfFBT6T`=sblLuCnlG^xsZ%g*D_b`g; zIqKCdYAWh~P*~7YO;tl@ zA5_Wi(v`$2COZZbn$xd8JmlLfj@p{q(iCP97H)|2Ecu~m7hh%U_Yz?=$5>laHc;j` zD>KnNf-;4;Vn$g<0~ZCyaa^!+(9s8p{fgI$`FKn(#C7Y(zd@`$)p8Y2cWa>U_|X_f^v&w@m|# z;y6u=v#zy{N;?*x^&i-tTLg(iL{hzELC~!U-wn|k=(Vc4nsLxx?U48Ip}8iq_9QFu zf-kL>$@?sk=YnUwM9IVflHk14c|5kwEc#e9eXg(RYzgreD!Y&zl;Yg55;c)l-k{`F zfG$N^fWrK`V*P><2Jo(V$g$k%?`egOHjT7!mSNU-X^{Yt zG938-lck=Dm6{qJH*kF!j|iUuj~KYZ2YzMn8UMak!oP<{_~(5BJiIVlJfeSnM;&;@ z{=@*k*fD>-5`KPnkgXmyebHH5~X)`nHX`yR!s8zn7O6pO+w?ldCnqfVj9g|AUA84gzz&CH!V+@){d#!mG2&tL1b^tSztX@;`>^ z{m;;cqW|}y|MAiPIaJ%t(pAC90hrWX=6@LWuX+FT!+#Bw;>Yg&KWOn6q5r%KP+Epm zivMq}$&luqW)=X9WU_s%p#{7GVut-8_yqj9_tz_MO+evP?9HEohbM=p@>pKW8y`0B zRZBfSPqN3V_WZFN@pVN?KP~&=51n@szP3|aeB11QoW&(ls$AO1H(?Wz*PPIvY;OKh zDUw(f*2%}MW;+tUD{0+*t)Z8gZ>|Zk+vLCIV>&1<=w`Jh*n2)W3AG)q4#=fwReFPm zPe62;l1&bWi=o%VGnXT(XS}w5;yB{ZU5W97Ux0{ko<;7B91k5Oy~8U1)be$l*7eug ziIf6J{+neL8OfPe#zRb_m2uemzsW;Mf6V+}tm$&4D}L~>4*IP$3+`l=lQSLj`Y+bR zHq=8*q-1zTcH)gICxPt*CzC}KS9uO@Oa%0Aj95l)RBpWAyMJDa$e+GjwWyOHB3}_&1CH_r0~06DJElnDJ_hG!H2(x0%UNPh(i_jEuZFn#+$YW|jvCYelQq zq?)K_owlIwU1_(du4EOj1od4$wrb`{&IgKktd90YkYHke3}$djF!(5G2NE7`tRak_8Ovy5)Std3F}SO3*`x==;K zX}X?eNx508XT9h_B( zE(<-$sFgy^)g3OCEn=dG$!LXaWH@n@$qWMmH3oWK9lA6LkJpXpnci{VONW5@%djF6 
znendJn5inr-n3hbti6uYo{2uo#a&VgA6Mj6g!d}Hk+Y+@$EOC)kB~VS3Me`jkfy_J zo4f$&2(pYDJfiVucPRy}2O<(d=T2l6t_@gafwWkqINeN>^opWO4-&bn#stDpF{|Ka zA%c}|*p#=}xQL&ZStxf&Iz>Bt?-JkzR+S9On5=Kg@`4{*{7Zs_G30fGxb0fUH~21D zM9$W?yq+Jc8@lIkCOm>7lZ@K?s3Y6arAi?hK7mV0TfQlWGlTvDimOPbfs6Y|4=1V@Jp~+=c9S}V0%!ZTjplY8qF`T0vAy4iV-U-Hw%C3&|#vXcW9v-%=_o*uuIZ12KKY{ z{qCJ138IOeroh4mM|f*nqpY3IGq4P=p+ul(maI`%6mynpqOke6dK&4ZFLI}B|72=7 zGI0Ji2pBx`Z4K~yI4~*W7Qj&QVK=^D9qyrA4d}+OTiPj`UvqaHXIEd6VDg2Eq?d_w zy%(Itp`1s9UY1WO(zl=+o_ULon%?0bR`^jhq{x03u=ab~k>!2zH#WR|Xswmlkc> z12g}M_ln_KMuzaxRI8Z?SaAmIZr`&PEUG&9XXTO14tuxmUyUA{2x<+5}mnY zHJC)T+!bAL02@y!wjT5VbgQ8K!z3t@OY^R-(~{Cx71PS=&(&~qf-R(Emm_qBB3T4Q zSo1>PSXsXDKpp$8BXZ?|XdpmjgHF19D@`+3J<@hGSKDqTf3QL+QTUtPWU;`lg0~W{ zS5maWkYuXr>Xr>N<*T0}MW=;!PrDpk{7$-Xb4YT%HvpUO4I;>*VXNl}{o9)x7)Ldq z-uTozGMFkZXcD*y=~zs@um>#EAndU2)cqv4*4THy)O%-K_meT0Xp6U0iS`t|6o~9f zFeLvVs?<#V$Wy*qg+%`*F~$Y*SR*e}Z8C&+1dfJ(AX zx7|w}Pd9B5k$j9i*)i{%5-2nM`S!I2sOk)BTDOl)_<_)xbx`K;@%WlU#780}Mg@3+W7^QM5H@hie^3I0OVcH^L7NxpwAa-*o)uqR(Y{ z;iI62EC<{U7tbq{4p@*-hXBGXLXzDZZDF!TE}lN3%!1B|!2+fl=nVV$?an37qCOPrwh_ryfu zlaI3K9hroEwRq+4>sFQdk5AdBG&U@%5s#&TYM8SQ#Y*x4RE%DOKf*_SD~NaF;}X%_4G9 zm9NA>4I}RWs)26^Zn4=EAb~-G(tZxhhmdq-$cK5+_XFgeC_dA3_=7Sff+NViSkn}DDgRVVY3g43Go5BzgDHR~K0rnSL z2UywV1rN7HF)=YZHL6UrFSxg{E(Zrebw#Sb4|Jy3GlVe<+=EK<7pO~|egLloM6S}& z`@^o3{k#-#NM+sk^}4JidZV!fNOk_vi4J)KK8B{c1J9bFn5R97`|X1FsM?vnDrpFx zUAmCG?GK^jZBnp^wrQnuG|T?jC{MN4c|l3z4J7RFCe6}_YM})ntc2P43V^3-G5o1% zsA=jhPwS02%Turb3}5dU5T4u}c4Zx^ae|2LWhi{}L+tJ^_`y4lCs80NgP=`_&YI@q{&In|%fZ82fn)$PxAno(28O0W(uXJnipQ~T^L@5VbIZm{ zAJ`on+`o+(c6R<}rtY_Xk&9k%U1Ijo3RU+(z}yD93BExGNPrZXit%JS5g|-VTDjJ; zalT!`3b0XO0kNn2eiC`Kbes-oi7$ARiNq1orXJcW;|!hecR9;9sSv)TL^Y(?HV_V& zsOHB7?}?NeJhy3^CiF$?Emcc2(j+)KqZ#SqI3W#v`8leMN%8*5*yw3pqRBiBrZEF3 zD;-t2Y=!lpNw=kx%sq0fAF6i{nl8XYJ+>ziO0^2u*ibURe|IWD$bc=$~N5WY;;i=IQ}02b?J@}oD+6KmvDo7vxNPf!~4YV7YBcfpz8~YyJ9e z!%|65Gj2BiwKkxAOZ}H4_=xhHOphiEF-(%Xm8GA}CEQZ*4ZFUp#BpoUc_1xmo`hY! 
z$XY#r-RQIbigrYNyH9YrtZPeG`d}7{R%g0s3$d8@@Jl5A2ILpommOtJ zHnLn`WnG;B&O|%^SY}$L5C^y z67EkHG$Q$oCq8IuND80y4{%AJguo2AhKU)Wf7X+S#OJpW+KB!+yw(Iz9p>dDQWkTFm

YG zh}YAYsW>C}C0ANPu6=Z4BeKU46`$r?*FU$$Fr=f7G`*J>as;5dTT zE>=yiU#QeWem=4@zQHmGdYoo|u3~Uya`=D8$^Q6;v3$UFccfgWH@^H5+Oi>yxZn|) z^*?M?aa-$)LNhw*-KzhAj00cXiIQDxx6yoA+*J2R*i2228PZ*0H`pw@})UKtYV}?ipQt8nR+J`r}Q( zoW#f?AjuLq8WRL&TmN#4vvZ{zo)B4*uC0#p(UGsJ}ITht{V#w;!dnDn@dU)1!dZLm|+Xkeha4vqJV&}HfcDUXeh0uEba z7gJ+DoJ`$^1iF-=&8VJ%0K~l4GLYQ#aN9NCV04_4tsY2_1X-tf^hEhAM_zXsCSG5& zV3u(IaL9kZ6E+36)>f_I$}{i4Ic9=@mqf}CVaNv!uv+nKul%}aJ%kwe=QY(Ei6tbVYUBcy=B@;Z{ zj1q~ES7uEF$1!mIIPX#A?-WehynqFe)0aBfm#yjyHybyUFAvBf3h9Lpiu_?KqXQAb zlSYDY5Hcv}Ll+BkIzrQ8P$Q7LIfmB{REJufNLdCUE-LK3bJHsFv!MoBRYz%F3sDsV zVpTApUh*HI3b`UuAfal!89W@y)=L_(Ti#pjGG0>hso0o~Pdhci4AW;Vlg10b@DH_V z2W;(4uQ?xG{TSC3LnlksQHqbq-G&-Uv`X&-uzyc?*>Y5PLX8F$v)j?{TJ-sL@7hHx zT{C4OXusG0KCdNa7K#$tZ9E*ffBDGf`k|7y{b@CmcZU-CgvT~=C_U-&5i zJTr40oq@Ypqe)m!y-wDHA5Cp^bAltZlK34E7$nrvtmp_fY2>Gt8noaeU_0`?b-#1B2G;-9Ly4^HNEqlv~4|AAB}ttZrNBf^uHH)6xY_f=4t+2ND#*}S*_ezEmJg+iHiCrRRNQKJh=OpF7PH@aV{JwuYxouqE z@Op0voH%p(RAby>X+nJ4kOtjCHpJx9*QMO9mC zu<7@bx#&n)Nc5@7LWz^bdT>MMB;;)8Vh@Oe+XX^;6v}PaIc1NNPUqGU{n4tloM3l< zfaR9NO53DqXwb<8rkiPNrh48nOl*&YBymULWP{z}q)CMVMP;XZ_+)QY8dsRwyGX7Vjsj;10v*K~IG7MMEGE;K{+d{c6IAoovO(#DJku0zr~KkgCQ%@Z-K9JquWpSm$#&vjjJ2? 
zs5GSXtLH9suZgj-1fFJIoZ=H+YOmieHr#-qPGBLSAN5b~ zLFEOF45~*!F=#}d{<`P9$7ENR40_)m$}0+G3S$k_TPU$NifKZY1nz8GwiSs#NM>T!sF%z2uyp5~$S{dJaYfrjbP1sQ+%HRc(* zD2fS2g0~x#&u)Iy@!pK?{HBj=ikY7*v6l2mzTYGk(q|}-Ko-D9to$#fawkh z6NYRiivv=<7CC%=JY@D9EklvV#XJD}+pE?iR=-bC=T+X4+zgm6>UQ+12_tQc!~=AyG2LL+U}OvxJn}p`PJ} zn>P@D`M$==TAl>z)P9N~T%y6R*l3U}Psg;Do>F#92;!WUW56637x`?8XC z_9}%t3 z+b%KIa;US&Rd)emIY8T&+m|n4QTg7^1R8qOZZJv5iKKrmEY%&VI@?@{(e3fnz4V1A zF%`4An%EJ}F9i}?4+lxGc|t7)A4w9+Mfc{%-Nh_DL|}l#?6kLtjOR&^O>fas3@a}w za0q^&>T;I7I%wp{E`ft(XQ0Ab_FDv5;c@_InXQ))7YGSqqD6yI?&A4hE0 zj7)=ni3IuYbL_98=(Oz&M-FzfIgdAn+0%W`ll<>#3(VUMh6bnmmqsZi^4YzLSN7|e zu|s@Fm-cHnuq$C!cz?CKEg1+da-IefRxjj7CDD;bGDzPoNszEzYM-)7QB-}wFOlDP z4CYL~S5RN`kVq*`PC&?@ztkpK*Hnm0Xh%ms_GlzLOwsL<{5J9kdncchsl&K3cp!)` zrM&jpML9v1v|llmETix1={lYf@vS{pI)eNTHy$|hK$Sl#5fmu!QhRLV!E&Ui5i5oC z9=x11nTyiks$RPLf$cDGys%U$aEGi_Jw-wo&aYu{$SXrFd*1!cas%oIZxUOaQj{Op zT0JTNVXR~<&%J^crma^{<`((@^j5LDEZUP0>+}mSu5HWpcIX(5vMv+9u4d51%LNPq zh3M!PMVAf9y8Oy38<5zhp5brYgVr7#s4jn9*5JMf%>MZ=2sOJj2vg$E>xrD=B;7fh z1Q$a@SOPbKaRTRlcmR0+C(%0(>M2*=Goq1+2+S6Hp) z`ooqRx)Lc)UoSx53w}!zDNcRd{*E+ZXduMzH76d-D(4tSTB;W0I<&sK;?kL?KueZ5 z@Ku04(DP#WER|Sg{TXD?R?>B-tjr99KC7GrBIx~JdtnEGWo3ZX zv?U&267NNx9gS*qzykv;0}T+ncAZ?g;3NdpXMIO(J3rw8exKzlz)T#jO8d9}QyU4C)t*H-Gv3|{HF7KK>gDalBNkKtlQGq7e< z6`NF-18a)iVV`z|i_ZJ2ns^BEuBRt>@H=`fc<9>6yXR}4zC z<|W(CSiMqx?9_Z_W!VMt9#(W|!C&pAOk{qpoSPXutR^}yg!X_3ob??GODsnSF8PrJ z%F1e(3gzl$zHiweEfe1OKEXn79B|C1pRre1=<14`yvmCNHO47dT_mxLDt>1=8?tB+tkx0E#lQ zPWzY!zILfQ@!XlQ{Mp-k@O!m2X4TAcP)o`d(6yf5wi5irQi;_?b!!It&WBB3g||_y zX3k$a02bPb_{j8669m#!I659tRrEm$H8#`BCWH8-36az`QI7%%(E z{cjxaWE z*kHWCFM>UBAI(+cCko3M{K~@hTzD^NG2i`}0%6vCgIDx=I>u?=b>Erx>3I)6$qI@? 
z80~yKUbdd@x7uJQ@Ib;eh51_m(o^7WL3uqJndbObLc)qk3Bnh^QZBqtk~m)50HEC{Ew#E@0HYagcH^(Dt!>!z z38Y0c0oiML8O>&@%Y;vCK0|I1y|WYmePtQeIEI#uSWY$obp*NTE;?pXsN~-$mG2K7PLon?v?D=Oh zfK?ZXS%x+MD3kAuZEhDLXfI^WY-8xw{w(x<;VUlyr0$|SL76wh!(^qz(6PiaiPhO# zzWmKcF9Uzsl{7PePusi5P(7B507w#|OZs%>1}owSbPEHJ^+Qyg#955!w2MLS_$MyRR|1I?8&~ z#%g(M$$=DgB+Dvw@f)%{iuC7$f;Pc$oTArKtl915A}125d~4G&7VcrFYFg>)b2`$p z@w<>=`-Q&n#8SfB@3xqcYK@@t(fw`cg^2758o3+p6nMxOiVh}Wq0a^HANoUqxR!C! z#7zyzF{BU|hr>-5a~os57ZA}bi^PZ1S;dFrNbxGBClWpFj(WI6+M^y}@{ zyz}kK&C!J8C;inyk@ugaw!Wq+H{Jdb>m)K8Ft*-Gkahgx^_&H8=rB`kj1)ulxgGqr zT%8{WLdMPOA?9&vBK;I;Lbfk2E-EvpU15iZWg|+Y?LppMq2t!GKwXp*M7nywc{Rb% zfmv4Si1REjOF25~coGB|(!d}3seJLhkYUdY67<|2f(j!;0!M+d+DbcLv~3+h8@U|w zgA&VQ{>ATw{?2m1OVtn*hs^Qj;M$~tPKz60j*leWUv|6hZ9amaj!Tx3a>0Ei`qNLw z%_av3$~$%z!&oDxr$-L54S@rpB_Mz54_gRC?&x{VdmILmu3%NnCn$^pP7OUg>y$Mj)BS*x@|s_R;zuzGOVzVzoehv%f7SlSd9OjlF|-tv7OyypFYSBu zAvfKmlE_V%APWmTFSW5Q2td%{>#59%Cayp}ZqMYqk?ArLlWEyjMNhA$YJh;+#C=WE zK4g>)G@3?DyyOf3OB9zsjqpZ|e|>1_$~!+}j=24xo?a!6;=U7*7Mp^}&l7m1O?*c^ zh?Q!fW?iSd!QtHZbC*HAZ^II;@Y{PF;$aPbuqz6r5Vei~fPJ412TZ8n@<-L!P4W#u zHp*>MLZ9-~)DNg+c83Id+pK1WqK&;4Sb_%Mrj1YOz(+U&11EgWw7A%k(+g^|S7%F5 z5GY+kcmQBFlhv^jb=U*W0}~|EQAmm|^bsKAXFc_wocQVMRl75KE==zOz*fRFni(=r4ns|s1m_!G!^r%nU7TTet7vi0c3r4{E2O~(!xf*eesaACkdv?rR z2r+>-8ruW^`~j8BMYkmGLZ{y-S=N>VP-*q_!@i)?w(&9~i{FZ_y0)n3g3a<1aL10U zhSc>YU*7zc6KwFdE`yw2+ASZf7?6={M(w~?EaJ7L_#0q!`yHs0UIZ%^1VYN9V*$`! 
zTh~|^?Sq&fE`h%9$h@y7A$jgp`vdGLbw0IRw%|)v(3wr@D!Eg8?`kqwZ{&1lvYB=r z^x!_L3Vs&<4x+>RV!!LK%-o`3r#c#f-f@b}zntKRWj;dmU(Qsx;eG&6p6PSA)>Sbm z_2Q{PoI~*NS`aVK4SF>%L^YKMEUy-1x??6(n@_9hP zMD=&%(?kAkgX1d^j#bBR#7<*a6XzXCJ(@3;$o7F_vCgkA*s(=M7P)C8ot=zMFFoh} zI-=MvHgAFhMJOzOyV{=qTaEjjA8I$=y3sMpZmx{>wl;MTqW2Myj*dH$muqYGEQA?p!P?z#7+aC!Aj%P;qNm$&U*f;EWX6N!%q%COVPb3Gj zZ_P}=E99Bn=01k+oc9)qc0qQ}*3Fke7bE!77|Jr>()tyeYHJS!lOx0-r1=*lpvFvJ zRC{4Q4=|3;ll_?98%TGSQlO_weETsOB93n z!-C>^w`p-M%JY%llJ?gHMLHts5`xx!AI2rT_zE_}gBBWXCYu8mrvSXrYua+McCnL@ zt|2i0y@c0p<0ImqCp(fWNb6Vf6O|EeE?6#<&%fT@A=Orbrb&rg4WzzkT(!c$=6sIz z1j%@Ex4sR^BDC)R$|s*Vzx!b3!s*AY;9;POuxn^EkY%Slh_1r{%Zs3?`_vb0jw3SyVh79PR1kmITdUc=q=-V6gxbF5Fzk`GaB+JdCU}t_4rxb&&R@@~g#< zWVN3+Vc~_SpbKdvm}YI<=h^0O4GLDRAD@kxQpDY?QoZMXn|qZF_Pp6V9F%6%HTF3( z@4AUYLSIRQ1!8I{%Kn=SWk7%iBBCfBKFIBtRgLHNVC3BT^3-xv zBpM}}f4GOu?@9taER9?g=YxMNsTh}kN)w%Pwy@vNUWQe>@7j=wY9MmKOYtG9s4omvmQ-7b9`pk@&|z&24&@gVGjLI+7-@zsYF&4KM%%0g*%tZd;|09n zbD)A&N35t2sONgG1P8zYVKM_pniR)+TeGBn0gKM|!$DbApv2U0*AB5g$xr6H%j7Uy z6^@ZYdp90D9eqDNQej^+?>U@1cqz2>HR*5^lelXgI4ePYV>H+4XroR&b7W)1${<~a zR{<(*_+CbvHZ3NAUn$by{N-rXO5$!da8hm8KZ$E|fj`y>nqU>To~KBzY{Z7ZJ7}V? 
z_2sBq+2eqG?wRafhO*bW>cq$d9sSDF(ChTPPfu|v^a46tXo1>4o`tt9HpCxxpYjeB z86u`KoG>=fX5*h`C#m8BJcb0mC#lo=!sB(?`X&tyv(>`@8oyEdv}@xFujIT-yf*1% zvZzyFgumTmv(3$f(;Gmy*^;5#;6FPCpqRj*1e-TCH0|f4Sp04YKHJz^Y&-OH6XJ%i zzCl6em}(Z2dCKHS-A}g0B`0>v)LEDuo<&hpr-_*v0jIuG`9v=n4^0w9YFai%++jEs zPs?TGVG9)6Nyu54LN1XP(-%eVmYUJEmy+@Qh)i*zK`TTMfI#o-?QcP%#AA8@EY!xsDXa{)PhSfFM6u*5angG{YWEsx>5 z)?V@iJokY*@>X|s9C>ve;8o(AWbR08z&m|#q$*bVB24qS`{`boHm!q}WgOLyW`Lf@ zYW+`es4Qs`?u4#^VLkvI89y<|grsIJMW6z69nhrY@OQ045y+G(wGc*B7TbFW*;_Gj+F> zI01SWO^Jc!>QWBa;xu%MyYYJcBI`FG4Ij{v&dPEzK!}0c7Dpinbh5u?^h=t|MDt zzr<;^L^{ub-4QQhyQqS*0qe-8)+K}6$YcWmz|89~js{5d2)IeMcRveG9Yk{B*MT-5 zfs&p`fT5qUBpR7@Ey0aM5P(G6L0#!FKu0AdaFbSx1k6$45gupG>;Su_D!x`cr{6s>9dQsP9}B7mBe+KoyS z^4QKapygwR(M1*~^5{4M${deG`S}tMF<|lKSW`7soYvby3QSZ?nGy%cTd6y6mu%z| zZX@MJNh>#N_QPasKB)rTqY&pLPOx_&7vDMquw)yZU~|)>B2i_b?SNXbf370?v)0dY zDbeuby1Q2*Xo1qn@EbB$C~f))fMa#LK&3%kn=7y)CJygO14QgCR>X#ST?=rdAwjT+ zaXrF*gfxpMI8PZj8TpIGV_yL2RBO5>s(=&C|EiS#FHCnHcX8#vp9S!D2>F8x;8wCP zv*Y`}?)Ucx|J%j$0ASEoN^Gunk8-h03C4_!hC*UP=KZ&(9ntVnAh08(;Snqlv}uuxvYh4 zs5sBD`u~zr{k`Y^Uy=R@=l`!re+2sfr6N6d`-2%NCkoehzAo^Hiei>j1p4OkF=PLQ z(DT%_H2NG`oWS&fwk1J}^U6E{%bt~F+E{-3sqMUvEjF{&4q3V-3uT_s9z>5BPh`?? 
z=`H$8Pj#NK5kKKnr>BEA3X0I)*DHPGriHw7*1Gjk1So&v2o&9zm8JMJ0Q4RL53yhZ zda$GQE37&iecTEVmDpZ+Tpb1}0Z>!*;qT{b=qHo_m1Cj%)J)806CbQf#0--7Q>Crd z`+PB|uhQ0@eQA<4R*#B!SGUK28v!RGDTB|s8y05MJv$8{Qm?{fJfGeKEuz=`|G@RxX{ z@Uzx4GTQdpl4WKfbga)&&K=(5w8!KdSY=uKYh~3iQ5m3DtL7 z8B%jc<}AekP13~^V;%#V$^5A?MFx&n&Lxs`yh~LGvj9LKvZ#82PnD@AJT@T{w3xW| z7)MG0i4iq{t=4*x|YAkgg}sh*zL=%{7@ zTLC(jGM^hC(WnmVZljWLdz1lIDunXo43Yy!|L%FV`C>2));AI|4ik!*hE= z`rN5f1?Woo)5#loB6s&L?kbeeQ#!q7s01|KSpbsK3BbPv5%*tvC&- z>WwV}oW=i*TsWmoA(N@g!iy~Bs>@*szHz|AIF9@4oN$-zcLW`#)>UN6wClh_9_A9c z9?aA>TjBVKA7GP3k22_Cz{3=hN;FL?Et^HXaJTKrT0nTEQdbZt5Ime8mmGtuQMp_x z1Ed29D0N~b!xN+%0%vk%r~r|A%DcK@KH!N?HkJQ{a2F{9OWpOV1A05UTGB|A&hO8& z_^iazqkrv<{9o+7c|6o>A3uB&B@!jsvXrE{=Bb56D#6Ce%88x zUu5qAnTrU3o~hh*e|#SaT2@?t&@nTC4ot&9deKUwWY=g`EB#`xqagbqBv=e*@f6kF z>(YTQL>Y$u-h`Z3y(^%%h2v2E-pW_R6^3lXxrP9aY{O!+*J_yn?frJ6Vv&Woq3Qk7 zhjLWKBK(>}x z?~BDam$sd<1qINno1~nkN*rp*jHR&FW8Q3qi$ZL-i2M~+g6R-qLbtgq5wa!-ZPT2s-Dy1W4x!e)!S8k*x` zzQLd|4kqxuHz013s_t!8Uaebpty^S6iAkrMc(28)(-y3kj$Mhj>Kd=GYwLlREG-`NMv}g5|jAK=g>grF%izwnP5F`*5QRZgFmodu4Un9|;vmTx*L z9Yn8M+V2rsp34QDFWgRPNp-!G7aEbHnAo>HLZy{;K5&p?M;n=7%D0%gK>UP)^L4z( z3X!7gD!V|-Y=}7Io>ynd;5$T!SgvI*?V+Qm2yR<>Z@BHMkY%8)%7rofARr-pr)=c) z9su2WR=REnZPN_sqWbsfSiz2LVRaVqNvJFXr@jDuRxulwTWLM?^yGWxe{w4&X3u4x z2e8q$L^Lv+l?@_dBehWVBbAnxnRoQgX@qIKlQpvPdqt7~a^{AUpR||fKsY*61rm!G zg`17cUz1eOoHjc;Sk#&+kfFR8FYLHPCaEYWIvTFRTCE7bZxF1&QS9@J@YGw&t6w0ESUL|pBku&Fp7 zG9G@%PF=~A7+SotLBxVgvjbSKn&;601 zh*H*=5eqs39bp{qsr&vH6z|zRa$N3Bv9%`RCuxt!wOQ6Oe1(YaO|C`d-bS^SL`wrh zFn>l`yZ{?tfSH81)!hQXF4J)rlqhIMF36rj^%`a&tpleX`XJ4#sU805MEW#SLIJY0 zP2ZHrI#pa4RlW7R+|0u@B1F+4%}UlGWqwtzY#(1qE+kK}N|itwAZ2b{5ZZlTxG47H zm0|ln$?{c??}#`d+abUxU0vC+< z`qEKVSy8mkOsb#-!m7dtiK5%}9d_*N+(b2Gq@52MDKeeMEm(rONm{MNKbbV21&W`; z2eu%w^LauMpdNYNzobM0;jX=>?iO?VMRX~zGf?c8N1N(0Yj{1ghyvBrPUWaMA+N)X z8A}AS0@cn)qw0=o%eR8PF58r>z<&-?Ew1)6`5=&?-3K?*1&@tAEtRNw&t1^45Ypgs zhh55Rvchzr0|UT|Cc1vK|CrN}=je$(jR^PY?9GRICI;N^p&$td!_O@~= 
zhf8>^u^-~fqz&d#VlG&@q1E{4&4lI)fmb|+Ab`X%E@n^REveXU!fl4Uk-ULp7RkXH z_hO4Nj!93KUVGIIo!(B)ZkJL3)I)-rCN#{mZYqv9!?G=vFwl9qP}*^$8lqZvbgb-? zT}?aPyejIH_4ZZ-o{w3TvES=xtqn^%kJF5jEz|++Aq=B{n;m$!Bp zaa16HZSynaS*{hf%glzkdu4LP=DO}^nqH1@n8XC=wKb$oY&A}~t>%<(M%I1BqRsj# zf*<>oa&BPehwlM!myqMvv?u{DSoQV{F+jsvv*Isp(rGgJ6+I&uyl^CZ7$hM5Wx#7! zXZe~_Y2AK_P4hyGjqb33&1Chxt;IBU^;-^RsNBt$fUd#RW6co$^)-v}sW0suHMdZd zw6{AVtIt{%S&eL^;cmad0N$D}jijPv4n_64%WCqzXzcb|l-JQWkA1zP{Whwty3LNg zZ$~s$8Z4{~UHAnz@*9H-On08>3~4aI`El-1pe1kI6+1P% zoCbf_OcwDqLcDOR8!vwN9Yw5XtzC6#kVP(g)ls@k zd8&(WA58CV9_j_#_eXddXMrB*Nb-A#8MQ#|e(gF95abGb6-`(i zcIxPgjmZ%`YgsXy2T=1wjms|cu|;0B9bWFj8@r*yi$(DEw8wR>%Vl|DT14_Y8xvKw zOT93;G=(@CN@I>DE6uv8rrBOokajXWhCGYyBPR+IY!-WULh(wwjizF%j$GAuM5EP8 z^NN*+Y@RP4_B!w5=q_RpY#684`8fkL`3 zMni3wCoZf3IJ5Ux-F(eP_NGJ5cSpkWRzFofNNcZz>1?rCWe>2)PN@LtH%1*B%ex>I zBFAI>(Q^Pek*wK8#XZy0fK*EtU^BM_Sxg65x`h`znu5n%rf@{}bDNx1&IeNS+=MyJ z&jkwKqJ}k!%HvYRjqv>o=tnrKw(v+ud}QM*a#X)#i@>=;#Xp-wuP4It#|v- z$FXPR1sSt}ddChkpr8dEBDBMKRr5s9+dNypO&kLn8w?i1J1ergdM9<3E8xSPA;az{ z#YIVnBHNYuNS&*I+qJ#rnPI)R)eNg1w)q)coKC=EFnhPjIPy3Xqbx9$Y21_1mkC;? 
zl($?_RjA2wfcM%03@Q0c!S9^hb7Dv*9Q#Oq0GN9#HYEri=V(u#Oe?sVvpY{Qe`=Q0 z>qXk`Ok{0!$D*Qx*f!|;$BZ39gghs8ktjvPZ<4Uf;nzkgFDM>`%6;By>#_YY%+n>pBJe~ZV`b4KhW)%W zWr!@Cgd|WmmVmX-M#cEIqHUTC+^}KDm4<+nSvYQ-^7)XCcr+_HLxeD_EQmR?2~ z>A<5Xo zisx0YR}$V&ADolN>&3?pO})Mo?6gi&wK_VMdF#z(cTNkhbpR4{Zo2TCK<()%;_KI$ zpOHUed__k1J$`ZKJV-g#RD@}9%fhzy%3az(4?`_at6TL^tnY7lgpA&Q^XD^JdaI8T zg|p(hJnZwJ&1F^H?jI0dMTCM*%b{ekY8+*v>mLliW+ zk}WAiLFYC+y~9D0ynK0hBY!csYMrAcI#hL5$FaB*+p*P~v690ab*3?|?tWqCR*#fS zGn$43ysN(_XDg~Ribn?U5SnGl?xbNCR~kttBlBwa8^ku83rW9d>@BA;%!_l@kSQf` zqq2k9+|YbOvH@4vudi&47JLb`T{#$WtP9ayd^i?4R)Em9on|%&R?{TG33}$>ghrQj zZr-SEtvkc(aDSZ7wFvTKvZJ4eAQflBENXyeU z$)KpOB8iLCc21!aD^mb&lxu~rE&bipQ9bVBcin4>Bz`N8k}BxzCFjqQ(qDDfExsrT=s7a;?JK99I^R4H za{>I{=cM%=SwHbOru$S^I`KR>n@b0)5fwuC3m+Ljcs*EXrtGR=o9%)U<6hh5$!SdN z21)hSkRp?>Hg%n$dg!@8H4FN4o6NY-CdsZ>4?LdK{R}Y0cPJf2V+`B z5o{|c%#-yfUmut2M2wr}y*uSEWPZYv!_xy3UQE=o67b!*xf$2?7G5YF+HyiNo;JGM_Wl;qzhTm#VpXc$af-t&twI>|FVa1*oH@8(6oxS?v zDb(D_be^a4Rw>-0dR?@C(KC5fw75-%_%}!k!gJ+O8I$xR^vKep!s+H4!O6h*%x+zo zp8mzUNY}`nQFk~OlM7*Ar9Tgs`Fh{t=4^Hp_s|p7+VQ~mqvdwwQ8uaX)W=>>E`HqZ za^MxgP72!u94hokoz9nG@XQt^s8-zxl{sV%=mcoRcJVxVdK#Qc8K1Y%LUZUvAE&If zc=ruK!=^DauG zO%MEOTONCEnX%Il4ZqDvT9DK#wp+bMi9iNF8Dc<)%; zGkbOWI@}3FC$1^xaqA{Nb0O>3X(ozWF)fUwA*XUWE2zw;TJ3(L?=87__*-%@`5lLh zd@;6rs6G z&p^?;>Uy5H8DLzK9By3|i*lHau?Gpr)D#y*8F8CQ5m&%8w&pgY^A^3fGv1Cr9z1-- zw(sfCY0MOBQ$T#*vc&p-_w>~NOn#RMP!2}X@EbInTx{C_W z2s>_EKiX~aQ!6ofg*@B&2obPurStX*qsMn2cjLWH&^oFph<02aE3<*>$;!SRH*c^X zv`02Y`akFxbcVrd3o2W9L|$y(ZhS&!O_`ORzS=1eR8Z#Bgc8m&Xebbvpt&*}$8B6# z4MuN(UhyAtPsg&-f~8gEd-S4P$K^#W3+~C%&JCF*wLJGly0Uk{jLX{NK1%38?~0+S zMUlKDr@X}+A34uSt&XY%ZO1Qzta+8v_V)H`6YUY~JnQA%ll0t1oaFVQqm#jW>@^NT zZkSsM&IES3(0e21L(j%|FyA*)5+@GAdPD z%p(NNq@w~0N^FDTN(p_e`=}e{GG?PbUHGZ_Kv-Zm4K0U*AaA0;{+J496Kz4-YY z0li3u&UEjtl%#s4?4HD;_!p-Uaq>MV51AgD2x_Mdz<_42Mp3$PA-m>q)N3A#N*gmC zpBAQb`Z1t>Xvm;w)I=TJ>o(40Qn@;K@xGJMQwz-+lOW*4vk#`Ol^c=@Vq>?~)}ej9 zRh@9JL(QnIRZDF33-xid2275NTtuZ7;_2NP45j?_hL zr$h_wjeSh}w#9O3?>^>U9U`T3Ih*E`w&jwfuCLNT4#W@NAJef1 
z^WZ21j}C}a9KZ!+vP?4P%ZBV^C z8-l_lc{x;Uu-NG36*bQSv5EVVB!SMTT0~SZmI}*D0u_ZytFi@M@^&2h(aORQgVbjk zU3Aa6=Nm1QQsVzTR<7_oNBQ?l%l#S3=_}RMBCcylD`l6}M=>CCM?}|mkzoq9N+P&7 zrz|-pw2~Z5X3icJMPk%39Fr|?7kood{~M#=^s6us{(AB&-SpTms97&5Gz^Ki-x*mP zeO-&2QgOwu3#?n!0ne*23$YFf5cW1-cYz66IeHlba3>Al2PG3XJBznFwU8FH^68?o zaktks7V~Z4_9#)8(Xq;z^MO~cTxpxQ=^Y!`gsWnX5A`P%G)iA9J36&9Kjks&6eWh! za>rKJ=`n(QJc*S|Oa$y}{Pd|c>_&|i5z*$l&_V7ER<0FT9wmo1RQe3;hKYlJ94vKv zW1@v)mj2q{o-mS*YT&orGkG~FN!~RP7JaGmP$T8lt9XbAeE2Vkh9V%yA2fZYMA*MK zcZVqQ5|xwro`#~#r>)Yl#xxBUE}BE{89IaQLe|_5&Q@b1EUPO0*QfiW#?Br=kjwEo zQZnzVk7}!OI^QhU*j(kizOod#BWss?uTe?Jb3Z+FNcF{nT?_n{@0oS;NNnAayY`ii zqsB?+;QA##<|=ogeUKwl(DhnZ#d?Ud0@oQ(<1)KPWh~{S7G+DL;wK^F;;gOQ!+qoJ7iF$eR0jI*NynJluy+|2 znI2uDX>yK@8q}e5VsMy!gcV(`k`ou4|JWxIQjsV{R(?&g13YG2f@sZVB zI&E%br%CZwjR5ybR2#muu+!*$AY{+6+&_Y2Gp;F<#H`Fvyl_4v{kzxvBib|Qp&HNu z@1!LMEYQ67$9d!#halUgbH13VBK{PaZe9C9&BfudF0O)-zCGa_D0-!buz0Yb&EqEM z+B|mJ9g!){;lNZxGwyq%i(7hwR2rY26`p(-^8{0%&}o@2=Py;c%05%}TN+j6 zJRX!b>3w1qFDXp50s;c&cgC!9zn#C^XNTedTC!Saqb{$OjmP9b-=@qw+%T1`Zg6ri zl*I}EvBmO)sVO!8+Ib5eUe$xm`Sx`yu=(}r*zvr&!`@f3%~dY1t>Bg~KURH`FuvX{ zKPw$`yQR$US(x#+t5Pas7*3vNnF>R>0S>P^)phqmI-&(7WA9f->K>FG9Be5j7IwL7 zS6XI>Tqe5v`aC#1mF<{(%umIc^@ypx(lok&`b7tUu8VnLJ^l_`}_G(G2I<2bz#vtyFN6+;q?V4$W}N3 zLD!uJt6e>cK7ug#?ZuLNX-pU)U8ET1jo&g+U^7o#QR#$e<`mYXxWT3)-LGqYbXEHC z*4kPR2ZncQG1k2{ioe!?z7!=F$-Aer);;t1 zoW~)G&1*tLck<`hAx1jaR~CP;#NIf4_CjHZ*5P2VBR)7fU67%jeaBMM$!gclZDqw* z6b`{OYwyc&l>FodZXq_@CVaSSoP{D+=&78}9Q3nua^^j#jg7skSz@jVCHm3O(2#%eH=IA} zPW2~*H!#wDWmBGuR>6qLEZjcn`!EHeCb8Z9)uV7!U5vHOYFjOqj`20U5O1-fRZJxYkY-~Je(yzFf{*hHZ_oF+iqK{)06X$f;QQny5oRS-^ zD~yid>AKfGsTEbfOVW)j|6K)uG|4*uGvpx4rP*S{-c9U7XI&FoJYs{!Y~g zz;5vy`KajUS1!Q*?G3Dp1h;E8#vRU6Vohp-`_^$ZTKjeQkfgNRs>eq89lfGYjlBeEC6>if3ul3H}Cs4 zB3Mj%XV~zK&c<@uAt#${%2^s-C?lf9lGd&_Izrbsil(PH;zgQxSzDF(gby-lAZtFp z%37eWM31eaf^L0=<^gb>4ca@mY&m7<(E`-mMvCqjK$^|k9?4l&##;4(&6i%(y%jJF zkemCX#poP5>F9R%iR}(O#_dOOJCB!=B~ciawC#DC#)9`m^;_#xMLF~~=7H4}0wfL};s&ms`H7ku0{~#d}xMe&{bBB%A&A>NigDXZuZPZPg 
zfL<15uEDw?*(Qc+_6CL5klyD4E1iBh)EDGh5n#(yY_iyQ%S%g{?tYgVg{g!U%24On z`6xAseNXV6uRl#1Y>N>VtvQoY9N(o=`D#FQ01;qrnCY&+9qVvpovJ;BbgsdbY9*Iz z$RuTt&j@%dF5c;~{TQEisxc|4;gjldGO#zJZ*V!hEZ!kTFzwdNRZ~F=h+A4v3Fpj1 z24Uc{U{O^qfn4Pecza$1uJi@lm1!S;w?+D z`{Y#TEx1lu(57ZoJ+v>ib8i2lfJS7AjBSa_LruFg57c9nOif1rJObTqsFIN}2CP+S~)W8T=#+21x2iiZed1Z+5lE-)A{T<0=Z z&VTtg8S6itZi#RB=JxviqHU(d%d<7~@6?C;?nFKkg>{wWQmz(BpOHrUBmAWK)-sra z4-H=0AtRvol}ughrj-{fS~c=6_$cMQ|Kx<)Fw31_l7P&|!a-#=+zq|@+Bt^I&WV|P|=Qm2uqrFl; z+5T|9X|$%@OF=d8eR{&=;RLk%4igj8W!vHn#jzJ-IRbBk%U5-QdV@+6(3_$L&6Y`p zcFBPCdIu9228#z&dAjanFK4u=MkEQXKpS1z1lv9jwG}ed3ysl$-t`@>lz}=ODmb2% zM#s|1gcSKM?bkxf1;yLC>mppvlsm=Lr{Br{6_rl*#Aoy})qr+r@b_g?WRIEkYwcDn z52s`F;IygTSw(7t{@1$2J?W}`{xWfLkzHCcGY%oQR@i2>^8gF?)6)pRj$Bg=MPC1s z+*h^=b=SSmPGS~Rv#chplELzYs0jT>LNCz`?NxhpDC`O@AOMl;v@rI|J+;{BTUomR zgTZ_hBh)lnEWSFBMM=}Cc-nt(bHb%>K4|F3!ph%sxHbGl=s~qQ{aIrN`QD;_kV`1z83VvoZJ5(0E zOSRQy&6_BMnK}P`xd0I2e%D4n`%m@MS1uRF7rrLyCX4AWn7CN zyd39M5yzYAa@HnICDQ| zYnum>-cNUBpb#T&TL-&gl~KSH2zjvaEuv%!l@|PXh2lm|=1;lVFe~!fn_ukV9q-By zHTD{wmT3cpD?=-PX^z!TMx+605X^xa{fDlF55Y$gCN?C#KrYCmexz#A# z95X}QJvJ7uV|Vt!gpX1V<`K`t0U6JFbqTZzRkg@rSlu?tym5OFT@QFu=f{rZ@AiG< zBou@WTlVBuwNA@iWk$b!5n%?`Jcb0w9LksZ){@fan8iFRXk zZRYjSQev=o^N%Yq@xp+0k5>2oqc{`T!LCb6KmLp(l5txMyJ7k=>$OIjpIAx9oJ~X8 zy}S-#_wgSrZ9x5uI<;WwAuKBVT+vY@64Jpm?C1`hW;>`8%nhjP7J8{U)zws3(K|1x`BY?Vf=btV^Xg(f zHZv~1=DY0L-f76RqwXxjeHtP3e2I|faW-~unL+-*q@h^teUZZ=hka5-nI%sUV65@8 zimM~9!9xf^R-KrnM-r`a;S+KYUTfA7?#Oh%c?`L-5bFh2MPi ziTda2)8D!K@$+3>IUfK~luip6GJe-m@2f_=m^PS*mdTRC2!}Ac3%Oaz1(60qzJ-$n zn?F^Nk&3pG#l&}o83CFOkD^<9R&!zM2k*$)X)^Z{i`b*K%ObrdPgXbW% zAPdLl2&KdBuX4_xCLeU<2tPL^*d0=`ab9M5dy|Bgzc|1mzffBSF>Wo~nyoiAX_Moz zJ$-g_J`%1K6AvGYVc3@As1TVM2E@@fi77imhEXmuB0z$+p7)(u8vcRZmsYlrC-ch8o5B@Md|RX#xbRr-U^uK$7leyFN(tG4t^B)`N6xT)^R^eK3(FUDnb>L0c0xssk7w9!QUB$TDHM&`K_L zV!#yZP5sufg!Iv;I*(KagIgY^Z0;T&cR#tZuNUr;q_2_TH${x zEFG7f2m>YLNdxa}zh#M~ia=x%ipT4xsgso?xrK>Vrt9Vn;!C4V_`YW#UeQBSb913~ zXQbkceJ|0FnCq)Fs(>mU)m@5G8aH`#HWQ_;?R1j?!d|FmVl}LDdu+CocYGs-ds^6q 
z4p}-eovsJllMUu#f~pmJ9PZuNo0}zNy>mq<_nHJsz38T!rhmX+O#{-2jkW0{55`^R!2jhRPo-^JX=DtfD3 zi7T9U(Oo(>hxZfMGz;%p!rdE1X|k~84p>t1dtQL$QWRBJh_ZBcF4cD4Q#I&rb(Oc! zNelAYs7PyU_zJE?E7A3gRN!Ztsr2<5ZtBl-mq%2wT?;1O`&mXP;;N=D;-Kqg3M|PQD{H z{UwaGxTlaN8y9(QS6GI65La35#gbVtWdHS=q;VaN^t;gIQWUs~f=9f}GZ}y)5^?y_ zjW34(p*Z-nbjbJ=ujCq6rtgLsw7>fjD=#D}ADX>?P~5Ilss?g50(ppFAxe_BD@lmA z&5)O5Gy}K&WkA*5dchPf|M46gW@&@fu~T41QLL>QKX_sKi7UROJndE4&T85jh7j@T z8_T0PpswPpi#B(qi?aLrzQzdUxf2e+AS=0VjD4uhwkBLAiR3M=+V!m2o(XeQ`K-j0 zw{=G?!*eK_%-Dgvx34K$S6HA75$n-r)|(_1@J5K3i0I+zrw*_A{@ zYNwSRdGwkd`!^yXt6dK#HF0|kZo?P3d!8twuBIrh4q&|Aom2DLp2jA^(=0k~)eb&G zIlC>4;M&Dpw-G1+Rj|%3Q@}XdbIA=nF zi5$bdy*>Ln>bE>m?ehzZ`M|qRyhF*U%Lce__4`*?_i^hYchj6KsD-v|myt!0i(7pO zOEBrIeLB9~C z{D!woo=)PUG|=CZ?!NybE?PGY-o5^w)fX_RNqDWJhaR@yi-Z~|v1g%|X0qEW{j2Cr z2@TT5aaK?9nh^JM*ddW-nRVO{`%O>yq2+S7 zoPxsY`-(G^#6+8Yn_EdkgJcPlRSKNC<{O%M3|0@3$x|N8cl!CutcEzYYa?R3zuRx+ zt_ZKX{F#x)76Y`PR%-NnOD9P7;!s<)u+V;HZPh*&^jKtQY#$MWUICV%!ouV)2f_Vb z8Mj&WwKRkN@~;N_xVT@?>}9f;RwqNm5dt-EK$(s zjZh$HsdQYv<0XFd^35|v(Y=R$h>y~-UxFd5Ptz3WsNMT=cA(kED2B5eb!lp@`cJdy zT}tXk0yrx~E?*v^MJ8;^8`=a4Mw^$^8Cd^4^x!|A?#cnygxxILfpGN^;c7fY*DU1w z;n|I{cJ(GAA0+-j%>x95yl>n$X2BZ&bLBFF9_WEcj>x^uQekEE4qS|kC3J)=@i1|XUP<)oYk7>hfISxd@5@s)~GN!I` zMdKT~KtI+)FFm!er8q9V;Yja2Dl95W!3K*a*G6@XK^!4VKruIsW*5Mz`iEt-m~7S( zd@qEic1Fu~$JabeQ!9(;)GGZ7GR}7ZBq3Ypm$I)QLCXg@UYObSopp zOi52kMtts*xV|r$Xv&Bpdbjy7}uI+Y5V{M$YZALM-GV+7g* zj$jH49eV?cd>^I$v;TiCYLNcl#JY{)jKootG^qtACWb*%;?0*^#b};Li_zw$k zC*t^fnqOOoKZlt9OiTMt1PyzJ}PsfMj;AQI|-c51~rxCY=ZO z+u8+E*Zk9|{(Q@Sruz4T`@s4>R7r7vqjzfVh(GG;Hy7EQaiXLJTvTMgTLzmpBj8H~ z$zVAkBnSMarP(@KS0{-||NfExk53u%@c_;(l+Jzo!-o%-08*q|)+&vUaejt5z<6t+ zQ#L22t@Iq2PV|`F+16GwcDaay+wBn?BZGK@|Bq+={bDip-~m${xijYS{@{S(LmBk` zvoUj$M->hII$#FX5~FyCk&(_6xuK2QvXnMebpP`^M)1_qw?bSUQqt48G6u9x zKg-pvfec>GlQo}EDU}B+rc{&6XUW#rYvcY~_OGBN|0`HzMyD)<_BS`>xh)o4WNk9} z7>$pEl;=&G$wP{MS_Hi`R8~{9zQtBUx@vhGA6)B>nt6V4qyJn1{aQn7q%sZ{j z0jE@e(HmXw=-)p6H$OkW*-~BcO4M@yZCD_`;XjK6L52{$O0TvvR&BCn>R+a3kwS$ 
z5VW@ow9YgI7#ZKM#k@5eUcLIhu;1uhK)?`ak$$4SgGnAn$0~|We9Q)DX&q#b! zK;OmxJoJ|)UjN$rj1=)^BuE#@85Kocs?DUtcz-me<^Q_h`|S4E)0?yc*5@D6W{rOB zMxO>2lV5|uHY~L>SqZ_`+F>c--T$^x=zo(_*-Jg%P|XoH&9dBw?}oA?uJZ`L=(%zx z`N<^tIc|%U&EG@bocZ4@ zAkYAB&jG{T5mNL&uK901^~7XUBnM1MKL6uPy(OLl+ef}NYxyfl*S`t?<9G1G(?@Th zjQ`ti5i-921RSR?2lr_IN0}xgtOh@<7r##P<`?(zKRWfsvA6W^R{p>2@xNR7_owFH zQ~7r%_1{zZw+irI1^c)D!@sujZ*AGXw(_q&#|bYBeDJT^^WR|Y|Mb8APuw1S4zB2l z>Iz=7-X}DC<~Kll!3_XEDG;7J>0%~aA^aE_DfiQFw~o6^nHQ1N&>%6z=UFEqPEYgt z=c$nRR3DMg&QB)6c+qG5l3MJ~K;+zXNuGT{@=`M#}Ij}Z^yRGP(PHEP8vC@6^k z(Bcr=LHAb&T!IF_m?;Vl=WLJU09jA|wCQ&gdM|7BnxsGeuAvfc5~=XpLZb9_jPoci zW7@_Yo{lPja$WseV8gpU<`o-26k1hLwxH>H0NE)Pw$tS^~Fv@ z{7xtr6(*lbYIFy~;yNRpy|5porvJchvX|LQt(C3^lXc0NXG??2j6~oEP)uvVV0~)A4+awsDy^xXgn%lp&Bi zJhkwf^Rxmgrx+q1o_MSIYYFL^{a%~;+}?ZxN!i6mh;5vC3${t;ge-7@EhU&0>>>K= zJ0uvx@!sy>dg-Y;yR11tGJ-USO$Z&s32s;4Tu-n*@zrmfr`AO-Ogg}O9wEFsVpyf5 z{BD=n?ch=sangf%obt=)^s6WKNRKJ2zZ%Ci%LW8^rs53{?gM0jEZ z>4SLT>(~@NaM_w?Zn4FX0@0@W*EP7Qs)a30$X|D!P({Y4%cS}Bg^D&i23ot%-1mQUL@4y4uAtJ=MLmXgBi4j=G`+hmva@Sa?f z^jthAo|V@3H9I6h+(H%$nA;U3|EJklAJ0ZviR|QTO7X&%u_++K36u?>@zIH3*SYSn zc<{_B)a>4gQ9hj@sKgA*j+R<*dL7(Ve@8?d<|e$2`_Lw9{MU2oEs;V1&Uth&`HAS; z$DHX~87dOcF_g9ZQ(qI{BVH{Am962%UY>4}T^~Z9;1Go(X20 zKRNPZuxgL{>`t63#-~>J2SE0&P^}{!SX$f6*`CPgSxqw2oH&zwD)rIvNy$bz9eaEg zJQCp4CUTOLojBzK3gFn5xEt}F%vyhE|6>+YI%gh9OZ$7E_Z~VZYk5pjvHagG#|=4s z;Su+`(;SyN_D)Kk_w7;IK-|z+=*6U4if(-Ym(=NoP zVCcP9=6JF^Cs#C@H6H^z>u0@zMb*l$$oFF8?y!WPOzNIH*MpIJ6B2gvhvwJ5rJ-c> ziy@)fRNlrCb6B^miG`KJ{jl~=aWZ-5Dx~bKhnP6zd%o){JzO4 zaXJ}sc_ywEnSjER5@HS{BxNvi^yIJ@33r#V7pX`Z$PpwbzaLF-;CL0s8&sdpz}|Lp zp)x4I@PnIfPGX9()FQH-}|H*wZyYjuyZo7{c4*@H_6>wtm$!cKB%{?JQUWXlea}1-=i#}1owlvb2)BC_0Tfs zsNNh;&*e|bdZR|BkDS$X%%0k;E*-22ScfKkkT0xG*S<1u^L{GwlUKy%Syk9118^cF z4)8KIrerM6;SQnPYrne>jGsVUdrWYn* zVb)g`Zp5E~%1SMqAu04w^I_YA`F+g2p|MCD(hz>BCu5Nk}N+-!vX{;ZeG5>uRqi=ks&%E8ufrq`ur*94;uYvo!w z#~2wn^_Wo{t&!Ew4sE$$PLHpXX@TikG6es}{fhYM7b(egwwTuVQ}^z9YmdN&_{F;3 
z={o)>p65O)5*g8Gi+qg?zxUydw}S9gv02f>%=GOFfRIY=c%s_dM(+-z2IwrcD3G=Og>w4d#8xxf49-33=R& zs2c9;Y~i3gQi>}*9CA5&Pa&QYcyt5I{j~%_TC?{StDv53i=ANi_0`9ZjV3BDbsMhz zS0dACexF75Z6Bo11Wl_M)?}=&6MOfKs#;pkQ8%U3<^*c>ImIj$I6`FC$X*?KK13Xj z-mepnK9Bv~5l(jlE_MO@vrmrJ*RS+(Ys(9Uk-2v4YH&_sE zycAUk@6uqkQPf$-iYOdIr*4xaA9@zENc?pM$3X%T$GJRuUja4D@8)yks;eE6+tp|i zE}MS4Toq)q9@^VC$e8LBnFL+Fd>OwCDF#u?(-m#)>?9FJjN`wgWQS0d=H0Z!pT{ci zi}Oue&CvfbQO1eiLycJvAz`{H`O&rUJ0{Bwdlp8WaElZpsf>>~x5GBkF%RZ>xK|&W z6g_D*pLiPW3}x#S76{Vp-ee%2ixhx`X!`rUJ=dX?{}fUTrB-XTae#$SxX@iL%@eZ0 zFW_l z{~YBGfowgQXn|bTb%@cU#X)pR%MRLbaBF@1nJer%qVvnc8Ad$9M`TzGlAic43MXL& zBv4$(LPj!*&RdZmiiTFr^{ZMKEv%Gmy0;2xmco25$AE5DdG3|RV`tDQT53!qDVm1V z;I`{nCBcTa)#uUt5iW0R|YcX z(z-NRrn)TNo%yIUms~ z*TvnWroQ=REF}vNwzODB@61+5G&DTe$<` zqdVRXZSm*H+NOtgoHg#~_sjv5RW9nQ>zRj#9}g8vV4hHsKcZ)qg5Tp!B6_uKvn65} z`^V~5Ip)cPbnG*ltDSVc3J|pAhS=p%g`w^35RskoSpGG~ZvGpUTfUf<_IzbU+2ZJA zxZVI=eDc(LL_?+1>SKqYrHtT49}RZxl4tx@?>P18-kj+p{L`EyocU?+D{w0`R6%?s zxIlu{`JyOhyR%Xgx-?fs^&{Dq%Op=@5__C0)6y_2qy(p>(U86GG$il(*U>wD~5R zn{$h^{Zk7R3fC(tTBAPIJ+bhvv@S+W-apRSyrcFqpg*~s)oqvOa#QE@M$b`(80sAR zpAL>b7&%B71pPSgbh&4e#Sz0+@I8w;QAtXabbmZ!Xt~(My}Jko^R({Gopn7`6jr~a z7Uk&lB1!bM(Ynnjo7T!uh$z~)FjsZNjo)&Z(L#+ChbzKj3>2(Rvxz+L%)BK^)U;g2fwK-%BaY^o!XVxu#{J-dW>!_&usC(Q70}xRf zQ9!yogc0eEp=+eOJ7z{yx?8%tl$2KK?v4@Z?wVnk-^Iu0dEa-f-*>IMSo0q<_nv#s z-uvv&IR|k0u9!II7&15OX<^-Z@>sHA($qs(4;s|fF>)Aa+&v@u&ZXF-Uhs9dmz}|h zi5YJstwORFMbU9H42>llFlW1GCey8x$nE$xcdJs7*}yn2kImT1tM{YQzoB)Vv4J`= zqcMLgTN`JyOQChfOOXU~ikavd4C%R?gZY_yyZ6N!yG2~Oy8-|ESgtq61ikuTOS^k*K&1q>_o*d7t{3Yc4-PXgItQJmpJC+JeYTJ@_nNNe>RP(@R?|1XT|>;e zmQ6xpVb49A>3nyMHWpfE6BYNBVM$W-;o1|=lj3EV%tmvKo%czA6|l*~2JN*`XUxaI zDBDz>075+ulzNefMgi;9du8%d2pSq)`!qRXN&jpiL`e(ZtG?HhvgXD zt(=7JUwM$YZ8G5R(6Ez=s@l4HG;wWUhtgJJM#mnN9G$`SXtY=HR*YC6J{&U5m#;nH z^0FAZc;3!`9?3pHW!837rW`?G1$ z?|1619;%+@CtK#Sqh|flPC*pz+b=uQJu1x4xwQd*>3Y(5v1zOSa`;s2(;JMUf7!$L z`xf~st!cXwtx0&o9_ik-Yo{OaK+nG-1}{hnDXf4p;)UKMCOsK-bU`?m>})DfWZp;Y2TLRCP8&z-W?o#6I92eylOXfc2snEHo0T2`>=59x;W|z!lkl&)yo( 
zqT6#lR#q$k7YA)Cg38SjR;aX`ib5S|tG?d7EeJN$ta@J5K zhb2(px_kzsOH`3Ok_DsCfrw^^nOWYPOD~Jlg6CR@CPcP{$Y#FCFBv!#O)XxuhYO_s zao=H+Q#dJ~9TkzjR~r6}xv&`n7`&NJh7j9FrB%;(oyV43XN zw{!y|rWkW`x1yc!U`&=)d1?ie=2-MP^MbGD5#a&@bKqq-|JMN-vv)3H+KGvWhSlmk z|IJZ*qvmU2s380@?Ymjln$*^}%@gz|#cCgA!fOfLwoK7?*!Uh_%tw?T#xO+@2eXb< zoZ}*9mG5t_)e^4fhch-B<}Ub<|grGp5}~ z^Lr(^^bITG1zk70da}9-e_x-)v97Tge%qXQ2(p|lOLca)Xad?IE*6u#MsNwCs=={J zO}1f?HDHpKY52x%jjHuAccIhum%@D@U~WY`Fup$-LFO!0$*1OGC(${cCpDNh(sz0A z3l9NjGtG;L>yg;g-GhI;$U4__raZXxEf5K4ZrG;UnW@HWq6A@%!Fp@$^%3`QNTnz3 z=1l@9+_2G(TbMk>I6pI;AL8+9W7^ZFG}-X-$q5qavL-u|Hp-7>0E&rc)3<{0&V-0i zu4RE5+!3C-stZb`39uG$g6nnh@%6a#WT)Ykmk6}QBW+}YbG&fRU1k#3$*Xf8j$z{f zw?f#B!%KM53-yu!BY7w4B$D}PL(f33O8$9b!ps*dQxpt~!sScj>8kF)>de-TPHpsw z*~GoI=n{NM@I|UFa0c{v#*%I{V4c~|&o49TWGz|L{`W?M!T*AI`{Akum z;o>YppTnR|6M(rHuBo|wyizh<;r~O@GI$@*%(%-PU(PI?0sWN&FyHd#&FJYI*i=+I zf;Hh4q7-{Jp(yP1wr=lfgI|ObSff#t7J-5mv1%JO#qFroGwmYa??aypX`Iej+jp}= zk~~>FJwuj(GqO<_@86CPi1PKQ*}9$6+1$#DXw??(N<#EoyNe1_PNz24!&6;dp>GCf z1i)lwO#R_VFI&RVV9T4CDjZD2!-ekxxZ@% z9>PY6D+VTX~tc+W>Effptk&aQLLi8yPQu^*p7e{SR()k2eWw|D=_`~Ve zLV_*WvNhpdOzcJIbkB!`{wL*C1IhB~y9b@m<1zy%Sl#Db6V?;Fb|tpFmrf>EdV1L& z`q9jHqHQ#J*^4IE&EEPUU}s`l=^gc_yC3g$*{|YZN>;YI!TsB0`X&8CYilvI-In<& z%$?-kC38Mowj-Hhc2frln4@StpT)a|C>JqQNVXk03oy1$ug!)+!!Y&UA#nIVUPuAt zHeRGYvHJkz3Y;9bYtUEZKWH0D2pAwZ#v{&`Ph(z7am~9}YUFX6JLv3fjSyL7ezFPQ z5p;MnMU*T>0j+v{unfju@!xK4u$-0kTwj!04x|R)NT)TZOrnz3a7~M>VYeoE&ZoCD zbJ!pi?Y#AE-2S=n<~?9Q%6Z{P1_tR~tZtPr zR|ci~@5q^agu$u2Qm%VzVwziykGuYQP*6<4>P^sUb)+F&{ zS4|Mu^gRKu!;)o?gH+hTDVjWgsu+{ZJAb*Ts|3v0A>s7kOGNjwO_;4$R`?F9!Png0 zU!2WtNrlJyesl|4pR{VNR>~Ir35)}>ufsHZx9)b=sQ_cTip!f=z4t03DwBqg>7Jey zvl+hlDA&%ye4LoYNeJbpu~17w<%4p4U1p5uhD6=TYO)ww*cvX8zHxq4mBlMAl-73@ zaa9|{H7LTjtqN>!icB!@7`WPdLQ&nPz4i&s_rY{kXc^dr&Ar_y&I`c2tj@YW!a=pn zbrDRjx$YaPB)|a~bOe)_iwR!ZF$cv7>WOLlp%ALq5y5wRPi`R%Wzw$j))oHr)R;eAeC%2FJ{?^>WHr}oad zo=5vC+>8%GHz8_QYjK*n2IzfE!Q-v0>oGnq>Y~Ehurm=~3JDe*; zE!8s<`z;f@-sYw~Qbg6PMcJWONA@hG3aFzi_Xo>oxrJm5oC{Z};U*O(p36i9q=e{S 
z=!3%n@4WzMw-MsKaqbHcBwS=OFp%vjg#@FX0u6gnoD%YoY4GZ|fO)DRMkO;|H}Wi> zq>xKjbH{X`ymIAa5)wlu8CG*9pm~MbWODj(0e9bh;73|c0@L^7osdDkS_$0p?Td*hN-sMuPzM~0*eNL^gncG*1HzU@;HTs6(=%ZGzj?GKkn zmE=O=qd-gszA8KE5tv`Cfssby?co%IAXKQHXZuRHa8$APBN8eM6dg7c$Q~utbhe%_ zg+=+TB{nwJgHT!`HI3-7j!PTu-LxG@CK(XMnq=Ob0^3cbqtR@+oRyig}p4w)vnMiqhhTQ(9#adQ~$i0Zz1+0t_aO``6U) zb4lEmRFrT*4(=?ADV(;cF38unih_$Ci5yD-fvT|E*+?nxR>g=*J7u(@;MKRG46cEY zbxK-A47v@-10;4GkkpJr%?;Z$5dHV^e?8AZ{D;FexY!;aKw9$ z`Ab#q5{T}yJ8wZ@SAo@i+CB{{Cb3VR*1lrWN5Fj5L90=ArI+Nbiv{D|&q0CG5)7@a zx3~SI-H1)|htkc_G;d$+KF+)?7s7s`5ZgTOM%+Y5#`MTTGxqB1?OQKy{JqTX_>}Hj zc506%wB}O;s63Auw~=bt=`Y)Y#S7qvD|RF*hx(uN%d>P~vVV_PjyCcWR_uZ7SZF;aHCrpG(&} zQVyHXoVZ*8!!dM<(l2-VHQX2dy#iF+vPunFuf%0mmW|A7w4$oV$;yjExKZ}aCxl_- zJd)s5rdG+e4TwVSB*Mb9z--bmmQF(?y5)VQFwr`Nq(IdL#QN%MXoulUH|8NdDtmi-k+S1HtYj9=Fftu18#W}jPz%V^ZUY4z(pBB!wYT5U^Y|DV1PhGZrJR=78d46F)V+cEbpshW+L*X9F_r1xxM{8WKa}+5g zo2u%7xiS$NC0C=vCR`UEJbnY?pNfW0ZD*IMEVtSWt8^otk2OiLDR>Wjfq4O7fIEh; zu2FTRhg)e~x&fIq+hsX7#WB{BezDx~Zdz&O>v@B#9A^K*`(&ehILvzTQlSN1-^E^) zBNG!GXO6O<^(@nB4%H~rvMbn9x_KM{8XLNI=go~fZ(eXbd4KARDH9roIS`K@uq`w` zmUyO^&mi2mc_($+O%c56N(=t_D7Ha|x8E|$T|c9g%grl&u=L+q0M`0BKM{1l(5BhUi7F_&zw;S>pjs(HH zaM>bF!MIg!%=3E17((xS(Va~prT~@xceZ9;ZhMjhBB(JlTifb46p|p)GmdJDLL9kH zb7Bz}Y#aj2vdJntBW2}G5rrgH@Z;^B8TT(mR>h6pldO46VP^gDVKqBbxg4q}BkJuT?4=3!;gHs`3 zAGI5TU4fni>7#Ji($b5hEUE9yzxMb*n0l({oH$>a&uN~)>sjsA5;x2-X1gU)xmgxF zJq|<0@K~RcLpj>NMLsOIn68gg(G_qcKABmqF`j&GgkH8cn$;@Xo(?2Zii*(>7}hj^ zhIPQLp3gMSH|!1ZL6j02Vrv*wb6zw{l{BFh!oGNkq(aCswpR3c$(t^gvk9o1x*J zAu7|&Vp62+7GEsO`N|;qz&M7H2^L*?M#kWz*C^%{Z<-d%`O$numBkM;#^hOsy{8mO zB=0sm_}U*(0c*|Ueh#kmo?)8~;u9Gt=qoMoITI_yGn4FqTt2JjPYfVqXKiNd;{avB z53r7k0~61)@8OWCs1A29SHrS%pY{xGYh{>jjF`VjVK_MC~sVM|KB1eMMMVQn|q!$(M1h~hnTKbWzTCt9HWs*{>WSGUw zB!U!ast83L=UE!vRp;&Cv6zZ9@Va2sbu3w&b_G0R$Xsm92^K3agSgw#n0ae2GbY(K^e4)z#F`)Ro9)bI6>?V-NZ$2I(cz-%d zZ~#i5sz!tcx6`|SbE|llV2iTYi~FSrAZ*50Va$2e&J^KIiv5#Tnw7^GMKax)ahOx@ zT;0*oV|>5GLZlMe@q^h7j}sV_-^~1+|Q(Z 
z&{Pn{`;yZB)W_NDc$ms5zU+STNx`Bcfo$Au*!COD`Ar;!e=_P5o|_h+GrJao9jpKq zinC4OUU2lXPG^Gx*llQs%#o|xMd5WftwPi%+1gNVm6e#eI?n(NTUYOmhZNQcJ<|xKIcYOOB?2 zmkM>{?}q?%VMh)$>0$|OeH!HG)OiY6EKlB28z{LjM9o+g{Ao~l}tMkf6ZNKc#4NLS6FPm>H z2C{z)=SAySp~}5}%Q6HqLgaIaEAf~bHoLJV;=+k|pnsVnR7ae)HRXO?&tN>0$}KKkq)HG)z5Y(o_>uME4%zU%7HEZ8Ely3jhZIevtpt%3aW)a#}jIQ7&QkuHE{AvbR7c+uws4NLbb@<{#&Dtl${d_OOgdgP5)a=K;PoEPf6dBQ1H2Y|3pQfYm7RVD!cZi) z0&>nP4#8{RBA3W%s=>MlY^djUJtX>*im(1l#W%3;D8Be=-I6;l3-(Ygo!=Wj5n4ao z`89)94dL+7SF}D0d1hSDWCi}kH=TvWwbQ9S-L0JJAsYRZK~-lau}nWCSG7H4m;^t1 zfqB~Xx~jNs%5(b#sSBM1rRs+~WtA=&91F4ywXq({2gWGN6o>Y#90-IS-ud~ANi%tK z!0@M~d({l%NHHn2+Mbyrz@0=E0X09^28;1{iYkM;x?K9Te#}(pI0Av z`>{X0|0nJ@lF&>WvVju{Q&#j3B}Ff4L&y}5q%b`G74M#Y4wB{lY&!VFTz)7bTd(f0 z%4C`nX(SVwNYb|)3@^P1c+Qgbtl!7xq$qCe*9OvwXQp!RhUwD|5LD3TJd#H5WF-ZD zQcZY#K(~7D34nRw6ZRRm?mi@`KYV7?>=j1JeU`xAso`o&n1hTn8tX*QNAy@M|FVZ5 z-3)|64==I?li(&p5qCYW)78J%*>$ih4qO)skS*Do^eYG=05qQ-B;SgasBumo01#TUTpK-!Q2P?;`1`q3 zV^=hTtTQiDe&<7?0q{!jv%s)Wv!G6QLGg?q-TOwonMUa*F>tzpNb0>3X4u z2oX71!lv1aZ-&?EOBtCP3+ya3g}_n{Qd4+rARY&%j0MOmM@9K#w9O^Im@xcd1`7Qu z!0m62c+BtHR))SR(;m3-^&kmle3lIEwm2)k?DT3qpJQYng()J<=D9r&6Mil_1|Evo zPArtQ79{Z2&QxznGx=6Wm48dw|Ym-(e;np6O+MCAXvqMgf zsl-vM9&ZlMZ&z_U><5gML9trDe$AE|{(cjUv!eH%>3bRCTX%-A04bG}btIU5JO8lm z)_i>~d=oSp*%Kdz(v7fh9~v?335wHQqGdXCeMCCMH`J>#BZi@;|MDMKdn|rSv5Jyh z(v|NXZnoeH%wSSb&pEkdOVSk&kJVh;(BgSSrwU@B>CuYQO)_o|4GOaPF&SI_-*K<; zD1|abn0G4omxfM;hll-*oqmK;!n5eMgkPD*l`a@^Gc$)O22Tg#3Fqj$28zwE^+ff% zsFT!j6yRuX#LZT;m@iHqB9}bD z4MQ?L=Q^dfn%-1^ax|U)JZc+$kwTk~n@tXjXblH8Q%!OsZ>M8ADb19VCuTTw1VVXz z@PDQV26=5|WAYWb$Pr(mLh7Y@!^&l>Q`P2_rUTIu`ZPP5@RA3%^A!>^wN97h zL*;BxZnx0PQoYExB_+<{>#HW+F})H!6J@RIKW?L5EftLnnV63x#B9{9LD8I6L zfiw)PSIuU?pfimZ3!CK{z+J008ZK{1EJI%OPmTuB>FDIz3c0ll`3{uq3_7n3FY#Dg z;ucbS-D!mt33$FIsXbQ8?if@Jiq4H4)_bDkIQKb9)}RHPBdubEOws84X{e@j|G%u_ z`$_V9(CNq4g5BLD|D1Hjw<8cdJB#2PLn<0HnFM#XoW;uxO-!{v|D%s0P!Y3?OJMIc(1KYC=0X+#U#`Ky*U*4H47AOG(-(V$H zQ)oQD$=eO==VW@)p46yL90C&m)?rS@H!|i*y`<4~ukx$M4twy>BeOA;d;cR(ED$(Q 
zk*9{zX7Yzp(KJn1Sn$3avhq`bFi9O&jvz~UxsApwT8&$AleP;sxU~gBoj|X@DyK#V zt4o~3T#a>lVopnS+n9c=w=yINgcjl0BVo&z-$g$b>IZ}a84<>@;k-FhR~gMWdtujs zcdUla#|aSeXt}Kb_-GhwofxYLe*Cn$O9=qx(R`=`#Y~eqaeDo`@pSk@DX}G4nexUl zJ^lVK=}ek-q?|V2G8@g$?6?;zy`w}QJY$u&zTzOYufw;NnOF-UWX*xB_Gjae^=)k^ z{gOyWI^T(QmqXM-*MxxukdjX4`-VwZ<4xv0Ha;vmHB`-XPQh%Sn)C(-2>%yoy>W97 zo5pP?Ao5seXKgR0W2OMsL}#%>YD^<8gqv+JJ2!Dz8UElIY|O!Pd#q0PlM@~da7)ra zL<$>R7Sx*ip1@XXF%|=8`x?Wbcsif_t}%4>@MO}b#(MPBwn(GNKU1-6TRZo@>yIz# zq>9hq`066_cL`1kR96^#r0wp{gKWB9yedZ&s#cSZmw`1I%=&*beQE+I5$3!{WvXbyL!&X993i6R$THebtHH29d_N?gg~Pk@rwE4 z2W;1XJO6%DKm~iOcT4e8c1+Z(rvbwv{aoPquAC&fr@B>yAeo+@@wE#p57TTb5eG>?MF>tdvyPPULW~=v$?f6skQI5^~$g zESat-47oLv&h2>1b!$XoqjkHP9!p)w=DUd3F?Rp?t`PD#=0HS~63`sRm2b_s${|{2 ze&h7S&_!?(;^qs$Qci+1cLZIsy1Kq0vH$=&R11OUR^gdo)q@^;Sv>rE%X|r>w`c4n z+l^v{Ui;lM`G+!DCvlc@-Br!aiE2NzR&?e+736^cOk&lnLmuUb0pJ5qiofOzGb`0b@nlVnO~d+>JW_aHriS6a#p*?=UilMQAryDOm@+s?^bAI962d zVp)akFIl(N4gV`@m3hs3l-<-c*KagGt#>-`3x~! zgWNXqxpJK>Z(P9qTey^hS|a2_gh;vDK#d zehF5YGRFHlX^xWW{nfseIE4|QDx4jv^=Fi+JBr#r{eL)UqWvOa~9~?Qe>*s$X z;+5NF7uP(+k9J%Q$10vY(|>3?w6$s1*LvG z+nF^l*px{3k2%-=72j+>axB28QSyy5`211Ey!UCQiIJayz=7;fXXvLd30u?CZ_j2k zKMDQ?BfluFk)A)%pwf8uZ`uy_jUX(gp{&sbOV-MU3$@ipW3=THyS1Ex{`Iyz&E-ke zXZd|)r=w^3U*3u8d|B5Vm3~j;Crk&h>m*t?a>=HeItq|$($7|E?j=sL;=B+2q2PdF zUo>iXiX)rFdoc3l?HwVHsl#s|ES+i_(Mt3F2f^sE^aJf`M>)(>2A$9(UT*{EqzDkH z*yW?oxth9FPYJdU83TSlG%Q!E`g$8}eEUh!Kk^Xp*W>NqB22hk7?pZB(O1aOc|K&5Gz`xLcg*b~D? 
zv!t8dAM%|i%f^b`A*~0jsY1gEF|;H-CwI+^M}63`YTaDs9Q$@2D&k?~^9-;~%^|9xNJ!#COQfa>b> z8{pkK!DT$uXxWvAO^vn8@RjIqLXdFhY|{j7E}R_mU*zNv9{yy({T z<|gm;6{6(PG+}RM733DX)w7q>?%_6oL*!NO(SffMRYk`Wd_%GHF~t}&+(b7`Vzkc) z(ec|OqLcZUWZY~z#q^gjjX7ChczVKaTs_Eb|I%|nk5Q}OOFjPr6nEoXJar~dvE1O8 zWbeI=nu8pIh)pG!bW5X|g2M)T{+r`Gd+<}Ex3&p(!aOUW!8DoK8oS}xi)7#3vjp;) zzwg+4p*v3+POTH^n404F8t$zo9VJ*yr2%BPo~TbDZp4~rJ?CSm~uSN=7Ydw6noSx(eBw1otT9n?P%61 z`RKFo{v(BOZ2mtIK7M##s=sV4a~9L98E#Xo`Q}BT(E7}%^t&>x(aIZq@*V81SncGe zwl;@Hu?M_IQfj-??(aFxdU7^q?al)(9uldHcNSUBIOS=CZB|*1N_uUqXs(amPbUk< zoVPwQQdwp?2qrNf&}Ua02I9!i_I#t0a=nyKmt>~+;Yhxc5(6E zo6}!0jo(m5Nq@b(b)63ZRZ;?tzL}4!!T{?UMt@6mjEjvwLs(Cy-GlOr1AId1(&s}J zDWkdD&a_lwr3uH_*UAqYGp<_-sm${(#5|){ucxZ5uXsbXA(2Av&##$%p2v(PWcUmL zEe2{#;}fN|viSnbQL_;%DLmohNS`hz@3m9go>Z=e&jlXiRpCU?q_i%xOkJc1z_RMy z_HqTb4ngrFMR82rrYVI6*|g&xjd^(~tsI9v{J^7y{jW#6pZ>;Z5|&E^9{n`p_vi*h zzvUw<0ylh~&2@z4*i|5Ves4#i!P2=8oz86W{s{9Su@as)yOiCUBSs#uHt^OUg*iswX9)p*ac@bm@_9KvNJ^=V7ezjIsi|FoQ zS1)`kAX8PawRz^gJtL-FX*x;-2EgbB;Q0EPc+8R1;_!9x9B7iQe`Soj#(BjxKs6o7 z?H#Ik#x$;wi?-FRRjn?H!&%w<0O<51$M(%&AQo*tTb}og`X9b|I3*qblF>M0{&UUQ zjN!4~v9{50`2Pb2sx;@}L3(AQ7V)fE?JsJIkJkpY6cRNPiz56-m)fgd9vKRZ>5t{CO{nQFZT;VZ#VTr!U6nW}NpWDn(~j_}MYbZ8XE*zGjV6DBLF z6v~rAsoJtONi9VtO^iglTET$NyJvc*^2bh!fF`&dmOQr4=C0vV>-A>a3RHYb>9YH_33bXv zJ|T7YA8Ok#pRoVEH=a=x3zwW-?_Fc*36-ApQ5@-OYLUldd`Eypa^!YQIP zzzG8LwH3bgmLOL_TFA-#7)a^$#Z&c?oN5FN)$bzs1)gq(ZQnAPmc`ko@S@rKjP>A? 
zz=YiYD+lttyp*2Ti!Cmi&^{RG7phuGo=+?1>?sb3_sD(xO6K`lW?F#9@*qJKJjk(K zHfGUVbvdFS<>ZLGNWCH4@b!V8i#c_BA=mJ|%r>@d5~@AFt-#>mtR^g65@fR@T5#p5 zVlJ@Ho|8Q0p=1P!oPFc8&H$rsQ!720LU`)yQt|}%zttGnxHhYj-KktWVNVjSkbe5i z)#5BIb1v)yaPUag$?&m@kmm-w7r3uvISwBA_vZg;bbe5}uBx2%pO)EYzNzXI=`yn3 zA%U!&=wgP=9}apq_t2NKA{Eicu~dm}er>Ok%ZE~U7Mic~p#$+Nj%i0a^&;hkwe;^> zEV?68j!QVM8s$1NIB8|}039!x{StLZL|?!feM%+*hLqg#w7+FMxjSDdHMrm}*yuzn z1lt8PV~5a(@#Q)SujJx6g;(=h*KP0_(Qg#E@ZZa4Ae z(GmDvvy9YP1i&)zlx}Q~l;)dplF!By0iD4byJ_YP=Cm(~!rr+3%9^D*qP+<$fnE%1b~%9|ABY+4`NAFm2=%Bvt^IV9=hz~*|+O1Bni+LIS95EOoSrjCkOQTVzG+9 zQ!W}+_s|NtI;}T;{!Bc&2djDy;tSzdmX1f6~S?g_iv9p z8C91$#?974SmloX?K*!8e!0>e6ToY;Koum57BxV}njd&Z%{`jUc%Ghsn~mL@K^q4B z4@f-5X1z)GbGW zm5n%nV@eBpv|Z}n2@qh`Euu*U!3_!rg_s4(q-%ukuEF1#L!q*@w@*#v~| zg#<-7G6~N&yC#b~VX9oHb7teVXv*INdw9qypiZ_XMx&?$cubx0lox+it)`y<+RpBD zQwU=`8{JCNI#?h|PRMQ(l>mXJ0`n_2J~D7i%sq&ZyO)p?gc1v1WUiZCn3uwgvc|NKSzKL zFd>}K)B$Rq$|<>yl(=0lZb(TBzh0xDwnVZ8T2d}a;E2vuy&qPyJ-snLX#nndo)z#( zL@+C;;PE3=A?FPux4ALUGe(U(K+84tR-63P@733}_*-OtG^2)0NA1(q*Bc*={(Zi_ z8IS)d(2jBsL{bwf68K1Q@yZ27&1+ICEuLvP<{6RDyYuYy0wy)cZE@Y^`-jp>7KPA5k;hfG zYph1u`P!V$#1#A%?A2RC!zK0DER?msL-c%c446H*%!dcmR+enKdXt&*^~PgtP3n(h zxh+*SQKvnIv0_4PdPAf<`V{?Y?^pwC^%olv$#Sh{A^S?+*V~ z(6nf6w)S`8d(gA0By%Ebt;xFr)3j@m1(k57Ypr#7u83@J3h{@|I1`(e6=QV7Bto9W z;4|s+DiZdkD~W4-%ZWWu1QNLA(kh%GCVdTx|=AD!rhBWW)!5UkA~W#gDekIP$fLlZeS@MJvEzvdKiM+1pm0W*jx z-RQjc8Ce@u?czS1OMD6km(TIy(6mS|_kruiNdJqm<*NWZinpz8AU3d;)&tp8+OXn$ zdX2_AJf1a)BXkebGAVJ@4zG6g2=9%O@$Djt>aN1cfa9kBI+}iozWgQ5FIczwX_cKc z>bD{3xf7w7g-7$MfHm9jDfMpIxhl6NF;AI=k9iAh3$%&aVW{_-r;uWSob{D81A;v? 
zU>K9GVQ3GNQwdP;35CK07oD&9oxDNv9X*>OUE-kt=!+3w4F?S?y%N8M0zwB9x$@5wdPh`Z z$-eHCsyXhM2sHeW!t-D}VWgnhF$Y^chyCv`QdZi^0}~;)Po}e`&R+w=rfHff;h#lq zby^CKjXMovnVi#Yh)dAp57vQ+4%e&s8vP{sg7QJ!j3am=T`70H$1qh7B;);; zblzB-$nN$wL1+@{$i}NlVy-9~zzCb2k1ZAy(5=P{+C`7Xp%u?_tA^$qB%TKQQK>cQ z4rKW#u2bf{|BrJxfbRdH?I(`;9_@o!{SQ7*I5_936vs(iw9T6Dp4do$M;}(wa}&gU z{i?~}O}N9%3w1W=Hrl(o9V;Rhdli{|dDNdY5{-cIRDIQnYEvGT^i6D~=kv~1XCf7L zO9^{kQvBsH3-!-C_o#Da$Yi=>=)VcmgV=QXxMG8X^Zj?`_h=Q4@BXV&lgM&4LqSPVDM?b9ej z^L{;}n`8!El8QjCth=g33}yf?A2r{&&1}mVD^wVo1RMr}i0IThR@#Q;bF1y_dxSiL z#(Es43f=|Uaw6$uD7!7ntbp~X%Zpr#hfz^cBU$44O6hrGSZAZ{Aw=`U6(d;35g%>| z{YR(IqW+i^hCS@Ys9l{^%8EK1@aLGlChrO&CuQoPONy_XK2s`^#(#3s=$2LS>&J7x?hw)pbTA(SGYfys~Aj$G|eqV*0$p`zUj(Y8z4PvXcidhUdv& zv5zy7h~^%CE~l?EIeL~<*`aUjSMF{0C!&A|4iG|A*amF$BsT8``1B>v#%(!RbWJ<2 zK0%N{f?O?TYjwaKp(K`LpCcZr10l6S07!00Fch>9F@s?ALDS+-a44lU`dfbif4{fG zhw#u}`qZ=2xIQ}Ikuo8Jja=AF%0QKNWsv_(#2=Jy%qaC<&PzEBG1XOAJjA4<(0zB2 zn_V*XR2nx==yC~*6KcBR;xOfSl~b%ovZ$4M=-o1o4%YeDOWAlvddd!ZKHI!%6LL#0Vl|WmT?DA9`Bm;rlnqK zHIGCshT;fa+d6{MmG-;ei)ocym^TeRCUL@gy&AmIGu#8hT2>_{*9rbDZ$O>W(QYJ$sPD-K2+0(qiV$Y&!>^uUVoO3Xb=rxvS3j)Qt`>INqjBhYa zSneU=chZVMeBB)NXg27ga@)*NK1MCGaBlfyKr?`WJU$02@VJh{HAbWpw! 
zwT7wB$_kO?JP7ld*BwygQh}i9Wz&c=!O4X1cew0h*p{tJ3`&a(a}`ClfuPzVV%Cbh zB6O3RutTSwvV zTS8CY76^nKp6pD!fBzNPZA7E#b~LVOO1sHIHZbG9E^S|JDW_dwrcODsU8%A*2_XWv zh%{|{_r0A2Y%AtHJzk#11x^#r*~{^7j4X~JaWd4V6Skv;0~`3Y4VDjvLw3y zzhdmy)jtLS-j{%9$`$EE8Yi$V0*k>-tCOJ{MC3ix+@;6O*?y74s{W)WNrYjgKQ`ro zsS+z6$NU1Gxytjv#O4O470#8uym3p0Hu0($^DG==N+GYOIOIbJWmcm7VAc?rK9zag z4$#jv*=)>L`!Z!nJzMu#&Of_Yvozfqa|>XGS79JkdwOlhl<@K&}a3+d>jBcYdnkk z+w58hwDd0YvOB-W(KBDwNqnhRK4_aYmiQkiIk)t2)JeSl&LHMyyFK7^3q;gZ}* zIxOiPE-AA>ZUz1@<3VNPyDJ~B7BMUZVwp_)Or}$@r5bYFf&6m_$ttWF_HI~y6oQUt~)42;(`>2WFK1%-3f-v zGMILwCZ^Jj1#nAD=Yy%vD$i?QseM&7RY))+1%pLR8msCY?*y{yH>iY6>XL5zZaVI_ zH6Y*+DurJSugYebU42>zP6%p5p^TAicoI@%JY193Xbmz_4y&r>pjb*)+TIPiJ_!j4 znKg@DWlgoZAf<^l4hhCjiNL)aV@{hNEv2pC4euJq(?y_7@`yc7MDRpyU^~SPD0Z=(I zg#e@1lyth|>|U)ws0HxroS%LV!M-2-0`IN>#oBVREVT-T_8KJ#bnDzRYYGfhi{+ei zFL=v0xK>=gHCcuafAQwlzl`QEmh<*4%B&|PF`7vY1<_Q=@Vls&2M@ozzc5A6VI{mFU-&z2QS#p7TpkzPa zGadCVAk&?6p~`Y$wlOWW7t_O7$g(-ivmfNA~j1!jmB?P zs)e6@rH84a+wO5pJAC{CGH8M6tB+3G0T#FcNfUiCWM>ji_4J8unXpKB01Iq zRG$oM;Sa#Nc3Z2C`#iT~`2jo3JDD5E&L=py|LZ3*{PPp@u%Se>atuEoPV~r3_nM#T z53dd{Z7GiaFqPVvsGjB3%^=0*r~bZ(RLwu7c+##NacT|0&%9d>X)$ZLY4zcM`vCm@ zbkE-41-H^eoW+9!HWCjl3%rK0>9Co%%I08ktK|*in&pV zc7Ol>{MCO8b43OZtmrsgi9`EhQ{I`&zy77fK+i1iKw~8woC>pFr~M(RpWjPY{2DVIcZ#5H0c(M#k$M*nHxrw1GMQd5xV9rqH1q zna7)lhKoTyI%Hk`YwSh$;zT|WE)OQ8Ihe{RBvZw{GkNvo`i)Wb9>EHovw2kJw!VNOx64= zl|FRhOn?#6zLV)=WhhSbPXz4uO76OlZt=qVt=)P^s_5>LVVrnCks>+%3f8AoUYk!p z_a@d?oLq4?>AffMi_1NTKQ`4$7G|2^A~zma+S zp3c0CSZiD>uwMC9cMJ`|WsK63iVgZ;m-(>|b+gPnMO>sE(GvZL$HgIY!1TshqqNTd z(T9w-yM}m|VO`;Avsmx*(fuCoEq{vwc`-O9FvkEPSlf@Vmt3|;osC^Fy2p2K#h!Xr zcsz>aA4986{2zaCG&`o~DNWyLkP;BP9?{-7Urfb~{MT|&gZ@N>c!)herhEUxS6x?H z9RL-Y|JYW5r&aLamfz#9cqU#|udSDi`Yl4H-6^WCJnN+M71FbfrJ`gav!x)~Ie;%alx|4QaicSKkm|cI(e?2@0 z3_;BWkUQGXxyg#zN&v>Z0~-={+P z^bh<4J5Vs_<-c$G`-5ooH99-!Ua%5f^;?4f_{u-0)Iu=2x{iA2} zvoFJM{`XTK0VM=_lw5q_0$G6#|DMU;ALdyA=V*JJ?fU=vzPo=UPU2Uj;luxa>XFGG z4F$qBOqS7q2Q~hY9$P@1+|8N2PF|Ge=QU9-S`q3y2H@7>l^TOf=JoY-|LnA>XzweW?yo&>dTEvUh 
zSzU8sqW9tev}=*h@=GjS-28Z^i_Fc5a*Sc!><_8@viL?pY1xArxj;#PR^T4y_DB1{ zC(~qYZq3xujLz?6Vre6sLO)bYtbGsM)62l|`s35@ytxkj82Q5Ia_(-gE)|ODa^D;$ z1Sk;{v@hUtr-w)-3alxw@d_auhI1*Wh4!6O&^S<{R_^&7H_Uf6qOZ=X--0q8#-)5d z_u-tI(w6#nrYGH}(4IHlZ85S0gpSXHjEu{P+3;!pXes8$s~`=Ec@+a-HlyEqtfIxC z?nCD6D0guRSc+<`)l>+1gSx}XC_@8~W}dJg{u_Bc0Sen!^DVTvuPRNt>6u?+#ZnD~ z0SuF`c~ul*%bVvydlHz~oZAO{bp>i%=L(BnkF2IB9}q_|(d0-z%*~O)VLCQI?IU@k zIn4T~(+|f>XGRbF51r6RxB)JeSO)4>FhyPkg->3%*Ie3E^*$OAC*;zH$qxPf>He|- zdxUSDIhMsXsCV%2O@uaIDWr+j8@z7U8Vg-v!A8h9@ z|57Xao%4Ea+jX%8k6DWkf*qZY*PCaNz0J`9h6Q3&1^Ayu#($%|KL zwngX>Uk7;#LoV=K=Qy&W^jnN-`}Yti1@>vI)7ejH+jTPp_I2e=kvv_mki$Rk8`kt@X&tjuGhv$SF&*3rUn4L- z`vOo@NMnuSY73@(HUqzyL^qAd-Pp1dF(<6!>Y!h^T-)?rDfhpd7fd8(c znOW_}7Ca{`26rs|EmtLg|FjTqp2#|R7}Qfo{sndCeee+W=ETr`Ic+eOS@`Yi@Urze z5EZ|$5DCWZzbuwGJ?@mZdG;Q4rnkn!b`p1d*EscOCmSb_aLL`${u{o&nf>Q5m{8T5 zZvwHN@$fG+y|JCOpE0bKLV3s0$f}td0Ig|RS#RAhSLeXV75o5WoZ9Gz6hHR49c8+J zyZC_2jMY??@}fCJxySnmNh09Ns?|+5o{rI7@Td>0QRtxRv9qimuN+Ci+reQ)CE|K^ zW-s70e}hGbUD0xN5C@qoGK#cK#d^l1T#xlES8TS)-oGV{>(>QNSH~3G+r~O=7{zEu zctAo%e3h`YdR=20h_0|XfrpL`=8GEuXM#P;6Lbb1b|1={`@@);FWJ+E<(!vPah?Up zfb7pKqhykJ8_hUl=IkmR2b5lPzHJr-LaKxqS9fto;l^~-{pms2YFF8zW48MliS&1? 
zf6wjV3S41rF;VlIp$e_vA371>`fUDW8S)v=cms1Ln8H`U)FL$&$F#YR4aafFghcT` zL{g+17v8xW-0$D{OUkePqLyAmiKq_&xMsqjcX?LsFIUuLj?EW4hmdf=cuym^dvrL~ zx2E9S-ng6zgqt$|a=~MX^|jA!GJ4IN7G3wR44O*&ugCmyMwFOn=0_gre3nbS1O{yd ze)nMXG~;Pj!{VXi=Cbp5!%^9WHIgfNn5DbQANj#X&cHcwz89ez?DyB12)P#tfOKnL zPIR{~@A8L(ym z^5LhqTy}BcdU{Cd|!vR#F&0hAP!Q5m3$UFHNsif(X$-kMU=)&JJ`I4q|G6&7; zS6?{z9m>~Ap@^KmWKLNkmjP1HE0Q2x`0ta5O{doZ(Xp{JOyND}p#7f``v{-Q?y2ZG zalRBp1|UlY-hp#*_$+E^bMH^fhL3}9pAG@IjQA#xPU}v=Sx#?{yXRZqjs|s&$a&~kHs`Whs>}GNN+B5wmhPo1fN&Rgh ziGoC{3-xaCD1q|Xyw3xtZ_0F(& zP%t5<6J-UAc!fPsUNtmzH+hq58em_U7@(XTbFg zwb@^3%YBw>;rrZXxKGZaAA1)s?2r>|bLJk*x!GxxtUVn(NVgvEv`)Hd!OQg(zUiEk zA%cp`vM>o7G#s4(mnug}$53Y#gcIeWm`cpIH}LXTl_p%3eR5@Js?AckoKE&Fcf6Ks zPq=XVK$rMmo(u)_IfcUrx{1?ai#zB?$1R;`>rRAY;Y|IpwJ%Kb70|6Q4=fw^(cS~7 zuhcyjZNZ6bx_JOcMj_h}%4-Fpx28I`%R6Xr#&RO8aShq=qXf!UVH7-D-aDMTs%_Z) zi-G+M-ZST(FZZ1LtY=a^Sp^$d7#VZ+ah&x$FQI#^rumA;XD2KlQXVdNT7CG8$UksS zTgr76GhA(Evg#1>7G#LtnOR53mv#-_g>CL8STAne30C69-uhc{5nTYV9al}YsMU7s zUrAI_3LY0f5*b{PLOmA9(BHdf6)u-8&DHaX?oP`xIvU{Im`MipmKVb4@3QZP;Ek>Y z>gWL=zR`7lW(so)d8e|tqZP*jb_xCT>1~gD{3xfn!q6}cY-mNEB+kLdMbGn?o8c)L zRM=(fe#E6k^{D&`vu1(vDpcd#9CigZmz>HNZ@a&ziJ4;v?osrq(HS^L2UmzNp&j|L_;+6Py7PLM>l)AS9HQq=n~ z_mAJ(+HxH(a7DDYJkNV)r>ec-A~Noog3b`nP?pcE=Q-Bk*O(i zE}Gx2mR>YbAg#!2!TgK{SGG*3N+;9%-X!~U)eOc)UJpp5agYa`Q5niYvbqHR2Giei z^E&$Zd;z9ejM&&%fTGvUiKWj0`;mTfxFH#Z&%k)DTS=9lhC|LLN)bUMW+MbWBjtHN z97o=*FSqP;owBSJbpLXUnCe!>hoy0#CZ@K-4b) z!0H2Yjj!zpo27dD47pxfh*X*XfVlEid2hwl7kV9e(#XbVc^p7!y(!`lH|x)O;+dSz zj$Tf;I6o)_nD)ZBy7jU96s(28Xo7p0;FRsK5Qq%we3l>PI^n*+uqNJRcmo)a`MeoF4)#I3C5-=cOB$yZzTbU zmPXG#0{zE`yX0eQnBL_GTIBL9#C-VJ@$g}oXSqgkJd3v82tiZ?1b3zBEGoB$_wIR; z7yLtgS>j1C5dRm5<(TK%zS=NPrL!$NK2?Y$9O!hN=DFw<|$o2rTCz zxj;-zXg5G2s@)`dGGI6k(yrYa%~Doh{y8y{_X)gPe#OtT*O8Js;&Tbl^*i?jzwK?$xejrJ>0q+*USkLPVo;SS7u<)Qvkq4B zCO?`{gwt&jc`GOP-reyEy)?VfsrkN(3ffHenqkr^;p4VEX-Xo6d@iOBfk8@j_n<#F ztGE!MaafaA3}Ak*#BWTqU65cmLb$0W&(ENzQ|_yY-55sT*wat8A981U5{gB!Nkn9Y z^lErMJsvv4XE}P^qe?Lzl- 
zCkax5=87+Wt7I${Z_OKwL;l4Sc4=0ao*sS~;&D*ul1>*d8x{$YpbGXXSXw3{SEkfb zLIy+6aC9r)J@eRDzxR~Es?uS2W`3TXG4>n&bp`=MJ-mO?PH!P58?4S>68DsFcXo8Q zMGGmOl;21HYHbNpU9Hoz{`KVt+m6GqV6QztOb&!NqbYh zlX+ItF?kj+=BJUN?ls>ljrWjZi_;w70nqihFU4Kj25BHe?LF9yW22QB$T%@hL(LUK z?2dXE$pFrFYL+CCC@suj@#6LY6JWhgg4@?2g>#NF+cq3eK)7>^zq^k@Ow3fen9~** zv4Yj~L&%oYu>1p6jie0qR9`0BjUL1&!PR47nLfO>)g@{z;xr!XWBA11EYyxmH01Y2 zqB=vP&R4mE_k?300!zn|WSoEvHmbAUCYJs{zp6g8-cg;i*89S;Yq`ZyhmQ*8{IV$qh~?)>VObT6bo6L_9`DMVlj_rSqzDlr-i}@WkL9(yFL};j6Tfcv05c{! zCJoE0ZY_3mdW@hOT_HYH$IxMgVG)tD)9&vrk#&*>!B47Mj?hMtn6+5R@e7wV^?!F z_mm&W^JL(Mt`guBrLkfK8@hzQ{sSqwuX`Q56#KTV32OmEknP#$qk}S(D7y{sEo5V% zm)n8#_*a+e_UA8mA`fsC^FGJIh$j<2=Zk(5-`6`uFDu`d8WXWN?4yWlno`(H)XVKr zEn*Dr2q(5lqF?K1%weM<5zGgsHKd8!5Z{UHJD~bZ?p0(NB`U>-&1iGbz_dLo18%0u z(hJNQG2Jbn(5{I@Hy>`6=d}yIj7^`@`!LmGt}n#S;}-d3dXTvxxE#!)A4hN!#*O1c zMbAP??nOf`cxhA7Rv@GqMYo}F`M$E;EXa6^z320DK7gcNj!*@IWW!DjNX@=rHtc=_ zWF(tGUm>n4g+=gT0<)?Xqp`$q46?Z~Qgf;G!-W}tkA>2_kBn`x_U@HcCn$C2qu>}$>gfFuB zMBFWK1uf`GbHVdi--vFoVgVYO6Ou%84sD(iIe!CW;Rb4|42!nKXZ;G7=`w}BWLL4I zTPx6;`r+emh^{ib(+IhA5fMb4$${R^q#nRW$cHv-fjNLL>e@|@%i)3Bg;paRVDoYG zRk1~x1alK$^0pKM@I}KoJ=Er%dfoj!@#Ugyu<>_$3f9Bv)i-+8m0L1d#EsWt;X8Y; zCe4XwwVwu@&cAk&j36}9Xl=(XrH}gTOnAw&bBnQM7#OLeNgtPJg7sP!eMR4EcoR2E z@E?FK=ARa|k_fU``}=2oH~us>lA#6J)pjfb0EEoTcL0nGd%+xe0Y;GWm8YIa?e9sZ zhdVkh8pB*)lPjJ?HhH|yXN6lIaM*vRt2RF6$z>&36L3Z4YSxSKTT~byyePRS=*=`erh!gI+;0WD`wCjO-MCxFt>-F6 z0^h9$qhPtP3!PlR9%k&QE1r$e@lYr6?^fDvjo0Ux-NgW=ECns|6d`(uT+0me_2g3V zSaCv!;HU;D2ffGy3JTU9$xzP?8SIWGc_k$^l6hgzGzs8Hy4FxcVU=4(clDhYUKV1D z?!NR^yN5;@zb~1O7d_plU{SxG-Rxc4SV2TjYjjk}dhsh2V+da+)<>$}iJ956 zHMtaPsw^BgOe4B*MT;n#TO0rz-6u7)BBYUn6KW{-laCr+S45ef+(V>`FC*|NFcm(T zi=~eOGhhQS5i{8NF3Og2kfmHfYvZy*`GBzG@OX+sC^M>1qWr=*M3q8kU{Ii3gZWav z&2W@}h4h+g_$SbQ20F|yNhMK3?*MG$B^{8Y#6sdl5xUvUDS5SNwia;zIXDZZ1@%e{4H+ZcrXKffVk{Qwo}vKAo+6Zau=ZZfD7;|&q`5I= z?rTTeS3xTEc2fT_B9zLYz(iTeilVG&(aCb;}UX> 
zs@&Fw<9VwE;S$l8PBWsZY{w9XN9gC8yCyr{GmEvAa|x$^eCZRsn?TZy0RLV$yTKgG{iCQ|zaZy3}Y0s0H94SRc}~0(y$n&h6VmUCh`zP7+nlv2vO=#8RP% zSVfwCw-lZOS<|};IP&@>Zqgolgn~;^tvc?a2)!3gbdo|^ zcfISq(vXo1xZrZha}{2a4HFFNvUZA6^->*$RGyN=v@)3lRu;8ku#P5w+~)7TGCg4d zSxL=-Ug>isP1ePWmBCbrR37VS@%}xzmJ=gOpQ?5ybJnNDF*b}g3lVqU+e6cSM$n%~Dn9k; z+w=1j(1ea-xp&eI*?Eme?kx8@ndI{A##e7PVQS^sx`I&I*LNQXGm1CW{3OKV8+{RM zHbTeE%ekl=LoNO4sPW6Ys+QXzm2eqm8}}a%`Qa^IQiQ=ay_(wE2lZpvZltoWCf)V? zlwBT{C{^*;*J0K8bCkboFE(3?ozCp&oNVp#>zCReUM&IhELujU*07z z54)!{8OC}cXv~*w$_nonUm$?glz#_-6I`8$C$j0#z|>Kor<#_0z$DGO`(lM7z1wuSHR+G!JHhJ5ufjZ@z9T72Yk7M0Gb`M{wI6q%5jG5WNSO6>4Ik{vqd<54l3>np{4HpPxM^SfwhaGyrO(MP zLDN|mSHR3}@OVOw;ONlI^$C+fCT6UaGWbj0KIK@+8{Goh? zSLE(WZ>Od_u=F6sA3s?t>}hT-s#-a6H?&ylM^VN``?T@s`!|8e_Di=kn(>iVYGx~8Ta+TvEHC=d5iXjDSQ`p6~RJD_0m`y_CMqoh}_WD!@6_`h>+hcqWh#m1LUGq?@zJEB|FM3F98wvDL z*38oW)RFynO~wI371mX2XG0UqqLk+y3I$W6agp#MgqR9 z-kzlhBdFnQsA%?hGU6n16o& zFG{D6b|#hbA~X9lY+3med*l1dy0>A^n=8W8d4nHrm=lM70s2)bZ;9|g=NcRZ-HSDi z%jPmJ(PqY4tC8Ds>EHteOtaO+pJApw3Caqk`bsMNlrEEx-)#ppXn5Y&qy~Lj!xMC^ zd?}z>q%!=RJjXj%n-iFu2WVeGWA1c=r5?+)$hHmA6ND$Z1M2s5F9?j}w zdUeJ^_ZftQ#7mA|zP0BvF;?S!`CM8UGh~KusC9?v>A^r8QvzFT+OK`%#ion%I>mAu zVu{pLROHT84d?LL^Q6$i9`TouS2_JzCgP zgd_{JP6ql@42Z0Mj-mWN++aw`|_O zUSWSHSD-v2<^DW3S>(O-oDe%FOYgEBp()mzzp$U^qd!Q@gT-SzWj?Lur@d{&LQY?* z-`!m8Py4puNN7!^W>5d_OTjGJdOBA8ZKGgp<6UNIP@;E7LPObD%glGBZMzQf0QID5 zj;A|vLN3{H>h`~)j+z@>#~-S)k$ROfx8B2^+W9PK=!Z%Z`(j?k z-v=(J*`d+LQKvsic=reFo5V3lsFs{GO3Vs*b$UAYBhwJxoDmnAdr(gxbNS6*(G!s7 ziHVI*$NZ7Mf(p5=oWEoi^h}a}OB<4*8^3r$rnj8y5y3~t<%1pQ08=1EE%CI}o`5@? z6VGZjv?|7n(&sR3;UeE3dwQf%)y*aC98@!0Re#msN}ae3@8+89nP6+?QVr+4Uw9J^ z)=vC#V{L#5nziOb`z+ek(0ElhRoZ;Z$*zi?_f@1%D)dpvJl)^H7<$-JdP)iErN83! zN4rDX=tX*yIp7aMx_kuBcunH>akAj;2&8j`Rzcc+XFB1`76^L$nlI7iMM>}FWFxL! 
zVMvYN;@)$O=(!T#f=_q9DsRC*pgtO*?mmlVRb8k2WTd{;ys26q8cIg;$rlU%m6FG2 zvv0fosfz(q{N2cbjDG$HtB}>t^2u^$KHcP;$-JCqJx`mEJb9pf-wU`;-HI!lkK#54 zClW#ENV*4XFjPvP!o<-Z%=GcY_-y6?s`g4>Yc(u_16%@}B&H>wFEXAz@aC+cc?Na{Q= zz>gBI*|cfIu!IW$2LATDAgge&rNE@-<;bCv@T*h34?z}D#O~jOG2o3(jE7IEx)nk2 z)jPBXDrLdNPUmp0lO9e;sx9fWeP0ul?aJPxWO$j##N&WrB!TU#M#yju-Yc{xdAV9O&4@58{7yntEmUrqeFpB4S~BP~xYgpu zbyz0&aqe_+*Xgz-JW?eaxg)Q)3#=6>%|yQ)0WqQb(*>(>{l#)GM68w~44awZvPQJ} z?n5Kh+A_FVaDno|wno~#Gh{S+c!l{}wi5d1aT!yCX^awf5RR5|A}6BPv%%WF5~M3w zHWl^Ha$*hi9nTH#JK-yK7kiraas*%LUsoaC#H21L0NeTAEy&%>x#Zuqa1OW_l#9*v z6GyMC9a0+9Chl`Wo=Kto4*O6oBh4>yWVPG(oT%CcE_pcKh(lfP3mT|+IMkgK^|r|b zrP@!BH;>_KKRsxn6yB7ct}Aq$$SCsmzxQpW?$@uyL+(wu1!mVdnz3yrVs2dJrhq+ftYFq%tbQuW*iGd;Uy}?P73;#?G%!I(6Km$$_sbnd z`$b6w*#%3tR-u1c{#ZROKCc~-Z@84dJ__wqgaSZ$TIA3iO`wb z@IGz|-mAah$aO}2hBpkhKBpQ!B&CRlaSe1em&-XImUt+a1r0{Gm)p54rc52d2jH!t z;IUIw3mL6_`C!bfpiG_(oTW(4ramVqw_LTccB2>^_c9iPml5l0}_dJMD za-Z^xsDyhzA3TrbC~3X}%T3+d?6ywo8+BtoUa7ip2DT~|?J@EX2!%hJ*F?eLaXql5SGkHMOn6HKDK+3i6F~yRUeG9vv zXK#Ic9j^3_I^7GW67#9uUfc(_j_~y&<5inqjyK#}cu!6YWh6g_0B?tW8N4^Um&9P9 z++zaa)EqdNoq_oktfs_31?&A_>HB+pjRZ`mQyE*EEnnAH%rUZh_n6nk!Z3kF-}JV( zM$b7Q_S5GJ5f*6WhLLd9BB=@Pbnf;Kxi;NSgOKuC=x9y{TfK9N)pYpmW8pkckfyYD zdh)CgydiVOhC~&Y%RN~U{d!==sr*de`z6cdR_%|bGC_vVV5F0BsaB0@vwWxk2CzU9 zp)9!{#s~{%W}rGtmYx;}T02ardyE4YlF?FcnqTNusWR*D|8?*{#XsIDI>u(>r?e|; z)j`UD>3u@^{2x4jR(+1^-h?zz+|1$E!8k7Ab7?5@va)^pu3CAfRvC;^9&HQ}qIV7E zA9%{XG1n!V;lRl(Jm{4T<~c*o*c#oYr71F zA^YK^`IRd_5SDp4&?5CAr8wwWklOSwenP{(1MkHAje$-7+&3wusi&o^Lk zeoD5#EeUbkdVGKswEgi#?VFwD?qPQF@By*m@R!qSl7wuJEqSQzC=WVKT9JPEflXdF zS;okP?o5Qz@Mh#gDTqyxa(RY;K88%H^vBl_k8F!iKd8MWT#lD`-A_x6`?9D+wlh39 z@7|X(%T#ZWXp`8*p`)oim(>Dn#j@mlTj)pDI#`uS<4|0tY1e=BH`8=OBNja$C!n*H%2F2r|8 zg(Bfu97l;MJXt9xl@azRXkD#P*w>*jY| zaMRUmVAOIMg*zHgrYDT0H}#ROy?H}J*z^6|7GGVq1w1UeZ~k(HO4(IFlUEsB(x=E< zJa5C5SJ;d56Fe2{_e zwUZ40<0SQw+ul>Nd#gFyEEik3Hujs=Q`JljXee^+nN5a`?$7P4>Kr5?!}~S2#xKYR ziic~?HmjtrbKb=*&~z&lk{gwvA5k)dR8J5hVA08> 
z=G%coJ2wq$ylZ&DgR4~wb(=Qe0>^>I*2ag2IJhEiunQYhaPd}fk4-ME+&)T96C)f{ z?r*H`v;7RJ!O(l?kFE<%e>nJc0(4rKcVf-8o~uN>&LOXKGsh;kyI&%xDwg+wY1dBR zNlIwStnZMVgzhA^RE&NWM!3S+KAtl|*!8v7L7X$e2K4r_XHubKC)39cZOm7s`~qG# z@}}sJdwboG!bTJ`7PZ0xZ(KjOd7^b4IdS_#ss1o;?5dHx01dXrhYtvW_xHfFvD;}0So4OZ1jlD3A)Et~{ zh9fJ?A2_c}tp=WgPP+Uz{LypRiHl}il~34-^V>au8_l%4V<$3!dQs6EZghNViTQ5-?!(*(X$NhxV7UV~L)F8bri=1(pA3lBEp z6ZPZ97=$%b1ZtXoGD?W{><$r!gN`8DvwYJqF^}u5JZSRpK;(v z@AA607jXN4E6-Cm4sG6J+>_PZG6zpJ)y-VUoTD8Yvk8Q%b`p)*ua<>wrrdCb^_j=H zz}%=#$wA0u+gfMxQ*YLbPwUVU`D-0%bY?)$n2#K;An~AE!9_Chj19qW zG&4ZwOwNfmk76qULW`<}H5~OsS@$JcJ)4z&6A=~GBVQ%qfR7JzqirflShH_QZjQ~o z(#-`=7QD-qX|M{l4#Oghf7PFY%AU^fmh3n)A%qGZM9=Kb&t;4s_zqbGB|pMNTT9^S ztR2o7&6o;a9)uIU?~9=FUy?ox+WNqn+EM9wC%h-|a}X_2g9#YkYU%MVl;iXKkgF40 zvHdeQgs)Ql%3$++_E+Ad0%OTi&ec(?DujnTqk#(XUM1#zUQ-8=?Mu4)iGhO6;3Aay zfRigj?d-4j!ducgrTz!@xVT~4?O0bH+m8e9$}v2RxpEAR-&!v&t~ z`6JKQFYvdlrv_#Q?`?gU$OpZTB8-u3EjShKSWnF6j3A{(D0&dY>q+*TVA%8uK+M50 z8NNzN2I4pTc3DN?Y^ZnOmu|ic*?t5z&%%W z$GjV4PwrvYhGLV)KhItYI)@^>_r|-;e<*qEf5@kpO_lcel_cVmp&5Qw^4sT`iY^&7 zzwKO_L8H*83y+R{_R>L#We${Kb->LWZD6z3l9sdo<`;smeFrJM7$Mv@-9XOHD0~1qoA*jk*)KW0X99qN zKO$x%NvxmlHyEL4A`FuA0Nx~b%oQu2 zqfNzcY>^i@z4=j-?kYbS&WYH!T2vU8m;@+CL%k)6_if)?PKcuCw3|H+*ex~hgyWEM zyr4-EO#L8ri|Na^6Si}(Zpq~#Lhx{4Ua)Rr;5Hhb13Erx`+fSOf4|u!x(HYX`Zd{i zh>vER3NTTDRP)OA`wZMSb6#tiK4WK;VvB2l)Z55-;F|A-oc5{1JGYe-CEwOP}JApT#*$GVbXKMU<~P8(A4Xw_Grrj@mSl@d@^>%w)=;u5l%+U zo(5qj_Jw2t`XM>o^%J;MLk3-JQ)}%W>}FJDTK~BVz(C@USgbUK-4QmNbJ>gFN3&}U z6C462C+~gp#N4}mgPxUKcBr3VVy2j*&?)iDX4YN=Bc@E;D*lr$df}iHN08BI(rgNv^&<_XC#Uur8`fWW2B^>ECz9_%3mfZ(AAQVmgw`I>u<53(^S~u` z6C3h@ExkfBv0ht_Rv472XV=MMkN>rQNWSt9)8{d`gxn|fwav-roL`W)OAfNgkVM~VU~a=o_vV9lcj8OT{rF1egJ zTz18H{d*bqyZ2IXan3fex-2Oy`E>Z%%^akr5z&=80b2chUKvegz!m(#$hwrTLBB=; z?jdFzd`GWdLU@K3f%INa07?mQzaTT4&Bf95{%}Vt*J^?KI-f#R^bSoHN*^ak+ZM?&|w{vOHn|6n!vR8fho-DMfrFVFe*)OFLRgoVPq+5@_-EFNB zV-2W-%kP}6Qy@QKIu?9-@cWx}8grQMP)74DB_J zUwBukq|Q}JJ_w}*LYZP_peVDas^%;LC9O>B71mJ!9X5E5du^TSx+m{Ww@ge1_gG%Z 
zIK!Jp&Os#>Ct*2SaMyvDL^&=hVwwCfq>~(Hc=B>-Z%%2qfAoz7#SAM{nAr=qd9OHy z`@=nHx((5WQzubfX#o_cr67=7I&FJ-`@7TO+ex~NSxMYjZ-Y9PnK`%b zWNAdagq%fUgDvE;T9*PxKikGCI@2E|e8;YP$g9B#UQaxjt`-*7iIx4CIW|lj<8*x`6A0i4_mzHtMDAoDla~LyKXCJ*PRu)oE+s>Q>dlE3zt8yClwH|J>p zlaTrBE}Ld0wHpp)4zEovDx{zKTiNcDg^jV|{-WQU2b)iHXg#k6%h-d@hy;wPr|sIXKkCj}+klc20B0~2AxvZa zwNJ$xvi-!3@>`~hV!e_d3JBU8gd051hJrV~ouWcmV&H2mAw4e)_5nJNcQdH35*m`0 zaXN>+Y`-c8<@!@L!$VD@IB^Ha&IXJCR0qs`lohwtMJ;=?rtvgW; z)vB`-t1wyy#Gk{JWNKDYyzxe=ZOdyJB2$eMRVMYKmI<7Pv4Bi!U_2VYN_0%FxGiaV zdEr&26h^=%ld2l5psNa`t~eu;Vj)lL==@yGJa%`a#sqDnc*Eu(xn%5G#cJD6jWNf! zCmN-;);M;JED;yC+vbgrKi1#FCMIpHIC2+$5gwjk_%Xxu*jd=5K6xu~x8?khrSF=wiRvYY<5ZzAQ2B*S}nc~J096B(V$Jv0_ zU>{o-xtih5(S@pH5-6aRuf^Rh4ky;dr=Lde_E41Jtn5aBdZ-VJWs2&;wz=s5`+`y%;MK&NlbS1y+d(9QT{NT3$ix z26yNjkJpL%MndZN{(Xv?a&6SvMlsu1sj+0RH2kV;)kJBgcPBP|Hqq~UcnJ~Fu{_eS z|Eiokx->|8FRTh(T3TCeP++GJ~`i zIb(VM&72mA;Phhu*RB;o=F84gM9Q1>;v#xIkwE(gg@&10y?und@ zMD*4NTus9GMD65sj%7#ZiEU_rG~Dr}L;Fvo3Hv0C!8cUkw$fTG_5R~ya~i*5vmUf< z7qp_}i^Onm4fD4!4(a(FHW)K@Fg+Jy$kV1;$&}mVD5a-iMk3-1@cM0Ev)Cxl2C>og zpa*gLwN=b?&)8Ft4K*Yxxeup==s$Oy9Pn!B$6#DW9lhp_PU*%;h=yteKiq;07l%ok zgWw+$eU+%%=x*Jod|P)5^h^q3E7of9Il)Vx**TdNC<*nt&0^9O`{RJ9-%wqmw%vZ@ zGOXi*me`%QcIbjO1vd2f`+oLURz?HW-dt>SVppZ6>?egCxve~tt9s?x2EdVcE3W0{RKU5=cD zFKd1j;$#&2P7VFoh%)b(H++EJXJ;l@Ri zjN-S0;7tnG%YeE%P5E1(feD89nW-96I zgYja*I|KlmpYSZ*gd+-vC}lla`urYtyigP;tnKcDmCer|P6C#riT=NnneMycE5-j- zsfO{H(R~hs&v({Q;fx_Ucd_g!vvVAs+(??}A9N;Ck*l;v_Xoz1P1y=38yzU3_nTP@CNVvl4TdAro6qNoH?!vZoaE804Yz8AG?+Jihvv@j6#!uVJEosQ z?Fitqf$Qg^aTBW}*7sw)MvmVER?9}|F^s#y?Tb@(kC%Rb1w2+x!~QN)o2eyXEEZU$ zTr_5Fw03)R?sSVJ52mgD|FHMoQB5~n8>lFXN>db2x>5vDK&pVDh|+tNj;|EyNR@;t z0xBTVJ3)E}=|!4|^q$Z|QIQ@L2$4YG4xs0g_j|vy*17l3d;W2;O#98uo;`a%``OQw zi4RlS@y%`vnHuYiZWR8tXBfx-L&IftL{zE21UHdm$>-9~8WU(as1=MlH4HievqkM| zg(q~($L57pumkof@e2WA%}7ws5(t{f5>1@Z|1zZs!lDONsAORyY>i_I+7kd$mwDn> zTsXbg0~fB)C^g4NUPDRwW_G)3QyaZ!J2#s~el0tYp-O0n2HjW4=~ARJa3YNGebu1Y zHo8dJ(n+tw3g9ZYAMAV4v+9jmpXb+4o(9#P>)k&6ck{Mqw;8wwF&0y4(Pikt;u&qp 
z;&9Kd1nE%CDGx}q5oK2=vBEGJUFwi=!~99Q9O4ahzd-(8EWO8KBN}2`vn|}d_nrCm z*}&@P?V?wdoB@!#V%RQ?#gJiRz82Z7E^OVS8tID26MMDa;mo1hGV^<;;SwF-mYbV& zuf-A`p5No0#J`IO@-cUXRE2YB)i23`Vjo9JrpvWcX| zHv_*@-Mb0)Z(%V=-)vsFq={hV&w^v|8x@sFlLayf8+I!9!i!>MAVf}Z6gk6SW>bQ2$C0y54kq}TX7VN{0N#a_brN-QvjWzbnfd$mKEA^_D^eC=% zDeu~iY5+jGK)-XUeMUr9_gNH5Za1?-R%#$2B5rv`rh6Z(C?O|ElYR}LX!hQNx{>E$ z-ADnzpT@TKKPGLYOQoxWTHDS9HL;x2{}7x*Y+|jQ;9e=STJ@60{i#eNf~P6>&O5t`f_@C}fm_q3@B-7g%Gi)}c#EI+vx z+bv)JrCaE=y80Quh)Cn(pEk!}O5anhX9U|m3cQcMV?A7$MmusU_CBW3^AYkIqxVIw z?VhUU+p;O&PC#RSWY0{Mw2wn9%o#1ezh6zR^|MCgM_dsCh-|7umAfvZo8hRvsJuw~ zYD2GhUf@J*I*?0e%X=oBIXIqFKx1FYc3Wq_Wp&`zh}~{Gh!^U=t@WE&c3j4CK(ggq zM)*G{h*(N^tsrAG0+b^gjH#F2DlMOyY-Mnlt=pRv<>8YxR$|U7)r5-UR3X_*-_Xv%USv;RcriRwaU>IUdlMrb6q>?Z zM@o9>PU;9BOAb5%_vS0>aNZrM61YGMY3l-vY+{bk4$O>qAbmov0+%&+=?sfm+1{tN z01q+RH!=R)Rgb%g{lXin6q?tI8VbYjqk=TdSS2gLb;xI1@c&X+eaZ%|GvAcbAKVxoC57Ql}0iB++k9w++%`@?iN^mFnS z4&lCrGM{m>R~=jNibHR$BR8qMH`ObvFoLB5Pto3$Ug#oGco@f1bdlfvQ1OMx$hln* z*%?FD`tatJ(}Uf7xm@$7Y^9N%xmraG&Tl?fRNkvYur{SShFYo&uG$kbwc&lBpFv{I&ZvImmsiqQ2!@m|~`<)#`6wSL%rlvmm25!8O+r>@8lgSi|-i}z_xNCKU=TS-LffW@Un~6B@s6p`Cx=shtb`lWo^`>nKrZ@MKFvZ6{!~`aG5oM8gAhd^B9-Dj0Fzaica@;F{o*UT55ISXwi@P zFcR44Tuqd<`lNiJZfR!HeID*syc1@z_}#EFQ*(@bbG2x-6o356nvk|d*7X8oj#<5n zv`$?6gs(flSR=3l)`;akYox@lME;R1ZaTE>r7gfRw-2q*sfm)nD!o zp%3o6g>SDk?C#`^xG*oI6KF%<-;&HN;Yx5y(!_Vtzr5S=MVVK=Th&kojdGLtxs$>o z>BqLGuo2|7b~gipa_v;Y`FC1w=9(BuFT6>SgLOEEEWhuxljNza3++;%m)_xAm?|=K zi?Cf2s_7Nr4K`DoPS59yI7kXU8Y;*zxa6a+{FHTyZR?j`!`n1^nNu@>?C@BYBCTCj zriIE63eNTS#Vm71$q;$+EVL8JRzi*5xWc3QGxB6-*H*=!a9;+@?}+@Y?siuNGKf#+?GlVd&(8XQ7A>u92WZeFJ9F8T;57|r0`%Ch#X+M zR>)lc+7<{lhS0HhBu{4UuR3h4yEG`TBt!?Nn@jWZ6Ge(37#sH9j??Ut1*Qm%f8|5X zUvNzbstbMZ%)(5pJ%oWeaa&g?w2ELSJOe=xRth#z*`9P;NtucqZ6qXKvVQSZc!L4$ z8gHU!DA&@L#S(Nii-~3#a6<g*mYE9`QGbQ z+L_Mz_0^+_kh9-v+pAG2>b@5P@R3&xo?97{fGx9aWsivN=0lfClgIEhBRPw6?Ao(k&{zcH^s`ozeb zpufCY3xu*ZB;w=maxA=)?Rlwx*?F+NfgfWu3W@Qvx^$vn#nXPYWp!Q-fc*6 zi{uif&MreIDNn>jZsAIMB~|h6 
z@`GZ?>BzzZ-lgfm0gSByN?Vppk#amo9o*W-xDUhz`(`@P?mCU1>{s^CR+8DR|~Zsp;?6A@u`8?j77%me9iP^^tVJNjKWhSAF=jkD_gr|>XOjh z5p{bErvUo|!N>dgIeiMgqmw%)#>it*S>48{u(hM$%wO~obLWHFflZ9Mw z-G&$9ol|9-#IeeA1E;xqBU7KfU@hn^g~C(Vn$L%(sB7d>`xUHKH)OFV)U^vdgnwk*>KlHn@f48@JW^}HP&GbAm;3GdYzx(u)*uIMy)hP!TLlSKoUk=IKs@K`N2NLAr!TGQ*SVU^t8X=A!se>d-vJt?e-<2iw+;ZJ z?-tCOWl^UeLLWc%oXC^pW=E5$kA_`o$z7VEo3I3&y~Qx1Rq_B~##@V-4(k!2;<=OV zFpnx5^CA7BR4W+nvZQJ(3GHX)fvQ_e+p9=Cb}}QqACUwunsN6VR7@*m%&mtD58j~K z&R0vzM2}iHRCz5My3Icvy%x|}-POi3o&|prJ!ZE}uMVYbcdnDB=R_x#+my$MEJO-& zgy@-jU;c&$84_vWhTu|~nAz zO;{IYQzyedK@>YmP*sA4aW52z}qC3`G~rBtR>eTm12q7nQ*MX!d8q01a*?&1>~^!GL` zuEY0;sIKXK54jb&Gsx*Rqx6ei(E?i)eT~G^^Z)@>l()KRWpHIr)0c^fE*{_W5|} zBC|5kjvMb<^S;$C(-=K+9a`JDn+%hs=S8g!W9dFZt`&#ce#;nUs#abJlh2%|W?HTB zRBFsg@183q*s5cE+IK}>y2N3r$}zvF9;Xi3Xsl~eO?EA|LwrvQpR@=+hS{TYFC(j% z6k2nCiC7X(_-T2rn4Y?kvvu9Q;@ZNBk!{SP&wPDNeb4iKF1--JqE}q+ZI_0pX*Nq< z;ZlNtgCo23xb%Cq5c`U2gAIDCB`w|7zQVF*D;qk_t>CTJ%HVysFL}D6t^+?B2)zV# zKXW}-$V*sTGdak`klk*~q5+S*61aQKF_M2&W^shO{(B-$xzgB_&o)i8`1ZGv3m;rz zFh=()cKsht*3d7Fj!<9s?BM2hYCnCtVvv~}qMEOio9=RdTeJ=yC zp+JvY`C&i5z8=h=RtD`TeO^`JTFMPSXl|R3UcgRy zDbyOfPq9Pf_y-7zK}!^AmsdRg(U^3YqLCv*MZU4IP$QD;xH9X58-+5hitbU!O~A}t z3@Ca9ZTtDEDIttk@xEA=m58j)Gt(BUg@G3NfS%4-k*KBjfV+sRnPPd|r(157fwKgm zJ|t$XkhtN>nP)K#kM`z?sKoL7`WdieVLh@m`GS*G@_n)Opj*f!_CwW1xb|^|>+@3s zA3$0)QSH?6)jn(0g>(2J#B-(1e$O6K*4Zoaz=$DyCykNqr?TVnO~EO3TZ0UF2R!~~ z^9}m^-YFwvnSldh!_@;~!+H%MkFM7d-?DuRn4d1>G3_E#E{wv-{2Oxgn#U`nZ|LTG z^-0=Q4>5WyHOAH3i&f68Pu|j~{<;gD2gQ8TfrONeSL!qobo$V>FzQn6#YW@Hyk6i2 zM`3!swQ%dS=)%(W(kOqN5e%gMPW57r*YDjGt>%7GpXURR+QU)R-% zbh>J^Mn9YQA}V%vpeN#^8|&}h0(O!^;+X%F9`=*_aP$EtecYnSEV28N49b%xXsoD_yK(y__vkj|LhTkJjit_0?M*>DIj2Qiy(%^bL;`81VyyjD}z#+s9S z!XTmtdfSb!zzCnU2*pI1@pe4pIPrViy-5Hy?1_mH;@^*R5R5-aI83Vxl`Nu54tjR} z^;qr{`^8qea33|sn*&!>y$JQnYzhK>0XA*Zkj5Zy9}&r|+#AI~_wr^NPk@w6@Q_rg zj-v3VslA;vs+$Jc+Bb{~tq}P+K-%i<_4z9tD+}$dj9RPjA(KWecYcjNpA~?dL*WQW?z;8We^E9gwMMTxS?-F@1~e&O&2aH#$+V(g@Ut_9PZ=RPW^ 
zP@jI5o@4GufBYoZ0jzbMFc|kZjLLV7`5Yw=ZjqBakJ|WY;SSTqHlYH|oNy6*a4C|j zcEu?Fnp*9P^>5u;`&c#3>zg7>VEwlXj6S1^)$dfk)N=oD#J|?W@!a>E?ejeGCwOZA zwG0Ozv93KBckRE%-B?(=@>X!_FXD1ss5pXLybJX4!*jeqXVBUS)s(3+uqi=PO8~Cn zRPJ9b@>ZaFY4s!Zz7DH)j$em%-GvjnPFCaCNWa|DH&F^+>mjq}Q#)<~Ko z2E!h9@FWt4lW^oES#6&hPJi?RguiyM!zcC=N8Yd6aj=6@f9>GI1wL412_{{z%HlSDosB<{5Ih8~?|5fxp_%s$vy}VkVC6 zp}U8+q<7jPnD?kLW!yM8QfLU$#PrgS8eljjsQKq}SN|&5{aQ$WrUPpzJJ)l`?9V|E z5X$TB*Nrp)F6CJ!8+2sdSvUbcp=<0YbHu{WN*?;aD~Y!{jtt^-WXVC!`uM+w_1n5q z{%ctOHLQQ_Db@datp9qffB91O{~m?^JqrJIfc`he`cGr54yDG&D}*T~=}um|YWUmMnYiuMh9FxNEB}2F1(N?PFtSe~y;NYB zRcJL~n#H5)JX&Im_RxT++dqpHy zuYA$hhw!x*#8Xezf`gP|za!lJKMU8VL@x7;7559~`l59;+0IZT;lJF#bPllkJJ|g# zhJSNawN6^8+zcNe`90g_rzDnN#QIw$hh_MKgFF=epGCd}P6TP={F6qu^)1nhjGk=u zaX+Hsx7U~N-oEy?G(?sY^la8|Lj5yDwSoCwiJ>`oZUom)jbad}evOF#u<*Frugm~R@DFGsVzHSVo%OC;hViS)D z0OZi7eRAl(JPDKPCdhF*cIi}){|-YB&KxF7ka|stoafPdd-o(V72{Pyo&0LiI^eAe z4tLf2&$r4xkO;`K&kxKpuEVKd`iboGK;c|;Rc2!!Oi26>7x4l?nmIeJC5S55QbUaM zxs$|^&3Vk1;>R%Dw{vxn26|dXDazT+ck2}+=km_b4e3*GZi6m3} z56uwg({D>-Uj#4$1q{B+9vNC{PW4RuZ~5EWRn>-v%;j2XwuoNwZtW>Ayq3`#e;oM1 zZn04h3ZD273d^H;=)n0Dw2nv*-N~bwxx&7A=rQutblTn2L|P#cS&S;GdD?~S3U04M zj*RfDR?6BZEd&}?q23vDQvsq%g znUe(ltN#BB(>TX0(fF8zB=1OCPe90f z_9s7$c~_TwW9KufQ>90r{W9?Zw0`qTM9a*P&-pqZCk)OUd`SD}n3#MdL=Yk3Ik|=-mL=mL6Ny3%{eAX7tQCp7^8-Ie+`MSHxhTR8yi}qy%X{1Z{pbyZkac zdHus@vxL*X4m`3@PfwrYS@gZH{-;j@ts@ur2O3GwcLV$u!He#r)5dXFk+|7%q5196 zr!Xb}{-i}V^vF*znd}er|K1^o0~MKjp7w`h1(PSdKhO)bqWc`VKOW#Qcr+?#zxafl6?_MZG3 z!0EFZPINb7^CV*mf^RITpiBJ;5-B`q8sp2H}8LcY~t#+cz|R^-$8;k)6N zk4*cUGzoPV28}0)8w)bR(Kn!#>5E?dGLMeptosgN(QCnZB;bfe=F=Xcqr)LiJ(YhV ze!ec6V2NEeKCYD?*(bj0=l0EogN&Pa9~(b%Hpu?!PAi#v_BV)<0_+F9t75Kyb35fe zDrs-YFaBd}eTa`QSHI}?EH!uWv#m|8(1wz^b z$8D%RJu*8fiU<4l?60cS5i>A7Y+`47$~Azwe!b~!1VbDZ2$hpV<5@vW!SL^oUl6l=n<=1LiJ{WY6b zDE$R$tAXbGkmyVslOt7&AuHf6hZhHB{&v3dQXXso_J3owb57@}Z{XB>f4D=`5l>Fj zbaUQ{`{O83JqN}>_0clr-2Xg3_^VOxU<~Ug|II4jNe&ty`y4DX*(t&!5Ho{bZ_79{EC09ouY-GaU^9`C6Y^=Tz05@Psy0t??^^GKsgqIt 
zv9b~-E0jzo&MOeNNV=m-d*H9(K#k>~u=?jmKw0KsY28Jr?d;)BSvOR-7y`r!v+epG zTN37eit@*_pP_U8c|I3V!*kCtzR#NUoGbWBcJGg4>g4{emP{f$dsue;?ZNW34tBM1 z@c(@Zb`Msw2Tk5r>KC%s)}en3qba`zy<9FZw7X^KiZV=s?fTD9Ulub>iHB^rI>cQj z?1*S2AfitdMA`6R)|W>YS1KnJw-#mST!M3r(gJWm`wAg*K}>ekoLe(jQ%+9orv6HX z6(T!lKQ#5)UU9=TlTYOp)$iQ({Moc^)$(d~lk44jf=x{hpcE!)e)%+>b8|^Zm6B6i zQ+%PsbGw^F0JK+H4Pp5nVar6pz|??~Ofg&)^-Z-yc)b?rcrXY0Pi5crKWl{usU+-#E5&D{tG8b}BtT00rK7Y! zF;)v`Caxek)45&S zq&98fg={ipk4AG$)BE9W&32|fn+bms+4!F(bj){v^49>J4hC2UtEmg_Nh*=3LpXUb z)YI!;d?pc8lVG zjSYf}Huou!2q1^CjO;oLACqvwM-WoiGUuX8fQ64?<>cpiE$hG82|A{z0rW&*-Kgv zSgcc*NEq$w5fAr-)#+U}-ZgzrA;2TvSGT~3R)DlYF_FO;bfl4Nmg4S>(`%6o@>rXG z`6RDTx@-#c)71u;MYW61X$ld1cD<>k=AK3Ab5qq$US#3OTtj_&r-?IGm8i|rZV@vJ z_SFjk``hSX@k)TJ;MeCE_`~zYI@B`O3!U!bc_mLvsbs+kJs2Uhc)ppI#WG zmS+yrvl(~LYUD&Z5NXnDs4_0s9jAw2o(FM@drTMUrS6Q%LA`RTrH8#jBmr82kXgAR zm{P@*q`*XO7}%L`M5S@BDyL4NBFEGzC|o+ELK{QNugR&Ce;SI{fB#fXo<{f0OiG@O z0sqB~feZy?u2#<0h-ljrA(V5eNfe>~%?CVFlZk^nnF+QGB*J)rG3MP5qB`X++c&Ho zQlW-f8rJci|I&s{ehWLUNR6PJEt`Z=B7tbtrQ0_RiY4})MH}x>fxb%Cs5}w?Q23ls zA@5xe464$Yn$N{;(sWP>!!x{;Bfk4n>ZU<#{oDh&@#2Tfp1~qbTd`>k5rm&Iww2L8 zay4^u1IH(&k>jQpFrj1)+j?*;+MYZe;%pDHg|0Gv z4zauIxFYa)MAf!b=@DiQ?!9=Wy+NZC=ve+CGYnM(A+xi9Q=U_0ZOHSXq)TZXY?BbS+ z7E0ttsf@TWi#e}E$hSykixP;}zt@(NBhqxHrdOZskS>m{SivG_ZkyiYLF^p&TqeN7 zvTP#!@tfkRNzU>KCV1|Kom8B`V8H_#-5=i22e>dmNG4O+Ym*|+2B%p}xa&sj_=j20 zPl+(%`(Or>?wOr_I2@RFiu}FcvOm8;JIP@%e;LF~-N!zfABoJ4`99dsW=9mS3ZCPk z@%?c9$g3&AhkS(S?=02LjiHclXIAM@DH`o21I)(R2G68>!GZq$XEjjVp@G(oJ^d2m zcL#^9mZtYy{$VwY!k#{nW$H)rz|M9eR_GqVbxq zrfaVUVC~ACJAG}O_1Kf(Nd}>nLs_!9lL@Rvg*wKRG5mQLic8n)j(4zZfnGK>df1Mf z)!qqm`7N&!!)LU6+dHL;fY09c*E^1uoK=C`ZcB^o6&KZlIF>%;waTnd;{s;}kOlg~ zM)W;Ft$?#z5WOHF=oWsgg4V7^-~m31Oz%CAbVac=tqG0`4ndfcGXf{Lyhyf`xf?c& zF`ue*n6Uz!tl8N7(q5gA%JH83v*NQ8y>KBNl*l(}(BvKNP)B%~oIcDed!@=T<|8Y7 zPP0CkP|VnIl+wzYo}E@eY1bwkI$i&cqfSpcqti7>e|Ogtn#+ZPd_a2bmp1Haw{|2i>;uVqxMc1o+2yUjjA!ZF?hj-PCe02WYc+D)mk4?ISwA2zSCixH?HEc< zXNQ_NmbOaJ>SKP(Y<$`mk30)0+i419CO`GTDGx=?Rq7Sv 
zfX<8BYW=#le7G78`#^G!%Z!FU1s*TtX2-L-%k2A=S*A!B9K%yVEkUn{25Yz99VXm9 zHzgXg3z~lOw0^-DKA{KsM*TllA`bDGGrjlaPDrOcyRQ`HxKO|kCrI1x87sG{i{Vgy zr*h^}lo9V>M%df8G9>ibUb_ofCf;YrY`o3Xm@)_%UD17F6~mu4bzIa#XsJ)$l-Ff( zC}0_srqu$XV)qGhDR@Mruwx_ny6a`S_3N8YF<-xgQYkzlLMd%|lvoXU%mGQu#(6Iy zx^!icEkq>08u32jCml+YOkv8o00b;-`%B8L+`f&fjb`Stt~o*>5r`DlcE z7X%zqsxIXgM-#mA^=0}~1m9?Q^weWKk~J0TfN8nbn?2JLB4-`n3|W zlsg|L4Qz~{v~^x1DQ!%n1vCN!4Rd*XM%>|+ntf*P{O;$^4|=EM8rHggj9%7$=}-7z zd!vw3Sb;o^?X=g(8(+!Qn$7duhC;VVmg)DtEdhppsxj5b@59|Ssv$6GDI+eTWq#(SQ5>RT2gZx<+IFd1i0Jh zo{-IGZFz~eDw*`jVX4zZA&fNLDa_7wF3L($j zw`87us^8wE6>#a8le90~m+=!Ew<&d~B}~{vj|#9#a087e!ppA1QZ5M$yN4O;W zhcQcrH;M%o$D*v!o!nVDMHXGBNnA%BW<@rRVy9p_kj*x~nI~q_ulY>Ae~)Y+65rd2 z*oEEFB{yr37eGoPLY!3!*yhzYFN@5Juv&U#5_8q?&$no9=1iqXR^@p#Y^{Iu@7xsJ zy2)j%eX+0BWX8i~YNYmq^Jv$I)Nt#`M0CY=^5U{nFL^0!b~Xl~z%9ne)fr3}R3W;Q z_#NCv8}ejvGz+dM*L?i&to#3v;^=)?*BJ0o6KWjfQs!zNsND*Iu+s#PprO#Ih2@lnsN7?)2YGf%Fv-`gAD_o%^%mS^Gqa{eA#SOlmvpRJGyQG+nh|s{!xZ~2b znB@Y&DUTqgI>I0zH707-_H?wtsdB$>-|ljH7{lFK*BagoH=XVGvR9v+XM_R2pltH! zxP~!8GOB2Il~wd*4N!RgkgPxT)H4x^j+;ML?NRl0DN(*LkB~iK`crn}C(lh}Q#^Fu zHSS}TQ|l(jlxWP!${mWtr`tD$?vq^uj!deEkv>}OnR`Z}Yi}Ho*VCxOlv@YHz#%Z# zzQJrmLF`!6l`k2snxc$9s-*XNx?MQ8vGth=dYOT>LK+E!V>xx3lfyT1v!_>q{>Pc) zaUpqxA3EMSCiV0|T+lgwJZ6i|Q5(uT7O_Z5`a+w#}=+dm=&XN1EZaU+s({HN+t*{&#CtcjvRq7i(%&wf8H7f=+QO#eHYN!XYbEHG! 
zMSj{iR4o*W+L1!}NOd0YStMro&FEb`*<4^yt&UlCb*U0C1Rkr36aj(6TYfBVY6&Qd zv88zLib|PzNS=yCIaS90Txc~H0@^{@#X9Z#t?lUAYc)Eb{Kz2&^stFDO#&CTo9gvY{oQOP!%~GH zZE!CWUk@3TH-Iugi;)m!+rA;LdnRjxeY`+s)u9>|qbwN;H~05kk)O715Q89I&31Nw z`(7H44y#x#_xsS;z6V-Mpi1Nq?b)`WFBg3g>EmX@C}j1V@nb5`JZ>0-fzsG@@eJmz zmP@Xdce=R4F!SNzW05k)Es4nI;Uzc6PYPF3ubCVdY8Xbc(t}4`D7f!{>&~u_z z#jZns;fxMIz~q0GvCg#t0J@)N{0=MqKO}77hY*6^2PZY)K!iQOX0Ij;k~ad~mvw+& z-~6_i)t-;uq3_D#^9w3uR2JPhqYyf=k2dmK@4Ys<9~Q^amJQ{tx`=$wvwJhS5~muF z#wfO!Sv*|NU|6IL#G^>oqgNKbk}k!ZGt>9M^S=m7(@^+E|;%nZJbah=LZ5OJn!j_CCvH z5iX=cr3ALx=UQSa$OCT1Z1u7!Y3}#scAb)ZN)c?qRw*P`I_Y6oH51U3Z+(Na6jVH8 z6zY3&e!hPHBidp9`)d8Rc1Yd&X8s9UGw;E?tXr>ek&VqDcVnIay1e+L=VvfoW;)KQ zO7S*~`6azcNuRnBrsZ_Kz!8pYWmMuxP=~hS9X=2(&Je86HWA4Y8SagOGRea?61WlR9R& zX+JC?jT~Yk=^to6bYRb9pH2$e@&Ik(K zUZp`vJ=E-dWgd7K2isHM@WQpXLfckqyE7wGYOS|7)q$o5N#!WtW-)5YTU;ZA<`x2k zl9PlV+XHR^#S-JChxumm)I3nDaaXHV&mj`h-L0>^&pcCiEyq0Oc-RNHdS8nQkUo<$ zgI5_nN?Qxkivji8dV@80WzcfgjSZg}W4-+(9(~{S(?-!>uy|)!KmT?u+NAKb!0 zRanu1M`1aHs zT&t)K*Wln*duQQzRWton^B&0F)p8)-WNJ zukAfAfw8R^)s|Cfp)jz{e0jm8x9(9I3@u=Js8ArmBoA;#cFLi@;ZLUfv2d)C7aOQH z|J`^}mVe_<9@UcZ)u)1^i!U{y?Nl;Y$u6y=osg!!c7f-*Z@QH9#5qFln&tsxFEg2P zl&jLS)r*unE}PZV*(ld3X68}Q2JO-~@57TspBSU`X8gys*g|E*8eM z&CU`S6_H{QyD{_ePm3L7Iz$O8Yg(Ujw@Z5`tZkf6>m^(I1Dn|UAjQ><3^JUxCDoLC@+n!L2Ieb4?los20~Zc z8#E_GtNKVMf;#5XHO6uQD#SFhfz&b1)o;B>>VA{6-VqE$tQL8FE+@3om5DF zTT=@tz>VwzJt2%Lmht2|kcn-;Z^CSLm+XtZ&ZTo&ns>+N*a0Y&$+lA)mIGS4Ib)3v zbs%9j3~_=ZQ(Ga!tvNshvSftIH9oxR>w04RUHLa(uK+=!6#yV=Atck$EW(7(CNR%{Lw|DEUDL0hIO#S47vs&}@Kk+)Xe z+FH;<<;`+Y$Dijs={*>M0|5A{q@nA5wR3rNMf!88?pyezA#@kh7J#?4_Qb58T|?b5 z9Ys?7&?A$>94f-5xQ?sRL9X|T z(R0ak%dWN!D3mCU?ig{^rutb8m~J!So$+q%JLqSWJBQh-1QjTnnfudw z8_8eV;39w%%~nTVO(8i1$iB@GR{O@AAv@>Yxf8?JY|lbW%HkLp@Xvy{NIPsmP#3rv z{T8`8RJS<`)F0MadVd|jt>#lRi-oyrK#6^Y(et(>mgK2@>=0Q^5OIFgN7r8eQWuri z%`Ty@7c$j^P&8zh#i5AP03DqoY#%%soILQ&xxBZ2`{cqzvg#mx=j6}>?EIJ!cKLb) zA&u+%)cN-#mL*A*ev)5)?OYlR9@L$jkOszCwX367mr?2i2MvA`?;gu;X5&i?En@a1 ziyvkqvxj-LruK4>0LErjJ(Wv 
z;7Z?JLXAA78iZV`;mFxuegT^*t-deTna&Fp7H6d=EvE2D4qIj7(x=-6KNk1<+`$bC zHJkGV6(fHInXLa-rZX5Y@eGRIj}&{!zO6Klmx;bRe^?Au@bOV2_R~GG2FD1v566H-_OJS<6v{_YJ4|7%TB{LVDa}zoHkWE@kz|%lWs5~o+f$>UC zPQvnixQZv&yC+)tCQE2YZIV+Ntv|)3kVplVR)pA|34FIGiE-=eqY@5Q;Row)hH87o zD;u+G<;`wCw8FZ%O-?x>S4|B1oa%N15;Dy4hK4rFt%ur(A4%)4gF<7t4E)lZ3Q5m;J zX7Gf|>Iv=A`^0-%zP)KP-2kL|I(}A)>BeyrCdCe4B6Z zZempI^N%p~oPjW($xk7)W*cp-Nw(-X0w6zCS7KN+USbw>=f}Jhx?3Chz!0LX(iwd- zY7aJhAHD*;qRtgYGYG}d$~H@f6s#Lm{}q?7Un@8+yhND>hpEX&->|fWVOP$qVJCzM z#{FvsJa?;4N{hNKUX3w)5``=;bijRmL{3!jCXdtNlUB}O<#;8nMnx4BC*^iL3W+qu zaE@yTnUND+V?n&BMZ@}Xo{H*fG2^?nLN;E8^~!Fo%@%k$LA!Aa78_x^7VssyJs?#c z;|arxbiVCk$+k+yX6GhDack@CYwIfFw`HU~bJTEvIgWymvK!!QQ z)+fH#rbcepG@I^Tk*hOQ3Crcl-5z*b218>>=@v1ATG?w(l!d`xzmm<3;<@y5kB2<+ zJP{&bjf|dgo0@yxJ}@xw^_|RXO`b9=aZ9^h-Zns8Ue{&k@|zbWj@dT~JAR7uOcFF! z*}CiX(<{C-QNu)2$dPEk`Sf>x3wSgrqzP{?#hoIhZ9j(@bEj`Z4sKtV3KRD3DfxyG zuTv3~>JfHJDcu<_YWS&Xji7ZdUfX==CTuH)oA!*`YF+IqNxtmdpW&#EjVN&0#;(S| zG$nXcW4S1RacE%kh6~QkUbud5LFZw)T^-c1^*b!lx_k9(8mQ$(^gl9+{Of*@-dsvv zyO`K#$0e%scV12AY*z z){b{0*J&NI6$-1zpOS^w;}d7?>yxiescaAF4)KYAOCD@x{HCmj@}sGd*ePd`46LQ& zWFv7tD)}-dorTrbp{9@0!=*(Jvanc#gF41r;mHdP0o|f)BdzPZ(popn55b+rdp?cXFR5&g za2yB-Cyuj`lcKg~1yxM=g|1W_B}8srGjUv%G2wsq<+HIFzxds>T}drZVfO;AT&zoA z`x-M(Zs=AlloEOpBkzpm|NM5_Pg}*gk}r<@A{SzN$tnblvE;4`M$2DiTWipD>XGwL z$0YlfcGbjXJg3gN&AK7DHUV`jh#2awe)o=qhpXShi3TE>EO7UUL$&;Efs3!&yTd*t0P}m|?Y2T%1OFN#SMpFQ6_KkY<9xsO>a}ca z;y$_}AH@7Co9xkZveEyu<=1CsnaJLe7PQTI)v(W4Ez{0iQY)!rR4_gb}-igd- zgBUHJvE&Vmt*k-Ou6Di#o<5u=H}!Fnh)cm#70SH!EPC;ceM;^pS6Z<{t2oUfVZ#6B z?4Pu={rvy#dEh`U$$Puf9#5+v{H=&^$ikIqB95KdK7T1>`l*(Vme_W#6&%fx2>$Up z-c58iC;)cHE%rvk@ifogMQ%@o_hy+{r#U8mJ#eMvg(og>{oAfUYtHk_%S>?Z%^bzO ztyY@^sV9!BhF26OAMa&vx-T|!6WeYlHTIRKd$mBCA2xx2vjM31nF zvM9dGV7$PvR61#{bTqfNrlA%mus&zZ!`@mSeZz>w{=J}}Np^{&O+LnxL#NQ-wdXv~ zEbSil)eZd`mR8p$K{4D%_9fArW`v0IVsf(QE~Qp`X{?r-TNhv2L_$gT(k%v$9~q-V za}`%drqZ2=jM(d-@c41`kn75AbjYw~?52tAisdi*gg)5K`hM{v8;#POhA z>Z~gk7A%aN@A~1&zrwKS?jh+ScKwQcEll6!&$zSi@FI8%*sZ_dz8~BTYm!+`XqhPM 
z#5$|gJo}o(=*=YZmGbe~mUi!ks_Q>ejp3*=-F2I{_Y7y9H}fyA&CW%f&}Qr^_>k?H z4~l~A5-uc$qzJ<+>h{B}KV5Jtyes2HCm5R1Qbb}ziF~TgRmwy^CL#(ySLtacD)^mAUd4<%TnMtB<9g*B(5#koT z8@l$~RVUI!E*eQ{vD7WU%JaP5xmW?sZ_p@;-CGD;T{b-770s@8*V#c`M;xOG`VLhW{F;4;ck^gQ`Wh`BKE-`~q@a~8OKxwHyMALW zF`jTDI=)6O8R~Jb(H4i-`TZpoOW*{`wiS5BRHN$p!&f7 z$YIWOE*!*v&2L0@iq8A0UAQ^+2MZQ#*U7U7TNPt+D#%7!W;Ca$5mCE3Pq3=15pRefRsWZeroPZ;k!l?aaz zl1_)Fqy8WE-a0G_HF_6Sl#PObg&=7V(kdk&pd#Hd3=K-R0z(go2q-Bn-CdF+Lkt$p z&|OM1bW03#KTz*)v+v!W=Q-#6x&PxqA7H*%-@D%RzH1?HnIwj4N}kei*^ojOLhldX>Dhx8Cg|fcUFs_o zVPqA>EZg^(Lm;!rILfhj%;pA_9d_{tfp}L}7n=x{CReAj;4<`NyIia?z194cRQ&gw@29+{G+-Oa*$Gx{fG@VU7X1-^o|)ExpsnZ<%Km z;k*0X-28w2VTnzTmN2vFh+myt+hBC@R!4r%C0`Rhq~pA(tkz%*464x|^heV7j+eA2gMK``xORcZIZU{|);&Z?ROYCNkZFInwH=##B&(h-t%rH( zWu?OVjtc8DSaur)r><(2ly&br+V_s~24x01UmVq5D2TmZOms>)F4x^*pDns^TeJOU z?ds3h?l$?g+ve7Fw8undC-5Xr%hFQDyu0wPF;vN>{?ptD{XNXWWy6fyP_mw=%PPq) z?;lKd2}8HHhf#*(f|n*&zJC^;zgeM3@!5N+*0eWSbPZc-V>F1+lL$>$+=ftqo&9(= z;L66CXKp`Nr3L>?Kul~A!SRHy_QFv_H$E*cS894(zV5_&1kSpLiW+)db-hxzSQlm# zG~@EyK9#2!Hip`M|0Xk8>xm7GiDAiw=7$r%nFoWaFR6-k@mdYZgxnA_++Nc0PLVe8 z4T{fyVTH-KtWn|;0XWuryUb7aFFxJNz+W87dVYynPqixJ;7sl;k`dxLI<|l;~j9$$h@dERsW|g=5g6!(tPO_UMizz z>G6gxRX;Ok%%Xbxaof-NNbvdJ|LFfYMeDa}`?dMeZYlop(RNxXvsZq+%``UJ8lK3)jApGDuS0f8iZecJcW32_B;i#e{lTqpPzMf zOz_0?yC3_PANvq55I;jzH4Tx=alZM}#cQ`Iul&=qrNn+1OHTX!F_vr`@2T{P0fbPt ze;Q{}G;1f5lh0oM??C>m43aW=~=M|&x11@|k)+T7kA~16PzBR#HBGDtw)wg?> zuibW`CSi&C4Xu7g-^s8;P!gu{$H&&Y%XRbBX=cr|EY&RahrINR(#FOaCG6qRpu@Fv zh3!;&3?cJUe}$;SLVt)A;j>8s35m1^%$wJ2lLzdNqfV-(}{f@mm-OYr5#3gZJFU z05t5|&P?+U#OU)aKpeQ?~13sy4o&Wq#_L(JS=b2VGq_EDtcG zfk}IS32bcQnU7msmUDwz)7X}jSl;E@tXxi)>9fARXgk|}y|F)%BaBflv?EpguX8A$ zZl#mFE{0!HZTH@P7dC0na@QHid4#B+*cb|k?#zK%%yc>|G=vZGT#TEVFk;j!Sa-V0 zS#atI`gxjO0N8~6W-IJ?!W}|>gof?^h%D8sJ+{6^b>?no3rk=+v%T2#%3DlyCGB8b z3)Mtjv$t1JY0nVoI?5O?=&)j=HXD^XB|wCI@ciV@-Fh4i0PiiTXB_0e!S2znz6Rw3 za7;h{JL7biEx8yuVlx*w&N;5Po;c_*EmsB5m7T%|^B#>3AJ9r5%f^nJc& zevF$SET-G0UD4iqn6>bOtZ{4H+=6RW%j0GkE$75n*w1|8JUhV0sYYoP^2Y)4+7Z+a 
zlK&$Zt=RWtol1w+84EVmRJ-Q;g%9wa*7!~mkdc`w)wVPO*Sx~6sT#v$!?8Goi1O#C zcno@wESA8R^z0@#R9yG+*6-dP%yH&QG??=ifXz3&VRAUH6JKH%RUkYBGc6VCV)S0x z+z|7-93tvVvZF2YMC10^fI-0d753HmC<=qU5G_g~{*@bEt^#}UlI|4xxN7rO-q8ms z2>IhpTC2|!Nq6?Yax&QVt5H+~R3+o|@HDEEhC)tOo6}13ucfZh<&0S029?x=a`ODP z1g1oK+`)Qq2|BlS_WNhwbX)H=^mDvc`=w5?n%!M3X5ExmB^uCKw;vw~;*5-|$Qoqy zyN9?^{wK-td;pgHRQ7w4V+ZHKwabUOQu2lg;`(iKnU$Y<)Zc8@<*FmLQi-%a_vu%^ zVq@%I{NG<)%1d?In#;WVZJ{Lo?d0z(F?UY(R4THIROH|>dZDXt&SS9KW@`MSSKQRg za{-vJmBJb%toe#rcT$3#`$ywai_boRlZhTz8az)CyyPJ=gM$E?4W_lQ?QiQ1>Kq?dwZx-$o2aoEV((9rOe+u0p53U(c205`P9#&Kzo`OrHy zues>&pO!dcaxW2i!z`B9%ILGt;{hbhBB8QVja{oub?l8;u}Ry~{q2dbL1%f)C5bo3 z){L6zxwyLgMcaS(5ITJrMo#oSq#`5vQa?L^Nr&R-dnLiMb`DU6kqSHCJdF}@P+mLb z3|nB`;^22DxsP*mcKVX4Tveadd?9Zb<&tA9Nl>j5U2G6*7#^Z4>W%8RcH^`A18P_6)eHZ5!o>rrWPoLrrrC?-OO=>+ zA_`|6bFOk?%hKSR-Gj0uuP$8Wckyf}Dj}R*3q6omZ!l3ue|4{^`RK8&%&+4LXGL8NBsJCk&E z<~m9;-FABT&`NYvtFP~iO!J%Y_situMzBN?EBUHag6vYPVkqLIPk(CZ5p!=XO>SB_jKzBei zgfM9^tCm;lc?8|DDUO7_*z9T(j&i`^E1lxqwVB%8oS#hNh&Sph(2*~J>bdH0)J!Uy z@MlI#-;wz2pRb9C95ZgQj~U}%aJVXB9am!6W;zip63>>I;DD@VnVkW_%&31+bPBl9 z3H$4aP%j8<^UrMxz|^r_x?xyyF-cDf$!r2L*fmq*JF z9S+rpCb*nb6z+};gx<<%F#{zCv*s>ag1KFxQz+R+tq(8riQjwJnXnDt@b@(2j zn1|NDuseEO<z+y{&2?m2{efXP2NU$h$U6a3!M+VZ50mU#pZjc9#qZgMRF`vW)>Hh1hemj%u}x zBKsR9_Ot!W-*|BmL*?l*vO5%+0>&Ram2}vZeHCDmw-IJv*Ni$V418a-s^w|kgoMjv zh1CS9wZ`&ia0bI69F_ZiZynlX^zG|f20BxWn&0jssPKv8Do>?`td#^`UEm6@oqac> z_cj;InARfSrIv|giLk0BG453yn?IGamgTxTzwF%kUddparQ^Ehh%VG)GZ7EYIgFyi zjUjLcF8txOSq18qhC8;|>P5;)9C!t>yqj7TPAf?-hSYz*9N&om(=_&$_L%y?)0FJ+ zN<4l1hbuwpj~H`?qWNu-x?KH@<>;L!#4Y$UtePA$fsOBW}ByRe+a7%7@w z?GndEbfv{{tBWg2+a)>xi|TXhW!I=uU#hYA(4t&u)7QnExe*$oAi^FPYv>{82o`^@ zb{95vi7_B7xF`1u?!dJGq63?3$V@jW)OENtzwXz}5mJ~TyQ;yb2zf`1>lH*J^SlVA zfO{#-2DLMY{7YyQs%Mu!+lQ|7@&}&Il>7VNPW8G2$PXzL;*l5h`Ot;|6L<#U* zirdM{V`DPRf%;rbqjsOs!SHMZ--FLyU39>~x0^Z{WYRw5*b9P(cd9W{T&fJy6Yt=djB76*1+UIl z@zbw_nRJ|Zsfn@&vY-fiZiZslb!!u52y3o7yZA@dW3=?7NOjdcyE|Z@zkk_m7;me3HTm87 
z;QZ@20DBuWIxih7k({?WLcNxMV9E&$Ito2JoNYRN<=fhXxHJ=-_U{0NM4m?C?CI&B zNnMbdL@rF!G}fo@+HFyrXrPdl z8WVK@1zMZLyJm#D%MV%StWxAa{T=BWMjiV(e51V$r0{_j+)o3jCrI>Y^N4# z((&wGt@vIS8&{x9u^x9{VBAzp*~H6YdP~r!@n$eB@s9Y7+k;8gi`0c}G&kfGhFFL( zJ+SzYfdxcYO<2K*e6hnI$|g}Y-5_e#-86slb@}87zWxZO8P7-x+ zD$c4;&#ugEca8~N?4i#svJYfV4j`$@fa6l_f?VQ|u*Hk-*Ydk=)wb9fBt%&hRE`d$ zh@!D=7*>IM7I(!2Zet3*xUSTm%uab!#V>~-sg|R41(v2pE`{LG%mlYj8peP93V1he zf_lf@ppD}#86T$}mA&Zxot&WjUesPVBriWQ{^~lkP?MQv5Yg;#SqJ{iGbhGO0d=tE zALokhSc$71J+LPb-xQ#EyqP%M^LS*)UhET^g$=2IPcRY&B@^GgBa2q>6{~cdzX2>= zwu!p!J0CvW%T9QEZ51-kP-711XkKcM@zC$aZH}32i^#a+77b!N5<% z0T}ZPq@SUDSiy%u026YhZb3{IYo0!R8swD45)PS&kcePe`#`ulQ0UthTsw>MkCM#S zEL&75&he&I^!yyhh*Ja}-s)RmmPn~frr>Q%dg30n9Z>+L-0W&JdRdEe{_PANM96-; za=F1Ij7bL2Xu9ze_O`*accQrK<<`<4$6A zB$|bXv?0sz@9EGuVm&urje;7C^#A!yFnv}3N#yi4rXM;P*r!Y66n+)6x#9qk)oE3L zdY)5z(k^nF^8M!%tX|$?Fcr>IsVC(bzOm4R3T9i(P=8M8({{~|<6Ch9GPd{$viBu8 zwOs;nkA#EVQVWk#q`7uF;dSrT;g7Y?PNnYhj38f{%ZCZ>N2%yG7Kr>!C&^+Q^VhN@;Mb_h%^jZ~(Im*s4I_j1QT^Kn_at=0+$PedK{xkKHzR`K9I z7b&W@kn@uRcQ{WEj%Xs_u0CXvy%D^dtdm}H%N{GqaXp;RuBi|d@MUH+k?Xl}Ak9rQ zH8pFkhsUnMhmmFGe_5Io+Cw9R-g}_F)I-Yoq(GxzdZYDh)`hy?y#Ulq_&K>sOj^T1 zhz^O;86fy|)c=npu%zJylsUP+(?-B7uXU6ce8@G^S0x}3+1C%fzfpT?fW?21;8p{8 zigU3WUBR|(I*w9L$6fZq-GpINve?~a;~c-_#z{H~td#e~q15kC6&CiH&4`86Q+q zBN=idvZ#6-OzMg#+1oB5|4IWi?1|v?zGL63^krl;!}lf{WOs_dN; zT(xT~v+d`)?|eI00`Ohjr6(eaz!Jf16vn1oCApQ;S2e@ye3hblA=Dp_Ru@&^3MTA? zCM3{4tE?_gBcvz7vbi4W%C?U#W(GIfn97n%(Xw3 z0TipLLRI2c4Bx-cwR?nX{XuXUbzttN?LNmKUt++2+dR>5c{H=>z2LGcndOklUcsPM zF$rz>0d}{^5~6gkUA5FysRDz^of@1!U<#zO*)WBAcJ%kFYn1i! 
zRaLw6G(E^%C@E0OA3W57mRV!Evsu#IQEd*to4{Rj0}_DmRGr7#Twgn%fAmrY{QFA@ zR(t$wlwJsHK~+gyGZGM0hC|@25SP6)D3{+?b0VYY=~JqBy5vzjE})#jaC z_9s{%=ix#8a(u&1VF8rbfUe2Sz5|7&>OBsVirc5fB_yo&IYpUZnS$w`5E4#Zm9p%2aq%34k2eltW62 z%912e0gKt)lxjo^;A%}L>H??QD%Rr`UAGn@BU@v3Rn6^ra}G;2O)2TkX_f=FXv|BJ z09_o4%5bBkjeo|j-U`t)WK%uGw%3-Yi_m3(29>GJNa%0O%%O5vVwnUoJ1R{`qeXC8 z6(t{exZFPt-CcP}6vuPWr`nH~iuTUBs*~)nYr~ZWVh9>z4taXY$2I=1lg9S#8UzW8 zQmFA!n)@(<2e1cxL&7U|U*&Y>f2Ptjd~ zK^UzYn+?BrFQ4wXLIES7<+@ugRXtc%9No`qT>;Ai3M-YZ6d>-~{L9h9MFaJy(keG{ z0Izy?^Bd6>j?fq$crdixvqM2-Pg`DS(H@TJ4OjWmjbu`nzoH2EvG zm(g1B`m}VfF-|e7;8Sky>Y&P{O@u+oF4aZTPBMLRPMxLw{Ii!SV9<;nc$~))|Jr(+ z2tEd_nR%+H+GW$B9Jkp=-PqD%9~u3tBdce_p&TmUX7%4SQYY{_ZXHSLeE*&L7dK@S z#@YJCjT6f2+;@5_8@p>IS>5)Ie`toRcLZr4nl2OhV}Z)bvqMZKQYtWphy4^yXfCwU zxb~W6$#m;fre22NN6~80q}tiq^|q*0o9YPzq?HzOf47-)?IQu5$xjcx@^dmA z?zN440BNvIP~tUm?RyRU>8u=;k85J?eg&za{fYHpjgmB7Y-*th=@kk%&Wm&^&mFs{ zGxf=HrZHHAmRLxTs$16DvqL$D#mE+Og()Cw8}2fxa#tElZW<$KQ^RfA-!O1_c5|lw zslNRbrtBg#-48Y@FzMp5th=^7W*0yItnCM`AePUHjk&S0*O7;R(=^Kt)Wys)@Y0sv z=T#=QYIUVMy}8(%1L$UrkD9KP2lBJaK0&FqubmnPL+c zKP%nH?6PgWHaSFr{}qRT~K~K z*k;e#zCWj+$;De6WMEs`YJMoYYzp_>83+%(K|1VF=(h8fJTxLAU6))>?Jqt1kO22- z{!Hc6k$Z~zsy6GSn}ds|;2D`#5o=QhaY?!l3B(I4wltlWcF5yZdY+&z1m9=7GzLF} z1W&4W_rq0OvRA%2WmC`ZQLgHHb`a3HsQZk;5M7xy(Cfm^QygQyWX;G#~GHNU1t-t&+N+&8^;>WuCefu9)fr zT7_C9>Mv?TKCW-51gmXyM`-pjG7eO#C)(7k#tg$};?YO}7^aB{;P%uyxj2{$BUph# zoa5@nY)Ec-LK!2CA^iK!ox5|@+YHQRUS$PRT^V<+_q95UA-OosH)Kw7fXQa#`rW_j ze~*owve4gnk6gOiykYv}KVmvM_HxP3|YoK__jd#vGm?`er%Q6miu#Ik7_&bNhWLwPv5pvuB0qE}0 zeUG%XoVe^v@K#_H*L)@~Gpl6e;pUpq@q%omd%LhxI#)Xngz-T(c@%7;s#CJcyK!ID z0-gtvfowT(Vl5&!o-l3;jpT%r_>$1AWuLaN@xWETv2AYU1H8}7VYGWV^(By5?Li;E z5>F~Bii(d>Dmyfto|l7TXsdFWnggsnvP1@TfSm%_tU&WtfI}x%H7GFR-8(|Gqb3mX z&kiS7=V_KTSzE&o?#wHgjiz|F30M_~0t0Qh{mTWU=aOh}SOSnXQ{|dxmQ1(61~me4 zdlDXn@``&y@DGTQXIR+Us>DEHkSwj}@1Yo5P% zqqdrE?6_e2+Yj=ezDLhxFORZXF8O(OkJd(7hn6|Tt{U7!0mnHEH@NpQMom$A0?pv* z=^=OD;-ATq4!m^Ar;D0`hifgHX);pFSCj1F<}UCqy13TM#~XHcrKXGdN6KGQCHM{m 
z<%~9R6r2h|JFl!6V|i_0<>dBYtrbR)Fr(dNuCzzqelB-r({dG;21+F4mpZ!4FR|SQ z(}Zyo3QehYwKXhXsfnjR;?xuW<;$0bjWPEq;9ooqTI5V=P1HBO7qs5ivtp<7_f&#E z6>`}Mm!fkIXD_9my+M-Gl+&l@80fYNn$Gf$x!2!zo(;KB;f~r2(n45{~u@BFR`4sK3nJAyYcN&1zYL>w>>Wu zpx!}$*^bA$@2(QeL;AJ|b##igE7p3)2YGVS;X}Mz8TUQva#(zFdkY-5JZAFG9##(z zRStzUJ8H@#O^aS8 zX;7}qADO`lLFE@=emrzdBD-YcTdZ9pi--)9dk_JSogJpDPD}j2L<;G@2xj+WE~8=@ zy*R6CP4@OZ$aCJB2wCWW{LZYa6G51!U{JQQzM+?{vv(=K=detI6_C&)vPQ7$)l|tU z^|C|y%iamtY^R-i(IzaY3Hs(SB*ItIH!$#=G7YF9@m9_=8eTW&h1^b$+835RA|swk zSi-e|988+fh`^+=v(0$r*3BbL#Nchu)W?OfaOza>EFBMVi%T5;F$9(5{Ygsn~>UGkNYqK zokfS;Hj(DCK5cdl4UK^<1avm3fYwgOtkiz)?w0wy3W303hD!(|iP#qTp?CIvhVC z=YJ?19TCcZhlQI!rY-am4|&&gzBfN#I>}>y)i?8c87S{Hj}aZf(4Z=?+|aJ&bFaDn zQ-E;2H4`i&I;EUA84M)-F6U&ok0sKz&)E*4+AGh0hibt6u;CtXCQrLsZ9GS{2rUjB z&x2;F1tr%cx<_*?DlB}9!^VHMj#{0l<8N;H8xVY}2c#D3GBFc>`yTN9)F&Q^baI*g zEZnBMi5D!inl>!3!8>Eg3%HpGs5T?uSZsUeqCv~fMk*GHK?o$EG}DWKMDkJDj~9jc zh@rm=H(o%&udfbG*E^=KISjv`1efyg-%D_ZVs8=g)4-X{EY%pBroK8ZY-0ao<;g&? zbBUp$WeLk$&_hr|{@(Y~iM$HIZqnk}xOacceLa_WB!JXt! 
zCosn!(XH)*4#D7fu3A|C2PbB&a?2pARI`Z!ol4+HHXevW&b=cI#=JGH1{F~qel_pM z&D2q!OW|$SQnCtRWm*W@_3ujVD)m#)+mrq*vL1quYHm^fRGB9MJ^dQbKk#-#?h)2A zIR7Wmb3=dmPEM$4U`!c9fpk>~R$mSD$bQ%;loK;i19vq-PM1vgE5DZGJ-qtl4rKPeDt8?hBU|DH<9njbwTV7oo*-ne4`*e%W7I4u8*M9`S>Tl_qY`T5pL5@ZO>RFU zD7|ClK$~!VjAR*h@2IJ9?dq)u`WsHvkb>jdod&uiEM)QrRTqGiiKCmW)AKy0^q|1t z*lS{FC}}+H&=IlvF6hjxdG4J%WNAQKOd@sYe64gz-z0Q3F*?~2uKc}s3x<(|L&$m) z>?OIGVI_oqw221lCFYQMWeX%8+Cmk--x=uWb;&F_8s3blKE%+u)(c1C9H?D2<1QSX zmM6ffsQFIZ-|o1ZG>HA@pZ#a0dFJ*97D)Q@t}Du=rWY)90Nb3FYaU1dAydkz#rvwd z+0lf7EEg3Osd?q)i55Q{cshV&;8`J|EzHkHr)qimDCaeV5N6f8DsrFCBnck;*x}_{ zY&ea9gl5$=3NI6qK(9N#R;~f^BiOZ0CfG@>@(|Q;I_8t$Xq!o{qH3x z;6i<}sf%zI&4yGK@FYe@GspH=^pY-&C6Y=A3zH~SJwE#e+QV+}^l2W^;M))Kz4;mu zh2(wZ4m4)bik}6Hx&IOy>EG?y+>O|DcxJD(Ca&@J!|2GDb!T^#giCbf1oy5SI8c+n z)joZ+uAV^R$G&p?+p+xOgy$pH!;EV3#vib%uYppU|9KX7HI_GppX=y)@SgfzS zu6OJ^?B@k0o@kL*INRmqsrHDI(g;k>iIGDL`pX`k%BIr#Dj*+9xW|}&Mb=wIfs>mw zzA`tkKxXJhiCSSKTX4PCm@4gGemZH_4jgKK8ciS20|+m!99Hu`FdKa3IeYOi5xODz z?+9Lql8DCAVz4UWOC2Nx3(~B$y1+xhP;k%{p^->XC%I_e{q`b=V}rfy#g>ha+8(6} zunkr#8DvAUi}9-r7bzQu%UE6Bi+)gcG`0U+ZXaD_>ur(@0?74qXXIWIPR@)4B{6;c zH8Xh)+%E3mXA8dzzrQyB+M)CK!yoos!l2_ZkQ^9wz(M@%hOe6-Wv)6 zgkJ$SQrla+`W=$bd{Xra0~@8bIx3~cxq4Ual#ZEwT~owID&HdSF;xnu1@p6$ePbja zen!>Tr9d$x>EB6rTrnhcR0mc4!yiOop!DkqLNvJVJQsSRL>d5F$#qy1P)qLs#&^S! 
z7{~=7X{{c|=2w(ziLb=$GGV^r?(X$poJ(XGoKsxE{4hE zxY{MmSk%`^2aC()VZ+KTBh$JYHezQkvCs=5MN?7v+8l4p%r5ZTxvN}wl6EQT1=K@O z+gJam5!~}ND9{JqVv0ZBgH?&)$O-N9@4SNeGd4eR&g(Rl_J<6L*s zPY>=7xPE(4!p_OHpRtxwC!Bod@ve=;t@^ZIRu$*NS|OBw>$q6p{1G4U2lMyMdshNu z%ireo&7ZzAA_Mj z&@K;zQ?lhi(M<(<@9%sOnM4Me2IAM0Jp_ZIiN+rv1(P7H!%)50Zu{g|sD3eXbV=m@ zwEI9UUS`Vv90M5!zP@5-JM&jAf!cgf9e7}Ojz$;e8H%t(czd|ScIDg02AbL)l_7`4 zG^wx*bc{Fd;HHeKWKT1*a81say1J%b_E@92agTNTEZV?W$;GB3=K>DRN7d+qj}`?X zm*nq#6gc?krLi{qfp6WO!yC?2*<||EC1$_;sdECyjQYMD*%!y5%bY;?W!C*Zgr1&W zQd^shl{z7=N-0Bjr?WIS%ara7ibm<=SFt0cb2$sd1-z-5Z^u6JgXEvRCX)YM!OM+j zpoEmwm}}3@?dby6mo@4ymZMb_-GyVd{Hd_{zQz=9qWCF&u0Tk8(esHq^mH2N)un&n zX2Q?GA#aVGGX^SAHyn0*Z6>h<-YaJQWaXQ`8`=c43tsDis@&*-*Sdr9J!2px&7F6G zCXovRR%$fd8TMxUm2!f)%LD$le5Cdlk;T)KnTcBi_PgweA8ZoMFDsj7!#$>DrW1t3 zqiD0o!Vh%goQ>(2but3DEnMioR5`6a?MOD;E;X1Tky22I0;M;jp=oRA`7x{QRl8W5 zuJZgip>GS8ty@b&Ol<*MSZia8%jvA2utOKpEwy=%9!g>GP_~*pBRM_|j#}dAkZ{EQ zAw=l2VY)4@mCbjD1q7Uvl9EE(1%t*kZ*tB#P4-}rVViH>tbuNZGlOHbo-;C_lXjc~ zGc)sDG-RL{OxC$;_}b>#bD(cI6e**HL*kgT6m>Q+XO)Ydib-js)Orhbtn8(%%zHxB zc+96NkXgbMo=SSQU_m|wQcWfjQ@Qa?7hldEQ`I0Fr{T49;*bzT?to4z#j4)oBC-3~ zkm&W<$eVUMJ0sTJSs~#{PwZVgpKJi+Kjc3k4A^6)C_Q)Q@=X_f&yE*t=%!}}4)@}3 z|E%l1@CEdp(3f$lz>Q*oL06X@|L zTr&wXdXp1GX^H8|EVN(f?=V>hT`|R=s;w=<95PWHn*(*9lsv%)re5^s|M?NCfU5)( z&n|SlA4h%Vk?ND^530{;_5MP%@Vf{GRwx^3E*}sU?tU4cm`FElR0aa3r|L7&L+G8W zIqM=(;^6idrHFlEIj5B`vaOJm;OE5W8T@pP>1g?IGW4BBgNr(wCk+ z-q$!0N=e*QAdOXx@bP2>i3-EizuXCx+cxdvNcZa`wN1;*SmTf6L zFpJ{{-I4xenI#8INSZy4UH(15*>UF~6#!f8ZWeOU> zEi!O15kcAjQi49M5yq{t&5a`pSE?5hYU0+?_xIXF&^ciLV*e8NC8n~52$U;qm9z<~ z^oWrU_`6NtcpHVHsjzSSHI?iJBS2wK!|jjzzaPgR?GyDM_letbST%>KJG{GFmF$rW z(a~NVvA)s~rRe3ACm|KUH++hKZv5^6hRFU- zW}b4PFe!J$EnRK&;(*E|uynS9POM?fDD0K2Yj_s$nc-mO^G%C8oEO^zkTQjwHi<-m_OApnbmPiObNBM_9xR3hQptuj}86GfIC zYlt4?;V-?9WDZ4T1JQy+FiY~* zbRgwf0D@i~%3OD;l2OZ4y!2Ai(!~m!%GDNPJdCXnCx`-&EbA!`HZs(UP5u6GTXhYY8hZld%uKYDPv;27m%H0wElb#!64 zOr_jPCJKL@TzzJCY*ZJh17o@i^~Q9=Cnqm&#_C#ltHttIZ~$Rp=#8dtZ389oC>pu$ 
zWjzA>MJc^7lI6phN}8pn*NLfk$`3dgm~6uNG22C;BXVW-CL#+=&A}{N5i=JaxYK99 zI56MbHpt&SpuO+ZZWh%SUA4d1FkjS9`cuE90`Nq})6%~cAP)KN_lG!laPQTcls@-m zhQZ_Yq@9~T+k&>-F&o)>oUK?CO3zrZeU@)3T?+&Y()%k(3O^RgfXvVSb&CgP%;QC= zMIYLutSrwfbs2?AICs_7KV0#nsB6r<=P6{DOQKGBV|w#6Zi0ha8vDZyqu9?{Sj7ff zwr*=AM&Z+(&jW2^E!+ATaU4Gc(>Ua9Mjz$WslH`kX@56InB`qslB<+dYl;(GdMkl* z^or}x%g&wZ7%*btcHM5~Y^EhU15@Zx&9WX(4Hn2H$qrwRMvP+EDosY+Cog0xrTdj& zdK5$=+A~;nJd1f9`qh6j3Ct6&geZ$=C@OHfY0e)bl~rVizBma_7ZXU)fGg~nWzpXjmgYcIJW$P^gaz=s0-PlZBaO(&>pn)LCoe5iQ3V>_2x zBf4aUj^ke&aqP;2@a3XtiXvDAV^Mocf~;AC8gM==6U`0W{(2iw1u%4~VdVsJmo-vE zKOBS|?5$#Q4UCpYs}EuWBG=atpJz{S{~R!W?Ho8MPreng9?#CEjxa^mzh`Hl^>9a# zjAQQF2n%F!`N2ESdZ1i!fJQLEAV8Q;W83vHXFLZlLul#>g`AYs1)aclor;dpzJqSa zU$ECatgOwt5t(h{Ec?9xM6=%C>RY&aee=0)<(6`}A+rKrst2de6>c{3#NkM*p-I0B zHz$+k2XE3)SS7PO3{v{ubE5zgy|ucip!0A2A+WZm%bH}&yTKw*989^pdY`#ivud6g!#H(5#WZM2?ehkU$1 zbF@i9bXPY2Q0Yg|_haS~VILLtRH{R|B5urC-m?RsOBo%gnAS`Zu64G3HZ#%vhSy)j zTVs_5Nok)&FgT@|oJ-nrT}Nvh3FY#^HW)&v$wF7ijO8 z%88sEe?ciw3ZZ`hk*<7h?Wt55e^9C?M3;riR>^D{uJEXcrD~gZ-<&TiDJE%b8S@}9 z!}+T^6{v@#B!KSX0w;SUp{IKy9xgJ60htbV+U(ld zkD?lD-{V9Ut?l*$CT*IyZx8Nut4yU?Gx5)4o@!AL+Dt2n)6!S$Yt~ktfGCbL$AE%?}`7W)~!G&OEWUOOK%3yT~qT0@A zv#zKP)%6`7E{yII!~rYGU5j4Xf#jTR2!!lW+db?#Fzcs40p)TX7+u}Vw!b)zMTCbN zTHr1zEL<~*heayr`IB>&KYAw2y8gaBPs7fla4Zu?(K#9gn=>wptu}okx#-11xFPK_ z!mCr=yB85G5~)E%F71{seK$#hv?2*%!vLijUf{CN>VnaqN>#{(4pi!K6_OS^wQ9oT z=^As==sP?+*X8-e{)%@fEzW@7`2LqTOhiYsycp?fvn5+OL@jc2=MbarqVDRTmb3{N z7MVf6e3EBd^L=gB*7#|#so~O6Zj1PWmRzrarLhi6Cl@uQV*?EUs0Z}uaT2MSw-Zux2w1sEF|ca92GHky|y>+4^OfBJC1<;vqJx#i~IRdH$JS6U*+yGJ&wBz860WVWFK z^a=G;a&P11&`8O?p{b-J>fttRmadt8-}fqFL>#K?QiEg^8I8b8ov7E72c3nY_|xj) zY)K!0KX6Lj)wAQ-)~KYUr0Om?Ik}Rvb476*UkdvbWFq8;Dk4f(Q<6y`L6z)u{BJ@pwrLIR4y$Yat@g=~W%n}y z0?wQP+QM3TPr5s@2MFcMAWt?fmY?3ny-)wp6Uh0wHR^RQ;=>20nETGf)6c*{^uA0w zML?Wl(Z-HyC9t%#OaqRmhg{{eK{uPFV=L&f7*150mu6jKoB9>X@Hqh_c( zr|aUrO(3?V$!k&(HRBcT3i9cq-BEx*hB|#~kd^!1e8M2iQ{Uk<1wD zj~_pB8`O!$80_xVDjWpCjdhxYD<{>Il%!ap98r$mbTm5)=WEU+{952=ihxcf_`bsZ 
zKg<1dd9Q`g5sQ5|PeIo4Nbev2Hcj~2Z5xo~jjnerCyl=3ZcR})CI3~vfaGdb(=Sa< zP9C`qcXNA9aDIxBlA_w}6Bq!qdV6P1wT*?QriF!e(EPsY*U#3NUR{0en>W3LcMS7) znLBw4zuYtHq@Vf#8YJt9h)BfBfTm;vVZE<#50bbVul79tMbUS z#Al+;AH>*!zWB*`d9s_=uO#j3Nz2Hn1c3<~ zvAmW)v2*a% zj$nG072VxyHr(L)-MuqGw#jx>yS1}@dLD8j*iyN!*5IqH(d${${Z-CwQZgO6q(KyS zLIH7*No~t}8`EIoYx~^tFzA5uFMH*Iez&3iInsX|doTRQ?%bE3JkVEtOa#CF_xp14 z%sbX=Ya^tdN=(aNYd?}JnW~c(Yp&0|y7WX;m>90lJ!YQXvs^W@bk63(cX7-Z3f0-B z_Dn{vW2LN5jYY;t&v9gvTfg?i)Xvlt*~Xv+Yd9QRml`ZAUQ<)k^nD92HQyUEK0dBq z)>#?xe2}n^Ieu{9+jYd3FZ4Ot!qTpe%a)nj16>Atn@lp2S6PqabIRMPEG-yH}l!-xI@lutPl)gmCARtAhUti3Sd;q)O1A%s(?-|nu z?>M{Ofw@Ij=%?@Z={XRaiTRoEnVc@nsniNz(k_uvSLl-Yx)L45NU7N+tFeQyjKXTq zj*y!Yo&801_~PKQw98Tp{tEe*@BtRNKrSkJ{AE~qcJlDD-1=W!mXOfisHd)VDrRQP z5C}woM^gfvngEKAESrJQY4;e2w9b3|n&QII_hi$ynYE@)PNy~0d(ffdkD40M$_mvz zi{C99H@Icakwr!+U9Sud;?*J(XA<6_kAOmlsBKRYS(C^qK+!Y}Lb6=CJGrGcs`}lZ zShQ-kqfoc{zEOENOy_**|jWUUQBVkUUviFCYvELhaj93R`}- zn+`Ijt`xDtTYDH{-LfBzOo_^LDZqB1XgocTlbZl+Lz5+|MW&nXG>OCNQ;ogD9)KJQ9S@c*^`#ywu2d z6v*Y#J#IS>Z+vnqh^(B#vJ7I_)<2_A5X9>7apqU}w4?_yQWDaB-0PNBObh}s;#=~` zgUE^SkB?%(VtRJWj5>Mo;@13IuZy@HIQyL;hM=uRs(q&mb}LH@NdwlrCg|MWI`u1# z^`a9Ml1D08eW7_eGV?Wi@&jWZ4BwQVL%Qj&6414ik9lw|vjjgpd2(Z*f-rOKp~1NdZ>vOc=fZfh>gWcUhYlG94UhR{?7_Cd)SOh0>W=MlIb~tEfKgK-cjgBjDXAj+ zmM#E5+#F1wy+8FcUffm!0shkSJKX z!L%D3x%+eJcX2E89vxJP9*nSwlZv#bAqc@lc%&aIOSf;sSYMQ|#}rxXJrG4%)TX%K zc)y%-KqiMQ#qF^{vRD$=Tv4`YYRn}%PRB6Xc;bMds%I~_(KD{@$%DHtt^N6n6i3TF zCG&ngy`RR+>i=o)J;0jE+I{g6aYPWYQ4|Fo3o6xuAT6k47)3w@r4te9B?w4pNkm0P zq^N*MS5OftQL2;>6ancXO$ZQ_5?T@nkdS_NaKJD#XU_MXbN=`L+(J9onOC_V_d}F_`Q_#d!{oiBGf@;luo}~QCBb7)P~+7nj zP^KQKLG(5D+thaeKQ9*;|8RGcYHj<@b8~CpZ(~v|-+Hd7`)Xk%60Sk+eoA?N^t+@h z&#n*zH?>!P`IEn>WvM%)cXGoTLGY=9Pm;@A%o{gK1b)G>0FoK7S-bt{8DSUm9NN(= zub#lWk!!;Z;}6BArTwC6tY{~`6GrUae{u8B@%($CqUj#Tk0U>G?sTHcgu zShT#l@6qz{N&9U<=e2ON7|^@;%9rKa;0EyR?qBjPy;&6B@BpKdLn>Q8-mC@Qa@$#6 zP>e&|6BZUeQtNSpFeF^2X zy%GU&mS$#B28om#dzlu0I5TDUQkj!_Bj;{lFk}rE7uT_@2%s1Lg6GoAL)`?qWV^wT=*>0ghVya!6@ 
z|1OUD9xwgeE8@S#U8nust?u?OUq(N@+`dI>cvIxPd+BAwglzK!8_tPChY#FXR6TKZaY;C0{a|=>xGTfvQGe@!bO6g*3a@N@Z7NdO)6?SePOC*$zQVRAdZbO5 zSDq^vTba(J^_k7-+jJcH0uC|rXVxcdt#{n{;px~Id1uCfaE-ie=pftle&gJA;r(6> zIWf89Xoyi@6mVZPT#(2d0oyfVd@two*gw?WIKXt9{r_U~JgoL{7zKTm!tAr2ni zBr$S$f&%(9aK!!M1sNBX2j0+v(yBN6<=N>YR)toj>A-h}M{_R5793-k`U{_k0+(l4 zZI=RkX3ahrj`abBwP?@|dK|E4kMpBIAXpS#v*zhon{4}Rbgj=`mHOJ>!^5AQR@jz{ z`sF|r3ZbBkdIGRRv|)-?rq1L+{m;_V-A{wxt^0#c1pzuW(5=4zCpsTISaAje5NyCqlUfYC zV*0}-BbS?w4RM$=7u~jucUtVo`fbaWEvHtjU@QD&30BRfKkJnVoV?cbc`nNobCO1* zk)2ELUIdrxUfgm`(((lBo-#W#DNgOm6}z$iKw>N`^Xb#zkrw3n?qXO~S4-3d`m^8q zs7&(Vj!qLS!^8mda^Uh-949+{*F|vI;r#2$=x1BJCs&GndcJaXYa>=}qgc!zuwJH#(i$PrruKv3MJxs+g>*pYOxEAi?Z?Z4Wp=0kx_A zd-9$W(*tIod?S11J$iJ(+dIE~7Fzf(7JG*eVviyWqaHpEWs6jeEF_ZvJE8$}~e!30F;XX(-$L+=Z7ougsefg(_sx9;NLothkt~y)y+uHySN+R7jcnWt z!dUR_3j3aDSXb+nq_VGFb~$kB&Yc6H-ohev^^a1ziaA$iEQ+W06a~R=c!in%Hhd9$ zD#6P7NO4*?;_}WDjuwsxqv@`uto}QBD*mD(2WQ5snvWup$o=a6J;AyGmR%#_dR6Av ztwBi8D^!-Fcg~Y>m)e_M?$)(^&0A>QUp-KwGrxp3jVfT^D7w!Yq{4$VPk`Qb;!?&X-hNlHjah!I)6YE|n{ z9n4tlQv3yvpiDY9Mbm$sW@lz57G}S*@x=>=o;U9DSr-o2bYIjS`{`2ORO!x>b)g}S zBHd(4h{BidZftb4T-)QPCu8GUKN83KW=2kToEpAW9x%2G)_WX-9{q)Of7XvQ(_$>c zuq-OBvu&*z*=xaRP|~P-Rin|SF%wuH-xYyRP`*6t7)m=_BfgNBdLl2fL!~E{q+_G` zCjsCExj}i!#(xA)kn%6-3O?^j?3-rDWV6_2ja#V8&7P7Ft?<2PA3xcWq`U$?J9_@r zRsAlQV?%iDhY#yfCo(-Oi#(o^Dp;4`AMLTh!N=RPOqIt1;@!q(!o2L>C*RFJFf`ik z<7}n(=ml)cjbzC%TNEDX4Qn|&5_?8WQquS*%Y-CTrD6S!EbMXD6$aLCb>T0Y+>a^L zYr5;q%bSb7d|6jJo=w`X13N<9tTK^br43PZShe6*rR)GSMXvW$`Oixc!uNE;_FY_6 z`M7q&KV^w-2exLxg!k;Gq_t(2rgbD3iT;69G`Hs={%(gFi?O%PxFz{O69^g&V zzErimbY&5>y?ggQkj)aZxZIRpZiRoO)79dxBF%W8a_zINkx)c)Ims-nH4W0qK%TjJ`9jo&tX#Nkrw>(7jJg~MN1G4k3?#>F@6i6E?b+PXo~ z<~O6>>yoPu6?a-3&N{&O+68H|ls;O}`Mmntb+aR=yrd!-tuJX&8&+#f1lIrF6?rgx zgJ*|h=)wHzecx?i@C*=5rxaI8{0WRgzpq(P$3y>w#snYb^78VR$|4cqU%{ti!T0Wk zX*7{%SFBjEx#iJ5Qg^-_;8T7$dFkTCSQ9g|-$GWcGO@OHe`vv|B0ql?SW|sE_LRJQ z{r-C)rxFtrvBGT{vUSTN20jF}Xwl>YLr>Fngw zs`mls+}yHffAP0(y=A`o_WOv)(Wy_PFLmHCXVO#FZ@vEEU8naqMTxMeut$c|^=Y8I 
z%1m?H^EA4jQQbzr%^OC4Z&~+%wwSqiq7Aq#*iG;K|D-nSoeY2wu&T4>_4RGR=PeJY z|NMPg-}fVgbf4G>e$RB=3~c|dIuCPAEG_lzvoF|JjkPJg&2zN6X{sLK@b1Ik3E27E&JA;{dsv{s++Nqn=Tj%*{O0MEu`X4K3Jpp zdKwXEaZ*A(u|@k({R!vno|nbNaX#6A^J+1Ie)H!1*e%hV8&OeWA)$Kbe*N{fPg-VX ze4hEm)-ZCUxrEMxroo3g`-cXH6`L}$E=qT-J|&%)I2wBL*j0OE!}ivxlyRZC=4%Ep z#^mTWm&bb+VE#7$CxLWg5KKkwPtqkSE|8M^@qbccZ&HYZ4+H`_LySK2=y86-tC{GI zjt)S`C*?|=3eSjsDoOUpzG?s4Z~H<*LiT6qN5y>ldU7@3!P&{@|2$9s{OQ^5@$LS; z`+aqe%WR94(bwGj@ql&j2TtqiQ?%z^^7T%p2%Tg%Cza`Xf>;FAgaNkB4An&X`aEac z=n`I#bPZraT*~)@Z!b^1e7d+`K@R?BqiAK$vHs)}rK|QgG&j@& zPJfK~g|ox8k##^zstu(5#cxHG5`T4MPkL_Is3f>BMHw!b^!g0TrT(-;N&sG3&t1Lp zk3KsQ?c_aM`NU(h``xEPmvSDO)|}LouguE1lqdYi{<+@E3gT_c{M)bZyLw%Hwt1VV z=vuFd5)F-#1iHqzTV;wB9OO~l@*6fb<49lKYf4Y1!^-wG^X$L}G4ofIFnX^Un1 zOe=)mUgG9v9>o90D5uK)^wUoqj^CK@-Nlx7lYJbNqTj{->88rf$E7ykFA#cO^ZCO0 zXB*duc6|B(N__U~5mhN>_DLnm$W zx{ZiI%4BT`%AbhGO;bC`z5`1^BzX)7myC<=XBJ~++lr{_aU%ZGuBV{<4>IlJ3Y85KBEhzf(?8Op2y zGFmT63CHfIDz#wdzYR;{Xq4fsC@A^;AO@+*o;$)OwP#Hmf|{De2pnJLk)IKFfEQv4 zrYHqxHqOY(I%alhyMegpC~U_tAoz!K7+@D9?R&OqqzpD2s~3ymx9nr2k_iKLwiyKV)qNJ3_x+ z|1oAkpRhPFhdv4gyK zWX1>>$7cxE=F$7&?!b_J8jRTOjT^tq=#P1FHr;12)q;5+DF%6R6%^7M%E7J1>|7Kd z@CDSB6(Oyr)6?08ymOILI9G8*A&ZWbP_S^|oxO_uxxCc(qmzo|%f27DW?y*!y%w=e zJi{2sl-LK^DzPu5HO>AJ?@;mu_AvH`H}}7v;9Y{ZaW~$NqUV_^JcAQVapA65@C7MF z{xASV;Y))@5&ln=Mz1&+IX@r5Wo^=2Gl=auHcI|0tis!*Xnh(b(~C-YHdOg4#)Z_o!A__QD6ERT$Y!iBVE8eNrTSp<%c|LiCu z4m8g)>YY7&##2EyTg9Sa8F5^`q)SPho73Rcz@tJjlhjwr;fN_Uogn`i?-pwvRw&Yw zMub(M-{ICR)8M<6(nyLyoEU3FPYDu8Dc9pbjA$cB3TFhTb2>29fENXc zLgmAF1e+Wzh8QJ}wo;XmQ;gKNb%{VV!e4*X#~FyDT_8*9oCLww$4V$XqPg(TA1C# zG$@-8U2?-{4-dR5jdpsPO0ZxgPURp-`)l_bP#8P5@Qi2BuwyRGG^Euvrtyb=vqN_v z9C%($cgC`7r-gy%JprCKiedIst@~;BNCC9eBXkgRde(@H3Drsbfrj86p48e;oQYcG zT2>#(e0E8BrrO{Ig0w79R?E9-jbf4t_M=$d=L;?3f z`{Vo3z772p3gm4$6<5KTmK~lijRPD_krs@V42#~y9wEb&EByS&p3Azujor?pdw%tT z016A^QvIu>ZJHHeds^`+fej4;Q8I82xr9TBZ?JYaHf_2l(q8soW{=gDQfSQ&hg-C~ z{i%V7F|u+$jmUv)>+{^9xomaBgUixJIrRECB}f3%NCH0gJkEwzT+1m0yt(jyUD`_F 
z?9qe3?DF6m2m@fss6#lT%d@OL?H@+13Qdo4O_*md$fscj1gkb;Q_>PDPJIoAOjy;_L zy544VNeaC`qn0-Y@l;+&;qT~1ImIuFowIf85W?yC#Z$|&SC@qMh39JBd%o-z#tXOj zyWG&<<)zK`0~-lsg-5^eM(PHu>f`PV-x3Gkdt|x?Z zyFTA6j5lUd69=;6kHjwhi>d8c0pWD{mMi;tpVn*gB*@uJ$IP~XFAO2RFqZNxz^)S? z89!8>FAP31ehTIj=nw1j9|%L2QuZfv`})Gdu5qkf!DgO3uAl=q*_Jq;(YX1~+vxmk z8@HH%F9p67zH1vF3tWelF9p677Q-h#7Wi1;V}Zvb=dZjfzJ#4A`*Tb zivYixhg<&1mjYi3i)m~=7Wi1;W8p^%o6nBl%gp(_z~==%FZ?%nVY^~Dd+JRy3I1(R zI(%|50$nJ1%CG>c(gm)YO2x9m9xt!+Saa3^QyfL=hZueCxj@YbXj#q3z}AK1q^J$5C%FLsBQ6YHz4sh&uBqd13QxEL zY7z%KlJLvUpIYr&IIyXjw(LyORHY!WgNON>6CS~Jld$3v;Dje@`3X-~p!VNb3Jq=t z`pN$YQe__Nu8ABrHT`Q5i%L9;c+^xX8J)W9u$5=TLY+?6?+MFJe68HH@7){bxN!QZ z1_j>xJFME9kLw!&3VWzC%L;pPH*gQ^&Tc(__{U&`*85!+*rWakV*S^Gn98e^GOQJF z!WXgpgsi17?Wpe{+r`x|`(T9n#v(@K64+x+?^_fa5|LDghBMx9|vANK1ta9#k$LJpbo` zXW+J&`eHADAJ}*-&Ii)^9skd<(2Ys8iHT+O?6!WP@jzAea?4Z2<*|;xjOZff*-$wBLg&&D1zK!792)>Qr+X#MsfuChr&(Ae+ll6Ql@TIW0d&tMae-{f( z2!$xvL&?jPp05fQ3KJ5Riay;eY;G98W!>qkk4{#MXhoU6Xt3Y7Vf8uP`#al?H01Ty z?^N~btRL_2Jh4ULUH8wYE?+x86(-q_MkP0O11;X(LYiqT|K{QRF0W*5Eygj-j6cOa z2g+#ZUvTU%Uk=`_zBhe;_+E=n-mZR6fS#CHbA_6V-VS%SE@1s{KoeXiF*%2ydAI4- zD%=;Wy?P|1_16Xq-s|nc9}$HWzPz1J z%X$l2tmsB{b`igaAm29(N00B|c0ABddc0+E+micZmDjo(w?(&Z25(Yy)_u3{`8WxSmYo~#bu4RjHs zcwTY%UXJp8gq4*7r#;Vtjin3GHe&r>Wh0v{Crqo9ylT|1$NnJI5cEqjJB zxAi%F%zfGGb55=Kh`9G{<|=OzNa+-ySe{Of1G>Xn%iMdq zl&%9lynZH7mw2a6`ES6xknD7AdA~fNd_mW?puz6ovQB@GOcn-G{Wp2og&a7+{L8YG zvNh0f*VkX+&a!T~4~2I_x9-K5{Y@s8n+4C&7FnKD)(;NVn%v-?-+C3oWR~b_q^gO= z#k4sr5hn1#Eat{!@je}+y+4w*H!AZM^75m3>K9J(rtmL2bF=D92YzDy#{UR(`HA`O zY8L#zf42tu>HVk_K9w^)s4ca8v!mFFyMJ|V@crogFN{4d%lEK=H;`prE0kX(u!TLW zjSKo~BOFV0LbN8@z^HqhfDnD!q-}EnP4xc}lwnzD(;Ddr+0hJr3K7KLwqAu`@ zv6l#v4~qX1DCRptwXgI+ncwg&)}L|NDy7eoj_%^E#7Yyqia9mye`s-wl(Po-)0YQC5sBT>Z{;$9`18M zPsCyfaO0=o=Nq`iETf+vx0E#mV`!Fy)^tvjRkOxmfp1+kB)Mb^4;Jbr5UEa<9wo!2 zv94XY?vRqv_Yr=b@AZqieX&KPmmf5}OI+s0DLGKM_s9sC(;GC?goUy@p~b7U=Xbi# zjmu+?$@)Rcrf$xt(PdW39<5rh7`s*u%*CXoWud)mCa7-oQk7LiT%~o_n-`rHw 
zf>6rdeS2XO&GLAagx|1q%-GCq;UKq&rP6q-fug!cQMUu36AQ&O4_(6czsjN2CHOXV zm=?RD(7xvlr31)s@B7o^p$P$g9bZ=$tGafc?ThRG0_89Y9kucP(HX3%P>@@#Ore)o zpdCtU>Nw_e3Nt3d;1LQ>MQ#QQd%O zlkr#@pn@_m{;}o;2I5}+Yz6KcQ!DYuZ=YB=$8Pg@K0-98;4r=*P`}g|(0<cR{y!j@=8SGIZErHG2sex4<4 z+Rv4oAs{(xKysbP!Un`d;@i;0Rk}$#f3o}+9F0Rs^EVqcUiO7`t>zV(aV z_G@NkBMDh*^YaG&mrDd|r5V`GVCdP8gG&?mu{5v+z96)@+GCu>ikEOjUw@zVh`6mB zfQ&wgq1fD#|Ks4l!tRCM10lO5X9xUxvVAG9kp4YCTY@ERIka+!A+^N48l$f{Zkzd*%~5QFjFxfLSY!e=|dF_%9!%x zsW7{}#ge6Y)e@EkD`lo%QhwLdDRnO+95vSOimd2iwQ=am1UL!aReES>%(23GeEMRj zY;R|_`Qhuh#s~uJ%TpG`PPPj%#ujt3bgQ5>_Dvwz^R=!$IQRgX0MVH9{wPXJhIYO?hDC{H)R@-brwa9zJfMtpwW#Lt4CAPh zp+Uy-QYY0o@>S?R)+u;+CwCE!`QxAn0Gp7RXxBS*uPJZ-GA? z{hAf&0V^NO70H#3+h7#Xw1yCi(z)i+cSktAj93(?8D#RQH((+sqq7A)-A6(c!@t?d zI=A?BdhZqMYd4ZYWBW+0HnR`o3@BUTE<{=RPnBX}-Bih*uv=n@T1B5?yIT^?)szA% zhU`NNQaQA;#@@nrse>CwvB1!L*>NqF(56e4?j45Otn5riE#9a7Aj-+oy>Pgll@DcN z9d-KHA0;aSrgaAM*&dTx z@)7u;)4SLlWz?EWE1LkLKz{_#8}0*R8S_2)j^7acoBe{dC8^I2u?6d6L(2=SK?nBB zcztfEgBw;)>j+xsunjb!1fV+qn~R_fTNBPW7RBPB{NrW0`0Aa&;v|mqdskjtq=3` zOU-bdh`Aai&TLew8;0_FrH5O0X{~bU=zGc|H3Lawweh z_HlzBVIFxnP7FDf6rUwMH*@kUJ)-A`)od>w^RkbjLrvD2xGB;M1?WmPyG)y1I=f(Q zYI93Q5`5b?gc^FZpvm_`*%pD{NZS6yK6hq0l2d=m-D;>Dk0usgKJQiWepJM!Jgsj~ zhH3@HO(P^DN46uyYvx@$@CX*Yank|ebgW02dl_e?Y;O%j5JOV#ycAX>vjeJ-_vgqVQSN9T>rA&A)x z1UV3`ZYXmGc<+e}lTwUPrJHu{eX|El z+MI-@>KMD$ocdNJhNx?Ydn}1|RuQnIL(1JI!s%Q^ohgO91SH$Ek9K-Vqq6|vPt|=y zAFR+1ijE)9oCx?_38cA)tP~4J1pwjY}*grOVRJ zF&LOY&QOJ@I2bpRi}6UMXCNPEOUJp0X)`}AcvZy25;B{LE{2l_Ws^%vi1_FfW;<~S4{caExr;rYGojfxhNn1XMQZqtI8PvKyy~h6*=iNG;}!AJ zgPb&PAR1}vO=2clN+pxp)baA_&2FBb>}0SqbJDAud#$MX8Sh7Lf%i0W4j-^(5O8o z&Ol*=5%6yM)@iQ)=~;SW5sv2+b}-zf%qY=-tTX@>%fq?Z{&?ZefmPhoLR*tQeBwO+ z+GH)IJv4REJrz#W+Mt0nITD0TO8crDQ6FX`9V_9eGxfjJv^R#N>dXy{*5s!!ZWiGX41n8;RRV?%))w}`Fl|?xdfyKX1)G}!>}ZUo zV4Q90pww%H1)Fx9Y z)(os14JYQ~4YeIdYMj$Ij!qiIuqsE}PJs^M+fF%lR*XC|?pdcfsp6fVJQGYUjDpWr zMPqaSqPv^F>n=kTGX3J|q?+ZIr5A1lpWyM`aRCJezW27H+!!dynhwegmqnZ#xnZV;Kt7-3k@Vaz(& 
zV&x!qzVSqg_5ox+>=JEeJPYNahqB;o`qdHST!FGm1rTP*PC~V71h!1iNut!B_08qN z5_|iMZD%{=QhGhS6R~FA~6?0I97kR=4%bqF2nZs~FA+2^% zI%%w_S6MGo4to#Av^Bd~LeX=LO}?F5G73e}68J~g#ldoJOOgQsZ@>uwIT`N@Z)T$N zXL=jqGprbv$GHcrl!Ncg@*NDM9ly|&@^C>1h)YrYOTcaRu(}9@tREQ&eFkA;9!?ac z*tO&ux-3A;!cW4R)9@jr9u{KP`z%LH3chvJPA^qhgF&Wmg7oDk&c)t79EF~$mhT~W zz{=ti-7Ac$tw?Rg6$j})0zU9lquW5ao9?r@K@_ANQB0jSV##VA9zh=u zxAh9FkjDgZRu^UHu;Qab0}g~YvjX>?{MnTKt%Vyf78{`g@4R>V$#MT51Un$H7nsj& zux)|j{At$R;q^cSByE~IZ*iiVRMVI9Bhj!GfWPy$TENF7)owaVVz^sz*`)lc)l!(Y zPh!Ds_-d=rHSo60uozm4885u|(4T{=$bgeK$tF%-`}j4hM~Bht4-C_2XR_8j#+35K z8&%}h(P|6>j8etda1fAYc~gD0=@^pAro4#?a^lWtwf4vx!g!-J0jW+Z8*eHHXTxKb+D zDH_oCCtp6rox{{}MpWGXn#w9CsUcMRI4i_ljQo3Q!~ysFIfLpbx8x#)EFie_^>CVu zb?&=qm@MZ5E29h0Bew_l25RB`mEEW%Bt$e8L~o7iIjAS2!v$j~y9ZTV z3z|M{EY_qLo-$8YE3m}TJEK(xQCDP^h;^J^$CY=BUfClhoO&OO1kRXDvN1F)0sz4B#g+`p617nfqXdy@BA5>WO0Ti<7= zxSMM!Mj%nCOW){N@IDl^B8InaGt!_H6!rOH4Xy$qR$D)Vh>7n_A=SgFSWMqw3N;~M zG`4noTkhL$0I=}f{FJvJ8qhY>)P8#;9F=`H{vdW7%%KcD^wL73uAMGMt z%Secfx`ZDAAHIy75N+tJIr+M3VQuxcU3X)Y05pFHTP=w!OorDuM`OptLt0H51O5| zxRCS_F|s@Mb1jJK90kgp zBR41|_Np=J9TMF;5pz$)TW zrMBS_ukeLk?1CJv+2?BX;z-GIzv`WYTo@XAmC%by2GK+v3*3RcBYA$lp24AL6QWb+ zzqG@#?yw0;y=m&({+{Wyl8{y`4uPkHZL&E$$GoPZNr>qxBn2@n0f*Bb2XT^Lr{gwW zFfeiTiFr&7v+hm2EGRO#)X^uehz8q`BoA zzCjW*MWbXukrRzgtB}NE4yz|WWu`n+H6tbH^Ru_KPodjC$#4K)IUp!#@Ksi>i=>Sw zyVR(*7iKbE-X;@R(4?2&2m_dXJIcRRUktE$*uE}H#MpBjR1ye4Mx)g%%WAbreZKwv z__@w-(o3aq;@d$&&l=P*=W#$XIfExAXb=sQ^|fkof_EybxNguWfNb1z3ps2mS6pj~ zU=FGhfOtqchjYOaO|LHkI-3@9b1g-Kk(!1%j5s9QB(Mv@86MIJXTklsabBkPIQl3Rd%yGDmke1lBg2U-1xjy zMT4!Kk>u-u1(Fqxh~f5@Yg=YN#;!IZN^3@PQo0Wt%2*B55640J4Fj6wu|^1Tblrh} zan_Nk`xrU3_;pLxAkmzgNmw~m0dei8GP);Db5+Xphf0}k{oWxWf>vIpP(1MV+x;r6 zH8GDg1l=Mj79|Bo`+LPR3ISRu0DXHcPN28SxkM^s-OAiGzkRfW797z)^uJ}QQzu67 z^5K!xK9(WOB{WAXU{-w6G7{=BMMjfYMvRZ4I$u)QjgCg0YtKuesc<4Tg~60GK;S3k zy+zUoYdx-KSr(pL2kG$byI$O_uja?fYfy5{C?~3>qjE3~E)nlXH-}0ut$99o%_p4I z0xsGXZ~#Str7I6+u38|{H1EG(a*`uT4gdh#y8G@TBrZEI+DuzW<#PUv~7+N8r2NoXB^2u=!I;7QyJBiNxTknWTZ3|szr#QM4*uFUN{L$w{96$ 
z;_AXs7QG73YHw;m67vaA_PBB<{KCjsdb|VVl1%B9&0thAylaT=4o(Hr%c781u)xMf z4mFknvMwuv&)>oqL?LIZ2sYG;788GO=IIwGb;`#&9qB-OBFzRq*FhM)sFpS^;)Uj87yK7~6DJ%;i9Vd`Lx}SI0s3C~ay| z?_347qKs7~2Lc`_yr?O)9hL-HLWkRGQR}O`O?W^^b*yA@{q0VBFA`gJfram`$ ztcRq}5%Of2PgpG+CajEDIw5iDAi~(ItIyX}lioU!Urj^xmg0w3-{S}P zR?3f?>fX=|<;tuE^IQVFY1gv;#oVnwwU`3jvbW(T8ZG3f)o{mXO-nKZKD_M)kpFmX zCclsJdVU|}C5r#w->%{R&*s{d94Lv6On>!R{U?mEgN4(WkFfjG*sxI-D)5Y3^LrEB@>-w#+BJHh^zD;RpM9P5F>8~xVZVF~I|J3EHYZcI9P-i7_9h0Vwn22h z4sYWM^W{z5l*tU+0%7?V%leC^Ja@vi9S`0{(facUli*Ki;~; zEZhg?>81=k&Nw2P?q3l8V<#Tqmp4G~?>7|=%Q#0|kbD&+ntsvjpz2aG3Hb2jYOvP3 zgGSC_Sy}shI6mSC{bn68CZ`!4NJ`z6C zdT3b}@@k+fd^J5`Df`LI=v`d@F`9KG{E}^TJ5M#mPr(mYkp*kDo;yo5rQ0uiKXw?< z4Lxj5by;`%S3B;@F`T7x-iKu_Ylpr^WN1yK|Cu(G1ic2cMWx^xtIa^7Lwv&3m-m{< z@f}8#HWiByapPsZ;m=5X+_Y^b=7sH%s7G&>ts8J&N4~RblK0yGjX=SC-U>$9V7AN! zXtSrOm}(-?P&{e*YT51oHd`w?`%Q4cL^?A7S4EJjw9t^Dowp-M)W;wx^L>aPBN?^}YdxE91g*A#q3&DWX9?S?F6RCg_5mn+b}$I{>UQuxdu?Im@q9?8 zXnMS7mg@Gn{s7I=u{naJY<16g{kbanltmwndxNSS_qU(EHdn(quV39yqi2~Zs^63ui*9t6mtRc*YDDcm#B*tdz)5A#FOzEb z@3fv}z5iDII9am`>pY8#%#fu+epTZkOI_7fd4v1d_amRS_)5U%2WscpMA&nQ1B}>u z!WEu{*k-(nwDi~)dh!8ONDnXG&aDXs+a0Nq+naW*V_fy_(L`f(sYbG4 zFN8HNT|Is+Fi<|l%>&Gsw#d#| z>#Ns_+c!hQ=Ha}Bm3bxb8VV#Pa3(+VD(hvZRbjxRT&1@6T)ePMb$EZ12ONu2e3B-x z6)az>QoocjHm`(=wbwqgj4iC zYyH!W|1^oY!;$nG=l)p~#pKi5I{#+TQe|6t#F`1f?kr7)w+5g`d?N7nN z!tFZD21wb&#KZ&Dh$1XO_|ePV|JEI#+xk4HD&F*E zKGvUR{g)-z4H0zNv}sdcb(eBYFRd%UUQt=OmQ3EI*KX?cAZBT&_HSVLCxES257%|~ z@W?GIDw4oACr8mjL=O78XceWnRj0?snw@Ux>+7p(B<25;T>moIl@c$lD}qYO-n`k+ z5G7OXl)gbku5js>Y7ib{4n|7xO4DI;r0={WNBMl&ZuwM z*gpEOQ!(}$W%6uea$;0n<|Sy4Tw-D?f~hW(fv3}JRwxhK{Tp{*A#iK`%jbH<-EQEl zj;qwlx;?Wfg_9<@8H`p{ue`!6E+ zr{}(sKd1lvdOq1ONqs|fbo4=gy3g69l(TxDNX&xt(SU*%8Ev`g`D2d8=Vhhg2sKTt z=JeHx({AqWwG_&w0OE({=E%W`R1yEBim!iRnWf4rXYRB*K7Y1dFHkeWp)4XrOT`6F0^Bbr4z*t-QC8k+{An_i~A)O$9~q5fv)>kCWI$KExRgBxhx*C9M}q^J_k zl@?QvXqSzZ#EmpmkSHTfBmFIh%Pt*lUdrwL8DW1%bC;0<%BtZN^KY{KeSCZhx{hch z_)569OQXRpZj!A80-?Vpp()enD$B&>Q1b6@-b5dK=zE|kK^Nk(8-DFuRYmhwFtYn) 
zz?Wn2W!CSXqz){R=dY^}#kR9uME|Q-pTUCQXd5H#L=Z_SfgnYnj8~0!XiB$}tG!b2 zz$U}`jGpwI`h%^8`Hrj)zqu$F;JUzRkI*ui&r86chx1U~htZQSFgA}t=m+d)R78(; v0d*MPz_G~eU)s(7yLtavHopmQR-Vq>M|FO1_4QA{f2U6w{+fH@^3DGRb?XjS literal 0 HcmV?d00001 
diff --git a/docs/public/images/projectops-write-board_light.png b/docs/public/images/projectops-write-board_light.png new file mode 100644 index 0000000000000000000000000000000000000000..f62da3478ac86820cad1896a0513e9a1f1b7612a GIT binary patch literal 193877 zcmeEubyQScyeJZ)AQlqR>IWz_pp& zyLIUzaAn)#+an^PE9!Rg^3Rp!<=LLQI9l5|SP>CD{Sd21uCLWWn`)$~eChi8*I)XR z*zU5w{&L-rXjS2Q>_^f|>}_w;ER^VIjO*W5-zn0aeI^9eoplpJ{Bopb?Fv4=L-aCHhOLiOrks3lgV>y7 z$h^rms9gJxPjVaAN*zt7wQscS->C`_c2a+*0*g71R9~7A91ImCd((ZVASw&_k%XPX zpvY_qmk@i~vcKy|)()BsCE#Kmux9`_SLdGF>*O4*VN{X@tBt&7VPtK0Gx;r)B zapZ2kFiL+z?s`%GdbHL;+b;RB{wFqmCX0LTA7$2lxw?xcbjirPyRdk^4!rvjeVR6a`_`@eJO5B1g-0MzhSim;J51xvR|;pd zpg#m|TByChNAuWumP9x&#Gv7)EMx6MU7B$A7MD`NKV%A{W37G$Tas^hEWl6zVV7?Nm%eWal3n}dT&ACRJ!i?;-ylGy zz=sD4>WXA3X(wr^y~8!lH0PxtJNf(98^0RS;S;Y?9%(VtO-|EKyqCgtPlLC~Z@eZa zzQB0jT#Z~yR`_FuyNKHlad!>=>qL)#l3M&0ZMqWmbZz@nvpv&&(m=UCE{3H$UpQ;D zcus`r`=L+6d3$b1PwAsTe~xCyg=n^3l36yoY3|e5OnH_+-h_Vqg#B^vLV+B;JYPZn zd0^kQGVpD_mv=AHFaC~jXiH-kcu)WI3j0OsO(*$DI&|B;-@~lBbjiWKSKD@nQ+M9? 
ztJi4MsI0I}Cf|MV`P#mV#LDZF?<5#yoUn9_(2&~?5+~N&tFg|s&`V6tdZO3p(7})D zW#dGCS95W1n2!gB|4!l*G*fcUPWy7>R$$oX&ZoqqM5sJhzHwj@Yi04OJZ6dN@Cpou zRy$HCp<;!8;QfBp!ls1!*W-fQ_CyXF^ds*pEtIsqY+EHaz|O(ttw*OZB<}Bu6N)u- zW0gZ(3ti*)Io-hsFGa+f)q+}V&llB)<$Ghs$L-h4F`DUv_p8Fo!^Mg6anUFHM_k!B z4~GB$!9hlh2#K(5HwC z>L{(%zpVRC$J||?+OIdh^lAa4Z#1toJ|JFpaqP>6+*OX8k68u^KA3P8AjpX ztO{EPZ`$?@=MRY$xSPQBlJX=K#Z|;Ld=rkKo37&;ZcoKV#ALVioF00PheZtN6!0o{J@aCcQiq0A{YTeA7$DS4z+hzD& ztf{W;gumH~)bp)Z%fJoydwh{zaB0mMFt`Bx4XJ_4KPM-tlKm(f^_?sDVzBtTn)F8V zh*`HEJ@0a;>Xp`_4p<&A89dx;`Z*K%{GM-yeujbKM5JM)Po!Fee1ugSV}u5SXHv;C ztXi4cNFtNa>O-rK=SZ&FIgF zP)k=U?13276~Z>JlASB*NcX>G{$=_8 zYHt3EQD(a+<96b9!**YFo}5cLcXKZ0ENAd4UQH~<6h%cud~I?m6Z9$iPH|zBBDV;- z6T}__krk7@EK4Kn8Qc^6DA+#OS8h_yI)v#O``dS+MHG#_B1@DQA#5stbjf4$oMyXO z=UJLr^u3LH3pdo}QM=~zqY+4EJDLZP4)2LyU~`3Dcz%O?%Td5F$wz#M%8T&6CC=gD zv5_EZJ^7_(%Gq&_WKOSTMx{jUIY-4G4{vHw+uxkwAmb=hU;E1M)0}*HIfg2Ry(98L z=9iW)DGwT{gE@+lekH8M87BKcKKEqaj_FksPEHob{Jhn6>-(2rySEjY6;pOF(id;I zWF5t%{Vjc>KXMv_{5baL3TfOw__x4YqaXP_)U}c5IOs5r8H-(v*NGeEomJ-g15_qo zUi}i;^PzJrb}&BaOFbw$IX=!)KmT6Or_{t(58c~_JQ9Kn^hX4G?8ocuB=?*!>SW)( zX4-a-hA^J#W)<#dP=+$-8@54*wiGfm85uP*6yIh#cq1uXqgTaThWnd)hzCQ---}NZ2y3h$+ z>do$)<+fO<69CWGvoGc|J~Qh%7CN*avsWEKn2K0U)jk|8<6X~Nk6jn-RaL5Da=9!-nALNhv|dH;_+Va5Y*?8t+1~GUu!4YbulL@$nJjrQgPFmP!~LkQlfME)H=I;sJO|TZ zDFM^N4kO0iPqu%CWejD6M;$S9ON{s$do-LrS^7ZEt7QmHNp{-n%=@YZ$@!rHJ7YhN zkFlw-iAp(qJmJ^7J~<11j1*4xlm^eNjrgpHRL@+ktgRjf@6_~rq4q7bPHT=b;<0=w zHB4TZcy28Ba*Uz&MfjoBz3a85i^H=Gb25n7?|W#zYsN&QdY0%2|q76 zwFHOywtw;sLK|+kPazLwj(?BIxBk#b31>mE#!3qN8}GL)D!b}Ajke}c!#t#7Bu{^t zU~`UOjIaqQ+$so%H1y>-a6^1VuK3n&#D0gH6q|sn4;0bU{xRsK`H9b-7q|0gT&H1} zj|a26?W?e-uuka-f9T20^F{PD*cu=KfGOrY)VmOo*Zm<`!UtyPIRe0 z5GyxxHZO<+)K$z&^6sB^hymyL%b>e#f8OF|FL_sA?Kzvgql*=rFdsi3|6M5xHa0d1 zmzUOJnokt}9u9nyyld;`<|GCJd3t*Cc|PKEbg=;mJbwHb#QzZV@F6d72d}F))Xm(B z7wUTNuZR5eoF`VUmM(TqZg!4PHvDtVEgaq5B=6qEPxK#uf34HX%kDpCg1Y{_EntHn z{4XE@K7P=DJR2A)fxjyD+|J9&!QhD<1b`VZhm^o0etwBR2mD_@{pXbbWvKpt4t*%{ 
zzYqN{KmDIWbzH4n%WPvD%Gw$||Ht_2a143Y8^S#7Ti8&jSQ#tKv9 zzrjA+e;nNO0crB&UV8e8Bkj$lpWy=}cMfFO+~hdjo?KA4L7M4F`b73Y7*!_OYS15< zo&(b|3#z*$7}m7X z;Jt4#+0r54yf@@0Q-LKTRqRq2x_sT%Hs}`HCaO^NU<;*|+nCPzWB)Qiu*rRq_MId{ zE2r=M3s_{|n{O#%9`CnI#FduSnZL=OdZ4P*7|jb9a$b-Slg3pwZ9I0hSXwT(7(Yl5 zu-z;=q>6}25`EC7_BEN+znU+_GGTfO ze#OMV+-;ZhR|@GR9_FB19yo`|%&!vehUXU=eLcDgg~$C@C7u-%Nd5Y9K^G|_qL`&0 zv}q)=(wdl$Nns!?yTX{DDlhZUudz1+GJ#6=1O$A4M3 zdlAM|Pl*p%=y~5N4E{JRZZM8CM`78FDpgpo0@6j$Fz6P8Kl+Ep{=5+a3^P2d5*m*e z;3rJ(B&NtTk}E1T;G9`Xvmql(RQ^`67Sn3p`k7%j} zfh6A`(|A#l5*|L{!F|%qbUA|d55Jpi{lCa4j0SUb6!pN~m^LZndBWsPTF9j#BQv*? zh=kqU+`eyG?N>|NxZEjUT#l&v=$JA3NB=X@Y0U4Kr%3Ov!%b=vaZd*h$3-E+aAn&` zd`L^r>!5_(c-Z*Oaht{cAvJv=b$lCutCFU#&eWDeHuC^|@zu`Mr&38UM05VXdHo;F zA@ih>OmT4Sn_X*T9aIU%p=>s!7fTeB{m1iPaR~X-qtd-S|D=Kb$XG(q1gHV7=i5Oj z_fh@F<5hNAoa#X+F=smf^CXnrsgF3Py_SF2PSv>=AolkDJ8P6I;uo7ci{77RENV1N znIcnMf3|cHz`XwN;p*wGXtN$2J%`_)yd?hF)W59tZ?#jRO-ia5PXSjaP?|go@|pNN zO_34)SRQ&$CQX^*QiO1a-6LCqn4(7)P+eo{g>=BkJAg=K)SM|NY~K5H*XeobUI6%% zAp;i7{W_PDpczTIIN10N1yq;;jcgY5x@m=&lAW-D45q+ZXP28UT@t(% z1)i!g1!Dq$ox;xInwaj zWf=GvVi+Z1lFeR^P3EAzKNWUB2g~>x)v}MGeMe;?YS(V)+sF3!em@;0^5;;TA?mu z^wyFoKOC)1^HxLrPP5L#25tOU<~h}(>}q#x#ZC@a6L952tj4qCmm+lOwLJ-f+$Ek* z077r>)+Wg8-#UJIP(v?nu6e$Aa+ya4GzlVWS!+OT}`FmsOV{aynq5xKjg8o%^*Zw~u2%J|RWiJ%Z-sFi#&D zyJowvQYrvBiCCGax8bRO)~DiLKXh_~-sDw<7zaT@+)MzNv8#We^V^T&y6g>y`P{1v zUKO#5jP2TjT`wBWdqXk93XEO42a7*L3RefYGS&-AT`-G^dcd~av@B!@+LmDjU>1)Z z#251=>K-}#oDZP`cd|Ifq9Wwdn~7txpM_sjjEah49&cCaIxKYBj$Pl%&}awDR9HI~ z_dz&d@97oIXZ6Q4t!T;&vlAw$!+8O0Dvk#B9F{$bypv|YV&?DJvOacv>yoyL*}{sm z0JJ%CWw6}$U=3BMIi=eG+ok4g|1~M2 zswwNPEZ!76DX#FVup6u!n9?giK6YJdt7rAU2{EjWIvg?1vN+?5i~_XZyH`^u$&$Vv z-N_hl53L+^<_!0(daZcNwIMr${i<3dl37e}TE<8~kYs=wjx{rR*Xi6dg+Yj87bfwN6aHsvkTqA;lRT}Qwr=AZ z=eC2}s9M)$uHfJY4#Qch@d}Mq_EyBv5-0jsM3-tdHr|VXd&a6d)*{pUzcfeQo5qQ1 zRLzdVg)Y{;YVZH@4DSB{#3wjRqZoMJH8Iy35AHDCR!wrarNn#`XwaD59Lnm?WOJ=v z!aj~TM-S{1psSZ#-}EW?Vtau>xeB!5XpfTAS@nrF0ozhl0!X8~QaA`TCtN*q1m_CQ 
z&@*+1TtTiS`fUeaWHEu*R`lypz_JmY(I*rU>Pb?P!oOBj7o&^IQi041q*B45V)kO` zSawoNbrr@sb~8B{1d#ifR7Jvg80SIvgl3^t#pM zU$-&5As8Y`spM|npLn8-rVCZkYRuoU^CwfxQBR^}gf@6HD5gY{9O2B9z1u$8PEaqc$>I`VMD0N#666Z9_z8y+2LTY%=UvKAtfBvb5aLgWVcuNSvcjha~1pKy5r z0$0Z1jTUi+>g(#S)xtSVws-a2V`JwIV#pQXx`nh4?()|?O=YhWbzOQk(GU8RmPCN< z<&NjJN7VEw*IZ8Qg6Bh}v9fu+4c@zBze;y!Ls{FIk@b&Q0v1X?ujeGY`7t>kr?W3> z-vzYhDeraq!U7wJk3BR9bE zU;>tk0e+B)%19~y6CM}8)iKMqh!1=z;>&X8Q>v+`WRi@~E28NOCUiMvy@vKJ%E3|j zhlRu$mD&0FKb9EiH;2n@jGadEP<&|5hWw18Ae2G5bvrCI@D7XjT;5kv=K(nrkL?j5 zkCUUS-9pCzUNP+(ZcHAl!@Irp+g51ilfcvV_-d@CE{HGLW2A&$a;bb{2o=i8lmu-s z$6pj&n536Bm-ASQ_}<={&t3dw7|xvunI}*6^4SvcfsQPEy%%sZ$)Q44w>Y1FVT00g zXhmQwYkR9sYvWwuK6Y0cE3j3E{=PBpF*7L^P_aF2(Acmu+kS68T?uzR5Z8|E1TC&7 zIn)Gf9HlUS!@Yv@xSgGcvV@bf`acxM9Tr1raGp&FgT|VjB=G>&KRp6yoR z8g2r1OXu2R$SuP<^z^B#(fACFWAuHK1ee;yxXA55$Kqeh9ay!cGScd~B1h?&u`;)O$P>(XvxBRXPD_ppAh6F&ce6ZaA6cnYbGq}HIn z6)kb(wUts7E;8-Ky}q448{fKBzxjDs>rP1CmhbQH$BV@QCIeL(u<6|%M?c9ZW>Gd> z6RTM3Ms|NglY`H*qp>wZS(>9IwrfUa6@1OHb`!?L8C^%~MmJwR6Pr06kDpIFL+9Ph z=Ls_jcF0p}2*n0#nnc z@Yh#ad;&UF?{G3Fk%@I7Rl%oww7W5^+j;|t=a?Ul0;9yY5XH|;7M9V7dV4>c_Dz*> z?EXw~n~-!pyLdctb9{23BA()$#>d$2%+ys#?*6)GIaN8zv!$N!@1nE+J|3aj3V$P1 zzE6TPz<**BlQd%J8tFAx8ru1UP8)}v+;?7hZ3$@pJW6$4Eiv>)x^vUHPU!mq-a#OA zH>+pDEOL%rdgY_<F}LaWh^=1~x4ZYl&80TSj&9MgA;o9?y=0mspGNE;hp*8{-3; z6XCi@Nl$lq{mK57IUq7c4@mZ;4_TfFiG_IGw`%*NzoKDN2kTy#*g)$a&)~+{I*-AA znAi#@nIvEvsNbDkwI<@BYx}6jIp|?2BvCGsdqbvrnS5m-PnzPw%&NHmeB44O_TD85i@33tNLw&hzcdU<)n%+&7WEAdIw34~>$dSLePQwt zSyS1`I}UmrXnU|WmXWy$snt=1Jus|v+m`hBVB#^3$n5#XHJGi@=co#vw0;pZTMnw> z84%tJv8+zx_x{sMvW~oUiM1`kb#_0PN3R$jI*p&{ba4W|5?&}dtxc}_0nfLUhNmTMd-^oe2DZW`F z@3uAc0NMH5QbXd#GT7-wL=U9TI6$zy$=0WR{GDRFpcy;A;dx}fZ=*zo9-3v%qx~E4 zJNNZGXdyr_**f=U{I`Qeai6(W#f%(ND(Bt?Wx**&IrvWi1>RnwTFkY&{*Ud?zO1>J z4W42N^j~#kU+!aZ(JZKGe)D=BxGTzY+8<=EHN2KX5+w~uPkUK6+kSe+hQJ&azeHy@ ze=G-epIwaZ=#7;I)t9`NGdvV53@{W$97YzmUXaF`rYHJm$Lf-&JQRfIG>6o(K@F{H zoxTL3^9{`_CfN$-yiXnkTP#j)JMHc&Z?SS`nymtcPx&BY5fXZZ!O2!PaOV@}+<7Q# 
z-`YgrI%Da~wWIE}Jg3db>K5tq!&e=(+Ig>79FgnOUTe{PRuJ^rw5Mh0CL)0#*DKNh z@KGE*xM=979C5*Oc$Xb*I;E0;cT}K8hxTPRCV{}j95K26MCkcEji&tV)e`5+}6yD(TWs{??RBi&1PkpPx^Bf?Wz6x z`gWRl6XTj>9M83g?44yu_4Lj4f^rY#dO3E8EONfLo+cmDce-8sNO;;SST#DcbVHdx8+o}1p`}6kt!LUrK(oS3VAe12Xl*NyS z#b=}Av&iG$p)=8r{`2s$T7Zik&o)hVbC$tBw+!q;7UuyoPN!A@GihA1+YlZaU*J`{ ze|4e_jW*s%(nMsPMok2AAC38<3vjnSOUzG_Aua9Phnl&P@D>`A>w-pk6>PccrF6cn z>e0~Aco*nr(P-62U8TmYWn_1vXHUplD7ayVb}P_lD+F+*$&jNRa|L%etYC))c zxf~ML?F#3useCcbk3wXI;nDWR^t8<5)qOA(czCvsBBhd!rI<_qZ>+T7Q%IO3e2>9r znqA-_`Wh2OJI3Z}@0t7uL`c2{0a1huT6`2CRfSAZOJ9&oZqOMBj8T%w4r1Dv=+)-o zJ-hQH=xEF6$6P*W(~>vFyZ#SK4zhTWafN*2c&FpHzo(L6YkB@Xviz&!b1R=Wmtfv& zyZVq}ow6lZ6ax)4r+Vk8@4*U77jM0TM`6Qrrb|u#@2eh@D zoHd2jPi>+K98alQ^=gzLOp?oSrty$g{CvWD48+MRotaTm)rD3-HVcBuh%tk z61Gnxz`eJ9iT9bQHS?Nm4XSl?ljH$l{t`j%9v+{gkHV%rC#=%Zep?u1TM+r#AL4;y z>~w9@zWyR`J)QgD1lN_-oVM>c^n8Beh}TvacX1TF2*Ec4EfgAk&&lGOyO6rqv@+p{ z<)r)LmC-aQFiv6?;i zd`Y+VIyP!%nxnVg)@x)YA%_J9nKDI$t=%C%yN@UveiNHnp7iQP4Q51q4g^9ZS58{x zY+7zh(qfnTy3gicUr>N2WWUoh@c~S=p$GMxG_NQk&bPKs=R0i9wOuqA(BGoK*!%-l zVyrE!(V`xLNS)F|EMgzDvohNkqND>Gy%a`o5jA3)%jbR?->)d?@i#mZDkM&ds#d~+ z`06aqrAd_!iybgoq6@eq4Fz%nRKN12OA&EuKq!^?BMExOQFbw0({ReQMI0CIIpgn` zZl9CtV!`CG@@Dg+RB}3;ZhglHx+IjP^Q=#5|6q zFr$F|`p=A>=N{0c<3U6rtwD7rdN>*^G(gea zYTouEz(pogM?PGyf0CPSZc>PD=^0+dM|p+?z(c`q>Ta8chiknUM%rDN=Q-N+O8v%K zfdW3vG`CNS<-={p2DVa(OeLDkm^Hf3)nr`jS__fGc;@+qpwOa0F1>m{X zC)s84wIAlYQtJCt*V)x(=N64XCL=$)7`b6i0x*gKl2vhPpYZlNWoQcH>G|(dD>2Ia za#y2U(g*$boF^}5!PiX!#uQ3NJ<&fIO#OS@oiRIPcQW*Fht;pDGy0&NG+}y+lithB z^C$L2Jcwiv5^&IW4;}?ZAhCz7UbC(7Wo*lGR7lYmT4rveCLU4tMTR9)e%{isW!-)w zn=`W6w2UZG9(A$ZnmudE;Vvpe6*IRx?S(?G89r_^))=lu@3zlg!X7h~6@$0{?fo*|D1vKg%o<vRnz+z5ur5P8gdLu3}c{n*#b-df{hNVVN1bAv7{F5eC%16Q8F9JeF zE9z_wtty<1{l_psezX0*jlo19t66nT3d`>?1}Ww#sGYsI-X4s`A)FrfN(Smr`gLJ- zmg^R(P5}-ZXClWPlpN2O2lk3gxpei+1FBKWWrEprnmH%cL$RYakxP||<(!C`li zY=UWYWF?54HOewtT!1mP$yTvcpDYN~YGL#(sZ&0nhnHUrGJYUxwc;({e-hFC0HP7F zkWRi>{Th@ESXWUP2Zv;zC9;q%Okc%at99K%mEKrA#f3L8`+!n*A0Xv5_bcP-hXVuA 
z>}M&o!Rn?vr&Z^5_U*gvOe|=Lou?9e$66TcF3<$1m)S=JVT^dQM5SlS1Y6JzmO6dY zMPbqwHQ`8oy3xqi4KvA=pGBi3nWCjIZXQbJ^+$WL8d^X1>SpQU8nkA!_qH{?%_=0k z61P+@^eHgoL&H8tE2*dLms0k7s?IxgcPon>Ubu91(In9FH z4|@=jZGb77QTmR$)Y)Y7>eCr?rR%;SQ)=*!Sq-2a)HwRv`RW||L(8_KfM znflpbH`fQVLw9>zSzNo16)!{5snA?r6o!R%< z6^W(X0#lROHrULqAAEI!^^^1@893%$*?{`>b8cQ3rFUg-+xRaE*QM@APwA6CkmECe z6d3sRPVZr=-i!|j40au+QSB9JRq_5=Tnp5DBsc6Xy{|dQUsuh}@vSZru-p5xVeD-t zSSXfU6%3NvR{S)89*3LmjIn`2`+OJ7*`}STY ziGCmLy17+zdcI-IzEmK=R=*d<-I9=#avkSCUs!`(gIV=)T??|Na|yxYeqv_Y+fm|d z!*z_85mEx>d+uwi3!ZG=^qgYUICGXo+NEmtAAQI<|GMoG8><(Q9vt0QCp}wHZaLSY zj5+C@nHFZ1VFt|KvBQcvdqd2y?7v6UZB_85P`M5emmcE{H-P}5KXO;2!D~!za!XF_ zj*gKa$4V>2dC~+l`cbb0XZ_KNJh~N#R>lm&xw?}dKN^`b8{8N;mmU}C6<;p!YxFZZ zma5(S7@88O?ohv3{SAVm@DE7}CxHX}s^(7{DD5%r-ClE^$W0lYf3$y0t?|Kk+n23= z8bF*Q67AfL_0uh=*?3sX8z=tK65E}6`Qs(2GE}^X-&?v#5Sj3tzG2k~+U|=wa*GE<7uk3cD>-9sMP0&*G z(YV>@F=m@9QhdFQJ7EO@YnR(w7~sWm!{pZ_rKK3f`M@*g6OL^w06s(Kw4u<) z2*}iBR`J5M1@PPj$6fk~nx~XwDUPXF+ z$Ax}z(+ySe&UMH6AN7)JN#7O{o9SYy-EIXArP<@dP0#l7zB3`P8oU+?Si_&13qt0H zsL9(H&h&V-{crwzC0ycLJg*AUkQ2wdk)g_p=<rClv3jr& zw(OUGwL)>{(NdCQYj1skNd58xb#(N-=NmbAp@6j15Xsoh+8w+tb&mw~dSkocy zGr8@g@8(GNfpv;*2B84i%R9}otByeH=$bxA^IZ0k!!#%T!}Th+hn-n0dmVS_LS|>=u_EA_nF|a@>djIBe&?8MWBAker?_%Tl=tfR#&eAn2~H<-MzxANmZXf zOi6)u^TxRi{^^N0ATg}Ywlay0}W>SEC|MTg4?jTqS! 
zdY$!D?;qx4%imG_YZjX*NRbCfbP7Kv&e)e-D`P)1SGw|^6Sw2Wf!TPZ(Za=DoLsDt zA|@m}`7(UNkYe`yWF!f0OjXgp(p}ycZWQQml+F+>;pJFRJza-6p^`rJHg@Y+9ILFJ z@v9t1WdEJ09H|0usS09b88t)j)}#%ozs~}$7NmS!WID`Ixoqig-2yY znlf%GTb>A~jfNjpyJwP~+}d;}00$;QMdy>lzm@FS~|=TAqq>YHEaBsEvEV|cFVjd1+wo7e0v zi?jk^r#MNm!aB?WD@(Yr!o-hjqSntP_EzQ%l73t}wYwsPX(=!@u0fxZ&mB|KzIE%= z+ilpa_H0>|@9Tx;LBmhS%5B>7!6MCb-QcZ*f}7|yV6;$0E(!|Z?diPIB)$iKZTa&5$p=g zj#WffthSW~K&?6t&})s?q{2>Fd<2a?l=s*8*<+e92i{{kA}`^Fv@q#^0#2Av>>JSQWEknksNzL1Mene%fMtl7+2xex9f-s-)aeA@_+&3>=> zL-c3-(T$>Ltod%c&9Y;kv90lkCfl`j&QO*ceG>Z)=@a@Q)jE5vbf(uCAvLldThhe{ z+MGpVcrijaaD8<{uBac-wjF^(Hq;i_%m=7it#mZ^EG9eu1tRr&iAM9UL9J~ZKj4Z2bvK?1E1M(8N4-0B@tEbM5z|m&`C3=-=oz;OL z!G`08N8db)Q-NGjf-XqSylXBan|CgJVx%frF0rEus~<2H;JnpO7KGbd&ojj*#nBTp zQ`8!`Rg8AQ;iskLf|K_v~)v1 zCLCW-f!?a@_vR#^IwjHsANhT^CeCkobR3dTRoT2EN0Qh2VLqCXo+L^_0!jSRdmlFA zrfSUZFq_uFL?si8*j0m_LVd)+-Xa4g@uNd zuU5=?_b|j6;R|{3;i^DcfuOfbvP&BVpM`KJ7zW~(!9aR3D!jNxm_se~b0t{Yynd1* zR=TrLyEfMnD00}B9hwuC^l^*s;u9@D*48b0Wi?a`tyI7sq@9%s$KLNwmE^q0RK4>m zTN-=rIX^KG;QA>#7h)#p?$SpR-EuEly7K2a1>K;doMEAR$Rgcz7^0uUpT%|VV~DOd zKBV)_w;I~ov$yyO=Eor4SD(3n{f1R#$S1)2U`WTaTPEQ42Mv{-gfkY0Z&puud@6K2 z>v5d#F7GvYnbh1G9N;IDEcMc*cCPg-L97z%fz!L;%93MapLdvH|n(M-;Bla>9=8@O<#R4=ac{c%Q06IIRu ziu`(io6t$xU2wRt4i=|?Q4^WQCV8!H<9@1x26H@(y?Q?a3Hkfiz6Q9i7q>(Q9t7`M zuMuFeaNNOLENZ+${E52p#(^0~(S zH!{Hj zrZ|e~XWMEP2Dk@SpTZNQyaHEUH6$=Y$7ho0#o}$u)YN=f7p*CoP+(~o&QI)>Hg=A# zx<#!T`zjs&AX)4n;tmGwHP<2CGONTAQ|Y~2IGS%9B4pn$69Ux#Ey-uhbEtPXs?F57 zuj?ZmVJkzW{v?t2?}jKy-+m;FT(cVwLwH6PVM=V1gbNuRo>lrg0o9Dzp6cB42+YX) zUzVdO7Ach@xxDh>4)MAh%pw7De!?EcP@%3>RFO%&K3}zo@3??Mv1~kj3 zDqd)q62)Bh?-iSQPNngSQq2CR3spJWhG=ht0W?hXaW&Oh&1DR9U_X9!n0I-iPPu?D z@#54ZP*Wxb+aj!+BF!9MX@La_)MT`czQ`Ef7ARbZKYibc>=$EQnXwFzI_lG8JsyI-=bOp}CKdhKRyZ0I2x zbabKb7sORkT^uJx>-FiDx*Qd&>Plk*s?QGMKG)t`Q)9B8Kkwf?lVG zNVuB+K^Un$0eUEDud_Yp47$Yvmqu0*3PRA~e0S&sMi(_C|E+cV{$EXA1R(3R zj6A+M06@9gP1zw*Mu-VM!Z9w?!`y|C!wu=!+^PsO8kw8wddL zI`%dSTp&JV1LVuKpDYB#jqvC!1m?6?%en(_-79>Jt}iz)0mYC2X!TEkIaOzVQD3@l 
z8-$`j1xzhnjwBCIc6&&5Y)*l!&I;0$^QO!@G-&c8d8_{}hA z12f8EB$J7Pmbico8{3Td5{Aq~JWO1tBN72n;X99ia{k;QXt5RizyfK7XHDaYf=+G# zyJWS|xI+l#$)tGzb5^*m<>!b^~_DM*(nD^8XJm2QzK+FKa7 zrBxhnt;qp}_^m3PfGX7sk~6EQMZnMm2_cy@yUUl9$ENT6^Dcl0;X=$qLjXtb0Z3CP z-2d?hAr#dwM{3xUClh4YL3Ge`F!)Pw>lqheEmeO_Wr)vasD8ED zCZxLj@6}b<;(0;x%rq6xj0E5bxX1P~UXGc^HQpn52wVR*K!6$@9Qb+@Itx(l&kiKH ztKJ$MMG?3#yr2#TDqA3^!RrS1=7X4JcN72DOu5qvqra4S1Ex~i-K9HmVnq^UzoNa(E-oJoyaScMb+;AsY zkUuxTzcpkk!{}grFayPNps$4}DI@Nwuf7P>d$w!?-M-ecs4v>;4;Fh<#GZs6ZGMAn zQQqetZ$Q4Cjv`bot%1!vpyWFVu)Z+6K^w)+y{we)gP;Ct;r_12#M?*bf%k*m*60C0 zxZb1IxvD6zf&<%ve>(_^_?_yqmA4Y$zuykBA7iiuguwW|5%|&+JRrIGfv)l6zuzK) zm=EyxS<+?PG#CpVDyyFJGha4-3Y0HHfnt(V!|6f;9bzh4`m?{AwgaAVFMR%KcY9*( z>fbL6A;1gzQ=`Pv(2F>`M09U5rAA3f*0=AS`RE;85IWFJ25kVH#0M)QS?|P+iy~!$ zNfjwOW-1&ufkxay7ai2xcghG_`}+i27eQIvA9Wee%oe_WjhU!INa-=~E>Id(Lz%nK zo0d8#3UycDZ6BO!32~=4BYTl@xY&5O08b(V&=&60=B_~Kc1T~{`6!pM9dK-iSp2(V zcyz9))loAUWDK;2H-8J)Fj!1EWS~zGaWrk%MMm#^m`|)q2eA}3*_OT|$gBEO4dt>1 zH6I<=Deb!Jf$j2mi45@I;;g3f*PH0q^Le)pBy88pFAG>tz6Aj2T2NxOtR-_gck2J>6kPCMyLWK^v2KmIeLA8nYFB6cj`DW(S9!Qr*RTh7*M= zl-mH+5gK8@Gsc=;T8WUqp_N;skgh4$HP8YjL;CQ5Hfq(%|~=VfO0%&@=popJu1wa)&-%96 z?`mbWM;*YDXhG=zMQ{g1H@SIawVt~OX%CrJsir-&e-oQEcigCI;5pBQzL>-MoK=K3 zH*~}(;cydH;8ob(!^4;+uVb_lAWh_WD}H$^tpgW~U$cG7`>em@3k*Fm*B2j6xvymH zb^7@9ubV5=P^HUbO+cHkP^*!CipIsuW1+`V5Nt_5gA zdN>duf85+^<ywrP!@pj&@I}X<2 z>+xOZ_`pgaFr@0&3|mMFH*j^b==riJhN>&3aCz`UfP1-xOuwC1peKXixnY_d z>G_W;`G*<$IsmW~8g_d?$EJ$ANZnI9--&eiFo1dsCgdccn|Om5RRE z6J~$?90YZMEB6}dX@m&VL>Hz+Q6;79=quLS0@cVu0_hFu+Nzh2H3J6>GJPQdOrRam zuXL0gSYTtx68Cj&*~15a1_mbpnWph8vOY`kc)mSe3l8yx+Q52%ov3z3z+Y(e?t22Y zXuvRt=)C|R%!FjK&+=40s)@VbA~C(VKw?Y>((wtHqqYIVW1#oy9H#xR$(Oi$$pK}V zZ*Dl~28m!M8{<$gf2r6I!S8%P@{$b)$J+quNV#U;RR*WZYSVo5jMvZ>5%xUJa%rbv zJ>$mXmAW@#kJa~0fbnV3m*ks;x6J=J5gZZ@bYxqIP|i;xan-9@)j+eBkbOLVG9{?Y zQO~1Iw^CxV)!x7cdGVs=+y0B^Dwc~^_Pw+pQpFTLS)39MwU&fw?`{L>`^PpAFU*>a z(WgmVONQG>lU~vL@7*@YWM|$p|GaI|E0|-qizF zE0jm=jfEd!8AAaLb4^aVboCcc${m(`1Jy0H+1fJL;xYR$?^=IP0idN4w!TEyKWA0p 
zG%DoY_QOV#Acl(At>nl0a7lh$^ zaeGUKmhLZ@e0IK3Me8&EqYwfkZh#_Z2^Zc2U|2`0vvkhK>}55x9!57wE0N0UXHDUP zVE4%(?OpMKrXg*DIg4uT*=R%h9rLMNJ8oj>97W$7QE?g>LVi2e<6DB_s|qQ!MDW4; zb-D-N?kZ~#WZl1guU`Jl`e@PAW9f;*bBNfOKVRKkQyC=+L;}hT3fY-R+ZaS#M~;6( zH_rI7h-n5IcU{gnG!fWR^$n5c0ji#k7mJzA6kJ~X|L98J)lrxN6jtE;*9l`odIrI% z#v7z8iKXI#3oI@vAxLr>X5)8#!9uRabzkoqyhUE-r7j;HLDya!)@D}p1ke5`|d4LxDo9Az1U^x#|PD%=s1OJ1j`~&xEICVcwqZB ziig-F@lj{{mCj^SS-+^CAqk*uq^4V!h#Wy|%6;(Sxu}8Q;pB(y^eIt>O$Y4$KjJpZ zltvfu(ELOy{glscd9C&*ctHPnS-F=E_qP>)oOkH1hmH;MwyHOEOd-%DVqZ6)T6-os zB| z0bYFVTMBG!Zm>TtAt$yQ4IN=2&3@5~<6kbiW|#uHQL4c1DCfH^!_!~N0dQr7tW03S z_~Pt>)qxN(59rPTKZLq8^sThNNDo3pO&aF4NCeRVgD^zJ3IAxTG^}!)C_z18S=Zh- z^-VY}G{y>#R;=!(&ou;lB8JVktTB1|93~(bj=@ethy9Y_ z=^u3*TIhJRqO;}w??ljGoFoeg&UJOiu#cZ8i_D zqI=kv*@T1|#n}%Q_Fjl95kik|?VYCMX>XZ2@W-#1Y^)JZMQdf>mIp%ALcN7WZ$9%(M28vIek#WR zP;W>V7RPaa{rfyZj*ho|ZQL`@7nfac>D^q2{FK9oH|BCl>J$0~yS?oAPiKS?uMtC+M-K`Xb1aMQFXSy$?)hnx)_33IKd9CY z9=4xn-dySg%I@yYIFX9@hd&U;wEn_{i7 z{Ty;=1^I)_4TFRl>+$S}U`{KyETWc0AS&K5tPO!UNO-!S9o*HZNh%2HiF=jE(~+os zAd}q(I{@ZRXb2VIT1VkEDuH$pE)RF-3CZUCl>%M9QZoA(j)T|$Y_NpF-qS}TE(BuD z$BmwLIC@fk0Po}gR57Ca7xxJs3P~~>gF552dY9#c+osTi7QPb-BUZi@ubt+T_4->x zc(l`AE5dO2oz9GDcRXo5!Y(^%2K|g*=%zS9Xs~E+$8pu*Hw^ho@g{5B0=#zivvwy| zFd9!8fMqG0H(VD`9BBBljMJ7Kz;(Z?r5yd~D@@{j2WaQw?PiQNS= z++2phN~72AV`6)JBI6$Ut3&&lllJi~Ft#ab{p&;RcA(=RQh1)cZqjXYdu(@d@=l|x zg+?X4Q7J)F0B&inWwSzgDd-CRODa&On>Jo>ab((YQ}baC%(wrb?N|sh8uX8`jD%yz z0vnT{m5qev9Zj2luYPh`Ma!D&_6Brs3|Te7^bI*xrJ4qB2h+2y3>2eeN1Yq;tAO6N z-3Gj}77NpAMeRafbZU3KIwi=7YE|I6*NwFrr^6EM(sg+wv&RKD+?Kk|)bmSQ6n|jk zl^VAv-4J5j5um+X*h4E%h!8mU=C<{d+RD^B_l%`83} z4`Fm3gdM;G=9SaO!y>7G`YV?f0$RFOyn`KV?+jlC0V8Ifd~{f}z13U_7rw>@?xk)V z`ng}y58jy&TdR03(gOZSlq%2!3Z=GkYf?y<1j|q z&AP+_Qd&{?+DPu~k~G?VXIlb|59s&__YLM)>Hpc;aWVr}{u7ktO(~icMJRu&sui_;;r54| zru}D!H`a@CdQz=|-Pj$6a^ds@-_(cf$0^P!9s8#r1IoD)lpupKIqnv0lvH<-m7jcv z8}eQ8$b4h|6@k)GLCFvuwr)4<^<$N6AlT56Du|6va=h3 zZ6fa~zPTy+$f}OI0-_yPX#?47YV-Anhtp4Uou2R}oH&Mgn4mEIosSyUmw^y*Jl1Uy 
zC!LGmH9~j4``$0BQn?z~#OC+&a$kdQJL}Hc1CaeNl0QrUC40#~SKIjI=4?q$&r3Ti zpVDC^(_lL6cDOuZZy~_%({t`w3$MD~5BQzerIiV`bPiAKa*m7nqR3W#XvV6VaQ4M4 zEZ8U8f|p%<_C!_Hi};1k2Asw98vq|(&&J7oyte4=L378%VS3|f)7Hlw8*Zx2zLm~A zUp$8ZP`^rD*6$V(t~{-nfx;tknQFv^bUb`ip7!~TiN}&#i_~_j)hD-Cy1}+}R`OVj zsSq7-zn6qQqJR(hbg%_&mAg=i_Vz+E+dleskQQGBv+vw$u9U}U%6uQ=nlJ5XL$gAk z#paG9DOxb|K(AbCSyjs?RP^q0P!5E?Qn#t*=8ko6k=o4=9qKtBX-IRks+;%qm+vkt zgWZF9K~&NH2;VE_A15ks5wRa-?XZDPKs~U8VC>~*$H-1`{=fgY-$GU(FR~)tT^t$5 zBz5B~N_fs8?rQ1wQXV9(IaQ4-+^40X4Em-X>)ZS8_Ho~HOw^}<0Zx=}0?T5}=eT1U}=L|gim zX?76wXG`t;oZ*3c4ujaoV&b!tcO=!`7p0BB?~RL%NX*qcjyz#})r6%{Z90=PK)54Q zZ=g|P2`jyL@nWa8ErkYktB^&*)V0D7J*t%3-XN7}$IQw#k21Q-!Sia+H01Ub!MM1m zT7}^C7;j@`1FmrD=o=3n=F7Hx5cHi~mdUwC)D2f8<$3x`(qV@ZthWbY*fmD?|wM=v17nb=-;_LD(nhg*4&X9dQKNuGgEP7yD_!En7 zRmQ4T7ovh5EP*c*y=IBaiapliSMp%?eA;b(%}e6b1F*P3pJweG%uR7w+r-b*73Vfz z7xa{uz`aZT@g6`e<%^h+CF?_4FRb0kPVnkNhySCPRieBz(Y|pTtUjOLXUw8ZA3s{_S2*miUGO<~f zx16U_ zpCo}JV{aEj&igY`zxS5Zd$#B{_Kj^Ie!_t_XUYJ=0h-jU6#*CRh0X-YP3XcpR(K=u_h~OmiL6kUI>tYFw_fHw$}duY>nLAX;dp@T? 
zN+i9U)2{g>$lI&^X_%pGK}~GKqUD1Vv3W0Ornf(_GLd@jl}wkRITwedc(XWD&7Z{9 z0>fiYj<~|H*TpX^?`w&={nS#mXjy8h&74&+agTu1UBbOgLp9r_>l_b2%Y7Q3es4qG zRHf}}XQph;aR7IDVOFYwc*mORTCkTEUOFMYGP zR%;|tzLY&;kyC=Un7$2)uJ2hXilvz(VY9fNHps5uXj;oVkWsntIQMuXjqN8xxjQ9X zmMeVq*n-t8a8`oocGTo0?6_OLDRuLH?bBD@%|!MAf@HZvoL3o_4NVhXsH>;P+p60H zpCKF6D(|b_c5*vY>=xR@P0l|oMyvgx@(W?r&57WT-~V_LgcDONtL^PChizf}%GPW_ z`_XkRI}6Z_2B#YsjXuQ=mfisi6e|<^`cmt=V-RRy%POkXzPw=|LB|b)lzt@fC86!4 z48+lYQemKO3$?t|Z$J6@o*P;UHA%yt+SzI!Oc$B8-f?f0g@E8cxsAKV@?ghoOU89M zD6ZTDIwHG9t+lF!_sz4i-in3dQvJ>_$PTY^&@6GByJLFt=Fc}vL>FNSkjrU>^ZyK| z&Z#Me+&djz+7dva<7Pd?x)II5v>mSTn^+{Z+OrLw4^U-tfsbYnv_T#5SB4EsXY_uOUb;P@MaHB&rC3u-i@7INJiT<`$;rZZLC?Y zxMXlrQTDx+TG}1vv+Pp0;k)~)WmupySi2eZwF{t`>R0E|GjMec-k&&J6Wllj`fek!S%zF0;*$xuV|-%J}wvbLH0s%>?ud#Tj+6} ze%O^nh21X-7A<;3a+K!$uB_7*KsG06|Kze)8%C=l0cBM5%mj&a7shxc);iIOH#>8P z`xgheQ-XXa3#zvyxh8oYtOqrI5+C>h%x@DAZXtww?y^G7uSIZp7z%jML z2%oc#?;0NufPDrW_#A_{SS{=vQ$6?3JO2o<&na<|C{9IV?GueJ-}milr%JuRn!9E zw&jG@d0fAG-r2&So#dM`D<@WE31_*&F`0QNaQXbYYEJ=ULuyYI>b$u=UMG&$2Xr@U zf3QmI2U?`Wd+pWbKDoK92Xfg;HPS;E>X8#*yJ^Usl{N)CR9lTG${pv0esMZ_-(}*R zYR+*jxzBPQ3%%3C&Vk206`Olx{n%D}0LFAR+2vr(A$4zRiimO*cW1*raMNjxn z&ac4e_)BCIAm6$$X#hHe3{9IJuJ=3$)-ml(?+qKecem;s@Gp6)%$ljoOWP(e8wqwv zY%xQ`%G)wwK|fhXDpT z$^VnA3Y@S*={H8fgP9*;mF>Ajx#r~7T{F)=S2!6UH#zDHzb$d!UYMnD_*gpZ6HCaj z&?0`BI@-S{GgwPb29tE)?;GKa__>m?fuc-Q-Z?S-m9t1LDV>iT&zI+~9frej%f>Va zVb4oJr=Qj@ExiF#-kiIq5v)48dZ)-|w4D@9#MGvGA?8h;5c`X}saC0{IW*lHA{1|O z&UkHUU9KHiCQNb%x1Dq{s*Cr$iF0neM4HQK*C=oHl67alCN;7VcKX8vSE=LpM*wYk zPd(A3bZ}p~RV~E+py~xI#KzZJzb&u&cC@JQPq*W4)>{sAR3i>!5W&^W&4Nv8In{P& z@W6T=q_a7-%&oaCtpOz`2=l$z{}d$YJ&I|}E^b|lQ|v#-zW$!Cr`Pt*fO79aY&9cb z*QHO9+TswMxe+;aQR*$YC}JG-sc6~2@_&erev6*seaOjrsE4VCHh6KwMj# z)*Dg1K1&_tD1%Gd4EnAI%MQO!2TLk#E%r6_Z(l)TPCB@fy;iY!ZQ^T#?PXq z#HkOhz_eJa1wmtb4B|`lor%)<^^xZN4$|KGb2$v%biWb8m7UohG*Ewt{)l#;S?%jr zw}SkO2txO)hve1EMuOdN*nxZiH2XnFz4j`21xcBylb}ePVfAzVyoqG7)7q=vr 
zN}_D5Ti)tT;}~xalK`9WSq)NfU8M9$7t7-zGu${v>paQGT;ncnbTfI7pBIJ>2O)awL&MuDxt^SDb-|8vFAbcHFua>BnX1citewygMEs9 z`_P;DcIc211rpiF{c<5}f+i+GR#M-;UDBdrmcYRd(~BGLsa@Drd?J6)X%lu;4jKx+ zF;f(v-!1QhHXuy-Md?W`$*u0Et%qx8smt>t_IHY=lMp?glFV=DVHTylF_Ido32OLD;Dtz^2bH zVC7W3y|pzIzkTSq6Wr&8#MM+vdwJxT7H{7<0fJ$SApVl$1@4eye4PtXYIpMaIN;D< z8DPH*PJWW-hT;7!s&E379PizRR+n%2zE5wpzb8cXE4q8%`H+CNk@>bqQ#1ReU0BcLJRkq$B9Ht;ClSav_W;{ke3IWga@DxUY?i03TW{h)JMS4#BoS^i;~1;&rDh7+qKm8A4`*S3o+=+PC*fA&;Tpx z@pYeg!<*ixeHv8_N{W%Xy;Y9bPk|C~dwnZUy8H$ zCmS%xXQ!k6y~jYm0cBupdt-gGb~l1QVr1ZlT{#fwSLQ6~fHW+u^{dfL#O&?< zGaO$2{?s{+7UDq%;`yaBmn`(%3iByJIc&S3_egvE9oy@axa96+ewoQzMxo)j&>argT&(M9Fx^{V3O$w`RU&)GREHqPI5H|T4#fUMjj`bsl(4x?0j-#bECs?4{Yr;K7 z&aRKF16VfW4i3&NlUDm zp@z#+-sHzB+0TYk-(zYDP&R5g?&=Z7T^^X?-U@-qnXA7$qpVKpDvg!@YqU- zkeS?x{B75NrpHF zyjldCG&$Cr2RjK9FJ2Z|x&JQoS0e0*(@6_}GfnDO8|)xTMp}&x3K=E&hh{oi2~XIS zoQ+-~SEY(^9Me-}bAcNTz7$Fb&BM}#hHFnR@;rcDr2vs`KiH`aC=%R>J?4<=87yR3 zqc7!xdVnc4tgq28F&~#g4TJD;u5iDiR;aM(ghcZQq$(gomeiYB$0Gn!c&RD0tD|f2v9lxEYN_R-cpm zGpB1-PGvidR1RL}mgb#&uJ2^JiaL0YtKvHe7!qMwoPgi@FguqMA%^AlOxxLWrAVVL>C{gV#pU znyC?Air?+bFgn-AEiVEX@DBNho#L40Dv=N!`6{!xppE_+?q)|#oWfYNh*_B}wbLX{ zkwcqg4!TLK@hm1W+v@9zS2P9OH2_do1PKS%yiz|rQgOngV;V2hUxfep=_@f`w;&Qb zSwAA}I(3!3YIR|4)L|KYNfDVA3r|k#-WTiF-_iR1j2}SSE03Y+I4;uukV=jQ`7n!X zOx;p(iAIW0BaPG6u-xr3q8yTyX*kif1>?&5vQlv{42z*(U$p9hl20{jTIuRNy6&l^pLPi$8 z8Itm_OJ5x-ivkHR3_v6h3!;YSi9u33d*_fpkQ$iYxikuvcZ2HexHimcXf%2Qd7iM1 z#d3s?^P2-ufDn7~MhX^xqklNxUAYO5%?i;dx={O?FN~H)yFS#;v~gnmR@XuLIrMz? zIjdW@LcB!utQp@V+?D)Vn6tC7H5*p3iE$y;;+{p63ws6-e?E*&(lRo)cMA^;5?QA6 z+bIz3Q$SoB4};eNL{+sB^nI(f`KcGtP4jO80mx19u~0 zWu!!q9NVM}7{)`+XkY5XBrv(p+RZd42=cZNz)aHC+8i7ndIzpIWxAt%_Qv~=vA!+? 
zYJ_R;3@aTc^tXtJ9=zhdbA^-fMo$&Ow;MGI4KRK`Aj9;8J0S$w_*pYv6c|N4^#Kc& zN`T_tk4xVvQ;hR>!S@sXKq{VaKzM{j2rH`(A5R6yf!2l-B?R`B&~o75O88HLoZnWL zU1qcQi&pznl&t@h^EiZr`N>K=CqVQl_OT((Vi*N==)~f(T|Phv3zR+vq@$eUw3#~Q z6r|yP`PX6#p^>6k^%cgef|XzG0V)qRXxn)6J5$rrRPF7LpoVQZT=3PZXunBRU1$Jf zPH@B0QnI(>Xw8n3n(N;4u8oEF_}jO^ac5WfhszAS`>0vqo?6il+u37lqMSN^l=cWG zJ&ct#Ut2EnuIoGB55FqwUjVazqJyi~ZNC{{G`6@Yj1ZzzNWaivg^@M)upHaZm1_yP z?`EyP8Zb#gX61Q;Y#Sai6_Bc51s@!fYj4i>-3UJ5>UdKE^_?!Lp3l{53npQ_{0QyH z8rNxm!3ToBg^0!s4tJk_*r4aHNT7y|E&=Rm4O$_<&$ox99NyKB*uPX0Oe;=i&mn%H z7(K)Ie8^#;|0d>9S8s2%7Ls$TLr*c$&N5IiKhjCo@o;ewD66)vOBQU_-OCb zT`lGSl}Y}|d+r#TixV9Ze1#ZSN+%2n+kc1Ie6+r(+!Xe?#1!Y0#4I}GChLLl9mY+2 zTo>nODII=N;aj2uOZTH}=mHqRk00HLIB27!eD+)n%sl@XBQ~K*MAGwz z?>QTmnYK4m;{zU`Q>}g?6>Nk3RX^3^JN$juJl2DF#6(I*qc3_5Ka?fI^3YNF#MPA% z>s@fGgBGQRCFL1?Gy7W6k9O9F`Zb^JKVD=DP+1i)YltqF#zo0fy}RTY+<1YhzW!G^ zKJ@@={dP(ku)x*#%w_a5r+o+~bRG_8EFo34{h8^Qh9ibsi()U7en%Qd$?>fSWeB}R zdQnF^+E<$O@7w6vl)Xjk_secfhs7z-i(N08oP_QpYPAx@C&GDa&d|X(N7x-ESz~4G z55Ou#)v@*FUMLd}^)kAL^tG|Rt4QsAla^1{%8q}EphV3&Gd|`#v1^4L_8@4Tjc#{J+xWX4ZJfkvsAL&AK-a1UGUxA$z{EKFJV*A zFLmSc`L{^Tmx(Q`veye(KGhzk=WV@uH3D-G?{I65bT46L2jAj-HlU1IQu`^Zl~kv> z02;G&^sDb()zPh!XGoP*A+whnr#XF;2F-YYYojjTX~uw>YVjmd+-`i>PAWjqI>dOb z!HjS_f8?Sr)DWvFiDt)p;|w5=tcM^OKgGOKgakwE}9Ivf-xfV>TP zaXJcACfo`3>#^0h9wPogeJc*X$HgARQ3=r~XvoN{* z*pfL?Xx4vX=OR;F(vQC5wRwZ*5zd9_qd($MMX;a4WgT9h;0^$xQy9LlwjjLMA#`bD zeCBJ|T#Kg`BlU+}L9F%b*y}&ne!LB8r>d_iVm{&BH?=#`w6is_xgcCusGIFl_+&>Y z09&2WH0o31TPxoZam6(*07ve(z3tw&uJ*yWNa+={pFgcCr@zK6WqWogC-aG(zUdmEc5?c_xNf>#;TA-2F*t%sSdPzukZku>gafM=;b}E=- z*=Kh6{Ax6iEL3n`u9+8e-J=wn9~2Ip)DFwT^b#SL9`{1$8h?U$3CV+CLa-7{%(i?_ zX0__w6)0}vPG$4nZHKAi5DLHWcadYik}f<(c8#v{d28_lf+j~5^Lc8IiH??~Y1fr2 zrk`PVsG=NADpVP>3Q?A8PES{>;~2NaA>#dGYjCWy$)8ruy;*5@1cu3X#oLpljt z!EdLe1)DWE*Jn5RRHQqQP%FL(v2$gRo)rGn$0xpS6S8KwEbtwP{>;_*ms-AF9*G?>uQAKi2H>IA2)T{@c5`7IUqQC?w%(h>pVI#Z| zuWtdS&}!glq6sI|m7O&98A6a0OaaOe3J~2h)5x;Uel#bCR`&ItUJ0yK&?ZbW3r2b$ z!!nc#yey>+B~YKklr&K&m`p3R4$*!zyfVD8-8fir4TFjJa^1}E68n_)b)(8hxEZ>C 
zsyX{T*y9@p5+}+Tz$ikySK*-PsFTVVmAFX_cWu=w{4MJt*BFXGxaf|&1CT6Tuo|Qo z0?`*3SOb|U51_ouCN4EGOAzeul^jmJ@`9b;MNWjzMbNZ4XR$_0`tFAY7aLkXfPk3; z5-s5vJIY_WEYAC;Cx9w|#`1uR$R7|n{6)OimOn3$+i9S5I+cH?Ran5JQOjl7Z<1OU zW;&cSrR;7+5jNv`yprQiD=Sd+32*U26hys0V7aOWPEz>=>I(RZdMO|vKTO;EKqK3v{l=j%GSQAOh7<@nVm=ukLm)>&c&79%Puh z>wNe&?XHDhv;4?3f4Dp3@l&mE@!eZGKbq--`{xcf2 zLK~zP^PA{ad$rA9DvJ0!s}lrVD@k9yPk{`=T~zU2?^hh~Un`B&1jMx($vX$+i0D45 zasNt0_ZJzQm+oJ{b z7?`p|ow5%L)=&WwDIO*!AwvLTMpu0E#lKsQ5~n+vndUxDI+6T~*e+s$hw@ElJ58R{ zbb-y4vI3zvrEW4v?ZQ4_8(m*dvy3K2Hpyg9zJ%YkmT0C`{dbR2D{LiDv(8ufMO~HV zHQTY*ReYOD@Ln(<2VNYrHc|{fou8sE^qL~2(pWGmwIYdSxKu4nR`P;>vf`pZyk#+L`ql4x?c>He~Z0D_nPqA(NX8Owr8EvMI5(Flj%&Q zlQ9?7Osw^VWgd>)yvE0O>ZYK42r`TMGs~|TjsJL~l8f((ApPCluNML&w0;((R+tM$ zrBo(mu2BsXTVkG%YQK=9&}Ct=XmL&!u&7qQZuBM5f@S0t6i7vW)>OIm?{;+I`VV|4 zca0AiK2)irxiV6k^0m3XrZ+>n=Sx%6BcMsd)|4<|%d<&!8gY_7GG9WZ8BFxqb=e7Y zNQoUlpeCC(P+IMi63Oo3*hi-I9_{(&{E7UUegNH{Dq!`PH2BFq@nrqOaM0;! z+YSEiTCV?G)34}szNu1Mo~P!s+T2{Fm7#K5lE#AkQr(u*h)cXmkD+O*jU(Zc6QhQ; zKF4ehH~*vEQppjz_Vn!RR{I&&Y?gngc|Yjh6}=sOC_7*`OQ(x}QZyxmQ|nQs_#9S(^B7>mol#8~`gV_);; zLL!CCszD=_{f$DeBNJ4nwIM)o7As`dWN27r=Eh#?0+OyUeYLzit@Xk}c%-!$wUzF@ zTVuWM;WTDC-PhZday@zDs<5Y? 
zlY^sBjS714rTj963=-6}KVgSg+;Is0oM?oaQj%l{5w#_4FL9b=@@C-_t0W#^d$fi6S3U#X$_ zOFQp7QUE&-4JBL63HXH6-F$Y<{~Q_QTIhn697Jmm%;o@|DBOM*Qo^H z59YC@n_~aYah-aU0>GXxj&9iu|MJSk?gLQmq?Bx2^k3TaOP|uX0l-;1kx}%EDEU8@ zE9C4&&i`HG|K*7Pca4AAqW{RtpYr@aZT!Co&7o)bpEmv<^75wx|DRF)%QgS^r~moJ zKkdt(^75w%`k!z73v~YXr~iLIoOqw#c?*ku(D*y|L}yfu0TmTh{=GD@wBhSF1&@HV zbN4y<`8BR53G+6|i~}TvYN>wr8DnL~DB?CrH-OTd`iP|Q`H^jr)GagIJC0yWrTZa| zc1Qz2-!~BKo74o>mm9-Is9ySqoQn2W`L9~KyfgNyHK5^c-6GrJx?QdoV=!V#`;*Rp zLC&gUV8yCalSiMjOsDn;T{Q+|_DjEnw)bS^+9#{iS0p^?&PZ_Y2I5uO2EGvF0RF<} zoxlITc;gUEVYAC*Ll=X%Uf53UNV%Dtg_2x6_3DVg&Uw|@Wg@rX^NAydIAnlV30<{S ze@*-O5%2Z%#OrZ9|48f7%zW9SlHDSW`s>LB&CDd8GUuOLn?PlG6~%uo*()T}W%6-B zTD#3~dcEO?3CXg%7MoQ!Ql1in+TGpEkMh-gU5BUZvFeWd`}&_L1(Lm5Bhs5$Z~Ynb zOIKQ{0`YI$&n*fN*T9pbM&RZ3cMh8jY54vNW%qg=4f2DsSaf=L3As?*Xs(uES5L3j z7I!i2k$dfY8sfD=Y$w31K1(wkJNop?CoUlI{3)%)^3C^}Jm&An#RNejn>9~GH%tCk zycv3W$%-8ad{##)UUw&e!gffZ^7IA&6~0UXdz@k^KN<}c=;aoJ5lNJw(ej?urZc|L zuC->fCq>)xCY*thT8lkBdVi1QlvXI}Hh+$`ycju=AyLd_aDAS8dj<5P}3oSoOHoE@}Y9O_DYCbq-6@KsDd= zf3Ncez?qbE0#qB!*Da||v5(&wUG+q}-Q>Uis_St=kSq1bk)4MOT)RI8w^ApE0KDVt z0)E50?JeddR#4EC;4Nzj*XvYAvr9TBQYy^3%0|kQCnQVnPMZ$rr3kKl__#x&3Xtzp zK6>G&=yP$5D<2q+DE57p6I6qE4F_wl&*gq2OL@17@_}(@ELKL@r~iKSk;<*vdAC)W zUEr#-`BS%Th(ULon6Dp=jsTAWxB5S#EoR>PZ{St{6YMlH-!t_>BVWBB5>V=QI?h1& z38e7J|9%Hb7fz%ISaCazRHX7yue?z(wY*)Wp9HtM?e@I;sOp_%%*CaC7d{pj_jlD} zzI?6@ms$f1oC9dD_EJfJ*>vgZsytULdMf(lOrFS*t)DZno-OPZ3r6ae=u|{X6zg$0 zj^|QF4dBoC3wHl~RlpPOFaT#a9?o^-29+GnpPImHm{@y_Oa(t``>a`GHcNPI(BRDJ zMg|Fa&v!KHyhG17)}Xncj*pvLc+_)Ab468`}>3wp<5*2MNs?r5Z=z1Z5cVr#-$?Ju&?{9U7gR5fr9sSlnAMI3p=#W1CKI7bNbfjy_ttE0bZREm#% z7#{$nTJJ>F99_J}i6tWUXzIjK{qs6^Y5>nAl1?M|S^g+4xW;g5!2PU;69p*DUgszk zp;mbejF=OSXCD=`)1O9}mzpYPK;9UMJ)7%K4 z#K=5>qmMBMjA++(fzQ#6vs3&gUWLk0?zBfYA9(^0udpc~A;f9=UrEr{{7PuyCiu`% zdN%(L;qtN<#U4MRWop&G36~ky|Agz$J5l zB-Ev*H_%mlaLW>U75|Uzw&eO`@cEJ?C?Jwqza>&*MY(SI}#W7Ct4XW z1ALNyBdsq02R=|N9Z+oMN&I1n9>x9+2`FHU2!Wp}LFosHU(9dnEmXY`?im$KrOuEx zu3t3lOioXBREMy{=qZ;RZ;Tp#-=PoPQod#!fyYtEYC0G3n 
zR@Lfdp&At+qB^NiFdv1DIPo2F=*-SFD%AjI>H0h<_$u?x?>;d;8#qg~uIb5N~PiT~~dA-w@`O*5(;$p3XUDjvgwybJR6MBF6{lG7eNH*3cjpeW!DC z`rTLV^BvDhw`mKHv0d2>y`9CemG5DjPMDfvD=ej@QvDOGa;p4}VoD@Vf<^^MW+VT~r+`4>Lhb?G zpZf;#ckh3f(z--%BL4t+dMvr@M$T?fAv3%pVLSuJ0rl5+@9c+v^f zOg~_}_u$pqnsZm>eT7#>xsHEApOD<&E@VYWFa$ZS*utx4g;~BQ&GCuT)Fi86|NSN~ z2!}H3LIqO?fT}`7LcEsH5z|8mxh1^nYa7MiMY>%Wz(D@20yz?QZRMXJfTe5=taA)I ztm5BSK!=>i#r6~V0EiuXjKmQU`e&I7r_k>(&^-amx3x7?G{0SCMf(KwBX5x{DAwG4 zivEN4T(lAytF-Gy(xRn@hX*$=?{w)t^K%;X(meWhhHWjQEAuWwMaxYL8ZUjB1-@kCXf~t z*53;}U2g9@ap6h+_ZN(J6U(aZDrqj8wcBn66z}cr#j_46@^$z2QjZ(yN>foC_5wKF zb_GgKYjg`P#&Tu|A%J;FbQ{gpe^%0d;{F|_3h5@?!qKM01!u9lhA5v%{D#6H;y;SLipslT&tDxn%gA{y;t`*C?An>k>uBr|O+OZ{2OD4_SMsBC`F zA?Jm@$G+b|A{4hmUsH9}Eq~SuB|4*aHwg0H_mA7*=JoJSUH#~KkWrMt}~U#<|O?d@$3eAf5acxjY!0G-|2c*I81OGh!HP zkNg-^Ubow_QQEhWRzx1$Cu4UP5kScQf5>{vsHpnyeb^2pR3s!tL^_mil?a<_ zFseqAu<8gLmtX~2bAUrF8l@)26BY?ibuy}`KzGHT9>raH=e{#1yYPSG;)5t4E;=7u zn;~4EUK(FZt;~5brJ45D+M6KLk4K{6*Ua8?+#&y)O;IPw5qkcb9{1Jh$-b=3s$GfWQxY$85$kgBC&hM)JaAXQ-PnNP|z}9&;+=nrh z(o1dFkC`B{MaZJcAB}{~N{)IKeTej@^3&62OT}aRp{>@mRvB1ARCSn@RcEM=D z-+(Y(@BzbPjoy78Y>moR{68^6t{HgQY6sTH!7;lT1<%$B$>|q}!DMM30U_X6LcR6E z&EJm%gB@>TPG|LE)2Ji5N770|ClelXQCu(kNWJf8rNR4?5SwxTsKUANFM0yzbNm(o zpgeQK;<@m*UN=tS>rPt9456WD8vHs zyjG)h0i$@p2YYs=V0QubqXYn-H8o9F)sZ<~`A0>+YyBqLG7QhSgfNifH$#>Dr(!F6 z+oiGCD4Rt;wzd9@T;)%yUEwIv;$;g-i{lR}d!q4cY2emNEPe0Pr%KhKGW)*<>4ut4 zXOB3INs zXp=vuQ_IRPr^3y;?^l2Lx<=Te<>7sQ#1VW5fXm#hxy14OwSY69pkC9m!TQw5 zez&%AS;475?g?a$8~la>6>Gs{@ut6HBA{6J48d`8+L8GIpgoNu4gaoGyDh=Ws;3czH3F{;;w zG#(+am}0|PIAaEwZcZ5|AJ1t@m%`^1Z_nMFr^4^M_U-0(7g<`mWjI4kluD~OyD7UP z-o=*%8UofZ+t#RJyV37nt2GJl&(6wfztktOmmb|_{J6~tkIb>8ICyyVMv!)NTmmB` zoCX-ysdZa8evKLoymS*u+@;-!XHXFA6(g5{-Uv!~U^h*^b61sk2B)r%#jeEWXY>Gr zqTV#0)^i%x6bs@ z3@l=uojbRg>L@sbN`KhUCp%guh1TsI6|$wa*1N41iqm;rSY^ zV2P}2_a|C$cKt>V#Ws9cpHQrySC!7yFXmL(#dJl7UYk{I73X@$_*)`8yAY1bORs=h zsnY`p9lw;B+_Yi>WW*7GOQ)yL@YCl*hwCKgea$miT3&hLe=X(>g(m-BhkB6l 
z){}yFYu%WqY+^h28kz+*+YY27+LxY3T`#I?WQtm+cJ8g6kE^Lt1ZB@UOZHBa)Hen-JnBNGg z4xCs>NMm$9krY}tz`bYGcIOclCOBevpaTv z`B{CYCRcugvzkF4K3|$=1P-V0x>SFgu&RnPkFvd|JK>Foz=g<${B0uKx(jH)C;W65 ztSv7Jht$l7A8Q4RF3Fjwq~ou7w*vT*yh0p7xyfIWFeU4ra2AoN`8w6@M9{U@TGb{X5NdDoE1*e1a?ynlD-F2)tkf7EOD%|jS+QG>zua}*z_Nd6psB$qiNsu z!9&jLo9A-rH+hFV%rTD{F3?uA9VybczxrjJ>|z& zq04>lUiD9T;Q#UVj{Ct6Mu!g;ZrhU{p2<<`HiJJ6=EtihFkC3qq6yjm!T66NCZ3Mc z^>wTCpJNin^Lt)$yyoLuDUBgR8*`@c6%h%#OZoc};So9&#>1yBR=!ZGlt{4E{3>sM_BljR10?%*H?8b)B`mfD86w`YDyu1%r zGYP+%cjgbO<iJ1ZJYnCB~)HYP#}us(Mwsj_DL?@ki38HLXCp_}vjVp1Q_KRK_7TPZQ>8v?|@G zx!qWzSKfwR9P2aWOL=Q_I$#xIxS8SS*uRC|M?VMao_MQW9POmqu zR^mLJUwlaig%d|Mb{F6FOISOG{Hpj(IPO9u)G?0Iq8TlwR1qkr=+DE)DVUSRim$!T zf11FxiPNNrJgyP`fJh|K7Ta!GwxGwb|j;5Mf3e3R40 zFBwNWjy+pEHpA7v28IguoTa54CB<_X+M@5W_Pu)QqtT99F3>5a(49M6WY%0t<`{!i z59pfuuV93~m%R@h&m;{aWhdQsvZJlYJ;j9WV_cdbRBacSsyR-877vVD6uDqE@01=e+0GT`ty=kB*!h6! zOinvz49Vt8NWS>yc;ym`UiE-E?ZkMo#anjv4Au83)K05_dBDS$?~N%7Ki*V6YIgDQ zfnrwe91W|vNdPh&eIKoOyK&3LK{f7Zdmz4@NSJMqa}ZeS!k{XSNmWW0=|p!%8)tZ; z-F+ka(@H-#A5Z?6+&&h$IAxx|jugWfnNV`eh@Clq28Dc5#oqaG(2vbX1sfO^UL|wo zlBYx~wpDMw#AOf!)(@A>tA<5#Y?!!zymu`3Bm|fZ;K8C>z+?fBbusFRu z_B>npz`yikuk@o4YpJbqec3VNUr*S-6K;!J%~Is31ix5rflN6yj-bj36Oy>CdNk=} z;p64Ibwq}n26NZRQaP>C5hdSo$6#Q}fiJyKicBFNW0;E5s&TGz+H0`9-ps@dZWgoL zxZCPg;~|alNHF!xKRd$g?hk9yTb%jrLa279V6`Iw1QRxVqba60RJowHBESwx#U~Fs6^VkYsdY`U5HXs?JI`^#ZTY)9fH=Wbz*U&+0@X5TS&e9)+s;fIE^mbQ?3T5rV4kJ3if zUrZrR-kPh&9*$A@Y;M;U&&hAlruvX=BdZ)o6eep#r6UD}_HkIl#II}L)m1S^hDTFg zrt3%y$8NFSl=wL+rs-_IaQ_>G7JXz!BzW?uey#1!Qg)1i0akQQ!QV4?;TR^C5MihL z7$XiG$&S5A3wplPaFezy!^r(yuzxpYmGeY4h>((I-*2G#$etywwCTxGQXLa;p;ak<*~utcbO{* zKCEfNLMz`%E4p_Y;clD}o<|HqTyPXVAv^0|!gW{rk-^W(ymtui{-~pbAm1tAfFz%Z z{6h;%#Fo=ink>hp&mykGcp^Y+NS3Ucvj7?%xrMlR4%NnU>HJ!ZS-)qN?!xw*jkr1P zD$(u6vrjLGzPDg@=&fqS$Bq;9c8FC3=DpXwRCmivnHqj{7>t=dBC-6a-Z*>n2I0{* zXUl1qT|X^}?Zgj`-AAS%Yy>Fz(C7Sg6&`{+jdJG$$+b!cAiQ>PlMt%pv%T)2?V6ou z4qGv(gxDw|KP^K3%R_o$H*`z4#wYkcu8SSxw$iSDeK11WO*A7XN3W6f_R*Cq8do06 z;mJW1$uq-0D7V-Cgf(cC!O>V+3)6 
zRy*?SFAWJPh2)YYo6)9)MDiG4`rUzrrq;WwrK*Lx#a}LexPh#3m^y@f?=_39#wC_7 z+MHc0j_x1S)8;A*Fhwf~koqYE1QV$UhmO1^q7qrkPhQcBpcu*1gd9C!H{emOPj!K+ z*6&KxsI2>?ORlD0 z_J?vRm&(v`a-{piQLArd85=>>aUL2tr4(M%%JAbck6&2%gUy`h9 z35!AJiR#F~Cs(oNSFTGxx^(5@diCrTHF@&B8Tb zaalrS4V$N)JE+yZe%+}2!H}4AO@QPx;_4d-=EAjrXsx}yB ze{wpN7|4ZuSzaHsy=Lc!B=!pl^!x~AzpC}<-za6B7A6?9YsSTFjtN;fBJshW6W`<5Rce&t^pXY8vOU3j3YB{vp+wo*E$FyH2 zP5qbM#_XlG26qfM2J^!*BT5OOXJ*Uy@6mOzty9bBV`?`C5zi?g`n0b4AJB(uQ+&ls zMV5Z^QQ~%Q&f(&dgehrb~h zA3F$;({G^2h~bT+>Q7ypiaH-=f3q)xy%CH4QA$O#F74G~+e*f6vgML}rJ3~S>ZXf% z^+4iuTSP1r=G zrL~yB(p54}ldMuo-Xnd}Lg8~2wuXZq#?BFGIJj&J27e3Q5y%PfJ|Q&53=;3n7pB5v z*;HuB*q>O%v6tFUWg43Hu|P8dbb|2w6J_&>zZ0TVAE5?GFI-gO(c^m;Pi8xX06UY9 z?CmyYac+y{5ajDLdONVhL-R^<8z&+le26UqgYFUkhX?9o`^GcW<5|ZNQWkUItJeL~ zWP}h>Nj=iaV1wgD3gtYB`sc!-8|^DS-CK^uI^@gRvI?U}``k%-0YitH!~1Dxz6e&g#cgWV zTw&m~aI}it(Ni=eQ$^q(Sk^3{Hpte$IiT zmw9aXDgg7ebXb1g+`jhpg`{;5M{lmtSi*K0-G@B)b&a3`D!LB)Kut;Mu=l{?Otm<8 zhFxR>0%rO4(sPw{4EvPl&_3-b3wH=9FAKrOlyc9e7piLnZ&^Wo{>mw8?f6o|`wly8%=s1^qIkDV^SV6xgJhykdcUfC}FyCd7xBUr=UhwRW zxP<1)n=ajL80|qvi0Rq^%LuCT_4WP|t!4vl$$DytdaZ+F@l;g~?N|wSFJkOUBv>F| zmWtt{VC}((8S2+Oy;ifO12S`EAWeC+;k#?NW1&^WTAu>RSu{i-!f-6ui6L$<@D8C|5? 
zhE%>yn=Ubr#W(l~D~s3mr1Bv}qOd|s8Z+@oiLvIbB>uIX89x9zJ~gOtPg-Xt;WP=C ziK56C?4qLx1)YT~D{wx1o(+4vVAnm~wzqez30v=`H6>Tzp~faWb0Y^GZPB7D97Px6 zjCwVwpW)6H6o(U^nIk5+t!y?>4;Sntwz2fJh85PAEqXrd_X{;Nd*R-#C<+7!xB6}i zF^mOHIZv7KxGsHvpet~l{@uUW`}Qs8wQ-vmoSCe$DYf(=w&GIU6x*jeZo3e~@(o~WinF?azUK($EQ#_lf_IjPn z?=K5l4QsbB^?Tnz*O(NU%cI{d^pRi70v0!O%J0`@UkTOEPTXnh3VvD8iOr>=P z{lZCW{oBGQIjQ8}4Z1q6zpk1NQ zR*W$K6TzZYWWSamNI*3h<+|)|O703Bbjq5IOcR#=uC(oU)$zLrzmriZYF;KoVU=)8 zAZM41%|ylTsM$N=TVddSL8eYV?vpxd)s#Q3{d9jRs~`@}dMe@h1#>kMQge~O@4DQU zzzBM6(>ELmYc-Mv8Vi(OMz`oCJxecBzs@})dP+%cKO@8arijN$gYaJSx8kM3qnPei zx7El82q#ox`Hki_&xYuB2xS|>%@BB#Gd1*i#+U#TmT+554)lv}2|Qt!`Q-akfPx_lS7g5|D#!KOA&{sAu2h2i-x z&7#_Qa-b;zvM#T?5V7@X^|)VR)#OMGZl$8Na%=Si>Ew!67F(eTJ|@++0cI?(#`Sp2 z&ICS`8P$TXf{^gDcmACfIjB)X&hXkWQqIgBQQsa(o0@Iu@n+6eU=fYn?92Wn!SJ2g z%7l$kyD#g8{k^1D*mO%$U3DhKd{M!+p>BK_ieE@o#i3v`NuI+r_;j;h#yJVjjlO=H ziz4K)dXx7zEU5n5ZP5GwTuH*4{*|o2q+so@1uh||CWr6-uk@ASjpG!BXXbX)hdd-k z-$neLqjKHzVe5hhy>+PNx7g(8jNC07!m5N&`>zI7uf%c`6Lh$%1H(u)qtcssEmG%y ztqIpS@Wo;@?gqE7eYi=K=RPs81{9KmGHaY>q(X=pb>O0c;T10Bsu?D+&m?b1db{ns zD$--N?j7G#Fx@B2I1XJ_WG){sAl^iN&WKkhW5%Gh{RDEX*{Z@4;;!SCU@A)A3x+1 z-$r-e4qdzYH{(crrM>dU2|oTHFm2-bpjRUyS9Nm&+sy&AV2gN@d==o@i|Ox!J==k z$}d6^sP{4{m)$?6YS(l}Qt^09FN14$$K`RM z#X`$J5)xi_1k;h!BVfKo631yn$Ivd7tb+g}t=t2%^l7ae4MB#|IsH2K>)W%KHg(bB z;2X$_{L`CN=$e+LObjUVqtM^C_ml8la0%9vgv0uhq4(jB@@fZmhpHFgI*&#(unI|{ zjkqwV($RLhj*f%`akjK-Q+d=P6y9Ltwn!qTn7~`|Y2e;Xom(ky&QA9Fayce0^@;h4 z)Zwi5%x2vP%yN2;c4nCm^;g46m8i94@o5z@;@QlEb_~j2TNjSbQA9?ZJ3b-7)g@-8 z-toRZK2WH|Z><^`G+wVMo1+ZiCitt%7a$&N)EY91tNAwJ|XOAf&K?zEBzB)?wOjCToQ-zGK8~I^W)sO#nmNw z;_SPDL0veKvRrn*TqM5A*W--mp z{yYY(%`{_om_3^Q+1IU+qx52~#=fX@#f#>KW-B6-?k}glrt~PwPFx^-2XBpLVT4a` z@)E>401yS0G5ein!wxA^RqNc=zdo4-ow`T`wFQQ&w7YgTzJ3wkrJM}cw-ELpSGy1~ zVryN=XE?H~t9A!_+(!n$AU{R3Y*;%nKNZ#lQT#7)5Oe96IU_*A+ zmqVL?=^S>ORhi=6@%Z%{NkS<3i*g2z&UVnoc=%UT;2zDCSPq-`eoYwd*Ytwf*HuK&$UMo;b{s%c*i*;Qw>)>7C(0}oa;3bdFB zj87K0Hfs8cbu(Ic0$QHg-V*kBO6o@RL|-tR^nPUCRLw)(;O(J$`jHX~e2>y}$^7Tb 
z__W96E!4bibw48-W`Z)nSqSs4d>~o1-#nJ59lqWUwj~#Ndj*CX=<1uY8Hw7AOX>)r zPC>ixepxycZVZ@Jy^~O+7TO$GrptmZyNX@B`b6vUe=#WVPYjx2uoh{4X58eXt~puk zsjHA6l6JvDCkn0d2ew+0%`_Mll!;rCzcAm?>7oU6An52G6cS9^B${K^E;|GO83OG$ z!2cE*^IS(Zf)-nX%NSMD)sCp@@f{8cp%?Ukg!N$rbDB^MjB{g{uS%EfS16y)0f`!! zJcjMAPoxUWuk8^$^LSd$Q8;|R`K~TG`qKqd{&&4s{2J+8#a#&?#RltF%nhLJ@Rebf z+8x!Np*O=9aMyGG0Xq#spSu^RD1y9AjX8kviV|rFSS=VD36fKpFK|$iNOGHl( zZHB+k58;U!nE+H;$p0ib7f-mk#I(^s(=xu?0INAV>Y9=fFe_{7udUk8G6l?@QfqLx ziEElr+2nIr@2=kLB|O#UQxcer*AbjdHYTf#oOo+o_6p2$Xd~YfGK}1SI-+d&7z5y` zL&udX99bV^Bbhbj*zqwA20R)70Gx;7WXU?a>s{e-^ui+r=k=)s)^}!T?~3u<`13X2 zy}d03C|r4-?0Ah|j6HCm`B<`D2k6sVS2&IDQjO!toacYQSlYwH@Vol z?uSSixzIUg*Rbu~Ug}auowmS>4d^A;tD|&omVIBcT9E^D^9h%J?!(BLbE=9@LtXIe6I4v;TXyDtBY#J((n@aM)N1LCr%>W6?UoBrH0)F)vdKV`j~UZNo!w zl&XPv6lpI;KzrcJ<#?ecYHr^N`OXB>eyd)Or@v74IQ-VQg5yB1>z{d`ZvT_G0C@NF z-COGUwM@$P%nL&W+j0v9xPP!b4`dyK*tR`UF!39s7I=M`j5tc-3cDSLPFUvn5S`p&&r3a3zy*JKdr%uei<)!UWzq>O5za)}85N+4I4!CAaQ9Ij(mZ3n-nDutiIvX#nz)g*KTqN`3zlS z`6S+IF-AlymVNBDTrRRR@Gd8eOk<^Y_Y;W~<2LNPcc36b6TLb%r-JCnujFY*Z4JdQ zbcewJGpt-;&;0<2g6r@9jpL}O{}ab0zLNZ97zwY=(@%N)AfxKstA>L4r&fLLfDQgD z4{*!py*SGSwpEOvH2}0ttj^juc!z7!o@u>h^FG<^l8H#6Kqra1 z2>}WUQmurOD<$Q(@!4oHYPK}Z1{y`b&KLyRA9y6mSao8%B587%-5wwOLYVuWos<(B zKSTr4RIDy2H@$Yb${Yy3}Ak~&NBj&tuh$U zdT(@dGT1c^9W=`cY_v;OxO}0cmVR!x1|&_*LMH=_EUDYZ;U;>OD6sdzS< zaicZhU%!?7>3T)(UdlsCwGGbJp;*DBJ#9=8S^&4~#(t+j!R=MdP|%4Bv!C?}woN4eeC zV=YZ-Mg7eULQ3T^r?Y&eQnh#fTIEK}47C4`K!2gp-~DSq*-@rKD%7Op)FiU}xX6VL zRMYd|64utrW7=65sks5gBvAoha78ZMmWfE_op@G-O(p3?aj6gGPk`gH+!CM=c6^`9 zZpG(dq}mh10Hv3W)Tjm;*Sq}=w^XzXwfJHS@1%=jAhUhxlEzQAH>qWc+xSphh=>Ah z-k<_qFY7~(SBJLRd9ufj8wHVDm2}51#wBIZLtYCt?bcg*&zNn8^U!9|H~&F{3x<*e zgfnX^mU%$w+DHOb*;c7*4)5~Ez3z&%TaCq*V19iQO&;nbztLnLCKxLMa%{yMjt=UA z$Y`i!!bnfQquhxZRG#SEl2@@o=H^7)Rq5`E<*LN12!$ux1f<(9b`cP`jgqAb zf`W#uj85bTLIEa*>w-Ce$4@YluO zhW)lXw-YXEC&2NZ;@;^mZ1l2$>0Q>$sEDLd+yk~Tm~QFK>TX-{{sh2L zi1;TYBWU=xDbn6!T1)ZsJw0J*v?6z=NhsgowM9`Ha~Y61xhz+n?An(V+c*b((= 
zyOHdU#|1I~y+j|}ezF^TJ}-z*^DMr^q_ISa(Qvd^t2WYw?y2Vk3y8Xh?etGYc&vJ% z@<{jgmLzUGGqB-5bgpv042u29W&83xEW~uE&o96xQj1M58otaO6oS-pWvX;NWlJj;RN`(FBccy(n znyy1;!%7%T!<7QF*L-*<=7Vml{X@~v?qF&sV9k;Bx-w>kn04R^;giA^sJrqbC|E8tlbX(Gf*o@1A<;AhE^nL6< z^9lfD-QXkL0=Xz$Q|9GFog&+eTwh-0B*UaT2V{fwNt4bK2vgOU_3^e2?^L383y&%( zyrzz*hs)H7+s!~)m;SS_^pg^5L*^InuLZf4Y5wdnb6*NJ8wLtrxidZ$x4{|}JjPAl z>c|qA2-{)NuW?Sr_Fq&cRe56wxfZj}Pi>HVXtV7bec=Xt4iYxVrc7o^Q7~SbXuu2R zu&1Qe>vM&b`EI2eJzYTchd?h6?;rm8$#nU5>F4Ph%ppZa5p0qrcwgAko?`gbm(9ZP z{f#W@r(W4NiD<36aAzL|@*Oi908QEw$doZpRqxR)R?*S;^v}L*a7zpW3UU-5H6HI- zOh-DTDNZjq5RwUFm%tcwglUzd7_;py}V znI;z+d+G!?!ScoxlkIE}L}lZ#O>01_m{xh4RgfzqURwtqRJB6^s=~+*RG~k1-e(Pe z{68V&(yeP5zvG_gJn-gr;dJhApnM|6;d(B4o@0oT(&zBPu>PH?_cVbv;%9J^qRY$7 zWBr7#Qyu`2b0%jfFllBvTpJysU;F?eRPQq|CEwt28vU5e%S)jN*ee3GuRrC-R!i%5KU3zx5IzmHkTiLv)GZ2~NhjL7EYnNIXkcxkH79%_>2UZJtT6d!v~S z@uqTi>}?GS_y_HuQO@NC7BOi;t9Q(3xGnLK>yY?+Q2G87N z-hx6{;e?g>7J$Xq)?>(M#bik5Def%cK0TI=WE&Cn*x)HQ(@)dLQIOwT?A8SeB>}go zO#nfKfpb@@R435aefO!w%$g=mcYbjU8r*-zP=y=3mjR1sJjQ4>yI#-O^eenIvm0?Y z^248!&|A!f&C!I$Q4x*uh^0K`+`DaIyKFRkrLypJ>bttT$Bb`#=J9GjEHPh`5}wBP z>o=^6glHFxd_lqn$O%=`d0vRruIj=sx?dS^e|uMDma%bIjr4Y>!uxp19dwSe5=m=9F02f9JMVy=@h-c^r{<+(Sh#U`sRSxA}MWIzU zIT<`X971=t({8G+U!Ww2{N<%%MiNOQECbLWp0w31eQqY*{^K}vZmYiB%U5r*`W*Im z;38lzuiwcFTbpl(XchJ+xG!{YCc6rnuW&UuVsD^xwJGaEEelQdq{Y78D2*>RKn4-W zv~yDKdwXc}Be58wwIsdFk)EaacIyXbm%@n|YhpB|P5*-uz#n`U1q{B1oL@^^@YQN_ z7ge-Hw@5oPX^Bxr1qqW4lULTywaDr!kG%(yx=DA2zg&s)qkyMz{L-ESo|+$`-XexY z6UFM}AWT{LR5%jFA+I|I!CXG8{nRX`^KK2E+sQ4rtI@gFd2LUsbN!d{cGm)k`wpLM z7Hm9@wR}Hze^4AJ0tIwUVqvJS0ssj21#~6@-aA`jftpjUW|EMD5Wz#CX=nSzpz7Gi z(s(w38D5pG-ZvlVE|K_KDy6)B1@Fe8H#u4K#!vclJqqK8e{J3Lrv*3*<9t4LtW~+ z9MHSLO14lDEaPRH>e=Z!#Ggdyyz(*uN7YESiq%h-);z_eO-M7fs ziJ*vmZh`0f>*r;MnVPimTU}Wa87FoPfEH@=vd=Jtxt{%az*OLzHJpB|#1!_B+bX35 z%{<2MMsC4~bba~L_dsB-zn|`RusM*HEPRqmKV9UHWl|PTK3R}+D|&^oA}>^EpS$gQFT(w zcwh_!12%VX-kWUoQ$@}j)>y0f?E6dXTJ}8_v`-fT8MuN+C+ShNA3VuGT0mNPEW@g#TOEMYz0xFJa!^c}Za2ccr 
zB_ERbUaoqEfc@(p)liM-m!~A@XrXhUriRT7;`{5-KSeHEx2`H>ghtg6Y85LDd=yp4 zcuZhiTxgmLi#`5yD2&}#_#2G>KD zw0o?f27;lk^fk={6oaP7SzU;_YD3rUl&NW-gM3xf?dhcuouXe4_g?emYvgA69q%Fr z#CM^9kewvtee|b<#KzA6;Me;7XsB$y!J&bI@S)0-lc6TC1$jhzxW(Mcpx!kuH=KLx zlEHByCzDr+QS3AG8)(cZyAb&78UfAoVfRj5kUQknxGF&mVcA!CY`dnQ@0qSajcfHQ zuPJv++La#V97XWfS{vV>cy6Bht$(=nuGAlbE^3tM(CPqvQFtS1)Y&yhy)aJN=O>|s zuv(^4pwjBy-k03!N!v3;RnG5R7-$ZgygU13l#>yB^Y|2Uz)pdO7IGQ0gMlNVPl7_l z9wZ8eyH)~?t{TOYrs%;B9wek$Sj=I0$)BMu>7~B;0syGiL))A3Z0aBhowCwvF$YEM+iS&&6o@3Gnh633dm;$<;PS`NHvr-A~m^Yn8>{qDu8(SufisE zX>#{^ODmsa_S{GAFZ!;3A81-h)K7Eab!TtxPw%9pqdRZzg3nj1j(BW_tQ&yn7)x1i zCPYU$Cta2rpR!2>1PdzRbP&1d&+?M@W@191s`P-jQPjuWPUUF9y zcpuNK`^_qXu~yT`r{zaH$LI9zk!2uh7j(P5p0mNW3mvBFZLLmLQ@U>+IfRn(QZSI9 z86A>`A8?u&G3FMbE@Pozz7qb6j$aj@{K?%v0+VYTDA-SZLTrlPPvB`(M-^zKCZ4lv z2jJ#G24xm>4&t^uN~fncGc;#jPL}p5G2Z_O7|(iGJCkZe>l^cTo&dLOwG_JO;ohp; z&vlp>-}7kis?znpy=J#SqPR2DEPH`3c>sBRSpnGr&-?(vM-CtJwiiNOnS2Qy?uK_< zS=(vGd?SbNK3nLFSkwy^Ze@HI^uIiP_uK7@J_EHtS%5*eHnTzoqa#-6TDe!*Wln#L zZAG(R@ zu-cb=)&t4Uj2Az`9i{=%&*)5$h6dF<;`8FzF#3hyKikN-RFx5b8hCqgeP~*6vJL0j zqv-!~eRB+&2cC3G4=r1=>VUk_9V_PF7T4}Gh|P5&Mw&Z5NVaK}=t2mKz(ErL;Nt@T zpC0$f`2s64PICFwz=8XX9OujKC=yox+##*=p~%!? 
z>oFnfcRZx)K}o)W*7!<$nXbA}O3$t+YDrrEPg7fE8eMd3lm1iv=E3;&&j)<=mqLac zlnp2A-GIY84$Ti&n~Gm%t#7sBm*OLv4apX`cD^Z5z2;!+oft%^^od*cl1G*rEeuZ& z68$sWOShz+{EjIc^MF4MxE!QmPr=jigJ8+Urac%0=iaCy}34+8;4@* zJ%g5n*Z&Wr%+On6p->39ute0lDHyEmKd-@8B4K11XLZOi_?VK1(|b2=tHqaPx@2 zXt)QmEfDUCy(mq%W@z&m3&xUFpE@qx>dRt*sb=JMDI4m^DE|~YWCnWTh82tA?MTzq zOD;@EB%RoBjh2xqi|8N01C9=SjXVP2LzGttBTT(MEY)c_o6X5G)4d0&F?3CyRWIj7H=kITxJ@;F2KSeb=PB_=t9XlG-IX^2l zZ2eXtM(JUzRVo8aamu-N`@Y_&ChaS8qOc!8*Bb(1-aP`z2A#uqfG+#B%Kc?#h1l;e zy?Ob`%f2SP8SY z9{FMh3f-|$NcX*3sQXGVU%|U+li3!0D|MPFrMYE)@tb`~#U9@mNx0|w&Rax`ErijH z(OO0V3r79QAneOXD6#WA#m$@$her8Wl2A@V) zd@=rVqo@7I+IBl6O6@SYn&9wn+aO=8AImFHi}|XGL78)Oca)5v`)jPPsr)LfsIR-K zu|oH_pl4T+zWdgiOQ-y3(Y?7JBpux;XP03@;o17e{AeCZ#=#1;;bWcEYco#LHb&)6{_Zwm=af23K*YOjPD=;-|I^JjldkyvKmR z6mhs^Sq@*#>Qux(k~kDOX>VkS6NgP!+sYqF9zOHQI8^>nO8GYzAS zLX!BOrC+{#_Ya|%tg{dagw-ML7+-_`GM;gxZv>#nWu|^+P*jkQ zd6EOn8%d;S@TdOVO7;J-_m)vn_gmPo3DOE84JzF&BBdZ*(hVZr(lIcIAV?!24bmVn z(lC?~(%mr(4MPmg07E=~@V?Kv&v~Br`}^Un#bUA4apwPH$F;A0?ft8FIf>@#f-ydO zk>kV5POq?*yjTD+`SEjs+kWO)Eu}>xgq%Hz4m*ZkQ4Wyl@}1ur9B)i5LahOfvV-H& z7=u%omdmftT4b+o{Y|X^1j{|VYjT+^$Q>|KE#-N{){h-^feGU^k>0!QGqgJZT_P(~ z_9WJIhxY;A)7_0=`mJtb{4A{0CHaN-9|0X?)E8RmF%p|SllJgDZj*MKuIJ7R6Z0Qj zsxu@)KTcOW44WCtG`XFVbBB_0XAV;oz@x+&FbISF!<$Gr&R(tdr4!M}i2?vL^Nsj! 
zhUKXX;%w{^=&t&;K^EQ&p)?t9{D*xw0UBqWebmFWS!i4X?Js-@2M4zdm1#hc1Z=Wc z18(09;W*J^dmqE(_|!O3f%!moec;2lq&A>?i1_|P#IO#Wdc64acy~dCC4)vS_(bZ# zR6G13F1nz}dAQpDVvy(+^}jP)J<)ZiU_CW2_jeV%YS4Y7G3!UWanjyP-qOtW%&+vi zssI+gwS~R)>ZQcvhmEZ**tALVA94SkXaeqBQ&#~-cY(u&^9GF#RNXZ|bhd!pl;Acn zOYTM03~L`|AN)n^6hn$E@c_E_0ISj!!`U=HvjIM&uXI2aXXta(c%SgZLEd!!Xtw&w zmS_biF`W2qTORnm89-^)d_xy^e53s9LmP?$GY9?SbC7Tf#KD~3!KR<5>5cy4;z%i= zX5p#WmI)5kk+%3@A5IJS+kjXN=D&!Tmp`fh(A7s1a+TYn_44IzJ(;6HTIj*4iR=SV zPJxo&i-(-%!i%qBKYX}-C+)L_ZF6%PWNH1Sdlhs}L(((u0o}jt{D$Aa(<}8{;z{8G zz>A!%{bHZ0_M$s4GfAVm^VOA?B>z>dd^J!#riOobEBF|{p6AYY&B9mGkyHXH%AqTY zl54F=55>UV%cPK(gGSfHF=_+(WbmYd!1noaF?7WvvnIH}a^U1b&bNiS_$%=H%#A<-4XwM<3RbI0j|Q|>aCZLv;TlR*ELn@ zCYO{5Lt(kRlGIFKo@L0W*-sr`uYZ1p2nTa;Bv@7Lw<)l#aoskSUqdrUN=o4I+sL25 zf++;Ri5_gG`)=|dl)A-sd|~!FSObPK)oJv;k^kFYKK$$k2tmMZ;Du{k-$gGAEsh4` z)If;-(00VwA#bza0hF*Rt);ge%nr!PlhO>8Q{z-kdn7uCS2YFNMeiL;e!w&BO{$L7 z#6K*&J;E|70qi?3e=-6NBx)>9|F`}4 z-BY+WAIm$9D(}}HB>z-*Z7F%#JUuVox`{N0`1ahfGKjdj5wy??_yKR?YXMl@d6vuYQX90sZ!&D-q~+ zKblRVzq?`O1@a?mnLGe*uN<4m&d?ilZZkn%<%wq zP~we)NDI;D|LU0C-@SKTN`!l$F#AaVevZF2Zyms4`QzYcxmjj#+`A(+*Ow~ff;{tl z;f}0d5+(=cd*u=y-=tTF{aj|=sQ_3Tf$fcozocN->Fyp1fXB_}^sQL`B)+bG{-E`T z@n~3hefRI*=HD68!KVQJDKe;61eH$0%f4}M;&vi~50ZQtiN9+F{fBCEFQ3w2%W|l)| zuO?Oh`StkWALGFL#2P60U%!P9FQcyO`&^756`_hZB>(x!8+T^t0T<^mI>7($=gasL z@hzG3xqEK@_p3ev{tSpL`L6`v|IiQobwqOLr|_rHkxzli$JJoW#_q`yau13HdE z&eXDolLG{kT*6%C2aEUXJvyi7BRXC2jPbPRcX={=FHVAvXoSTHnwy#6n1WYAT|XC+ z`KgPOaYe7A%|w^kU_yp$%fU>k=NR)_0gk=R)5I;_FuM1b7q_AAmyLX{0f8E#@_2WK z65r=f4!$FE4FVogN~I5fJSuk{|5lQ8!zN4wjjuY^lgMP3Brp;r?v@U}J9E6xX$1!6 zK{K;u4Sf;L4eYZG!VkCKK5q*r3IZl-&WBdB(_ebjkDWTdoRyi=@KoMG6;B@=@0uX) zEaKRa$Xg2kLEL^jvH+%pZD0V91->&2ViMV}%b1>7<4qVBuJ1SMT|W&ML%@A6<3ghA z(-HvfNs(ySztl2*_x`G3JMnf85Nbe?b%LW3(^3_Zi5=8L+RUx4gcD!#%~j0qOPTEt zQo)*P?+(b;cm55l$?r6ARSk7jd9lpV%qMTRaYtHBEN^0Apt-oOL_ zB{Vs=c_vT8FCXZY20QModjc`*e$SxMNrU{;5k4Ne~aXl<9wx6W~@>H1^Z^RYK7XdYCgUkY#n-!{d!65)8T6{++KqG~t~aIB(> zS6ucH?6gbA8djfieDBbXK9cHR5bN`+Kh!{{2)Eg9;i*dZ^v(xpN##oHk 
zK!*2ls=qJJM}-9FAmZeq7!=bbKw!~tF3D_GgzMv3SJ4*HcXWdWBLiA2Pu~0r^ZWy$CxCiP`p%Zce(nk6MMb*r%#votQO|auy>pgwq7hfs zyw3#>Eii3I_xH4&-)F_YPNIQFht$%o5SNcZ!<%D>!ac=}l#0iRGWG1df+wBRT0Nur z?ml2i$Q_a-_9?d^BUA|KFV zj25VzEGxAB&R2q0KMSlfAjZ$C`jT<;sxYZnzlPkwfx!5%rI?V`k)(l9B|P-e15kei z#)?G~eYfwM56j-16#RC_asOW@2V}{(I_&-His>f+(jUA+pSaVUd_Ui`q`ovK6xI7Q z#oI&y?F|?8_pEF|pP2!ba-8hjzss-($$#W_F`zct`L!eLERu_w*J>7hS*%(Rm59x4 zRey-J3Lwi+>|=Q@Sx?wiFWJ2o{GR%}!s7vp7Bs+kF00))M`e+Lc{z2uD*FI2tG@TZ zbyb6h<<34iwa_kWI3;=kybh}r$x-;ynE$#|nh@{Hh3|fyEMinQoVg;!Hrsr^F@9)#D)t(2R*SWB_EJna?$YibB z5-Pm2$7~9u<*P$qOcJ2yEG?5q`on4vQds3fC zccS0d<>o5D=?iZB^}q2&I=j2Ap&nZIpV_ZH6F9|PiNo98kJtHStj^%~_ms?Q+dnmw zA~Ft;jtu($2x5>lFpk5=uR{Z~LFSpXtQy;r+cyO2IFKWwLzAV|d>LIgqY0F$C-uc7Xl1gC*+g_}Cxos?q;?qDC(Z4Qy+8ic|JJZ!N7Ofwm{Q7&aN@7J_hl;KOsUo~ve;Qu3 z=IJ4`el7V)Qmr#VE%|lhRQOqc!`?Z*>r#6Hh!`W&p0CiJv;m8a_dnkwfBrDs7MNlf zi3ijM5Nis%r-=xI6<< zC*4JJTr4p^|7=|XcB4J}Q}2UkSnaW-FPb-z4Im)15qXI?J{2=x0mT44!NK09%iPyk zM5-hCD&7ujFBKUBXv?8Ks~jRer|KyZw?ZfdoqqCy_Li7oP@m+5-{BIaz@YvFP2}Zx zZxeG`J_W55ZltS^$Xajy&Q;P(S!@fJ2P7}g7~mG(jXfMubk1{eZnsm3`WNS0q!%c+ z-`tx2yu~`+tyQ9eYV?mACKal0GMkQ{=knUVxb0|2Kvk=}9omQ#^LV@)Of3R+>buyi z*`-*3FBVU`GkG0YJ`^()_RTdbR7{xbQt*(}G1Ag@>oPuAfmeUlidtzR@yoU7PaA|+ z+Y=eZ95+wu_-+e1!bJ&v#q5K*kE_2M9!{m#IvZ8Dxvmf}yjw#`JP$jScxZQ(29e+kQrm{a{NB(E>ns6!9Dy1Y?$t8Vd|=v7b+xHb_8=_YuV%=7zvz=~sw`EJ=3 zI4!~R#c#F=3`FdfB6T+j>~|Hml5O7pGJw%Umv;~Ksx&TrHXcb5RXsZK)HP~XN~_&H z%et4$Ervoz-%4!aJQpe;J~=x+NmOgT1F;GO3>pKI=Pz)2-}ny+eYp6{QTMrFgInq& zb_3a<$kaFHEd=F=;k+F8*{+xA57D3BwMXPos%=v~uru#5pd*$Hru>9)h)f?RCT^zlgzuK(#S_4v|IZg zw*$k!9!+-q=KQqW+NWY|(W0qHF+fqE))^GXjuVs$0_W021yP}13lLT zNgOOjrTtO*+S!!5@`#`FS@rVUX5HdOBl+S%5tLbq)Q!pO=qzYc_Z_2iLzq08$ zIIiKvVA$;Z&b&Y^CwpeQNxDsx<*gTu)3jepJCjeP!>Brs9GgLDV3jT0tcG(aPf?=s zyGG_xXEcl5fe>4gkjqBlLuGPab>1U=$6nN>d+%hYV(Q38Zs**vk-0+M^%g@^ami#{ z;kf0+!twzSf3a2lF5iE#KdgL!!_m(0MQql{*VV^QhZb2zl;4wAg=eWJ8E0gUAe zy>MM&>(#4JSXZNFTm?<$TeUzsg3({MTQtP%zugXsutrLpG;x}Vu_O24-e9a!-GfRK 
z;4+Kt*vq38FEJqv79(A!*PmMQz3EG@_&>iL09pcV04X42Ds}f5^F6f`D+jfuTRblZ zdow$$qIWzP!RO&)Mbk1(SnTv-x1BtP=pdmMKlu*qzq&ISrRnQu%U)Q&branXd3)!4 zf7>~AG}BRJxBet>L}0^n%++cAzzzpOle{M)U^?Pa8@z`Ld3aV$v{s(QNSh3v-DZ3Oj>$1dy_O`$mVgWGY8|C&8NLpe!Jh>rXFm9{6%_t zUfWMrNA()vxqV5T#F7yY6TRGRERJ{LQ*XO%!K63ZgyL8i+`lOm1(%ujy`~Q($#HM3 zyP+)Wi?_GjDGS_Fo2jVhZte2OM)u-(dR@eCl9ZC$Y^Ig$<0UVG%Vr2kHJz|7#|X#U zsVQ<$KHE#4pYl~L`f*?%o+=H1`epR|L~u+6GOstVsQ`BlZ&xW8?zdORp-fYq+%Ua} z;tXvvqHow&FJD1fNaC!!<4 zsJb}LUdZc=qg=X%%h@{ex@0fPLeWvz5i|*>QHCo;)c_!%<*ULd zY0=I8{NoTzXKUFAe$xuIT^ysT&^gPh%Id00#%&%mta&Lazh!H2kzBo%8D}%boY&G1 zDNgb!URq9lS(!OQ;BZ2AIyY|;?PlWUG&DVTmBN4hKT^07b~|-yQ%*?(CK+|e=&;qs0wI)$H`r8{kUy}iYTUM6g=lP+B28>v@w2} z&EKpuqIRnLTyW+5ah@5m+e2z0tE7tPKr?#B50gH$0g7MUd2}>|*eDNwE2fk@2s4kH z^eoZIf)0`RtuJ1o@CHnLtq^DhI#9F7Q2y+&AWuC@PEtN=#9;o$1k{8e=VYmL3LOU7 z=4`&P!k*(v8)urZtEucWvzY{Yz^dcjOXENh@VA}c7RWOp@<|0?ANIx~iS|U?|MMBU@)--PKDHa#^ zJt8)B3RD_6Tg!KG+F$ze|6ru;pL8b4hexSkM}zN&lI{$AUVmbtW-objD=|+B)iR}oBz^~oZl^a ze06Fid;@gOwLcMTWOd-t-`^pu^~}S~db*hp8kA?lo}Nc>8p_{y*47=+H_1U@0$r}% zugjV%5dkN2V)6k((7qv%O^uec()cfrZ|_s9*%O`$4#c%_zsne+Cb+ z7=n=_bDzTs=>w?UOGqCd=zvmo3}BHzfu94gU4z^8#qac78|F z80p%>r}<_dvQF%-KRJzK_I4ztqNV-{RO}^WAKO=cw3>7Fn+4G;-lpNzY~CGOE*!~% z-%s~K3_!^m;8Nh*eq~-3+#s~i(!aAi9W@~6e^FCn!E=qQnV<*X@p!drsR%VwI&1` zwsDLrGiv5-KE-|N7JZRa%Ct!Qc_er>+Z}sp(HnBGJ=r;;{fpJF%!C~>w{Ej%>f*X5 zkp1jyX~tv>QKc8MJ_!ON_FFpg4j00q&AJdZ2?QilJg$M7k?n;S9?sTr?L$Ig9C{~N z+Bw5@^$P_r3IGvi%H_rTd}5#I%L@!A_}+TNDwVjyx6?xs(7H;egTRAcRs)3q46JH;RlnWwzb}=D;P~#6Ic%qSohp7--!al`1VIEM*7l<1cMHJcfWjVEYUE8VcPV|$Co5n^OhfJZa=I+ zHr@`hYK~1b?^Wn7sz|T4=}oQ8Xgba^0mm=Nzw33EcpWwm=VkOw!SEcFo@DBwp^Tsr z9B^6lYxymsLb~LihK%VG!DMRcCvaN6k3Zd?1*{?sU3h_d;5DTXq<0RUO#BglJfTPv zor+d7y6t9Ke}aPR+sXjDhc9b9WSufK`v*7EoKImtQBR@W1U5#`qbQWbHGcXUJs*1g zc-#;fLA6tNL~i=suebyY&guiL6gVHyJhzX$6czTkzj6qp?w1^!-mAZ6!2CV~vi*Ma zXdtXV>A@!WV*1?MbH%;+Z?6oe!mjO!H#L(UKoyLCbb?05~pH|=>T1kwfPOVvmI>{))X~G^g?xPYl+a^`|Ov+o~poBV$KsIV}g^utMK@Tb1duNwIJOuQW`Y^ODx)9Tk5gAU*M 
zV^eTn5!r&v1rUv_Q`hWK`sK!xge$`6tVOsM(NbT_lywj97oukphtF(9IGo!r_48z+ zcDgp753Ige-PYXuU5RqKXj}y9Vc|@dl+mN=t=4ryrw~GV>|HUp=u!SfPxS)ruh>iI zmr&_McpnU%{bS7<)66h9-!scA@QEiqm7$8Xl6QJM;XLk1nsOQ&);ajJ=;6nA`&Fq< z#8%T1_eKO%^M+y_e|N&8rnDIdTJg6i?SWFNI(xvgJ_$#Nq|i5}$8>3KHV~dY6O>mx zYZa4P;CWZi^V3+eFFd-rWS>RQNtJ@+g!)VEeh9y{{h}0ZRI&`JY>GJ@qF0D75?iJJ zMS`i!ge#p_NZas!V528ayez6|<^d$X3)T1n*gd{%LfQ4HCBaEMwj)!laV)qEJLh7y zx<07{Jh~Ja`Y@Yv5>DI%adAO(5x-#2#5G{ne5`Sa%JEw6&u-$~tM}+`O0G%;u@+)E zl3f-T7&Js5z*#RE-scavK5bn*4c9yV!2l3^{=MXiI00Hw+NBdI*ERnq{S?97BB!GjNF?W>lE8htOO70y5HP4f1%_zGVG)31%(y zS=)N(h2>Su(s=6B!BZ;!Ed?WZRPXp?kZsplP@3wCzjPMRU+b0g(h0#_B! z=Dn{^J$cMH)~Ue1ZO3z}Ra>9j@5Z6B7XZTTsNE#u3q%7T9|nQN2icJq$5c0@&7z1l z7BbH3C`6~0qoOwhST}G=`U{U%`_X;}VcwU&ZX-NF;RDXr?c(5-@gSB1x8hodyu2xvP zebA*sbZS_7&T*<(6IzQg;>OP}H%4UPd5JA+Ks9Q4wnVmWKGbem#<6H&=@w>M_k06W zaMyV;su6}8da!f$!fm6_GtGkHokoV|No@+zhEPORMkM|YEUGb@N}jr9`po_F+O1)8 z&Zt89s(s`FnTCUeyDID6TS}Ez4u$51XZjpAlZ#Df46{a-l|{lT|JeeO{L=!VK?M#s z53=16Qr=kGHL@J3>FmOl_tt+MaKVzdmU$pvKlR4pDf3;I9>06yBH`h7~Ouup_)tI}Ir?FEvq^;Udi|2Da#^#RSzi8i1H zmc3L>L~qcG@3lox$s6?kOd}}sHx7E%i-(alY|%IP!8j}Kh=zpuHUD?@H+zl9wQ%g2 z2s{ipc8ec44oB3;&{d=1)^dP~KcDk3#chwAkw;ILKI#lXxQ5Eh@2N3qV#mf@T)d^l zrcgTwZfS9U_=G@v$>|;Dbl;XP%V-a9gk*Df>Wt+_miKHds)nRSKL#^&783GOP)IO8Dco2gPDxQn#T6eUg86# zw9T`LMjM(Oc8W+Sps=5mRZX8jIGhmJ#Jwwbb~+Wv7Wleb@8K%vdaURvUJqr53pp(i z$4_t%*{}0j1}r@875*JeY}JzjI#j|kUu3^8b$*y!#iBL^(h8s)$S;AIj{N~C(~9M|_;zw18hJ;m$r#d{sT%<;1x$f5;La96i30J7$) z3#>>gK%Go=J~6MH-b^hTEB>rIBG9&nT%;m>B{5`rV({lIZitsfSBQ9W9QUBPaLL6< zf*7v4ShwKG=2~w@ZhCdzJuDjm+gwR_(>+B|ZPI&0^a?-oOj&`2)0%8rAzj|Oz%Y~0 znd|zb5mCd3)c)g^=dQrYDC(`LI%VdoZFu}Ar}DtkftgxR{PTw(?Fot6jvZvnbmdB* z(gvppQF$b639Ask-C=g|9IwpKdQTCvEx{(Y@BkGlY`C=^S0Ix?uv}DOW?={BWX#(R z#P)~0Us}l)_+Cad{~;|E55v5qa672`xt!dY$5hnvsm;$qtbGt$VF%AC>JAXjBL)VQ z12VLPLaRu&33w9fi2&?%Lnvq;Gtg;)09$agPITx_lf#0$g*AJ>-C6C?jM8>ZpPA;i z!g0!pJMI2F)Vz=E)E#tIU0tpHM3V+Tb{b-cCIWULC%NY=ZKIWHMgFWiHw5}{o=r|a z&^o-TVkEi^`;}RqDOEaa>3HIu$knYxqsz2eqv_*cZ~b{iCmzS6leU$GO;OHpRqsZ 
zW3D3#^1#3!y&!H&;WBwjOLn%tRq178U1yPN4l=ix^u1Ji;XW=5D;IDWpVrtzmpMm* znM+ml^%p-YrdyVh?KQR)E+6aDiO3xci`;{{7L@rV?=a)tqjH*S zoNq*QapL__I7g+C{%C%(jq3yYGHEm6Wp@=%C7cr!yHCprRG> z*S+W8gFYy4N;g~Lqh3e*nao7KQ)Bad16<(Ibhlik^KBxb)N(Q73Ab$^MG2K!$zE4c zObEA?qdG=GSSf3C&$GnevX~KW&53uO4#5odCBM)y8y3V6ldNS+k}W-HbUCpju%AmP zF}r!fZBIzEOzLEB70ze0aBZmlCs?F+pcMeECLVws%!m zVEZ!F4ic_f`;INNFR-?5vSP81hlo3Sr?(1~D?>{`y{6Mdks_+qn&n!X_V$En6+5)- z=Lx@xd)B;nJ)vfU#l7oJi?RYrIJy-4tTWZLF&Fr?ab`rn@gfz6Qcrr_t!t1xEw~n` zZtn(~ixd0ZX0o;iepKqzMq(o9w)0<63(MF%ACim0-KezIK%y68xLEv-ww>kl$fCC+ zQiSZ^6NxWp1k-6J{W93D5;dy|CAR>3!PRx`EJi;W-ybluV`b&&+BaLehMq^C;l(2^~E*pRZRqR!=kk{w8*DvbaDljC`EE0Y=qO zA7+XA5q03u?hd%`AEc;NEIiyby0u^=Y2 zt1^Zf=R`?1^f0u?&A!6G=d>AgG=dTKGeae*c}<;*V*q5HZ4lg!xgIZRGs?m(DMu!+ z&u@FcFQ?neCs88nKdu0kMLpZMdQXZF%qrjK+3WsWQIV2SRG~ zH@=y=^@GA0m&RF9EMZJ63zhyBZkhiy} zs^FRiPQP@lLRotElF*Z0)|!TQpl`-^QcO(O8_gcLe1D}3b<^_XPl~~fzC=NI==U@ z!-njJOfE4&x$y9WB5B+hdCrWZKgGkg%8rNCO?AT4twQciHJ+#>*|#k0*k@oz~8Uf_tQ_8z@HFU z>*8gz{YpgSvcbK*p=sLl)?Lu@tC`S|ENSmiLRl(^s$__OGHD%?!2CUt6v(YX-7bSw zyqv78!2y;X`^6vqy6VTfK7`wH4VpvfyK~=jL2Y&zpW$qI(=Fl5gsCS=VuB<;o)1OfEtzL9j6r(97!+o;ftzTU;iBB}@ zJ2Y%9j9+sExoiYWA92w(; znM|W%^tclX_Ov77OwSI7SRL}Gk@bvhnZPxPtVO}@dHrw3;V$wubmQ5-NQ^uU&e44! 
z|HaoLMx{hOL5O&{9865IC86g!sN8qe4^7*p-Q+8ymnLdKO>f0c7+D6nu1y9ye*HFUaBd0I%fEPZsYH)wGi>Dm)p!JJbHN$gqm z+S=NFIpVA+SS3^w+$5kxn(Ra{(SKxWg!-h2@^B-B3ip!_pt0SFR)C1;$8Y#yf^(lf zcb0SZvscs1#yQXVit=|P`^9=riK9u9?RwY@wFn(Xv~~wBk{hNyP+T1za=W**XTs-; z+PYj$pE^c0hZMQ#mq48%ynWXcD=&-!gFH96NU+NC<=%$FNceCU`QR651Z$mph@Eho zh?Jy>WbiZ{nAg7|m(xr}K;L(feI16f2uP0NB3I?QzUcJB%SytX;By($-uW>Zp7$x4 zM2{AAv!XI(-G_&^DsWZeG=RkFn{*gzuVJF_qv<5iF)PrzALg#HHEl;!VH#z+XBq9c zNFdgy>Mx~l7D82_Kst)&RpXZyMKho*yzgDpQ5;)I!(!nz;Gp&1eCp^CEP8|0w{j^- zz1i|vr|YW06#H2b0{RqJV2B8q0C$<^fH7W_dX(yxc@!iG_%=dM#x4VrB{e7~Wh2Tm zgxBDn?MK!m=Wugq@-A@GM-aMQu?8!PBrS`TT_{#V7mAjZELP`8cw$iaz&zQ-r0yN_ z_qJIVv{bP(>&I;RSi=_&xQ6H4`mNlJ?6st13x!0W`YA{6%U63e_5$qcE}x#tGu^~Q3oYkGVVl2R}Q!KY-APNY`c48w4DG}?@@ppIQ>lDPDNB<`b5 z_}9=EC|vj^y)mCs$nup7?%un0L53?ARO~3UFExs8n)gPEfu{A}(V$WGs=<btIw37o-*N9{5UelheDGKAB_4Mm$qH&M0C6hC%m#WJI)o>6JyPWL*xdkDW|-HI^m zVuyuKv!l8l%cwR3>hf2aRoZJWpTHKDV$9f;~A>$>Ct{8*NuSV=*7NpTSVd(vO69D zGSVgD@jvfbMbm)Q{asOU=FipJ+lI=Vb2CsM=8cz2E9yOa6P_^FO^m-xlkG&Y!{$U8 zqh{$1Jx(gQbkvb;zo5-p(cQy%N1m*wwm2Bw51uvy2>W4iqoAbZC4ZFUv{pI1`?lddI^1dhc z(~UaxdOmgpki7PGXOQWek!qJ$l>pBTPtx(Tq#9UzUp&LorC*wC3Pr zxdwWx8jHYKOx?{t>3voc1B;OHh>PCJ*Y31xn)>#;ZbKrA(@^;n0&Mqgx3%yAOG-9ice3M^ny!N6dGSla2sJ7rRlZ;OWOt&0(1 zXPZaO(-&EAeDBK5t)CPwq0B?ewRBGn^NElwJe%dK$n}bt2t52Rk=t*cp;8PkI7Bc5 zU=zzp0A|^#!4e375l*$oTVah{R*kN_cmR(7Mz2tJNajAR54Z$B+&#}Xzwvn8#vm}! 
zx^JcyY24kLCr=uFs%MD2G4|1xNNNk)(FRq-xHV=kcDzI63R_BU@!=HRRv67VcboT~ z2{6zklv<3{jsOn!VdMwpxivLwLMi#m&49sm(yPqGF^z^~mPWc5css@$&Lilm1Q%l$ zTTb*Dqm@YGoD>pIw|73#2e$>TYm#mKLPlKBoJs&ASgBDlLGwzHNp9`;foSqO1>oc*WhMi4+aMW{^O?|js6NBy*ZV$1Qj71v zb(Dw&NI^9$#}Kr?^?pB@!7y(3F7M<-$EM^=;evj#7>vW z*Dr#oamHxseWhJz27~SnyM?iGmQER{^&PJfxo#a^aEDD3My8IiGFF<*jlF-9o%#E+QJ%hx+@Ti)3x~bqu z&!9dm>!ehEfW7{DH#F(Gt3@H3W+^2 zaMc>KNb}0H7b(;1+OxHY#-)TI*UQ-b8&Z>xEydJJ@UgOT4`qjQGVNmQr(Aib!Kah) zuSnbyBN$;dveonU?!Go&K*E73e9l2vWyo^4=s9pBMHf?rDhM{s(!ITdysxmA_Ng~V z!CBLJ321b~;eyjvmf6}@mOAc{=He|6cz{anDr7V`CU@g!zOxiN@AybjIozvPt9gyM z0nA{0fA461v`6=j28Hr?W-vWz_Bpw)YES*BKUZ9(3cVQ$iLH3?4x>)B zZ)@y_GOEuyrivn2(ccjW`pX~e>5~np(XIBiTgZC`mm!+(C$X|78PcH*d=sU+iq$h2 zv)*U}^rDAyB$eo6?_WI0HmRm({E8@GTdR>smdvkms~o8+c^2aXG55=KFJz9^a@4QT z2Gv1M|9U32;M+V0BkU;K3=r}MsJoOkJLga*IL~YXoZM8PM3PRS&@EQ`n+qkflkatg zSZ!WRAbHVy3vLs|Y^)w(qvesjKVgEZdkg7yn*u+33$GL1&4-!DaA0L2SD()(w78BR zp-s>3rGqcbq8?g5t01a2OYAQfnFMMBmA3$JTIaYjSp08)fYWBok$#&kc)weexESQz zPa&}V+m03!r80RiXO4RFq(R$I#QMDlHY&lM&9XhsciI}qRWc8!#b=QryEi zk7*X(7|v=IgXU$et`Dk3`Fn3*4y>8Vt>fl*yX5d@MIUMwt;0uB7UyT7(PKKA#fDU1 zaAK6^bGjS01K%30v+MK5XE2cuK13-z$SW~ADy zXz5PHKB0j>fp?W<6H56LWM6*axRD|@1XT@t?08S@C;5D9dOd2bB&!DU6>qd&yC0Z87kteLEpDQQ;r31Tqm#g z#mRA&fB)R9P^zosrkl=8sDzY3@e+vRHdfZn+m}}dEXh7c^!(KO{*_O#uo|oP8M2k8 z*E+DAQuI+W+NY>*E>`7Nqp0hcJ(-I#B}4(XhunROpUbuvZhyG+OFCVhK|GKz12WUf1|WQVYic* zel}<_YV{FejKWxhLjpDJ3)gLmS;p}&vhOC4(_g&!p43nLr&;AsNLPfZT5RoP3`JCqIC;mB__ZM+*$5Ma^oh1a|r3Z8&|=oRzxF;i1E@ zn7YoUhB|}XXVcksHP@ch+4$S-mXpUzhWmg!SwFsVr>AN_{D0kGbU`E)4lZ$ZFuznV zK?~H{PM`0Ej%w=Jezg)XtM-^IYkOhc`i-^4XT}6t`i%-?j@Ikh^4Zz(rOuBKKKM45 zVt+n$he}|qP)~p@ayvlpBL6(cP(##Ne>()Zy%q91q&A_J)8GpixhuU+;59`0nZ!9q zg#N;n)N=ktDt92%u0WqrKJYS)7+mN6OBPafS4ePP5V14?>fI-#bE(KCoh?ZF!*j~_7 zG#>t5rM)zso(w(F>9crDvq!82h{f}-XUKC@$MGL9UG zvq45JIY2Bl)p}+=63%PDPcX=_7*5`-kkz#j~k=6Zar)IfXo3Q%4tpJsR zxn%F&{IGV9rQN*I+mXT#>@D0sv3GurcCiYy)m!AAt}_uJE=BWM9>qNh;)K@cC2C{^9%$^Z^lN4PR>b{khej30x&&JV 
z{*8&=9@X{!4UgnoZ#8wSKpSyakX=hy9U5Qgxbe0XYG8B-h5HxK%h~m zDO=N{Ku5(Y7k02b&gZM9p{=&UBOMOyy( zz=HXw0)w3TUyPr2{&f7+{AvA)mEuJph0Pr=;!u zqfQH>e8+Lv{peG=us|UMR>97?kg1Ct3g#x@4&a~sY2qL|6Xj|4oEr8EmknO+-t?x& z6Eg-DG_=VG00V7yrG;o}o9~mA!K4TYkWej_I72M=U^(ypXTajx!R2q~D3u|4tC_c2 zUfs{)zHq%btP*nlw0_zAR4&IfD-f^6Gd&o%{Nua57CyFnXYR+LE&Hf|!Kg^AJNI9H zv%KqlOFEt4RkLM*CO3W9)Ho!nG~H)5A7Sg;BDrP539!P5NeAtTQ1L3+KsTMt-2FJN zbvHo)b8X*Br)4?%;x7rmkYjypG1q9v13)`^vP{znuXNk0yP04^;}9)nSvJ$aC+A-4 zk2c2n%LT&$vlskOQNhBk37tQsa8TK96r-JKRg#NEuH_WI;?;kDWM#cdHJz-p?U+F% zMc-EuPOsxW@gdDPG!KaxMIw)hPeH*z(|xKRgV9^M)%8wR`+RvE-kfbA;5Q0pR*sew zLe|zn*P)%iGLi&ra)0A)Sm0BH0T)GPLyxFQIl37Fzl3j*y89pM7QXW7hBms4TM*r@ z!^&!>a!q(~{2}61t^F9PpW;-M$KN|5!wK)HE?Qx4^20Pp>KUhLU9tBHz%KPah>Nme z+bs1-@7SYo=`OFd9>o^8GHxLtq7HEb6wavj6{*yg_Xitw$pXeLlM599O}h-+&s1$F z3FYs*aNa{;2q0(dR;fm7Ez&5F3)I8mcehA>nKGixzU{mmYt2#?EkydRmA(&lG2w(w zcJKVF{1HOb(2ibEp|Dqd7-#m9_hbp^&I7}+(g`{o-H`)^2Jic3nIpIJcN)T7*)SR#P%JF9-sF28Y zBh#_P*M*g&U&mmh7Aq_CLYtDoZ)_aqD3AK!*aAa|WT%0VZSN1Gz#<<@3d~*sCMTtF z=hLS?r)Jl$uuTq}Ec```@;%M$dMYanl&*|f9Ec{_&Wy5R;6P1BYmHs6sMuOBPEpnu z@QMmsmTs1*=6q85y-eI8{){uKLKO+$TG~M1LfV3E=poj44f{w3wt(@7k|n+zqi2fvD+Dl0SeuKar!z##o&?H?OoOlm@<<9{j2>DPM%ug_$$$#S#Iz9-;-cYg}Kxc6whSdVcT(5dzD)zW^6+aiYk{|`30pAla*iruY=GKHk({snhhD>^Rgl|y9Ss;aTFUHvGz$aa z0V!&GQ}C@}34-id{y*%!by!q;+cvzng@}UEA)yk|4FUodF?4sQbPh<12#A0v4MXP$ z(lIc^C@38QGxQKrQiD=M^R5BCZ`tqj-QRH^-}mS9&p!6v!^~Richz~FS1hV0tqmST zG4eBd8C7*1v6NPyrzC7w=exTWJ0sCr+EJn_Cg9;)csce9KG(((AdlN0D$7Nmeb%%c zD-zm5a6jzdz64DNv-SX^cK|*>}atUs;s3jJ3b|{r=!?t5WW>Q*Go5-Am z;AFGnShcFQ$C}0K8xekKtL=o05qUp&fr<)B17~@`zbtRP>|wpuQnCVKH>SWxUfk{= zg$4#P{PE-O28|5?M3Ph81|5#Peu)P*H^QYRJD)=7*?0YuGG~mARr1rGMI>o{_+6p-I5>nx&lfki@knVk>5b(X|clABzzsZ!Qk3#T5(Oyx8c zdcu_6g_Wpf-s;{QGxSrYmgLLLy_6o>p($dj!LceA*)2TwWNXRWhSWvnZvp?N*dM0# z_Or|pgtX#De*0*mPe;TlxxhQ}I*a)MF6QYZC1j2#=%5=> zX}1=;&yIc^*xR@x7uhhs_k*AI7o`)t;W$(r%^_MDz+E+{XUSQY7&#}#J?ZDeV2T_x zq5k{A^}9-cr+@5QAbHE9SD@MUvd;{tiXP#rq7?zzS_0d{|HIUB%0>Iwl9-Z!GvvZbjAssu)yr(R8c(b8ph3H?lO 
z)i$p;hV>x+nLy(tr#qWlNn6$K5iqHTaIV+u23WnVYK#P0iCn-EV8y)opnlGB(Whca z9Er@5GC+1B_OG!+R$D25H3j87>K8T!?CEazN|cuY91?a;W$Z2B$w{`1DI?c)$Kh4P)7^v7d7SgO!m3(&(w9Soq+s!bS@cBz9J-2*| z8|V0yq?*^-Ze6t-^M!PKdyveHFAMKit4Bt=yra;LH@7Fug~2Zzy#x#PVfKU=BmRmg zjc0N&Qi#*&AcvZ&@coK|@Dbse-F&?VHBvzl7?-dM4EyT;WfhX1Cf@GJ~fP9C>V}pyVKI;CiLI=>6 zWC3E1*c*o_-#@H}V*_OrcwbzYCjlpLj4gFck}rRtm#exL*xWB zTf&c{Bm8C!JPg=3`XkpbTBjEWs5>xKd}2VaD;{DE<)R;UU#F1S|NL=;@ka7S`?L1` z+yZr2<93#bUUYdejqrVk4>3Sy2_x<kH zDdKhbeU@SH0-GM$2xIYy}}BiviLqA^zG@`FRs^05LOzq;h$Z8u2JRRq;Glb%2R9Xv@_(u+ME0h zKC{_y3Fxa31{kE{FWUS;@nM#uR}+j~{W~Tpb<<`m{?m$cjdl46UnY-m1%MH?8BB=ZG$E&sh_}zNT zRD+ZfNNeB(*Y_HEj(Ll5N|-ip_>M!dd=&QT;u0G-R(t>}wi&=pK-!=~Dc`ZSEI3VH8x2ak2pq5JAc>~SAUnkrWEpk{>W6@|=q zx{;L-qv!~-xhKciujWf-Ea}&JsVvFKI+JN-DFumtC7)2EU!G)~Mw8V!VlR-5UKb9I zx2T!~V^`M)-yH@Svq=MO3y}375&b;-b21`Y`4~TSx-Q5}Cy|lOL!=U2>d!uwrO{<4 zAxKU{?l;HX@;TPIgln@KAWuUNPpk6rQ@X})-w^$65}~GlKoS&kjT#!Q$JC)@Kq@1~ zIs|l32qQ%oJMN3QD7<09c343w`{J(1gN0v7Cg`teJ=5@L`cA-&pi5$4$D-rmamtIY zd##<>UocW>>nZRC)eIJ?YjYY_3w#;+K;K`IuT-Ev)D>c0E7VUMxy(r;8=aFPY@1qn z+fKVC@jUY`?RpVM1^am>)7{ybD4{PM-W(6hF0^78CZcQZEiV|OQfl4QwdB9dKcCRf z;fP6s;^CJYU;>kwm~6|7p9utMPd{%fz(7eOwI&t309@Is{kq zI_F)H5=jsnE-Tb!2@8wPNOY84hnWijP+zyW;fPsqCc9kA)S_Xtk)cS2nHLDW+iMyk z)dt*)_%q71`n5x9gECCJ?XFaefvUt*=!cE4s%0dX=VY6Qsv*MKt!RTRpjKS9CS7Vi zH-Xwqg8u=m#x9LsgAt%W&6gZJ-w#drj&)s{nLu+5^pbZN)d;Z9d1YxA>{$Y`=R^`gDV5kQoMFGH@mU<9FjDO|tfQJea`ABk z0c_}DS5Jy|OY}$9pxPcjPNVe~wO&R#@9emXR=1G>>Z`-5J+}hXmzOCu<00|MmbFyh zjDQw2z=&^~B46=I1N8+C93i@dBSe9Mm@KwScq~z-C)Of0xYy~tn8$0oug$WIeJToh zlLsJFLlU1gb)5_3U_L!JhP(SZcHDTd)2XFzPq<>t8{yLheW@BI9=b^Pm!fjWyze?q zP393=w?ewRl)$?}sb$eSy>!`N#cwwE&LWdTwLkCIgLuK^T+>u_CE23vj=Y0%#G&w` z`CNb7(&Er+@#xoNb33k1oBiU+!-zghF9VKcBY9$Jsqnu6EQza(u>7V{O^@%!(zgM_ z5nX$CgNp@XUo?pMg}@i%#X7_jBiSl1$fknreCADEkV1>`mNfSoHzx4l7gO}_5Rsv( zhVkHA10eOhxP2FT@L#Mxh%`gBi50#vGPkKjhujyt9DLR6T;t?GHWpq|Uwq_ey-WVY zGL?#vVY!54`BG#}2M5~_Q^SY1nD4U_u)6OAp3cmSs^!bM6i~%c$CUECauVq;IuoMq 
zbyja5wJ=fU`Tk|iyp#+gcwEx3D{0+{)a6~9n2U}jmsN+U$mwxVgSS4re#)pz?dtpq zH}H5Ur@e{s0QrTk_!M8~jObXnZVlVg!vb9xK8NPow43zV=eLM`T<-ae1z=RU8}_8{ zIVq0=eGB*47vcsJCcirM=h4i5dhV{v&52CB)&5d-a$k#0l4S{zknX!3%&Ih67JK+L z2pffN@!J=6d<+su!1IePz4aI#8tT$&B689hWqQJ1MZd$LcC`6vu*HkP1>63t`J0%wUa%6sa;X3rkjeLIg1-T}v`8<($4?3z`f;vu^FQp(I* zW4vQ>LUp9X*|HHfM2_q!+oF>;Vx}6zPjgXzFmMvoJnh-ayQSxT*w=bwTs~9NEXX^` z_i20bAv^nn`UO1{>H5WSpY4mm5;NRk;kg8!iyeI$kL1o77lQSn=doz96-=pq`lso= z*NoSw?|4ar4;5jFBN|e-0Nhycw1G zCbE0fB96DwaA_U3_CiU#N&O2`M8_rdyd(XFA|HR=APq+%nql@_%PGe6YqBG=y5m5N z^QjV*NWAsc^ZV{ZN0*YH^t?9m@roDNTLQfc`^)iG4spHy0>Pb_SC;xX%q@j9BqV*f%=3ayx-f6*Cu)N~ZNxls28pwRSG_S1z^sEv~Q$g+LM zR3KD;<~M&htnSYkMK#F1oIQ^Hn7#BfKb@dDLAa`zPVnApqes@8`=wz0TpvT0yhC{w zfu!lYFl{Lbiv-v%lgp2oUc@W=)khQeqw|iLZ0=%iHHgT-%g|ugybC7{fwQ3-M3UWd zA{Io48UCH!!iu`g{OiuUW%+5EC5_u!vyTJ3Y66g^c!dEgaCJF(vF*SW$I_#`I;_%A z)-2F-eGUFD=1|ySOxkdyA;u3HyEwK6S8n*RZug0A*Obff#tz|n2zoaGOyntsjfg=x z)~!(X$S4|&=Xxey=0L+ho@N+^Pd#Y(vMatQ`eE@dzBl3$Tre`6YmKV7acX4%*&|j> zw9x&zK(i2eNF-i7aWLugj%YX6)!fdI)vN!f%*CQ7iHBV}@N4u?eHPwk2E)J0KJ68C z+t>bl5lnyrisZqabKdRX!Zrr9{iM%vv*`QP!&vfL{OA(Zg@`&UwcYhKu{F?pB;UTg zu&2!81@VDgm@b`QJZ37*Z`yKe(~VoIy82e!-Tk$Se9_qqzdH?Rb6nTtS}n;N5d+$q zNePUN+WczAmm0@Q>K?NEcZ#ggnFu@8qLJ5ME-hE}7g=EPaWq(Rb}Vy-#BLYCQZ0os zrziawe)c>=|7b$x5ufM8{ffJkos+Z8gdz-2lQt^28`Wl5CMb*POOC6B`vYdW-!3}U zj&M1y_)K;*?6&ByeLqHcNvzj#FD!ob_W`fGJJwhiW*=Y(`-)vUKHjsP7oHPxsQVeR zq<}730B%A{;+S3q^MC`_AAS99%}E@fFHhxPvPKIkwcoEtQf%xF$8vILBd zY{@?>xrlhL@W^mvMB|5;ElujxX9v787dR7#m$ULJ!UCC8tLl`#@;^or#95_M$rC4T zUN+TJjHTEqrV-;<9+n83eB?Ik0TkF8nt)zmV}Q9~+y27sGijd}8Ufd9 zmk;Ml#I(%qHW$Gri&h*09oF`zUUx#Ta9`&PHBtt#Oj03?he ze2s3q_yJU*Hs0bs2UnoB(#(dvay3l9Dy~M;o6!s>fdUAwFvPC3Lg5tau)-qK#ynrv z8~X$o_JbY`?OSd@jPJAQVXYu}kTT6BMUtV4Hn+?7v((~^4{@v|h zx%BnUPJ_csQF1Qu*@KD>6i8D*t5P!PAS7OtEzDsY0Cyo0YD3}j1{KbI^sK$a-fm3)s?_d3meu-fhhnn?1J;cK8RPPWQ+gwG*Y zmYJuPuwU~_z1K$2>kD4r9X%V~+8mqd7>_oLve8DA5Kcry6x=M76`|nL%V7j*eMlB? 
z{GeBco8=g<959jOXUyv)$Ipu4pG5huAuovns_)K#36J7C7=V#f$ z$a~E>`B&sAy6yp%cLY>rko0hN@7m)*y9URvkr}Ks<|pW=fa#>Cpd2tT>+=n*T6>bgf$i3OxU#We#o;ps_4H3K+9p=^`Nxb_U zpZ2p~*hbFG8;yNWg~>hJNBK%CJnLAKY9MJUD(SnDnxSiKyasl^pTKpCw=9OmHzOzg zS{JIpA#xO)*;QCIR3@ zWaWSe%G&--T&e7feivWoRPBwAG$?6gj!=r4SHROdd|$Ob)rTGlh_weQCazNY4M zi}yRQzhr3xl-fBeGNdm@kVl*VybMU2-kh__s1U49y(PP}w{w#P7|QuZ{r*mD4k|jC z$u(zy;7 zyvmw*;w&Fz$l+h#*L>e8W%}#VI2Q^);FMn-WVfwYaR2@L@((g>PrBLDV_&M$b5=`b zcwdn%x#b7e_Ro`V7=#Z!&phv~sT^_6e@WYYeSuRHA9)p0IdbnQO4Hk+6wk&>6Q1LH zl&jtRrT=nPC-by%TU6tX?Ck)4@Ih`!! zR-c*vg@UM$n?w>C!01rL-j8f$RDyA@!tPY1K~mE@7}a9SkM*=e6!3~1^&VBVio8)B z7-qB*G?NkD4Cvm6x=e%A@@|0J$@7>f^XuTV`t{5iwwHn9iCliddiHo;Up}GxwVovV zo&A7~?Zh~q5KH@24wDBi-QmH&X^<@GeyW)BYrlFwIbkUmcW>;>*R7#)SYc3rlC$)C z@jKe;I`xM9Dk`WL0O#=qEPnUeFOu@~oZb?hR{wkr{(cko%Wa*0gS7U9!czU$fjrP? z`VMNP&D~zBvEF)kH(D9)I>!c{JRb#JF!Ieckk9hCAv|eM0$##zg#x{G4%}8aHvPnj zCjw5Ktj>g#;$Nc2DM8!AQ}Bjo;_>j`N&);^0sQ3Bx}bl_0w8LE?LKqb0A+8tc;WLF z5(w04;3edHiNB=wKnp#P68{66_@gyzTp?N$;V+J=*Hy2Yn}@uIgKH(EyhrYmpFXw` za0*5S_NSe|zn@nFbb1JEUSX`iIo#9ZQQ1?&5Do`2c_0|L0K-L1LrfBydS2fU|xLEcQ3ef8`ofhW06);pf1 z>@U@4Kk~o$>TrFzv+t}XnO#3=Vc-m5m!|sj%6|o(J2642JElmP@ZTQeR2YE=SFZ2R z4JBmXIeFgS|Mr(}&q%5Yi{KG8(e{+Qcr}?Cjr;g#wm)6+@AHQ?91y1ep z_y0Y)^R^N|#r^$6ME|@g29>L)uJ?=cm%HcBeqwUsdY}HUV*N{o|EpO4t62Z?n1TQ6 zvHsU%{mWziZz%k4L!q_|*!5ZKPrNXDl&;Fo_YM?L6n>}1dZt(vPAmH9P#t2b{ zuCt)z@-u=R4eGs{DG3*G`1&959KaLWb0pIIRd8gth=!QF38LgA^Mjt;}D377k~?l;}j{oV=pH=`oY0*o+J18 z|NIjTia_`F^u@t2<-DyCYTz73=+vwKOOU47{<5#;rSjz5yxEsk>p_0pu-(6JjqUbZ z)^>i!hBeo8KHNFCGW~ZDP_q{J^;sp)S~0}4MZPMFMb|3(-78gQb8=PQTT5m&T4(jH zAn8GOvLH&Y%J#iz)sWiO(xBEBunF#lbIcR8SB1;CYlXzXFpG1SJBJTIJXc>D_ygSG z=AHp8s#z>)eHK7oxdmX+qCWiWXaUiHX*0oqK6=JiRH^2y{PN0_rxF)+w!Mj^9j@h_h0GlQWGyrZ==lfEd<5hyg?vDFM0n=8 zMK1mgzWBi>0T3}s1=1pYU=gB9NwMvCssGn#We})4gRlBJ#Y?w;A)J$&y3J750T8r7 zX+-24dLNE-$~A!E=>3oHKKGG#CtoOflWd{FF9a;@#=kj0+iED&1Z8hJ z83F$nf(4Z5vwxg*Z_?TOeuQft)4XjeaHWSav_sTK51yRxdZ?Cw{9+wy2$aK>__D>ZK846-jf68xA`6o@ymW#Yfb(K{wuJh2)-< 
zXnX@O`J)fKbmQL&1uzY+K=Q#hlwNT*V+h72AFm}$HKHG)uc(SWL@Gdjj_-!Q;QD?M zF13+Y;58s^TcpPn?7VPBY|kGkonzN3?gwQPpqwfeF7C@yY;`9KT+LIwZ_!fzHH}c{ zwXW5mRHWazR_NhOJkV{+((HQnetrNa6fC?D@uxOCe~@|6*9?)RL@5Z$@UVpHGDEHO zTGrETbT#z8*`UoF&}_=$OoqMuXT|n~i@^}ZtyB4=d(WXdI*mj@KAV^*DX}eLu3~s# zzCwzVe|a3xrtcVtW7^9;chL`z&sf_PAZyXqaq2mpulOxPjS!rd$t9Lnd;!f!w&6Fb zcTd{eDj9q>XbcOs9hYSZ*E77Q)e=0Fa^?x1M}1^Vy$d&)Cf=IiMqI3`GN^lBU<^~@ zaRAy!bjU{sR5w1o;XMZC8F)iq;p!!f1O#W5MD7Nl+@u~#uYcdk$-|Or0Lsli`cgIK zGMlR!zHKkWhCe?3ng2mmC0QCd{1G@cFVaT0G6Qy#<6gHCFiZI zgP0pN^))Ac(yh~Dqb$?i8rR9<93du+bS0L~*3kLK5xfB$+BDJ#moofQ+)N z>TOYMRZ~$+wnt5p8i(FsR7jCNw8}P)v>)Pj>rAp2cIAUkt(>3avT)V2b~RLv>UmU6 zAm(9ajzAADeimk!^dpDxhKqUnM_vr2YA1*?Qq7d=Pp`|MB7(E2nI7G<$Mxt6&Za~G z4VGpy-OQhyFF?VUTdwIu@wP!Hj zLefGWCC*t%I07crLVL$n1V3AqjpNUw1Xi-hJRdG`9T#Cgdtb6ZPFix8L|Sn<^9A!j zUef?aLfNj<&uGgftQUa>TC_?Na!v2O9+Mz}O?T~|Hu+az{pAlx!-0T}=3d*y@;O^T zhTy0x;1|QP-|mpyNh%{{a1jl85TT?5}2G3wpoKbU` zA{m3Jd6E)dD_4xu$romAxNC0`fD<1=c-JwFA-SuLC%R~DObjR={D}{p3DE(Hw>2|)n~*=1c)o!>g% zR7vK6n|-;mwLBjDaQ(X$#2yOhF)sw@X87}q1@#|+w?-rLjRWWz!>a8EWs3lg>r*A> zxe-i2Z}3_Jh)~dccWT?6^ri9?WmUj9A24ujaWZiIZ~sIJY^^ByF`shd&mX>iw-V=E zGyomL&k{1S!JW?0d!WpatI!0s-@tYY_vqZRr4Rpy3m?A7xV`&5+$qQ``DI^pbTq^E zyO%04q=0Z1_yFOE1HxH7s6rP^99iG`R|8hP!YfA%XZE0rNRgJNXzp6 zO3PX1>#uWOzvB$?licV5#@BKQn|uHa4uHUT7#K|jh&+iypZsz5fpQc)an78{@g5-K z!KSCSelemyI9T*zYVKjkkCoHkF-Ke%+L0#5!Cd52LHvJD!#fJKEOcB6+I7L4~m+c-{)g}q! 
z6mTV`dpI`XWuJZJ@TD`N{SR!DaU9S-293UNdlW-1ov`?_Zv>cBp!+rJaeA7im#!pU z=&AxYJxzV}Qgyd2n$(u~ardxF&4yL2^3>Dqb}Rc1d0-S<&mOmw=-(3fZ|SmEH+b+9 z86#T$Dx*Ae_YWAfKIZrHY%|Q z{k=w|_l93`Ek=@_)Q*1trcTTS1*Y-Q$mLex0QGKwTfdpa*D?bQT6IovFLfifYXhuh zgunmzgsi(80mK~B6cK_ypN>H#=_KX=iwU?E7l7vPBrNs9pSBu!p8z!2D{K^Et?l`YP7so%n ze;e#M=;KvlX}cjUV6KS`*v(=2O75m$XLiSTl6%st^sp|Re%`wk|EFgEbuO5MVVgZg z(E6-c+2nE9IT}B^Q2Q8gM7K>V%N==o&QP+!B!J2Qn^kgh;tO;uDrvlhLC8uD+ZHuB zpHZ$VKsnbEY({aHR8aeHHWgUs258{`^PV$!;Ic+F&Igj>XZPDe#S^^-lA#*T$u=PJ z!;M}P5Y9b82wxGy{xRpXmPyS5SY{`%AwzyInH7}1p2_6MhdXbcaW7pA$-U$m3w|No zfzxnSpDkSc2X0#XB8jv%UVAoU1bK7OSrVRM@*MNu{DP*HAxe}*x?CV6V@PrtD@2UD z)9;*&TZ(;4UOi)kRrVL5KQ-g|ga5$v7XS+y9NAgyO*Ql=;sycC;-2Ja>W*n*3fvXa zuVlUC^AC=kkqvlYh+skf60*2RPA(@{)kd+B!&IX;UY@Rs;9(QA=+i&yB7PTezF6bL zekE-G$*arY1Z@Uvm21y3ZTila$^!>lqYuWVZ<76KhXDPr(IjXG#LQ)&kI|$5E`IhG z=c0dRCHChe;zA@Wh0E9g2LFG)(rx_g4qMaB-g0tjVD(ln?Pt|L;akR2z&{wcE&mcHYx^YZuqIyJesCys74FeQ#zYtHf^UWo3W#`PeB__SEWK7Gzb?#w3) z`hTnA1J|lHvp)+y7))>n-z_l`q4+`WfArD7(E|-ph@sot-v$)lz@N z(7!LN-vPXd=FgXXmbRFz+`w;ueziwgHOa(XPz8|-wr5I&O4iNjzMfU3=l%1W8A}9- zay3@hmJ39|OVH?OV$E#n$l>Ezl1^_Q=LO4Dz|`s42P$y^I4MUb>ddju8UtmUOQ&wV{~;7JO|M3IlljA?FNJ?ImB?!7Oo}5B!YD3o-9_ZYg3E$ zFg*4j5r`L+C&GEf{_F5(<*9!iByVe6wNqY3f1`uhaJh7s7N{xB6 zK(bQgpJ7eI;Z#>pjc;P<{

56b$If`hUgLiOy$3EW&n+%{%5`M1`uC?EjByUpP9mq ze71L<^pb+{Pxp_CPlbJ$s(T z$$Mh)`JC_mdFHYzfQJJfn1LUz*Au)@_)a$--B8h(}^Iw4l>?Ul}vXn*ep|{azBXJzll)BA#b!n2q zXn>df2V{QWf9iio;Flcj(pSf-)j^(*>9sY4Z7Q#a6}VWMdL3Oz^ZBW{)w4;3+bE}1 zhpBvgr1bgSzuoI=xsxZ<(?|$zItw#2AK?sW;rxGAg|C9ph(RgEzWe}wLvY$Cs_T-u z9+l!Wbe*4HVoxKIF2HX`1Q^>c9JH%)yw`i-911iwH#DIpdAwez7tk|49q{6MD%Fy_Z$oC$2^h#d8;sJ7iu94ojcti$bLto6&Q zN1kZS{~i9Xm*O%MTzUineC7XyQ2<{FsKduCXMKvI2yzJ+|t zeCcxT!h6D17{NlgjoEfe?GkpxE$DWYBkGZ$BNCeUT1I#9uRsFPtt-U$J&}`vTzhpU zA*e#_LVm9A#9eeXYeq{E>Tmc9)mr2exYQp@8)rA}AGOBLZAXm5g7!VsIR|YVxw(W7 z+emr~>M(w#z7BlL_u=dwR64CaphW{0d1P>=V+_b{V@K zCC%y4$B~sEXS|z1aU+h%F)U#z%hmQbIP`O4l)6=5O0l^?ob2A%^ z^K5Wdl?;0Qk39GY;1_{~StK=d9!*aznQh@k5k`Q6Kmm^Xg2b)RyX1kpzzPQD$nd%^ zO2pFPbB?EFAM3!!CSWI z<8~kV$tUY--CLY+!SL%4RQ2)U?n3$!dXXQw0}>7$gBihcsm1Dz?>RA#$4iYl!6HQu zXU#Q$9_kB_u2f-T@%0`4C14MQKphn5Q_hC()blra;kM2Ip1e)#)L|7-j-6%JE>q$_ zK!vi9`N=a!l8>FW_TAGR8AVf7cSA7WyJej9sepPy8xL2`U-;R<$YTEm_`;D4GAK%d z%=d@BV~rlFK$HDRA}|=agc3f=2ikf#1s&FFoNIxlN>advI$JAL>5;ewBvSY)(9k@# z)>r~ezZhF-Mbh=l6d{ZXosF19v6LC}U8xit@(GvOK-r#XtV+$AgRoJyZNH%3_tOsX z2Oj70h~K>ITd5zuawbqc$N+Yl_m|q2bg46I0Z_hzO#dGbM1B%Mil$J&?p8O&{#XlT zk$9UMn=5auy%V~C%1v&S`r^9pNV%n)-WWgUT+yJRK)~*nupHdSs00NsC{ijdFh&^3 z?Z$KJ7dH+pBaUt2Z8L@(YIpN+ZiscPt*c2Y0Qx1I0q`Rv`F!x8W1eW`Bv*L~ZiVLL@sAi_TTTkYNReeYKpIANK;UBG z!HKd|5MjHeVx^=62gJZaqPUOa*NfY5&LLHxI!^6F?m5*k? 
zUbFXG`mopHA!Q94X?V?!aH3HsC-9WN&qeEY4UBfR6gBb}web+z16}AXn=hiLP@Y`v(w#AI^+72iR5n@`QZtYu1Tb(7gpI%6PI^+OF zuG1yu!Xyt8NqUft^piGEkzw|YXTW|wgqW@~QCvr;|O|9TmYGfy9+ZH!h{qACa|94#q z56wKEy-scs?bXWWZPu|g52FQV|ECB{LD7-F)HPSm-Zdn@0eGwJ@9D`w=UXJFIKtxk zsh4k5zedZb z1uQ@8Tmn{tTqW*qidn`7U0xl_R+sDa9dJA@!R;e_(d~h@!2<)kvPSB16qM6{mcf@s zXzg&)R-3100P<}#U0PiN_PL7Xa;KsZ zGigheBvE}~jZE*B{V3pb2suwb3HufB!}ThWc!QFSUePZAzNi)QoY;6U+?3m(MtrMR zd?P2ecyx7ZyMcZ3XVRo^z9W22smf&fkx#{xkN=NAT2xr;%`_n|Z(yDTMuZfQ?PS1mun4_?IgDAI8dqlQg1p*g&mTr9;;+V~T?ID#r8+ zVDQ@cs7sKxs{2c&L0$86E#mvvv?UJ@DMNo7n3-MO`8VGGW#aqc_6g2;E&^kDDKj=usa*`NIvk9FAwCh|a*hBAAr)uBJ zKB$GNdX9k}yCR?I=Bog@3_9->8}$^|88;J`TeI5@~LBc}jHIVf9jNf|0yWn|ahh zzUbbMpiT#K7W8TzRubvP-I!b+3E|mG#xU=DqYXXsGW{F8ZKvW4)uZh#)9s0+CzB)| zN2Whh&r^rWbKjF+t#-3rhm0)BpbO@wfC&GMNxmzqt&A~1j<3{4vrox4V*DX@gdAlN zR6cr0LvQb9o_>h{I-=E&&}PwN=Xu&gHJ5Rr5iVFKH-1C^i)CwL-?;KR2#@zr1JQe# zv}eqgG@jCp>e->&_z2H!@BIn!!yI!IVh!GFWazjD0L5Z&k6K1Pkd_`Jt8VgO?pwSZe-ZkT0%3I&e)%2oHH%7*p=|QV9*cq&@J^M{kWrR{9{vu4A1?XZsNWs$=C>Poh%bz0-s$<$CA8q4h~b{)S8UXWrbX z8vk6t7$Ln_disUmvFz@LUrwY%QHn%hfGJ|W|It$^5}j2GzRY(Pg>OV}t*_}jW!8Bg z8H#Vuy3Og`j$N%Dvs%vRoQH##3y36-G#Yl~bi<$fV5%$NKgI_vDokoV=u0x8%{spV zTjn(C9FEBq#*SsRzb+WKOKEZLjO^z^s$(`*R!8kC14rLK7DJh>&MzGjNouXt3qJ-X zq^b6{>J5PHA9+?nlyyqw&bZ}U`c73zwy1K;uaRE3%`nw*j9o_Or7sMuM=?f%pTdep zjRG)V!V{pLc>x&`N1Nf!4U7;YaaR+$7e;w6`v7>J4aZUudxO3$a*0)GN3URKlo8P5 zhW$p2nV;6PHxJ=;m~M9%dK;LgU_<2&ef%-n1}}mQbClY=ud7Umzsn?|1LsJ1h>3(S zzfrBS8zLmun;cx&aob8?3bQs+G4>VYAGT`U9$TD65`J=T@CFC%GbZ*OGfqd(3Z}Zx zaGDktxJKq^D%jAfV^CD|epzYH_JY4+6YmhJt{Y2*)~q`LVcm9_Q&|0)dtqX~+4t&z zNw#}&l^kqy0zs8owQixSC}|+}HSVn2ZH?-$L8X9&J6iJLh34-4P{yp$$H)eDY>Im= zS5d2fanzlmex;PS_Fr(h7}|2d z&v$Js3#fX|(JBE9?jQsASL0l%LF5fq{fg6mZvAC4&}PCBNlThvjq7dFr=alv0)3Z< zaXx3;KPm6T=Py?}G_o)M3Ooi@s|Wf=B1ChTb=^fqivB z_m8#fL>~ycIy+VP^vpnK>$3^PbXb}W`R5Whz%NW-5|5j6RAC3@Wy_>-99D#)Cc~Ob zcB%HPL5#Ow2Qz*jX%<`a%V<%CivZkUU+DWggyK9Yy|Fx^uH#R(`dHHO#^lSt>!7P@ z(U$cqlJm*!qCbBQn9$g)x^=wlV=by19g-4S%Bf48v~1n}v^@{JY<&R_lpFn(y?G=* 
z6}mmPKyL-+N%I~vH0>-pNoo`(=~W*SbAb#8Pw8WAWqH`E^ zJ7^v2HjK8A72FrYv*A<;WC0vTAGlTw;%9AGJVE`Y`E5s_-WylovNCa9Biwz%A7M5I&6zZa&-iyiXXdl(#Pf45$@uM znS;-e7bAI!)XSe|{w`2T9kl}AJK9Y!*2Fe8H|;`L-e`iC2k{qHeYA;?${6J05tI(Y8tTp~o21F_oJKpgtBB$!QeJlOUBs&Yw|Bg(V35YR|gd zgh6&o;{mp5MUs{ah6a$JPVb5yj&SNBw)b)UMRkyr1lF*^P$f7dH)hSkS^s)f3c(~>=rW=Y`InR2OtLO#S=h*4GF6Ov2YmlT;-hB*z*{8j^RWn_(d;>*o z>--#XRJ#~|3e5RtNq`; zkI?pZEmAt#<<>H$j)uJ@DW)y}7V4{ED(drM28)Nn08Dd3-f%gn3KpY= zhl51f%R!Wi9ZcsBuCVBUNn3)dkvs>pn8R@`f$k%WPPA0MA{_-+b?2lC z%XhhDh)Yna1?SLr`npw8*!z6#V2agzZeUV`kqq>SSn7iAFAp4Htdvn7p|=W`3#e{vvTr_qOT` z@G=5@CI8~eISbv%t^N&-(CslP2WpOrm^8~kM!U6YH@vD5W*R)uC*$q|tp@B-=)-X6 zJOkb;42EN&x;cK8?*G5>izmupGoQ?(_sQ%+T^(nfmVl{ymgBS!-*I$LlNKuodM1>m7SKncG*VThp~X zC$Y|@`$?-&p37SI==~3prtaankE^G8E&VK8sMN0C z>T$2KXzw?9SDCZleq7hrT;GEQ zTQ#R|@2!HJs;!PV=133Sd+v|a+QAyomD3Gb7){RLE97slXd76Sv|^*K7!*!b8Kphj zy!Bpl<5C0F!p7vPSgw53hC^;gb){8~Wz7$f_?}W0zfsu-8^?WodY5+lY<|qjZqkpv!;{=qjZYY%6;{k~N1ssHst6<| z{;Yan%}DVXdCwGkZL`Jni?>D>q)}ka2dWo)ky*y_0WDWntM=Bwn`{QcE?p*JSFV`8 zUk-p-B>5Tn9z!#R8$8kTq%NTZK|wxBw}v`e)BRX0BzDIq++qYF<`6B;loG5Nl8iMk9lj>2aO6Lq!FmKQ%FTKTH5gY8#jHo|C(+w$7%!o9g_Q&`eC;kj%N4g23*OGwUkqPa zn=hMb-Ev$|_w&^FS{<>hIj3KJ#BMu3_A=f;#I3_kS$v+veR7n*20WhTN%oZwT zGPNNn;1o*AzI;yi5)k2Kj@M_o+RGO%Ctjt#l#=){1XD;%src9H=2PhL>(3rsxtzFp zcsauRE5oOU-NtsO1A z_!)+8jHTIx&tOfO_j4u;VM}B9`?cUP53e%q9d+iCApq~EHjcRPWXK9eYyOHjOk%m-e^7(DXDr1jrI_-v*z7-M(v)P+g84T zeP1LG?m8(XS|zX>Kr^n=J2w&dv-L`BWX#_D@?)Hc+T_dg%}m-RpPO>1&u2VUK5$3xYp-l!oMJmg~su z{92LyM@d?)tAg5fZ$gYTC;7p&RnVq{rXKyj`E$soj?NbK!{4qBB{OS%;tH zSF4!G?Gqs;LsidC#XNX`4;WhVtHnmPKvfdKj2=OD}aF2MC`idH#rmPA1~Sd`OZUtC=81lY#aL!-kP!01H7DLBm< zyc-}E9kIMUOz~XDBUhd&x@_a=Gq!+IeK)`JdX=y44uN51Rw4DQU0rWW5WJxH5*+~E zi$k(UZy1|ww!O>lhoftg=ru<$sbd{v2?^?jF64szvwPP9M)pfejfVU{n^Hiv!<#6! 
zTfcf_jI5;Iz{vMVcOlWovPXNeEh342td6U;=EI@42lnUxVeh?zqRP7H(Gf)y5lo1H zB$X^dken1GCkaiC3bf=5l2JsIoRKV&nkI)PN0AJTJ>?#%ckT(=5EJ-^5aUVhmvxb~sH zKrb^d2Dst9eJinQxocamI1eY2=`}RwC%gDz;&0Ix z|1|pcvp1x4MJ5=R9Lxq6+09gZPH|00gR?^6j(%-##ln&0TGeressrhwripsURJHTb zbVTFk-PpN(+B39{qM4w>0%IO;uF zF^V$X?5?|;rfw3GFIz&!u%AVf4&3S(%$k8~Sx{fnISi3iaMrnG0cTe5*uexy03_tI zTm1kzuH8coHfeTfMXUq%9h?537wkN~}IWKlJb~v6xgv4p#Pzs4)vl$PzB#({FKo`7DeEAqs_t;wv~?VIvPboRb}p z{iaJiTobWeniS@fo98MvO1020a!z%?(9fp{o0=H+Z(HW=1-Xk?eH4P6Rj{DTfz2J? zo}SSLsKqbH?Rs925V8oL)|61W_n7RiDkvnPe?)ws0?n=|0{}EG{pAt;(!(mg$v zDISgRq=j1?I+uxARY8yuvTPmQh9uv$GDk1o{J6mZtk;}4BgNwxBVdc{;1N=WZza0% zpHqeD<4Q0`*2x8HH&iF9A22}!_1dEujqy|`IB(P4x-(IC^x0uylzEzrX~7lbyFN$& zjeXVyfq;2chm?x5q0@&6ZJ&Grd-#)Hf3{z&b84eFa6xkx;F2qcC8e+TwMAh^TQngTXm=d zWhiT1QQr@VJ{OtMdy22#D}hk>OI63&7EY`hs?v4KEuAZM`Nw_99Bw^&?b3s#yLC0_ zuJu;2pae_U&qFlwJTwV^urmQ!p}Kcu(lwfOz7HA*6&sk->vt~F&OdjqZUSd#qm4`L z5}!(Q;1`oahp7PkwBWm&GS&Hc&O#4)@TRB<$4%vCO zwj&%)13)q00Tva=}?nDb5{B_~X z*+kx6xbt%@$Qjpfqu=6#D_y5el#p?aXsyWy^;Y`kHeJN7$YJ!k#%A7PvdWN(p@Ghi z6ICS<)h>2b&MkW~uDYvOjF$#yP_XPO8IpLEsU&(V?tt_4$HK3c`By24uWepoO)Ujc zObC=k0U)7?FUJI=`UB*ANsU;Urt|X4i+GWWc>yt&mCKn?98UZF-k*)?yAI1zYLmOQ zi;FA4C;|}cqrJB)UdyYVmy@^=+15tQogp_Ls^`kknjXnzd)uV*w*lcGKbA`12kP}w zIWcmdCn#m-WTU&)rcO1*J zn_W=KQqKC~U^X=B!2qu`n^BsfYZ*!Y9&Fh24U6M5DR}Ef26W9O1q4Rl9r&XCRW6=LBsOZf9^A^FO^AN#Fr7U|xMFW3cc4wc= z6+~BIs08wJ6{>cXuhvq1E#EatQe6%Xt%fITAJa~4cVr|zv(K266)OW*ke}^Pi&@$t$|HsSafpMmVJ3d6Mb91bhhx2)E z%%pW76)~FBD zSuV11H@|T`#C+(`cSlG)0-+C&=|;fId|tcO?W#`swMQ|vrgo7@59Vl&`{4`@6vGd8 zwKWTDJ}!*h6~mPnkUk+{12qs*h8D#nR;E^{zGmK5wz#j+(qLtqRqAxCW_J|(k@|?> zngw|8o4d=#2Ygd{6V0+8Y&+jwukNjo9|o#azY6=>n`7&dWriyu#)7VgR8FRdJ=$Vk zp5W|&Zm4SWxO`6Phq{PC%o04>7yI}&W;^mpns;g;q))AjaE5}AQ}=f^5RULix~4l0 z^i@Lr&e-cqRhcm}Es9dvVEqCfDvQ_2{l%UlYb;2tu-)>vZU1+I8Ha?M3!}obk1(#g zAz&}Y_`?x0#181WS{I#rHm2q>u^^EqjlgMD@)FGnEPP*YNOA_cdq1f@-V1ALw;Y}y z$McH~1!rdorM*4H_C!~2F+GOrDe6~P7&G_pyei6rm^=bu^2f`WK2x%N{c?^tWBNV* 
zBCJ?%B=0scyUGt`;*xb&AgK2bJ%7_X0vW3y^Dd3H+;2ekkwW5fSNClR1H;1T1RJ~kI5u6}1Y z+nh;laOD_#hyE6O@Ah4Eg4nOWWwbR@G%MiLd9JEUo#ohEQK35e=-?n^Ho)b|ayDK! z^}-xW6UiOSI=^Q>%)N=pyLl${weMZFKxqlcqL2 z2?UP~nPvXYzmE~%#U#?B=;MGLH1#p{Of+}`xUG-*_wMk$6ce(6m_E*6wU4!6E`jusB$vfnH9AGx@k9L2}{?ExEM|&b`fi( zIMnyD{5!>+t^~efO9yRKTvBBkqWyTyN_qaDTr)#+c{3Z;y05jyD9OgbL_NX;URzP& zeWPF_c!Ie9ZN>*Z#E)(9?Yo~NYA{I*1|1sIaSAfc)zgF4>eW}6?OUO?=OSW{<-_>!-jgF;>g>HP6qbi_up@zx5cDa)DndJ?FxH3a(h6 zobZlK919)F%V(6JRn2;%@84(D9DtH9TJYbai)_mt+J`~Ne?34OagNL=jeQ|IqTmO;NhE^oiG105^uW?v-E_7T@poeE-Jqtu@VbG6H)yR^#q_mG2GEH|4&97}H& zuRlq}GoFL$-%wEn2G%q2OlXM3J$9{6y2>#wEt%sD_61ZuLL##7ie%b|2gan_KOITA zc7vWJY84oqtAM`1-P0-?%)QC69|!SQF8m&&@4;f3WJ+#>XYO^tXYri-vjPA3LSKHJ zT-<)CJz_{t8)QlMy4cTCeXp5HpyZp11>o;P@VtXcMZeJ;$=tD&pCM-u{b zL0(=Qtx#!wX~zBCKMKmtH7(5WHNSYS zsM`FbDJR0TjVNHdI!wxq3!gH$>+~m-PC}<|qy8+MFFMvWT0P^ENiZ@N!F`X1`|ou-}({%X9wPIvlF8jTy} zXWq#h?}Vqu^m%}AQt8Yh&lY|6ud^@iUB83LyqcgjU_LvrH0u+yKF1cpX5w|DT41?U zfZf%;E8eKTHRYUft`2m0941?8F>)`tE9ri+JHNp6cAsTZBrBUBRY7-m{Q{c^+m-U@ z(P6J?Z%3~&qmlJF4%g0d?-{1YyYPPLMKorU=~@Df*n4lVG#feH8>Iue#T^$6=Yx4p z0Gv7GK7&34vzaT|323ajf) z%OUCRI~@~MU-PQYr(Q))F*o`V;%lo>XzVs}m=5k2dUJ?8)MOA3xMjPwLwu(zmNPSF zXO14hpQ2W3H9;3r;x5W`p`RLjO)7srcGe%@oquxCj z6U4l8K#emhIU4|bD=IjdU3!=3&T{{eavAHoQFb)k$?T%Ufc%B-TCJ)r7LLW-`dG=t zc*k6ZA&Tq%c4dr#Fx8 zRZ-KeazcmW;I1Ek=Nlg6jKp_@9FdXBlQk`ILfplUA-Lg~oZTPQn|+RS2$e3W%9jX* zws@ZW+14bXHV|WWqM9~z#VJEBHe4r!ioW^Vw^l$Q1){)HAfRVc#e7!y_3D@IpDLB- zUhw>91y8o}6Agf&Hx@*_a+@wkUOwZQc~*#{tLdX>(w;@FWI;9-EEI z0llTBQxWUirXw#9hnxQRGambkU=FWCoE;R_QDIt*B3}#UubQVS4a_m8<+3W*L&?}^ z0xf?Ww!OD@%qHFGJF^v_8b4%Ax1Ot*j+duQ&~=xhsJ*PmUkzc6vRmff>@DH-Cw^Z8 z%0QY!+oQsnR;bZ+(M-Z3S4=*K>oRXF7Q=JS5d>9LisQC=K*VkNP)SMYT#KmXe#uYp zj=|v3EYFhWV9r4oqjK%OvGO7`dv??el>X!V)t~P;5njbl-V=};#!M9%Yu9gN+hf9o zw4HXQaxX#7vwhvdF%$w$7w@XU z<>MYl?qUZc1YOoI+_ksfUPROeyXpG+-P}tUD_aRAU8%8#Es|-jZOF6~0l`;j`mt7Gut;8 zCzz*SuQulpiG+WQ$Q-U>tJr=)dazqjC*Cl(S-P7fpCAaj&7!p|n9QHynSB*qr5?v) zO=rx;lp3({XQ~yxyzrD4Csp{I3d@;YV{`6AGGzZJ9mXj)cT8~U!g=!vWfeNbyKI1# 
z{t&j5z+zX6>vs{ zFPV@3wCHwUp%92fE^k|llh*Nhz9qOT_;CAq0t$dY?fq@m(gWsjzqkqC{Z;!RDl?(N z?h2ztqTb3b`*Sqy&oL8D<`kp`u&0nMRkes*Qop@T@@vR`Zx7U%5OcRsAKi3W3jQW~ zBTg=szYDNM2&^b1liBF4zIRg_Sy(7q@2X~d8!$Z95<(S|H=!4;D4a;KUhW326V4xg zYK|2i`~?B)wNHyy+UjO!XS>{cdJGxAi5=G|{%`)4Rmu9a6`<6W%pEG^w$%C zZW8BRff0~#$W7kCszJnTwKO;>L@3DOsFQV!*gT?2bLIB3T5IF}xy*lFN?3Zc0gtjML|Owkfr zf0781!+mChy3tFR8k-}}w_a1WOa)F4=-6EWZ0k}oceBW7vFJJI-8lAF3ZMxo{Idib z&UO-6>88TT{t`BUOFpEI)6nC>o__!WvnXd1seJWaURb_fg^nEpZfV`(+{s7tiWZ2b z5%h}f#_FneX3F^tR2-1H;>6oHsYGS3J1=M8)`jcg5`q3uVq@ALMy^TDF)cYx0q`tx zcvxd+KcJ#FbH&^H`C@O=luY3lag6B};`kq6c`V2ZR>E!*bj_Ijsf?_jX#LU zkc(R6oFrn%Z z5@rK~cB>yz&(Tm?>^Tt6GU)mMO?nE$u2ZQ?)g7M4c^hEX+*`F$-6*^Q93Lk>*rWL% z9u%p%qwmsSUT^jdV&b`Xas%*h7Z^!A%cLmXs$nXAT1r;(IqFanRvjsYWMP)2LF>?- zmo07M75aR0s#V=b$SXkl3n^C2EkB>S`^0YFfnv>rZZpB`y*lv)5%=u^m9Fm%=hF^7 zFw0LM_}Y28d+}UXmKVG=ZRr)=Rm>*ritXV@{UND?J#v9DWQ7C))jbfCzU7JvCSM1p z#qW%oe-}OQhPZ=7_6-hh!p8okKq%=8JOVPLj+jSxl2xCURe5bCMu?dfIZ5JC$2(n> zir>9wSE}RMMhkcOWeoE6c0OS(K=)q%+4)D$`~k~f%EyoY0H>(2gVqe@In$rC`j=WI z>x9QElx-L+SL=t;lp447K}nJI3qV*e!U41K4WZV*Zm6v;NrMGo=Tprtc8{SUi185o zcM9?RJ(FtrOKJ^*LiaP{YHSDhIG=UZ->G)5S`{!IK{A4|-iID(rZW=oQY~9Nm4QY(j%>+ zI9E+o8_GSLZ-Q5y zxwoS>p*6qoJXA4E-3=Rhn~2B06w}Vg%sbkPAMIK9`s1Xr7ux`~uSQ1^FXqo#0DwO? 
zVhNEaFzzbay%RtzXf=&biS>ZRaBU!bY@q@+)1SwIo9AwBspe-;iC6`ypmRS)%)t&3 zV-Iw+FXAQo)RE}nNjRfMSq97#h)SVTWAsPyj4?WPh4w41#!w8oOVe)d!d&o}b(HN( z$whhLKZB>(Y48+Ng`OQ-bMM)4@O<~|x53koTf@5R%WH%XCNZuhgq)>pLTd z{5~g3GQt^;EJA~y?}aaAE(NV{rqnO+T)8ciO+Us9a$h}ka4XdS`6J z)k>FY_SX6ml!_J@W8xa2_zSbHN}YIUFqb0D&PL-)H;$vR;qRky%GHZkN$IQu-8%9# zyS`)lidJZ~OD)c+<0l>1|9G39pq`3%Yv20*qc=(zvL%*5f)M+8Pf~f+;g^&KH(lxiU3*F3jJ=p(>yYaIoXoZ9g_H`vhz?d$OirI0g->Fpd&w`-!Nkf8?wP4oS zyR|+%I4%X=B>Ami6EgOsOTncEBLhBQ!q5egx7Qzf%;<=B32RiCIfA`15n~mSh!oy@8uI#>WMqpMMuirtfx`TIS`!-VgMTYXj z0-sLtc+~B3@*$naPZO?fy|w*tjP&jul!#41pqF{LeY-yS;Kl0QalUIMKM60=@vysMb)8#3 zDcygYcddMp@CYzrOq48A?U*!_0hkN81$4yjGRdt$SmrZ>%@jW>*owGrv2wcqdfO2k zS05wvZdWy5D_?12-y*WXPz+0us<-P~Nm9cG06;1)EgE@Bi#)}T8!jH0rP-}9q)d$) zI{NFe87bVc z2C^{t1x_k*JSy8W%<}+`?v6n%YLI{3Y$ZuK=T%Q=OakVIB!}6i2AF#|)Hf$FS4)^l zmtO>!aAS0t;pZXz0S`NwV767g?~RJJ;Z&A1^^lkwnsG0Ft!Ajksk~G8BJwO>x%T~d z1Men$b3Zl}^n81zbY?)_wN>>~%F)?@fz~` z>3-3z6CjlprCOj&9UxsKtQwUUWUFk~Mg7UcmeD(QJf=It_u)=jgn`KT{bQ|Rak<;L zq3p_xySiiSiza{nbtYYCLNTZ6DN3$1wHgJyGVp(Pp?QbrG2`I;*R_>L2!fP1?xTH zJD~2u`IzLlY~Yey6C3x>Jw9+grgy`sZal{tJb+`GC^QHN1K~R_@&w09Q&rqMAwMp^ zAFb8hPAsv&MA|C=%9COOFHMZT3(Q^w;6|Z`2YOMXFmqo5yzKgg)}d}+f0Y;Sd%$B( zp?v!8rc=pgNBZgq45S=JHfWyy_M$nFcAqXd-ZOowN2=&t=Q5SYLKh?w<6&z3)-H3< zfpyHjwGnb`rJU$voatkoR)No-VTI;HRy(Fm_&e@!ofg%Y%Y*}!=Tkx1YGIly-QUH< zJhzrar0C=lET{s43EgRHMm5)vW?S|U%&C4}`$g@~!N}B6xF?-`s#cd+&rW(w6FV{0 zwESLTF1SkRx~+5^K&vFUvZuqvuiPN$V%ha96kH#^3D*rI6%s|)ZV-aC^Pgz}$$c*! 
zpPE&3Ge{^NvSs51RUeAUx3PLJ1{2|Bue6>L&T^dyf-@2`>zHV4(I4+p)dc2K_*{mv~pJYj+K{W3py1VZtj%|0c)y z(ydE{Ku#c9w+V=bhfPms3H$*S{U*Yqy&QQJw*G7hY;?$TWm&AJ$M$@x^FTJ+(x7EQ zNOr7w-6smy41=maj{a<-_d+vf${b%mCQ7|fu%&vgI{%~AQi!0pee2Xrt1u#{k<3Nj3gTzczB&|FIwEk3oK3QNrTWWTq0VS!kB6<6(Ujt_g9XC6fe&Xet zaL+}ej^)tY+6E`fh`lg z15yXfTIZHWii>P#=nxuh;j|9`SOZA-zvB9I(1|q-8AJ~|>zNFDa9q&)`Q^8@ASLoZ zml=6d4u^LtV=?;fbTLs?{UgEFb5ZJhxYb`>cY4K@%WYD;RqnB{@9IJC@|1>*_OF(J=07&>N^&CH{tuM1BQW)acI zmpVdbyD0E>Grr1Ab24z)4aCmQCDkNq@4nb-0rcTHc&VP!xml|Tw|0Px_f|d7F>v^q zmeq@eol~gDuiMvQt(biQltTctw;4I7z7vO3xTBOPV7O1NT&BPRBLgpvqKspA8vNjg z&+|nT1Kt4FEnD2ba{FP)ingx~qAQW5DZnpDnrqwn0AM-dzH%V)C}yvyjpbvtGDAM` z&b4SqLM>)TtE!I6#%h43Exa>@2mhfzloPc__SmlUKMWnENBY?4Q}rV>3s~L3VZ8p; z>dLdO$o)mh;-C9My-{*W>!sDBWp$HsHuKt<)PH^_g9j(F7FnUv-^LTvpAe~YzYjj2 zul7H5gCWOR0m~=MoYNy}!#`PFCY7!$LEtj+u764W!m#bkarq#)Ezxe4Ai0KDqWtR@Ab9r7t+M_8@q3(OEc<{O;!R$Py@)`#=|w zFi#}H(Cuu&wzDy3zt!~Zo5q{TH|H8gGsgrOb@g6PGNziC)qHtD4A#yKyes?+U4^9t zCv#BozJ^rqP0E3jwLS(119W6>fS?K}0cz)t$~NJv%d`-pa#pm6+al;gYOGf#Yk*c9 z>-Na3zC&i(FYO*%Z9CTr?7fM9kz%RRQ#+`I4AXxLJI8;zr*ItbE=c}XzVP9`MCk71 zR#;r(`E#GS_h#ig*Q>ihJVUl`LsD=u!*1UJar)^wi*@ljn3XCK!?i1rG2Snk5?*hw z8oKG1*F*TXw*)xThL}BY;8!P~a|#Dj@o2>f_UjDhju}uXpa66DJMLG*&j5^d)4fW0 z0DnDeufIDV9}-LB7|IPCs*b^2JNw+RpZ%E+f$mbKDxw`N7C( znRC*rC*b&hc9FVt zItHo~s>S8d5gjoW@}vEUkwl>5m&tv9+t#H5Z0%O6gqVG;_DiN>Gx}I^=MIRcaxuAU z-93}lRp~*sCITckjUlq^E)uA*;qVBcm|uFq-rF5jeQ`7pTHj1_Lut z0uJE-JR=2KQCozZrx*cGjKcdMUTn>WU_zjW76Bk%C+7XJ=AFZAj~};*6%zS(SODrY zEtmPDy_o73X6-ydQ%d#%@V^}a-IMZ%%s(6f2te2AH`7hr5-^7ZGg=_t^*qDb7f7m|-8-af zyRWJsaZTTa1dLz6iPR-P@0fuFUeCqj zUO^2Nd6g~fO^a=9-DjbU214KircN@ewMMpa*yiCk;Y_=DcEfOYVX#%Jrb^TfW=Q?G zNJLBwAt-}fTMadAH17G*WIL*om}*j0vy>;0=2DDD%f!T_!{zi`{ot_n$WuCDPie@j zVlUv!p%ui9lK1r|T}4Q2-~KF+hodPfEPnY z1$7a@sQN@57v0YuRXq>()|_$8ia@5l6p!GuPhlUOW|dMH&&E*vT;SY!E2(uUD{yemOOH`4`zg`m6Qe$@JT6$9&So z;J5M6Yt&n-?^At3g?@W+x1$XjS*pDx6%tdW$w?b+x0OZAb#wk(o5~!ZmL?t;%fy6R z*Cvs#!!QaoYJWlhtJ0^s@#RluXDRI!jT43c>2KphGWX}f$8?|d$n~&;0>&HBx#ygt 
zIl&59wqlNq%4r1_BSrFR`_;XkELBzC->q3o0oRj_|2G=|?@ZlvD%ah*j}ZO!HBQZ& z^|<$sH{<&E-|BUTCFfunPv2mccv`RMR<^~#>S%Y-zg%824lekA8A~t?JN?M8hnTaS zA0)LWwW*VVA-}QuJjpdxo$k+4S#OTFZUeNX=2+=|j}GT4M?VMTupVnI?`TcD<6pj_ zvd+oE%GBIz)WTSlf ztdgp9qNK9_`|JK}Zav9jy?UJC86F0-Xf+lORnanldmj`t^-#o>RQa)2uLj(ab8QYQXCMO#v;xlG@ksOJlS zxkC4VSCs1K3wzFB9{n(!-kGp1MgSZ~6ao!hNV2}&UfU!)*D9jT+B)B6t7OV(GjmlL z0%tK57HqdhzTL;C+fC{1n+kp=atrqq_Z6H{^IF0)FzgSUjFV*V_)idcZ4hd5W1{#d z^sc|qa%9J+N2y$mCb!#64w9SV3_0yH0tc7lNokqHE@pQ6mfFoPYntC4=(AhzH{~<* z1&2_G7J*M97>Zpj0daRvVgv4%LVwAVgv zw9dZF%FA&dE3VaLePht&HSXP*3civ_{QAZ*2742E>(tq;oM`?xwDE3V@V&V|$UOd%i0bO4{`rmwS$|?UTWroXOEXq_ zqPvk^baG)6`fO5NV^SD%l3G})&gQq50F9qits(JL$!brYXHAMea!TWSXm#nBqEqXh zs`87_k@B<69Mtm1JRR{@po&9(H(?BRZf zvY3#E4rlHGN{Y&Coc0+0J<+;-vZQ@>%(m8N_Q;dbTPJJ<=O5S#(2|nqw$*|5z(aXd z*crvV9b_Kl1h?OM{yu0Ghh8x;yk?I`dO0lBDdj8fx=fGgPGjFPd~PY(wIikuIF&l zE3{5EO17bK18%rT7~N*psmjn9FU);r-1d|Ck2*$u7q;Pcl^N?6+<-Qpliir+f2vC| z?d#n7CDWWzGO3}H(?$gS2MYcHztnP~R-3SiGE8pJ;!9Hw>7!y}438Y5FEuU83^-0S z0y(7Gikij2^KDULGQ@1l+OJf7#gFc=Kigu_Ov)hWMRwhS*d|80t>I3IrtW9-nssD` z?8&s%Q7nqRt2!CrC#87GPF>Bo&}VLIye36{@|4aw|L~Np(I~g&Sn*;b_`{}vThqjw zl>FI4a@JEYMTG=GMzf5b-li)q8hbm?!@InZvEtqK56tAd9=nruBBjxf z_mX&jwA4OdsPEMe9G7$mmrr&~M|4}C(b683tETa{eh}1DjB%pKH?zCLx?KhSA+K|# zj^cVyN8^c9uzlJNvnwIjbY{cV<1(LUDJQ)J|Fgr#mi#!5$Cs@XnX`a$*z;4c!$Z1> zu1%YR6jdl)V}Ft`!3z6wB6=5(sV}rewNsxTBzJ$j7vsEg57%sP_1)X4Ncuq4pEp*Q zto@d58w+p%g7vcHu7DkIesFX-`AN8$rJcJw74zC>A>)WFu?O9J*mSdl#>V* zy?i%N=pmrdhe99>6%Q-ZjM_gvQZ0P8BH%LpImbN*mLTjT*n@b^p7*5LLNmQRa_u@{y3q89&dRX=1avVbIRWT zy`3cV?XNLMT%BR5Epsa@W2jM9CQVfiaQm!M*Cc48J39AxBnNR`xekX>>$GlDmQG)r zO6F{`r2wj`yxhSSAoS+pXa*D1N>PSN*@MIm=@eWhLKIsCv(EKh101)$Mr)=wlG8S1 zB&)!IAoG&5I&mdT3Ve@XDy?%NWe(Ah#Zrwf(%N1O|JrW_K1{-x%bD`}}INKJb(jLi>kS1%fz$3NAsuiAQKOn87S==6V;3oSX!cY}ltQP9nb%l+# zqV~#t9knQKO6DW(lLc85f(vfn^I6?kg zdvs)uCI`9h{KBAR5pdy15d1Q0Li!WWEdG~v_2_hG?n}eL--6n2HcJ6GGKg{_dkPSo zGL5%LHfC4D?gJx2o3@1db3rOanm_cwg>++G5dvkmm_F&Z>+8XH(MGm}xcO<#&H~$% 
zKgaZrCrok*uL?lg5#2G07qLs%r?RfQJ*@B&xOY1k@1!6jrF3dF5+A9!b4KB@d3u68 z1b>e_@GJ}LSI&)C9^{*pJyd4b4>wO(hwrT)^v=O|hV)c4lgtLbju4iuqw%OZ_N__y z{PLmC^+rWD(u!-WkIpTw+ff0fzY?nvoxE%{T7zVD@+@NLm@({4+#IZ6;G+1|F~g2A zPNSv3*tUDr>|}BIs>O85yJ03NMDItI2CR{*KkoO|%Kr2TC(Ru(v@SFe_kh@*Z!_rX zB&|-Hb#`k6#^+sUUVz4Qu+}`Yn{5TG2kyX}CC%Ndl%(Lg(WeHF9|RP0@_7j)$Y`8e zIO`=(&CZfW(7)dHeeMG5^OM~2dwfGQIvpZ^)V_9;KJ8hLX!!kj^Lf$6$^-mB=-8*t zt*RoU5ydSEVn!XQ-K}LNrK1}DiB;~K50k=E__1Ag`J8kPCn{Q!Xo_@3ZlJ|3=N+x9 zYV)mkM_=e@QunTZ^(yf$NmO+9)Lr6TgHJVj2N`le6M$1*#V(V}Zky!HI|-Hbs)@z) z$>Xj&582)yBlPJ%qvjG()5Kg6$d+Qn#pOJmthYM$jjh3f zpMZ+l-@NMLCzY<>detAtS{57`NicvrH5fdx z_h744iP5xcD^A2ZZ@Q7D%(*L(-Ye+N&Gk=h3OK1hV62O)Ik$kxm#erslGXe2zW9NJ z$T2beSzxaJ8c@3^a-QQpOe;k@@SkEu(KX+Z!ozzDLJA5@3R!fY)ERpGgfr6y+Q2J`iy^6 z(MyCC-n&KreIZd-W-0US$3$XxiQAi z_j(}|grK$CF^-X11Pn1uOznIke9Qo&YEL@AOMg;3uKY!+;TZ^KyU9CpeUoYBS>hd4 zhT8g9lkHJy&r$KTk`9{JnbTfd>=BOa?C9{7%$I%Ef?G-$cQK`F3#O5EOxn&bD2=Sc z-Do;)SInrj>1CAITVShq?2P(Mjx8vUBncTY2KU=cN5HJ1iox3F8t-Ha9VTMJ5`-MJ z@W)^K%sSOw?~ny;cpsuU~hdi52wQK>P& z%z9ReWb<4e+HvPG#%V1j&IzksaDc@~scxyo1ReD7c(R;kb}nFzpat5iu70XfO{_es zf4YZF83cFkGf>xSWt&{BfXFdAO8Jv8-;2?^YdN&Dw=1&j!Fhzux+~<`si%H4u7|yy zt)t{t1Ur9-LS;3(WTB z=Za!d()rR6ecia$X~H!de${TbpRr;tgFK;*Vu^d75g2vo2v@3Qs?JW@8{(=P>rSGT zHCf`5l?_4;JOIP*Drj;EtoP1|w9T`O&DJ;g*x8N*3ob0;} zekA9=f`Li64}5c2 z)EC*VYgZU}cQ2at#%k7A3!y3@HqBzA%frc$LHE@l%lhWcLkT0r(hiHOhCI#_=2Z?c zV%bBL&a|dNss;`_2ShTyPY)h|D`Z6nUHb8F9FEo&CzOghp~Z2ZFo#e%dJbuZr8{%+ z)}gerxnC9$A9k)RkL;rHij0vCfRS)Nxn|>!{4W}N+vL4&^pWp^RkPlHuv2=*=9;gb zr7dLz{IkB*Sw@1r9nmZvC$hXRooGURQ;{|9AY7|#YpfQb?+hJkx=g~w zs*fQ|PtOdhY7ah9;@LMZgZhSh zh;9z-z2a0cyb)A3mD<_)&`|A1Yt#6BjmUw5@BTdzB1cGp(J$Avu!{pe;*U{JtZTE6 zPzQT?0t-|=7ny1i4|OCm;R&D?(%o&bK&6Y8hs&}s`GoSSD(35Y6_8Erd9U8F70b^! 
zTLQ3$`+JWZ_wTIRt?rq3mo?h4LVW(XGMdQ9zbU-z7WeV#>n4K^ik{_T3pp zkv=y$3k}eZdu9Fo4zxE?3bGa0+xuQn{ph*K6-F+uZ#&zA(^AL&R!5g2;FiX>dt^yf zp^#^amP6}yk0l;S7`GgR5T&}`X6fm9Aj)EG`z17sdkm?3pS2dV3_IVeAd{93XLieZvcFkxo(qI$eQP-nwE&?$#Lvq0l zMCD2pZo%2K@FjKx+|lk9zSwG}hFAGX6B>_a&LcIV>2)6O?%Ru*{>aYP*6ST`ap+@| zdyJGyQ*x`NsFePU^K13!Zd{AExfU3Ai8Sx&9~Ykd_2+ZajnI+Dkx!`yq1OW2pZl7Ql|uz zcAZm;3`BotVANi}T4RG}xlIy+b)10B_af5eHec`Vi_AnUAG4^+S2i{RJF zxh!Fci7m1xN&HkS#l@q{j%-p+c6KwTtXg;k(|B%c5ItgXQJVR7x7yOcWr>}#=^a}Y$E+VNVAe}>iv!(>Au1jpBebn+ zKT=k&Ovzwc^;@E(;;LVe?nHEpKkHeZNF|>*O0HTQnj-3bA5zBPkzKUnYANZu+^~16 z>H!^o(r$Y-{#ON7f~&?GvqLNa$@y$u@qFSWxWmfqW+RgQ**605$vtPWV3xO#!S~%^ zB<4RiY+p)z=dx^1oiW=Rv9kgW!0oz%bH6tG{YxL@c`r!>eZEZfx9v@B<9Pk}W6<3H z=Z{g}id&d&5E;PiBC~*$aewhe;dAqSSK*`azDlcs^fWKSudKKa*XSQbWGp>PO_dasPZTI6iDAA=ub3?RQM%2{&3H>TIzOXPG9=4sf40yMomxAD zRlesi&$;$k@%m9CJlTQUdBR0t0=QEn+cN611m0%d$GoMUs5nWkbiw(K#>PbV>Y6Ce zXm^*F-DurKTkhJBkh1l}SlBdZ0xL&wN67t>is*%*?GO5mI%o{%uFhEi>PFesV3QCN*L=*NU}~tObjN3VT`fP zFk{T~9&Mxh`+M%s_jsP?c#iM!o#VLw=zfp)d#?9+z0TM9I?wC6&e31_L<3|LoVxcUXX~fq`FNGF?iSHvath3nXKfMt{7;!Fnn6f@|?)>%_yug?@TnHFWlL}(T`%|35;n>vH{yaV9% zsQw3|O~?1uB(tW|^d*a|2p@tP641AsYT`(S*UoHENKmybcq=UqovPrR;Us&W@sKx_ zUy0P3*e_PERU{@;BSYuPReX?opIrD@XyT8-pU6ekzpOX>KFu$Bz4VVML9x)JDm6g0eMug2?e{KRtU$)mwo6^B?rk^F2<-a$3TPHBYxCMS zEjI`c{7|0qJMfjaB9RlWStzAeK}Ww7>uPgl2rGx3xPt-KczadaRkCWAqy?XR{*t9Wt3SSC?-2JJ+p=9#SYNBrck<=NZ=(YP57gannt{M1H|RirzuD<4 znQkr$&8ca+_x0yQ9txphvkGilgxBZ!ofQ>_-~%EBx!ST$eQP6NX2cVKF@i4ZO78rW zH%1OaH7JOwY~3lYuwU_|kJzT#uCDtX1(EsNo86$CzN&qo1GU4diF)p`L(z>1`d3Qp zkr{66=?mC9TIX+{G;2Pe-+D=9P}UNd2S<7BKw|i%>J4=d^~Dq}KUB_%rRapjcUtc` zZ5FvH5_0m;i&1wgLA0eL5T0J8y+B>R)>xfjR+V|Yv@l6@mn{I}V=l{B#wl9RbF+r0 zPCf7JyinJOlacIy`}C>qAo}GBBr#z0<#e)I_9d(7rv3|cY52an-S;L;EIvfP6m5L| zcs}l?nLA0s@2Q+j+)ez>Xq{6~)`fHxxqb34HeQk*?&!XNd2k`&qm33n>9cIUuTaM)jpoCaZJ9NeK1d2yeoiq{A}gzfHs5l zSryr*hAz|Ql7>z&2Xg=FaJ@BpyXO!5ZF5q{s^;mz=j8!w6;ZZN{Gff76IbvTJOIDj z`YBD=FUiYx>ilk!Z14(XuDmu=&`7?Hw7mXegu|gDdt*h*>33THPK%pAQ4Y)w0!H5q 
zeHN}ryr)e$trWGXCF5HDoaYH4sbh91>WeSd0(z{e;iJb9fkiikJZ_~q_>%jC%n;pG zg4nhtOGNjcK5_J{c7gO++nWpWEFAg&vOK$JzCX?Bvc>spJ65ioIr1&15RjSh+1PFv zO3NI411qJFs@XMME|N!vH$dgin!afr2IDA>&N438N`zJiQdf0485v^<0(~@+#N( zECimHdO_99(l9QJ-1obC)h=!{%ZVLcfds#< z%kY=^t<|qEYxJnI{;oki+kc?6Vb2b=o*m+^(c)UfFkC_m$;N@z`g7 z+5Q;~l<(eX=n%STwhD0+;=JC@VWR>&q%6}cFbLuu+}RfA@Ho9Gb)v5SEcs%$;UI1Y z2rOl084Z`vJS_+gw#%6mcG(muy(itw#8Xn$X(Ra7au4A#X((GF#iry~fGPbfAaQZ> z;Oh4o{mZm-NcK`#Q%_jGPlJx{?e+IlUL>5|5SiD8pq1UNGcYVrd_38W@Z4eLR)a{o2-`k);pZlHmmA+$$I9(%#(Z|)o`WYcW3lGCFbYKX{%490PX;Fsyhs* zrRMvzp)0n&UjY->Tje}kp5$5pGYZkXvF1$an~W#-cU9I_RUO|#IC$N~c#U2FtxKO) zhBYe>kTmvd&0Fba7hJhJ%_QVXVPW{;QtA7<9~UyE#R~?B&u-lk_>mkWoLXRew_TTu z{`!N?Lm>vb&MjyD3O%2FOnLwDb%lS11BdlL1M97umAf>&>C1`_9<{GOMKphErFPi^ zVD3E?J;)D3&vzAiw%?R~AGt?NOw6z3LWp`0^MaiQ1cpysfpqEJl=0%l?T$iMgH*}U z;m&Lg{L7oDy4(`?wiQU5jTwd5fEMY`)STE8{eiMWL=RuL@q^V3yX7B4Fr30dL5b}; z_pako2?fQFU^7~y)bQMS0lnbd;0UeCs?RW|NL=VMoEa?SdB+FIL(_qS>n5)HTCd%w zD85&mN^cXGh`PGJ^IXuO1(TXDmSFfULF0R_)#^!<}!+Z3bnumJN5FWd8jY7<}6o z^9yyToby`Aw~Gq@KY{u3)Qa%8VwpG6+`KBE+b{#$MKeEjye`-)-tS}m+IO#nrniB5 z&U$KxId&V$W#h_i_;BI$p;9Wy-2D2zraM+oPAVrQgLTEM^Q}xptKWD;NN*mnwydgf zc`nO%GJS|@Io)CpXt;g?E*FyA3+l>BDk&;%_LC|z^jtdcwhc7vGj+IbmQvK=yk*Ow zl#_So+)H$NFO^;qmVH5+c9Vi#loj{T^jsUZj*NOM>-6do+9N$*8x#X(`F|cOT)O%F z^RinTZ<-+n%s%_II_-SrxykZuBqZI<92ix+KJtSJzN^(x82ogf;IolC(S@H1B}#q$ z3s>uL{4J!oS)DICe>0GRU-+zX(D~qI5s?hLZ3hpGM`rek;7eT_J~o&?k8rC-0Y47) zeEgE$YT+!?n`ZhL37{(>w|)WqcO(3J2}AnW9rr(pBqM#Hgt6h@N*HeMR8AQ+KD|sA z`#Na2?l?8#!pC&8~SBWqx zq=$kD{uxHf22StaXAJJ6eBC**dfl^kl3gEL)3w617-o->^;x4qXDCsSTrl#B`!*Fg zNLSXVh*Af4N0SV66l`6Uf?<}Z2x0e|_;x{iWQz-K zjd1T!A2*xQ2yiofwzERM8hU(sE9lKhNiZeJy_lv(QPrOrTs(rRh+HK0C%Ru78>WT~_4akAlX0)@$f_emxnFRm& ze5=kojrxG$7@)b^{v#ciTJ?Wa?0gAVH%E$!iM=I1^YNv-fnygGqi>wM+I@mtGB zCTxf|&2)xZT$=EAr8uTy?GMnw!NGXwEt zT6sCD75mT(PtlVEqrZ0|&MBN=)a$o_d^krn4tO0XK8A_<%7W`&J%}Q z5e?xR7wq^pk?cSEy#H~+;|oJMbf9Dj(;Snz(o$|K9O>-j(lV3z*4Mu>b2m_K*u7Wv zK2V~v-gz%$45eM@PE2}!7j)8I^kN@#m$+&#@mYVE&ksjdzIEfvZ9w6!Eg4(0I457S 
zY&!Wy!^>xD*St9w=5Y4T)~kP((%x-fcF-NPT5lcXui~JUz8duFx9bOtcYo|^H12ro zv;94~{oFquDN?Q!jwy^T0+-W_(Tf zA-@kHW_v+ku#E<1bAc!2^u~yUz|mvRFLv+GIxrg;+|gm_5)Yl(Cvh(^!#yUmXw_fM ze%lDcB_k4t61J}2dP?E0kP}|J+?Nn|0{5jr>P%&uk{`9hV7aMj3B7gpo5beRin+NR zhL54&lr+?!>;0^YPsEq#_;>wv&lYRulATk;oO$4teC}Io(Z>F~$Aj@EPoC#Bn^(V} zY(qUXjd0Eis%x_Iz1Xy?Kry&E2)})T_W5XG@iJ<51hdfvD? zj^uyTac6m{=WdCa$=9PPJ^=yg6(ib39`8u|AR{9C9cXd;A_mHgLXEC^T0gQdAA%#` z#;b%R@Z~<`5MQKAD&(w-j>o{V5^==S!s^JaCK4S5mXtV|u&V%VO)mGiggdOHM4C7l z7Ix7D{A^;WN2)a1{XJc@clO5Rs>N9$O5 zu)mmP|M|0Ljc`$tDEDBW*-8PQnOP1j9o=n*>KG61XUJPbGW|bBuKB4oU*G+XEJ+A? z`Jc$LQePl4^M56>nYF!}%=hh*vlY7!H`oz~P_*`xcoswO1a;BzR52tLDCUhmh_2HJz8&@m zOjI+PX}@tj!8Ix!9xscLZ$`rJ($6M5I%W;uF0FXDAnkVNHSHiZ`RI})=#*035m??u zD`|l;SpD7iC$pZ9tqY z$XTPLKr7CJSX*!LekjA}>FF^`O!U=c)DPBj1OxV0~R1jy&;M*BN=|1x`uK!tWU z`l)gS=2q%JiO*FAFSgc>ot>^1Z8E2*LLVjigg>%S$yjPg zf*IGp{Pr>trR^hI_wfbWbS?7H+yptAKI8pTCuN}V>5W`Mmc{-{*cOo9hclyzZ{2K{ zi?Z|Bk(nZ2aw0lDn9hgHpR7CLe~cSLV$+mp^P_Ip1J3xKk0;669VUM?g#t;>U#^PWlFjdQ17yO34 zO^;%Gl2koUEuGi7vo@vBT}UEXm9zoe^!0tRc9my#yk&wxZJOa@Da5IDTAj7or!QUi z_GxMV298W;A5U#9Xt%kd9<)8|_1OWv$0baYE#9;-$Ms9!Vk8C{MD2g@>y1;~%F;dX z@;_H5ZroUS;Vqy8iKc72TeGT-OP978H> z-WBe4VEoY3Zp4;j)Q-Y7HNux8VjJEjJhM7k;#3f zyWd|aG&^;H+NQENvP*d0=KK4d66P*xcq{$~?_^;8zNu*Da$Q}m<*xfcl|Y$d0AbF} zExYHmQM&I7DJ){m+4JX5^*BBQE<2kU%kEQtx5uruv_JEO@c9*1lGcab;qLC*cGqIL zSUj+h>1b9r%6i`!_PEdmAyJ<4)^NFykibY=*qo-{4v_SW-z8k$zTGj`qa=}$>{YRs ztgmF+#Rv@%lRHer>&-iZzqDdYO#Eh3vPQeFb%iWbouw*sJe8L%fbd2!AxBx7vI-CYZ_$klJ(vLgF{QU++fBhMfRKG9#xvtZSIU%}H<%ojC zmRej*^08aXhmGzrx4yHWZqT~#3rN8JZv(Q0Jv&21Ds~mNT@Hu3NK|{wy^y~9O6AhY zZn)A(?OE6RO=7gO_j_~S-a1l+MmAMez5njoPwssWiJ6ju(*KBwemA*lt6^REzbpp3 zHK}BLRh83>@7-jPF=bFf`?>@!ATYMuityLwtN3e)x~EUeI$iER136dN{ORe@<@X|2 zBbUGtHb)-=Y?X3hYJcoEvCnlgO==n0@iGPBL8-@>(>bx3Jt z_wnA^Up_Ff`HX7`0a8g$I=fP*J4_gcFs26>C^>%W`wxG-3$KQ+Q{AhSbT z9jG&iT<=>aqV^ONq_0*$G&S~puW2d#I3*ymWQuyt{$9eC@8D4RzRIrA*HZE1AK)nd z4vz5uTVsNwqCSgD9gCioih)g>tptV=c%UX_#7G*;-^xnE{Ve_p%fVL#QN;)p}CQ(%)WRf 
z0&TXH#J&h+o#h1-fHFN*(ps;iZ3VY>xYJiAte|LEDN3%Jg9T{aKd^ap_eg8 zK)fmpOK;WoYW#OgF>-!dS05Hf4T}!SP@YOU)CeraA0s-+3j3u^61$;yXR@ zs;|ha!FOiPS7UyjksgDc2ks`#hcLASIk*ttz{8C}6g%u7cFt3h2-QN(-i0%%Au8Jb zaW(@`Te>a$DQNYE9lAHT_j3Q?kZ@x}J+fofM&4^)%TCjSUn-ZNeI_av{_4k{7g;&T zI_!_^HgsD0f&I<`y{P zsU#z>b=>~>V%+bb#p+I^IWBv9*)j}&qS1!;md^`g${$!eV({bTxL*^hzwtcgwuLxU z#3Y&5N?*%2ox&V4a)^7CrJR&uZOD7e*3dmH*~qphp>}I{ZW-IRtUmsl05ZDriZJi@ zmRT*UjlZ*|;gRKLJz-UM-doP>esCEShEGy?Eyrs;$&(JVn@k+1%no}TJibC3Tu(({oX*-3NDxu{s)0cySbeyX0uyyn$ao$YM@)+{$YWbB7Qn0y-EM>@ZWt-5ero5;Q z(O+=cn|rgFH8=ma%{(n!L=Rz%vM;w`V_;C0TS-YtQd3h?ItVsQ{HVAEBrR<$rd8Yw2GCNHb1stEm`(&RP7PHxtd+T88Td(%u5m+7V9PMq_~ z_`F4KS-?fmrZD`h+u>xnNQ_PV@j;f4TMdn0*wJ*&30J{{yZk)p3#ko6C7XdPK z85qjG&IDm+2Zz4R1Ttr4$9=C~53vwWF?`{3&L&r~Bp4pt;M7R>Ieo1YMuIY+R{{|a z2)x{>Y@$ow=0c6(<+ayJ05fY>RFVhwBY}}zv=o5`d8({O6IP&(_+lI{ z-@QW$&W(aO%52~`^~-3T!zrm!QYJOoz2pG_J2uN`}jeZ zc*M6jWmN|TtL?C9JDLXJH!z&T?uZk-LxipYj0JV{J=%$>B!_T@nUInv zC}oJZj-92w2utCbPPJIvNSGVebfw z>5Cb11s;~ATOx82?KOy{n6J0DDdlUKE1XM1F_rCP}PEwnyRh)&G!a21L*`sy}~By&iEU?T(o ztK{qmNht|anRFRS9yz2MPkm0l4xj&=wy&hq6NJ{Z+_W9|(Hp|0F#LZ$ePZ0{o1LxZ z1`Oj>`Yl#UR_JUnh)pp~H^ne2nDw8b+i&3Z@P=3P#srR8rx+Y|fK3PM*kakp!Sohi z=#iAvR1+DQ8p^WFN;3N4v?MRbmm#>yCHw(gKEZXd02?is;$Xx&XBvGE5Sbc8w0vtp|f?* z!6CC3nO!beuuBTp3GMCdjM8OfTE@r6_Y=1RNW-N{yz)epW0J@rrNw#V>z4R_|5@Uw zj(w`>&Ay4$yPeGDv7H8Oiy~YkpmRU8r!TsO;BwZ%F#Hx@#fP38jJs< zggpY0gW3J3){nKYg}eVti_z?^4Sq2noxCM(f$t>8D9Eb{pH9FiP8I%hUzxYL*6 zzvXfeEU2tgy23jMcia^>4@0L)v8Vn+c zrPr_Zgk?UMM7Tj^`*8a1knw&(Hk?eq4hizd%>RAs)~%u0@e1GhiE3Y8->DL1 z4bEX^nldENXD|Lp{i}J#z<623Bd<6jb+Aq9^`t)FXx)&(<6(Hspt40={tO_dGoDh5 zc(NSeNiH#M>{NWv#0Y@nthSVwl_U-1k*lk#hZ+5Djnlrq6CoOpW4!fpZNIt0*@CBafFHg7^jkzf?nhxr5m#brLIbJf0AT#ZAo31+wNRnAek6 z)bwi$6E zdV{3wW^zcdUoo@1L|~|PXtEWZcDH3Z>#7FlOHHxEuo$m^*Ar}5iAPr58gjs#ATK1u z{l0Sret{RX+KwlANMtzlbEyEN%DNhZfq+OPuyVW<>z7 zMQPlNn>ECxX+dn6A$D^ihC#lHQB9PA33BW7g*|qg^#}|r92Vv=JykY4S2GN6Q=de@ zcysKp-YY!?kX&1ui`s2IDKwZzW*R)tzDXVqo6UOeGoNVqVvQeh 
zRZ2Le=m4*nuSKlxQc1bU?zBEtUV@I?{DA!d!aBrzZR9wRFq`HnYan5750}VB=Vl|a zH<2egN)BtF>|#$0vJ4;kPBNW^!tl^J{m(AHfg2dTq7WG0GV*BaNvr-(#XCxNwJY9h zqJEm@$ggb4SvK?vEpjZtORT+rwtsxoKecr&2J!ACaA$87O z;Lw=!6(O1U+3pJ~pmySRBm`~-tZtOLv2k|DXpCHrjl%@VZUg8 z&jWM*3T?XRnhtl)G0G)^MIt8#2jd@+OQazdo9wXHePZ#m_<_3T$%ClDgTr&d)9yZR zi?Ohau+jUP^}>spYe}eayw6aCXSw6#?tX&lD*=EBng<7pfoM00O0FaicTLuN1n3lcg*`R=T7R98He|J~BwiJch z{gonyvmT_=3-^?0p@Z0sgYg7FK(QuKPPj&704H%pO#p3TKu!SZl@xgAx8hm4jJ4?j zo4%Lk!^_;tCR`lmDr=}o>dpmYgQ1)1ebjNC`NzCQUlC?+@jixR@|A9m zB!)E;j}3Z+Pjyv)Dy@G$c>&Gxc-aY^%WaSOI+Ls2O)sk?6VGbt|CSI-LfNZ7!dTvn zOkRQzmwj*fl@r~{j&>+YY=7EJx zzR={gPM}CAQSR?hsxam6Jhu1-M^h&T zvxbZJhbf}EyGizwxh!>BNtZ*=a5r(!;qKD*wq;>>g|z{^n0oC3I00_e*FN5h%DP;j zJy+I%A1SdDuv;5|Aj0NyS(CxQeA8__H|vY7LGuhXBsi4VJ4mE|QM>_^PCzgMyUVX0 zL!`tHN^)cH-4XOFGjY2;iz2!M2T%y}xOXdfp0goC^i&=x22ee&UUHC8od8bXvh2hOP)T+!?J_6N zjg0z~M#mrRo}QavLeZzMm3g74gw1+r)lQjTaM!)@4z}_#md#}O@{(=j2JR~Y0s4lQ z+$~u0V0={|0aj00%yaRpJFP}T2$Z48+Q`$_jOai~F@JGMG3UmJ6~#S(_sPBsPX;oG zkBnF?8ibuo(AfTT3y;ZWJO#_LS8H%`Xb|d76zHttnkb-Urq$Lf%Vy=_vgL{B2hyf&k#JkZ1I^`c?-vJBY2*!qL@IG0On~`f; zh}${D9$gGoEvL||=j4lz{@cnB;}eEoY47d(@ET9u`klq548?njqNlH2=$?FF8;1Xn zi%gof;$7NHRyNyhjOKAX@(!S}c?l~3(16_f!+#^KE>{PV-Sx*3rxYbnys;==U?f`v zLg)lA>W=6li0Cb%WB{Y{D*%kPvo7-@DRL9H%uLR(7(c>`0oOebR@7X+3akSBS)KU^ zE5P{kLSJ_kkiN)9`X4@^!b`diuXO>}#Ebl=u9>df(eu86$EB8pRxAS?LeJtqbqJtZ zepgs!IWIW=65La9V2iQip?}og^1wN$E}rSw@#*NoN{NI?!&+WLh|6;gafojSz9D`D zalRq=hTwAqpDY)mC_ifakl1`f@D0HiR7;l?EaNN71rg6T#E)!lm&0cwtXL;P4H6nkEH4U zu^~b^xb75PqJ6yIa*mzzvQ-~Vt=0gkMV>4W<{orM0uxGD2uaupDU9v`^dh6m2cm z5#0Qon)|FBt2kIV1LzO}5=3tPvsc3T9c!X$T}6SG4~tqElYxrb^mOZ@ZY-ODB}x~^ z{L1je&>wnvp$5Htp|jVH``dWb9u#Q?_x!Qe%WC(dviPl)QtJpo$9 z^N2;|@BK66Bc*NJ7WJvH(xp=<*_uD%$ii9t{Xh>CT%~K+pWQD+Pu;w9FbU{gVYsN> z3KQt91cmx7YT~gH;3RADoNE`Ic^Wm|c=v9h1;<;UZA>O_b5&h1&^88zTGTd%4~m}{ z;)CKBhWMc1gM!Z#-y5dz!^h8<#Sb690zDrTd{FR(CSPd&mj3+g<0m8VvyWe4f)5Hl zDEM^>-5a|6I>pc2nqR#7NeO&V{E8ENQ1C&)FLQrC^vExB|6Ez&uYLSVulS(ggMz;x 
zrt838CH<+H{^GBa{?JT(Q2YuLd{F!h6MRto&j7`tM1sxFUI6?JH@{Zh`5SJ&Cqt_@ z@Ik=`1%GSal2HEEyq}C9&fl;3_`@w|#{hB}5l>TQPA@nL!F7fOtX>7tgNotpFDUb_l zxmH3LA&n*fTnt#CyFw%GF;DRM({#i6s6_`PH+(6(F@g@-z4=F4y|Auyp0aR6vZT$F zILCYa%QEgkO{&8GwgZj?Cr96|62Hmqg;T~=VUR}m(M5+(H~hT|iP2PH+CXMULy$ZFvi)sB`;c)D|5nEVQZ^yDwr z5-e^vB77A6&A6%>VyUaP{Eu(hv^{39cyGJX5bBRXDFK5b8SGv3=UKp@;tG_LDs%4mkqcBhq9WZ6_aI zdpWFJz;xvQI!w3O1yc*Qsi{wu_)*lX4r1VMIuro9e`DVV8d%0V7pt#6)CJ}a^!mRu zcjx>ZeKS|$0D?<{4)Z|KjvX@1=(M5=3Gj9O55q`Ue zwHKOAsDrhdehm5jG3+4F&!Sa3pxw()+mFXc4t_ve3@cAZUt1ed=wK=5P5Go$x28_( zaUq?IuGuKG6ga?fav6BOj?hs+utUGO#-gI#1B$vl)HzQZ&%VMkhv@|<@ZsDJD7vd7 z$8%Ptk5XU$+Og^meO_qJmh}z`D`HQj2IrF!tXE@NBs|fbce8(g{cB5Z*NU~wm?Gu< zti7lQVeU@YFuP8JU(V)`1~99^N_A~}I`Q(GwD`+dh1ki%zX4$=xInVaadIUAwt`W} zm9<6Iw?Z|m?504zqrK9a$6PuM-#*iYtpKtKGa0Os@O(hyDr=ghzlbf7$T__3RzeVF|&pU6&B0rkw)34dF ztf01f6IY@Ky6ZhP+dB<%Z7y91mQmi1A{`h%YpOZ)rI0mRYTW6Mua3_TD5G@s5j`O> z$@w)P=8bVbvEP#N>N>8QPAaIg_G)v1E2p`$-OC9kY5dcMx(>2{&&#Ha=(HK@ z(zUX{Y+qIsM7p!&hMcgoDF1dZOt|f@KWK{rk`ahYKNK5l4I%yc4gg0r+KL;;tHs-5 zp8#`B{4v+Ehv)0>>NI!H#Gw^Fmg2f-&8a@0EX2yZ_Nt!~ih7HqcDSRGXK%OqMZoH^ z!tmCz*k7t-KUaDs1|I=L4qDXB2^*UNOx!_GwDd0)eEk?0(qj{U#7KOQu~j{+WmoQR zHF91X7*mcb5bMS+G$r3Tjcx54CR_n5Sd%)FN53zqWFtapurPHk9m$(~&hV<0aNm2_ zbF|o6yz9vW)~`Vn-rcpAv z5kk4f+s#w`r&|g6ww=8LR6StUX5QFt-L8K1%O?zjMDmJX~7>fzRI$!)NE(kQ6yh0UZID$*#n~Jj2pjQ(8N{v+qL$ zENkdGqAI|-$^RRiT0kg7l(#AnCDk$b=Ry*VV~r6?o>uljmZek=SS}SqG*z&ntpDlc zp-iqTrUK6|V8u@5fhP9^I~Id!X3e zP2*0r;Qo7Zu+QC-7@>Rye2mngO1PjBJo$m7UV>jo?304(mNK;An4GpsGC^t1Ik+}l zNs5z_Od5Gfok0o_1KH0bl&3y zTM(;2WEhnIIA4S!#6FQ%f0L9W<@+10Jlz>I!Oz{0E8JCx z7XUiUiR~C_@FiEQD$vBu?Jg~#tFW~$W2F#JM`Tzz1)R9XpUsmJfEH4Xt>@eOhZ^>< z*k4*$uo#paZ4tLCM*{Ow80dJ&ZmhF2`OX!r<3208RblMcna(P()|)R!1m2;sRF4i7 zPGHNf-c!Th`t0+^EtKNTOPRyj01P3<+Z1*xPOI4HX)(tJ3kES`3E_FwqI&uWX~q;V zX;gu^CYzH?7*4*EN2){}Zl~2Ka{nQO{+SMC34VlS2LK@`1i*Kr`Z$IZB8>hOL#M<} z<&n5X{9;7mg1Z9+>Z{{a7H-&{4m#~LwdS!)DkNlE3ZZ?l>>0GT6BqeRa{43K13Uir z-Ds4OZ_j%R+*L5M&PuGrz1st6s=)pbCT84;`BX`chWR>aPJN8epQaE@KP&n>p%PK{ z*sn`iF~8%&IiQ1< 
zt+pv}F>OShbb_Aj)hqgoAm$f}Ra;YQX2n8^@6V&3ASSUhY2h8qokjP@AeO7W4N08p zXzozQ^m|ajI#UnFtE2+4tb9^%bDx^M6x5E%jaUU!!JRW7sE_-=hjLReWB6!zUdm*; zR}v;@fb!X^lTPxY-N)jzX+DOE28!GlEtwL6e?v|(qePFxVOVGfxkUpMG#WICfkEj@ zwE+y)XCvmOTx^N2pV^J|qfEpXh=VbYyX3+NDXnNo&y3QU^`#Fk=S=j_2e1&=!Xio&y0y(HQ=#qab1dtjDJ`oYWe7cn@9JS&- zoE*>6W7y7Mh9R^vV?;gs+pok=*Afs7LopB8m$B_ue~+lk;gc9_HS3}iKV-#uIl%Bh zjUx$G;$j23X*+COr7(n6U4MxQUQbVTd}bOs!d4%oW9OL^qKeRwGCQ9})xKo#SPkxK zKv@+Pu)V@XN#C(=gk~wfFFQS^YM%qcjsc z)FO!Fu-Q`igA((-;Wg2@+u4=JJM2N4M{3A1#`>IQZ)SQ;CAkxOp!~e1%}7Xl_@s-Z z_5cw4J#ceXu2VVHHoG{Oj#^Onb)W> z^|Nr4C$jn+4{sh{;7uDqnnMenb4CbBBj};cMW2)JBxiLrfLBr`gE=a`xmI85r z+9)amxU>=K_Yv03NM=E<{Y-mbw=HzwJ9M}U6gc2>YdAJOO6Q@kJFJfEqQjc?2c)G0 z=wUHf9~9gt2WAZlBYbDSuIfff%-q(;b!*QdZsU zebJDkL?4{?2Xtfkn3WgYid6$=ew}%VPtTHs&b%ZH9TP+fm2i{_NhyjVwNTx28`HE#ap+a(LZzq;@>kls)`o3y59 z61~I|X77b^*bmwE2MphgOV!<(|zm{R;pgnu#wDC5F80NVo?4TyYX9n2@p z?w711%Rab_^;1D?D&D!pd32jzZC@Ou<(grzG#sw#c6UDhj%~2x)GHr*?09yk3srLJ zM&ijT8BgZ^X*?B?I_oy2Vn18b{^&l~OquLJ#{>bK0B!-PB2n3ilQa>^o(7y?@%nABlg+uSBOl7Hf`&W zX<|177P4t?Of|_@OeMhx%vg@0qK6WswpLg@8nYFa->J#8c6FSJP90yR0zL^Rgx56K z2YqOe`Ow5Z(avSHj^(rfM0=?WOlrJWn3xuCr-SjxzpY`TH+}qPM(|pVTe8+drsaW~ zUEJI1V0olY0ytWIofEdWQt_9-of3J#7A3?23{Z?(-;QI!e857#K5a|lMsFrip|ciE zVeLB1xv7LJFCq5_%vS{yJ3H{p$SJfy)=A1>_nXd=;%Mu}dLXGJ&G=3E1WVF8T?#Zi zM+<$t+ytQtY@hWIH{#%EKw?JlWW&VZssVZUXmO1s^;=)mlZ-@6-Y2VEQ>91~CAeb# zXN@jKfmfgpD>@o_F~lb=3@_FgB0xbq>)iLF4~nW|t%JXzw6D^K%SZ$;_8EI<8|k1o z%UcC;im9R!y^SrOuMA<?{6w&%rDpctRY&Jhnmb{tzR^CJu;bxD32(59q>+LgbM+XUo? 
z1EEe>W4&&MZI@U41GZXu;e}t4lq?4T(ACj*Z+%Kc`IVwasn9J}-B2c2S`spLwBBCa zZWau-zAFU%hNQ0Zf>2JxaFzCZt4&SaN0^r%3o4Za(%o#y76;Nn+WmvHHvz!|EvW}# z4adY3OJ*MVPmQM=b*h#tGe-s`@VR9ZS>BDIrh!JmW6Nop7|f?I273})h@NkJiAqBO z!HgXungsVjYtxS4Tmy<*B-G**@|BrcEvBBDBd^&vJzk3GMQe;a@TZh}7C7XD;a6IB zp86RCR2Dq+^F<(pzi9(PxUq~hOTh~WD#WQI@9>`mJMM8-Gz61Jk~VBN1wL}S_WL7l zQ_#ZUN^)VDyar_FtNyQnm9j4Rs1Pc}b_&uBE2Va9NtYz~cV9^#?=w9@9SJwJWw+kd zF4Cr>VV6QU$Ha1r2Ri7Hx4_EYgsDn$3j*p|I?ANfsNU6L4N*OT7n)%n69e4Jg(zn~ zo!(apxS9zFG5(+;%tf0m>w$$bx@T4kB9}ff|1o>-OcS`3psj+)oSZbc{63b)d}~*q z`x+-~V`=uUZI|aIfcWUQUEi*ZHVDPyDPJuRI;fP{;eG{xY<3^`9R`jAy*|C#1(9-g zqZi1=Rk8H#%Y632FXjAILxXcxQH$?l1NWMiYxlpaL9(~n!`mgGM=gS;?RMechP_*i*|=G!lONqs5J2KAi&jVE>{!1PXkUdWSZFS zT_ZuH0(c&OC1^L(9FOf7y~ZL&(IAzVBwOjsb}9J&j4=Fx2*F>Pzyg@dClK-@E3rD5 zp^n40A`5^%^_2R)arM}?86lFz&zFC-5qS6M^#9 z$*vghqOsHI^Z-n7_vC3$pz;OFm4K0@?n_O)#LgwtE8r}~_;m8zR4VoTrD$>Bl`G+} z5n-yTSK#D(JAgIsO8AAafZH{5XVX@7qS;NtQYu^!gV>Ykd^iWk*-Em!;yCq-O50P% z5=d8pK)$?&&>|?RXK`Tq#~X$swsW0$zo;IeNd}mt`d}x<%xyDZg^vDvh3=f<4pvU* zwZdBrb{S0_qOeC0nMWFdYyV!fnGyvAcb=%8RbPy5I_c1b`>EwStvcYqd=5$lU0{te zFzPVoLILERjC}d+*`Y}t0-!siqohSTUr{gVS*O-bPh~)#mQ%eru-3n1^HKX@ZGshK)pezn+3?T zZRJS-IXYomSzbmmzqnt4n~^z-=~+=?bO$k4ifpvePh1o9bF04|W@n}X-)|UPjo6Nr ze@$o#fzH7jLhjFv;HC&oQrExWsjE1XRqdtf^RT+mXfFnqRxaaNI+2y#u~7xwsAH$O zKgnL4-3^ChB_QwL2uDk;e2Wx<+n4q$cZAMT^o6WWDP@Dd@&T*RwC@=`7h@Jbo zDqlv2j^-9(#@cZRl09tTi11$I$r{`4UKh1)H5+LOg;*0#=bW>;2V-s)N;GW@(HH=- zz)a}qB={vUXD{5 z0Zk@oqPLA;Y)i?#hH8rUqI5R9j^dU^&$ar$+byYssjVa@RQ{F*vH%I0X#3V?i|SF} z0JzZK3e*Z-lH@6u3asX){j0kf?%P0L-*e#xm@kXRd!Ycy#_4wP{jjD;T_evk)mgn%18dM_O3k~%CwD_vgMo{Mhca$ zl?a8DL!^wND4W9y<50|&!%D~)G&ZJ9!?qo;Wt0hNaz2H|WE`d_Oc{d-4QU((F=og# zeD8Fv>7DD^z3RIze}41V`^Wn}&wc;y-~BxI;ko9Sp6Vq)ptf09IAmvf-H#(1`*gIg;LXph%kYEBWzeg&QXKM)aBi27@{ukB5O8fszptom~z|NKQ zr@-1v`uEIeRODL!9aeNfzf}DX1HrbQrR%>gzbEAZ@5++G;Rzl4csUHU5O%5a z-RidD&iFw*Y_^G8?1((eD&Ym!l)rJney*OK%1H7^TX3JJxb|d*HirgrIb{n#`6w@! 
zc(&9Yha&?Hz-Gqueg={i+zF`EJ#q%py=J-@ubj>zoAgh~R-Q|_ICqdf5jqcl(pI%XNpF%GT$k`>> zo!D_8A*)Pr4B~E+@4;92eBfiM6iJEUr3d*ulGUkC=%a@eA2I1g?&=OSt!a&F`dRBm za6}s`%)f1-_J_nM{|_&tTGz(Pnq-d7~<4eem)X@DrurZ zCrHC`k6P_a7t{LbwwT$2b@0l>AfYb?qi(+I;@40s%(^Glfc&}hLJLx#m#~>vo?FVQ zJhSk#*}A0w=(hYH{86)8C7CQ*`mqw2ElEdMv(XmQ2BMjGibE(YV@*dD{7Hr+G;Wa$ zsW-{w*R3B+Auf(*kFPgTk76}A<1ggAO|A_yC&n=37-s#v6U-pad_yWxCD;^kdZg69 zbi)GQb#X&%U-kI>d35VxRdZOh9Ta zwu@+K&VKKj+6SwdYQ}5TJH~O@AJLZlsvT>`k;K=N13_CC$B1!i3*!)?G_4O&%cj?( zb4b7C4r8|h@N?_56&trqu zbn6erNe2l_0q23DA4j4kHpsraaC|e5IvZl|C|rZbActSX#_UwVBs`>#Wcirinktlu z>v#8@_S4`WzDP3*@mlQewYF%8e{Rx$S0>k??Xtl-Qo}-w&-6P~HuZ3{MTgseqUJH_ z24>L(qbADEP0r@_hz5EqnR*pXI)k8ST=dF@K6O^61UMrhP6~l`O+BBkpkqt6(6G@_k;8-p34ysSwyPYYycRhZ6b0z` zv=;HTu?UI7>JylD-(B$_q&?TO3lg^IR`QgTz3!^!x0v9 z1d^^_?NkD*h^I{WQmzbS`AGa!uL9PvU0Fa9{}R~M+Z96M0T0iCHpCEzDsocFZXMt~ zl2H4-eoad)qAy_V7ck=HeeLg8&Ax899G?VLgvi*ZsfrHv#m9Hu;5(Ix+Rh8GU14FL zi0$I7;$bJ4D^|!sj~qI1(vFKKcweYmCOylQuN9osRXyQhr0a85MdXZE4?x&mjYqlm z-)Tw5I=Do@OHtSZ1jO2H1h}TVh-+>JGX7MW>m=9~+YbPYr@9y*a8w)3t4WF5j>`Bg zWt4(;hSe#6@i}QPV!wMVCxdGDV)&s@O3~#!A8GJhaDgoq4ZHPi>`#Hc>OF8H$n^ZE z$jv6();<8Lfsktj*~>%I{%T1m&3$<=FJ#73ZY~oQmV@$zx$%^aWisD3$ThCh^1!5@ z=UqlyCYa9Ysdzdr6RV7st`$@+6RTvTpkvz=$1i=JXiPm=+ASTDxqp)?rmmIj1zt?7 z?zM@%`d~fB*3mlE{a8Mj@F~ZAR*y$*&NBr2!Hh0&!_QGB8tgM&Mq+v0A&v1A(Q zUy^=?bm|8^G!8ABn1R#0^FxOfc%CBaYTrH49FEDOzzBA6eYrZ8<*Jk0DzYY*0vGrg zW@vzSQSUcvANUi`0IKLIV-STIrV6buu~KWe7&Je6Hc<8WD)2`4%thfMoAt@yO>=-k zJ~HC;*{sg`8~n3F9UGRyQNgB-Q2v9D$YCD@s~4z>>R?5B*1?l~DGwtjNR1y~pUWi; zKmRo?mi|6xrSWl*myJ=b3+GK=dSd0s$ww2Wdj0-4ZScS@sgx8k6FWQ5a=$yUBG}%t zyPCuJmFZUqhIezj7Ro-1olmD^%3`3JZxQTcKXZ5R&iGKZ!RmAZmdQ`I6II6@{KitoOnSFLMOaxly?#|j3IUApC9BNUUS`G$dR~7?-B93>?*GOsVL5YK zNRNI3EB*Lqph04ID-kSVSD6^$G!fOu$L2J7ADj+J5X{bC0{&eQZJsR+rm+=&M=--yv zp_3=9E4DhO80+lul7UDxvrYNK`Wzq3+rxiZ1xy14)<+-?-*u#?yr5E|>N zV5SQzUCMsP_ejgiCf46rLu#ckc7|JTk_KaKxBklgsrMu4K(Mp!N4c_Kn|=g$a0`!f zuzSAKS>z*UBE?j_Fip$bZGE=okQ15Mn@W4@g3~-MwU1rH?pn>S(yj 
zo!{wxX14VUQx+~8F)HdJP~=*D9wV8wWynGFUpZTF!p>06q4jv4Is;4Pzc0zhs35Nk z?GT=w5x9??@$458LA8eeN%A-=mOX{JgEPw zG!Qn+tUeDQ2^fq_c=ANW;niK4fL1JQ$0h;_T?jUUmA4YgZM$i4q+^*JV^>LNla_GCTJn?=1F#>^RI4K8Q*^^l$tIDVUn_|TJou(eNI+A7(bEt zR%dO)y}jmTnygJ~5;bI~3DSn5lvp)W%&I)(^BXuvI0ulT^Juon(c3-wR;?^okGkO; z3;Q3y;Va0bV6zE<*nZNg4t`&&sYpcQrGyb2rGiEZm)Ne7Z}0TA)9{Z&3+E6#psd9e zuPGyZrIWy_eB-<0sh8p@)&Ke0KKvJXz{C7sA%XG2C8W*yGjEc#9PU2ETk?fxcE0C9 z@kav#W8?CTcx0&ko3ym@NGEFb4!5{qCaMq zN+}ds+P-N@NqLntEY|DpojX#+@C%Cze8zpWx}>88=cLM}O}eMABnrzK-y90yc9A*? z_2R{gM$ejv1UDm7OG}tia$f{Jh`~T>$flT2KS#`SMdI~uA%zlK{eyeTBkv1Hq`9<= zOhQYlzH8gw3bTnPn&xxweq&HESUU4^OZ9J4ClG1ArLrlO%C7tLi!@VMi6 zui1&-jS-W5o)(egJxacJ=C0|aHz^&ng+d?E+^(qhlWB9FNKAiYz*}`y)koMCOk2P= gB>)5LD)m{$?$I@B)YjC~D}dh-8;3&$*52{|1x_r`>;M1& literal 0 HcmV?d00001 
diff --git a/docs/public/images/projectops-write-issue_dark.png b/docs/public/images/projectops-write-issue_dark.png new file mode 100644 index 0000000000000000000000000000000000000000..8493afdf63e6d9c386fb37ad48067ed6d55d3581 GIT binary patch literal 626147 zcmZ^~1y~%-vOm1I6Wj^z?y$JKySpszL4vzG1h>UCxI-Ygy9Pi>hL880d++}~ z-#wY$92eb~vExjA~3!S2{Dm`sft zskVsp_5Z}hV-x|x=uaz`l@YIn0mLdwz1%TQO=v{YR-UUH7Kb8u!0TZoY3`5wLb%sU zA!jGCpo-=Kccx&%@JbV=nq{C(kr}X#AB{@ZzH@8U!^Gh;^Dq+O@pj#IAasBKAvlOK z`S(-N!fVNt{BHFvM?N!0kQkW<<5a9_=qF@1vk+qThapF!+ z9o#sYukN3@sm1D&GOWkKED_E=95KLKjwag5->1ObYXs_itOV+=NfsCF1QDRDP-VJf z!+U*=MZygG9Q`#!9J1!tq?dzHap)GHA1GGq$L!2Dnee`G6y|Fu1>-i!cOPl-t=+ZI zj~)EWk3OH7MS&*gbS5b*h;cekVHXIP!3fY$#PsIM2%6%&$t_-dooL^;Ss%Af-YJ#3H!HGFKb8`Mj$g&N>tc1RDGj_~`Eu52>LT!qFsR1*0N%pN)Z zHq%oESn@q}XjF2_^AHtOtptH2Yi;$PpxJj#ri83kl<))xyYY@AMKm1I1ahb}@Yv_B zl3Vz{N2qp}$#n4Z!u-)kek~VVM$f5qsCFnElW*lwGNit{b{9Ghe*6OSApgoM+QGBr zIRxWMR*9bBhUbh(;-<_04*z!;SGRa3-)=i2)0z23P~2`V9k-dRTX|7BCQeZ7`DIGZ zU5>LPW3^FGE?H~CiR8l}+AV5f;cw+T=|(g%=NOhR=oYq(*lPl{gbo15GlG@qRts4z zAG=}UGgG&)=Ha`iG#IbQhU^AaoecR1k2;U6YdSB}J|CGri1og5#&o(OXY$w8tOKMzFhLlwgJL+*2;*j)HzFwY9s-}x zZNlJ+2+~6{%t$K%h6CPeXm_D7MNr&f*t__y?~Pz}zp!-p0l#p~!E6U7A%-Sn00*T| zF*Ls-yNMZLpns2prNES9PK^gsWJlwuQ#PkW$T2h#Rf)Ax@QfvmneW58ql09fDSs!k z?$caB4XY7V#}SpT9NVRbxzD?Dzt0c1DOsG8@WkvQVUeww6SfofgBDIQkrte@wPS;4 zM~jchHcuo#_+hTDhnyKQ{<%{RNhea<+)EGp<4o3P^jc#7By2a@nGw=GWb|QdR|*ld z!Z@}erc3*t_o5M|BNuzZ_xRBHW>T)?KA896Na0F@o)R3z@r`M&(XK>&iuvJuQj{su zEfjtOA2_lf&KyOf#ZQnI?h7+SBaFmRC;zgZaQf??F5_x-2s($uD#@K z@rY(~6-wp75)cA{I6;`u(9k^4R1*l$Vn#kDxF@_2+4B4Z^;De9oq>c57?tG>RW_vs zRl4QmkFVl@W)^FgYFB%}4|(F|dK?|`BtJSZdpj;&3gtCea@?av7H1pD*sZwQhk}t1cL;>1m$?icf!{ zJ&3PiuPLts4nHtg;*rFm#M32zQTuG@Dv z!4ct0j^CK~j@Kub)=%XR&bQ~6T-Vt5+7I7;w_oBvT-*drwf?a2`0ZMVz>hEngAUho z;QQ`9Zh&-R6TO<4BsKj1J82- zds3r-dBq@T&utHP?>E&M)jp>3kNIEbKUU-WNkO;_369aw>d%!t>K{s+N-CsZNhITA z6072UaRh0-z0b1wZMM=ozPY)4hxxAibw{C5S&g=ZniESC+W~8b7LK+~1@ejAZ!iz( 
zC=D%*W;}rboc=XEpP?5!jJ7^^EgO<)kmu)=It?aFn^ES?%M*MU!x_Q(k{$*MZvnS_ z0~Nxmhcb%007U~V{gRUDjMzTXUg6i_dc_2MtrQyHZj`p3age2*xy-UB z&q&SIB-z|<)ju6Gv7WJ*m7CtpmXw#3`9ZImYC5GL$DY$`WXU@_tX6M@W7=V(3nYBy z`k(?=@(FA=wHiVEqEl9PC3w&ay%RbS`e6~ff-J9CSQ1$3RsJ$n#zlq?kN<}qrI03X znRC_VcihGm606W`SItk-7}>tl?S{N}=EMLy;i4NAs`)}_vt+M7kry(ZIsvg?3{-vN_c zneBD1rk{Oj+{!!;TD1dfs&yS2SdCuHrtf)f9o8KbSNcr&tiN?~t~RlpR-I;?3QkZ> z5cBCd>visFO6v?SPXtc{5GU}me!KThvs)~i{*!y!M&QEm?aI8y>NLTLViQtRTQkvy z-Hz`V)I#MpnoY(px^%|9rQdaZ&3aOw2w8(@^1SEa=}z!&sFZfdXf^iN_-(XB+|mAd z=Ckvr$V%VBi&?+>>mu1=V2?NXv)H8g%$Kgh+Q1E;Xx~ck`>I0yoyFwkx%p39Yk~Y{ zu8L_N7K;n>1GkqQSB!k6F2-U@mrCOj??{=1R{V{;d!D2YV-Q$04V?4yT(2goK505t z45=2r(A;OG*>>0_=HCizew;bo+A|gC=gs>dYPthi@jK>g-$8HfY+p9L?3nYJzqZhP z>bNV-dS=bd$mNAGuvRCFPUiE7+Rqefa)6bVqbMCn(podp~g{ zzo}d1L(QMYCri^P|IrlxklzLuqu=^(#qM|4C5MMp^W)ynlVu3=1{hs`J&^a%bzL2< zz%KL_NfUlrGk&hPDx)+Qe)g;Y}$S!^LslW?f2o2 z&D0O@7u7o++l3FwH+#QEPYUG`oFB3N9C(|Wm=-FLYo5rj(vD!Lp7;{s{! zvt<-ySHJ#stBO&|hj)$fKCd7P{g1MGp?v=@e;*XB>UuMuC$_StFucd2-)(OW2CSvL zq#7z30LmHW$Hm)qthJuJjj}R;@vV*sfQ2Fgz`fO=-cAuH;{U13K+ywW{?!f*07QWR zu>Uni<*oeZNPav2q4{?SlNt#?c)P-SJAI0v|9dpTU=hrJ*J0h?`T*jZlJfFzrKY93 zwY9T{or~w^D6aaq1|(NGeGdQtkLI5fN?wEd@@@V#kd~gOp0X0q(#46@+{(qmn$^e2 z^`ChFLO#H^s*|;+Ik}IMqq7IlN0{+EUn!{Y2g_3ugkdmbrk4@-BDt0&0Cnf#x5%`IHKJcTJK|5@mNj(^{$wGZh3 zt>on&lm4%+|39g=hqb$;i__bpo+AJ6h5Z-t|L*)RLLs()p8bFE;@^z^ zSL++6MUaKq{^zZUAfH*CZoj=q5|EUt)?4}Znf-G>3%vc%|GRvv!`6pMhz^$l0Ac`n zDRC_ysIvfs9wBY7SLqx$FcO}lx;Q2d?pM6hFPTM@QZ$T=B{4;mDHc$0usBR+a8Sx; z1PLREM77Z`4KX*-$R!v9(K&!nt%se9t(Tu4kIs6Vn-6;1yDyAHrcRCuu6vuGHu*l- zdMDiSZJe#_4q>{&l0eB0{NEykMpleXymmep4S1zirDOtPtK|}R{;JB(->Y2gr}E{* zon?OXuy{&uf=gn(JkykM8B!-i#o|k7NmXPEm0BB$yMhncY~_xk3vh4KuIg_6^)t}} zfoK4Hq<)R+fq|fsvGpKF7oq68L06tf5;Ml9>-e1kk6N4S{oxflR?hBS_QX5 zipH{Nl${~1=|JukFUy+!vtZdLotkE$vlX%~f%jdX?C^&mYwo!$_?k3a2oX!4M)38? 
zzq zFQNiU-d28s`3zCGcT8BXu?bNS?g=eNRTh>tCC%cwLP=6XpWM>nRx_ew)<Lb$s_&q_%k|zP!X!h%TomL6%-7b;i%36+&>HCOg`Im9;&Fd)j1{2k+@mPCumSPHwlBUi^J$z6 zx0&e8hOeFJxb;RbEn%$VyRbP%Ui(?KfP5cTAIdM+*f?R2)XTDu%Q;_ZgnzZJY>%Qi zN9ulv9FlEHp*gQOW`Ms5i291!O#FM9!9Ad(3pRl}N+Eapo~u{=xAcZU0C(~*^K$aZ zQt#u8lvZ@-p7S|Op!&S%xu0eoGsshyK0<^&%yh2UsYKc-14SNL&{tzQWL2C@qg6Sr z;c9b`BZODBAn@7U_=QIh{43!S#2SC({-1?U2MzibE~?AgBtCfLYVKDoQq{7!O`gWF z0Cy%(ak*lEs~3&sWci&4&=dKXAs4M#-3K`c6Hs4g9=>@;h8p!Yq$# zK*iYLBz1eFp-4#OX#>wEe#^n+C3Q8F6t^cwmH4~e@^)_qK)wKpzn6;yGaR!g={+TTLeJ)9L}*%q zT|u}KebD?C^5eOdVqn?In9+l#v+1%J{TVfHjNY;;Qli*{9=6)lmA_@VUWo7OubSNx zW`$kM4JqH0?z{|JGo(lNeP{y(^0n*PiC_zA@=k?V3OX0X^jtj;=JzfslnTe`cF9ft zOq!zUcYI&>2yMSx^(16*9nuD)hjGYX{g6Wh^pGUO=6Qm_-|`h5Y%3Bt`M&CN1fh_e zs(#Qg42FEMbhU4#Q3Ph*K$^LQ1g*Sv6xMaho33t5F{;^%l+hvUelZI>8&$drWXlKl zkz}h0a1;P^f+db%oVN0J%>&TH{YJX-Z_2OuJHmh368@3vPmIt#t|8zaHK>9t2D`Ug zcsa?63rUn@i&krwTFSJmQ15OPx2XaP6k0DZbmeJyy)mwu+)1GkeKJ{&>^46esn+H_p!SGJ(FYkEEXQ%s$c>r4*$QxKbYq5-O zoN&b!JRrg_+)`;OB~lX%`D~nqE>^@)uNu^A_(^r`U>3~Xmj0hT;lDPD_yho(0;;0f zix%xW10uf^@IF^)fo5C8{>KdkDOM8<#tcRO&7MiK$yS?+Wu0~Ok6NG?A# z&_>qv^s@lSQCSiaM5-pOWp)ioK`&1&G$s);?Q&;Z+{F2!gG*xtwkr^#mqDUG<~T;^ z+eb0@CAA)>ePyoQzQbT>5LnjRwND^=~PzL!bVZIP96pB2qUnttq57wgQlP+F; z_LWV0`ZnB1@{SaNaYW5{fjh|<=pZxI^3{7?B({uI_r7JL-M4nDka*b6jlEF}twh!7 zN16>mN&#Qm*^~l=cu#CR>TgVArhx82{lc&y9s31^tZ@)FrG5dB+} zdS>~mg}cy|D|!NjsABZj`iT4w$4b%x-mbb`JKC&_fusrG)9>U(&dL%MK36 ztQE951?(z{j?5QcwScHZ>2zs)H4Md6OhxhXb#@TjJ37z)v*E!HZAo6Ft9cfIY7{x3 zRtT1tebkf6Zhh;&F>Ihas?=d$+ zYsN3HetkIvyDn)H3%a?D_;RFUn7@d@OU{QXeU&R_dN(71JZmzdfZME<`$O1^0VHo) zu*QN0%XzPRhYQ>Gfv6F+J7xOHH)prS9ADu?b|O)(s*tpL*&!oScKC8QI3Wx;k!ke?s%v>j&qp5xy~Q!oZ5Ea;0S=uT5f1$tG2PqbYos%C~OYwTtlhI=8kSLf5kePtjg zBuIP9$9j#rkzjS)(z~)cXX$1pZf5HCPm7VIJf`*ZEHm(i*?n`C>|`R=>82TP`a9&{ zulidL23g{fisa{Z^Iw$pT zldpwf$@j72m80F?o^`qs9gD84Mx`D*-DiY_l|~{KwaZCT%1Mg0q6RO>^BZMjGg7j<2k;V)I0bjI7^__@Jckh_|)Fh`Y8iwVn z<9DP1O9el=9}g_zfW~}RF;{V(3@xnu`kEa3UVZF9jbhS`1<*U`ZRnEO%rP}ge}OH;gWp%ZI}JP77?UUDEbZCidJ;*3`AhB^Yb 
zhqUHruQU`CK{^YKn!ubLah!XJ`4?k4lPz3o=ri{Gb0oeJxk8d0BHgP}RndZ&2m9jq zd{xNfjF}Xho(-$3^_(e<%yI`^(I3L04PdHGkEo}yw zYWeRh;{Ec_xx-FGxr=leddyeV-jpu!b2s|o38bGp&}n&ACPH!X16xg7!#U$DbglEJ zsg4+Wl&@9jpELgQvL_Co3cu{#<9is|GOTwazoq78}Rc+5SkJh1;C%86k5q@G^ zZn>>PNL@S%FZ+b@OEx8LTWD`6-;Bt21{8p|d0%q*BTho1wRA9(k5wzG*ofm(zVhHG}2U?Za$!U%e-K ze*##pjg5t@vRwwb;IozcZM8yT-&reL@QR^qwRgr9tev#jcpb?~$Z)Vl;}|syWWMCf zPh2R@P{0+CS635{0y zonEz$l?^*@CW;e&x_-_u(65P7wp`|oFQoR?`>BDd^{A{2{3ATp52Q8SBul7{|oN?+e0sp2e4|J zUAn_olHMM~KZYU(5UA=ict}+AJbLbWJ*El+w=78m@pY_tFWHC(16`Y=GU}K$8Mm(bMtC8@w9qbf= z0cu^6dSbe>f^bz|@fWO2>vJs0>pOLB`*D`q;on&qYDs4uoGd(%=X6fZ*J%89+&bTf zRm&RLg{?Vc>4BB+?h6jW1@qdBLn#p-vv)rtH)wLe(ZjDAT6GzE+}ZADvjI`!=0Z5k z$kezcBR}QNSSoI?q+(#uTHzKE*jKRV<9+|+kmQtFqJEW$1$)f#DJf7sH&GyegQf7A zY|eZT%37RH?>&_`$K%0M={z=hpyz+~%}GMs-n1FYSEilJq%7Lqp-DV}pjL*$>+@>j zR9iii6_sq3^_!vndTX{cvdwYjQ9Sczr>fTu-s!z(1xhs_$_?t=^D7;)jj&k{Q&Dsh>GhJWq}z-Hw0{It`>gGm5PiL{0$gzZEGUhK3Rn6|_ z|0aVY;=%aL?w{>73;LE)G*poToR6&&^8%!dH*fM{bu~Zba2QYqXdwh0HVS!6(=X$# zhqlR)PPTL2s=VQB1#?E`!YGa|H=iE`(mmJ!E$a54!G%LB-C0V>?wGf}rTu%^Egk6z z>ZU!cFu9Yx$e!UkpipMxWtSfn=F`GJc!4F$OV(8c9D%teR>~QQLkuj| z$Qll&zS;RHO_bh9*~?+>mHEI&brbUHb1eAfbsZKQo$?@gRevUFC}tVbx`GIZRg7xp z*XuD=oMes#x`Y<5pC7{Ml>Tl;C`JO<9O)0NPOjj}ax_d$XT~<&1srBo^2!?*IiWtX zw~*YH<%=-thV;T%RyK3qGRd)!&`WQck7w4Kjf>oBy%|EPgyZ=4sAjpDjOC>*v-puC z4F-L_bo@V|M?0nXS+sOaG8%sgEge=ll-?8)NU02lgXb*GpwS-};9tJNu|I67Nr!w( zQ)xi5AmRE=7e7Um41#%1=fc&?$f(dggSMd@0VI_6V`xd)pIZ=RErU92GC4miUDN&0 zciUNtJ2@?#syJG#a49XJvKAoyRIh^0leS!SHOGlFw& z0Ek;KYn7apx>=S0DF&Xzd4DuiGTgh1;mWAk!9*wc_#e^fe^4$v#LJS11jduS3f?Pl z3s<4Zaq!H<4byz$A7B7$MysZC>6m3jySsBe?%d~ug{2i0!WO4B@479#)3yVtV5Xd0 zO84R4FC$}2aAw_!~ANyOc2nXchxx_vW;%_BoJa%8!sZSBB< zQO1pW?qQyI-;#)eHu2tAYj7LKaWf_RnuR_rh>;`zm_9=_wYaZ*N(x!A>zxpf-bnye z5B!wC-w-VVT&UhNGs|Tg-&2%qd{O2y7kSn0L$z-NAM1_s-!trmsV~quI8_KCc;=kX zig%lQ2S5+a05%>d#i08z;8UjyL(hxd+s5wX)^V*hAi8kcMLB2{aVr2gss|eS#T3_+ zLB(E*r(+7SPZ?Mw&~gedT2(4j+JmqlmPIW^g8{AXY#q)Li)%0O2)h)@sH^F`yqFf- 
z0~On{#Q7~87x->&4(PA>=|~hF={l;n6I}H$2Q3POBk5pumzvNT2>D`uI#BIY(NN{x z<^-BnIJ&3WsQo&{OXcb(funWK4LgSiTL)+Rdlo5R=9LS6rD?a;~#QS^NIZmXZ)!x#g&F?Xw>MdP=-xOKWw+KfLg zpe9gN=$3&8B?0#x9)^Tl?4KkCQz<-ZKgLr@FDR`=A9=G%%8%C9=KGbc$Xe^DR<{X! zcj~r7fbm1kXw|*~j|&D_q3dPyU96W_7txk>J3;$Bmhs;f!I|i&u5XY(xrD>Ok^P5A z(Z2+godVkL0jf%iR#iceo)sjP^yd5Alos$#5NX2Qq0{s}-uNhIaOg6g!mMYG>1_~5 z3Nt8Dl?6u7PfjbV5*v=UDiMEQ#{#j^c^Q8^KJ{e4+(mZx^6;2P;58OF@Nh#Zv3v?g zY`U`3ELIB?CnxAdgJY0h{SdjzEAo9wA|BCip4Sfz1xuWKEpZ|(c81Zc_r9y1^b5YF zZ;h%4>-^^yu{;$+8YQAq?-3=bP7$!&2$H^-GjyQ4oZIu%fL$htfr}=rhh6iOZ)oqqJ%#5!m(Ml!ZLaRhd?3HWRoUK zhLHSIc(6drhych`(Ii4hccx%0IF$F&sb<|q@+|&cn>?Z(>uqv(i(NqNR1b~O`PQ&Ne!k{+x2?g~Vi3Sx*ZTI}4FOcF~f{YOrI@*}#n+xdG zGhq{LO$LCx&h>6J7R-c#dGo+xkVGtqpC69lR$*92o4`7cvy9>=O;%qZ&Q9RmS5!9} zN+wBF<3vtpqGeSogj2$_Ch737Q89h*$^?!j{hhM(xa7~DN+e6GZ|*%RJ6KHkGB#8T zxez0!e-iJZ@f-g&Zu<*k7Y-?*JQ3$j_b-J&4p2-8C?a~fyWSLdsfi-U?KIc@&r-;t zOcqx6{k}U}=}cQxDo3pd=!KsQ@p9j(hPQpt!*#H&l{;3MVnRH`s0J}n{1_2~L1=6> zo#Y3F2mQy1#lGq)XxRdsfn)^I51!D*bd69t@7t3f;xzALph5Myyu{Cwcl??`O~=bV z@ZRZh-T4RcFOR@CMX$@UcKKK z2D@@5Hcd7hS3Zm!Xgsw!I_dkKwqJ6-<(Cjl&}F;UV+LRqCd$(mQr6%^3{{5`G}40y zzCsr@T?v>T1K;K6i7%Dimb8_(1#dJ(=Shcs3$xJkU&u^~zwl@O5==>CHZ({6Z8{u^ z_~0X6+wJuD+`};iJ0NgLQ}&WYFJaj3m#%28q?HPS_9(+cBf!ue*SX?=VIg-Rrz}-u zbGYK72OJMQSS`kZn73f{1{+Iim;~75**+PF_^P2linsYaE@p`kX)bWkW`(thEQcG% znibK~sRHj)cWseog7vE;Wp)th>Q(;gi=)CWltn%cVr!_``YO+&P)#f1c`=_8aWR;h zidAufvX$}|^@$ZNff|n?)rmq?k98OgEOtm6eFw|$>dfY%9#VOO@`~@S;p%}bx~jw# z^^>voTO?PG+KRfQ4$iam$0Z8?>>G4)hTZ5i<|{mEsNK(W2!^a2X&xFA$3zd zmYO)gKV>TT```-sBfXZK5bQ*n4H zCmUGSIO=sky6f3sWYtUIp-{=eXl%iR?S-|{d?)#I<;V^z!9>@9o4BApqw6t^QRuM4 zYM;ARmci=k`HNx38U%SFiCSX#lFG(Ukf2vIE+3OOlw(A1EA#3v)>DseO% z8)t?~X90os8<=boS-DD%(k@wC`WumuuhLVgu^ zUNxy$)f(3;1qfWyM~-DZ(gB;{o!H+XwMKb%=4eLn|N8ejf%2?1dzpwm)UD1yt72Q^j2co9?Mbo!)`z z)z%uct$&g?9R*$q=Rk1=GbC*#2ZEx(Vp(Z{RR0O>kvZWH>{OzpPSQEd3>{+Z5Cv+O2QFuX>uIm`&yMR8)!*yDg*qD z5VArDba5~+o|)dkWeI^OhQaoRq5GPe{jp=*fifbGwl99Zk8bKZ?`@c}Jm=mKcNz^@ 
zKqmI8jKyqZ)KJ$(NvC+6pE*Y|%*>EB6p)B+&9_?Yc-!&vnHcexmdcjv_y+Wy7nwj_ z@NW{Q@pp-f!Q36L8Yzq6ujpl$=%=BN(%c)&4yXsKjAHp%)5z|riY90mxK+cLE*SRH zq(7-y9X2|BHd5p&uFoNc9T9*zEbrWl@CFsqJzqMO`Z8;8&sXa~y96AGrG1Q3@@tz` zTpOp#C{B@Yo=EZwOfAHdGm6%U_R^?N#~Yvq*Nx+i$Z5@CJYX^2fE+}k9IsZ-zDMjl z*L(9(9at{hh9MfY7H#b(>|o6bbkuitg$BJ25r@!{!Zo9F7zKi9cADzBPhg-4CMF)6 z@3L>ymmcT)Q8KiQw<^vSp+23(x7jnBf#B2V|(szZWl@enU08bKnNvu^;HT=2M z5P4|oU`;EF67n0jH9=!&>nU?a6xsq*Z~nON zDCuPo46G^W*}yN9T@7AAhr}QU&>OybXRC9>(H_?IX~PMVIi?={p(&^hzPrNPX1wR~ z(+)^<;ZI^q*YHqIArxu4kwM)ev8~qNNG%C6;gWGGyXSoY|9aRu!_m1?AZ+Ds=6ae^ zW6fkiJh$9GYdJVGHY0`%-R{Dol1G>z+=5%{0#W@uo`?%TV1k)3Z_sbS!I-qavP#ba z)<++D@p1u{P2bi25sX4~yDU6$V<Aw;by2lrV&fMoZIxxmJ}BpR2k@fa2A{b?!*StIqa+aFT?D4#`OO%_)l^E`h9-=Z!(Z0fte2MN`kd-Eo5THY0VD|Bd9 zv{XbAa^1<|R4-C9>Ya;83r9dQZ0qw9c@<@US)cK9FzAFd>XTbGK2fu5rJS#Ovyim? zQh$y*XzC2{z5P=fsZo6Sc^J$uHJ93v9`-1eTS#|YD8$3~s}HlF@$ab;EtCV3@9I=W zDzm8UCJu_pKKd*VYm6M(ec|KNrpj|evo@JCnpn&Q&Mh=9>UZMsl^4(?5EaDzW3J+{ zE8JP#{&=P`(=`$N9;5W;uI=Aitzd7p4SLJh1uRb>i8%++Av&n}((;fw8}wfru0?(k zoN~UN?oq02nImcemnCW376M)9G?vEGR06JWRmXlRM$Dma@NQt(HpF0 z{oo2dXR@v+YpXS}KFGE;XAqYR8M7tb4?$rgIIgEzO2nSReWRf_-x#4n zdcSHX8q`iTdzn>8Nz|mtXc<$K{-NoYnL9(;fUdSAHsU@$mLz^zf;WkJtnTAVlGhKv zk}GoWmpFK(gC9(^g*VJOyHcEyA(gN*@>kxY930bw#1aX&ze#3{kY zYEcIzCRsBOJ7RFB68vi*XIPNw8ArhSl*R&a`!XGt9w5A!b2S3ErYM$q6AdEFlQ8Bd zRSZo4{;H9%-k2z((==8mVK0HXmFMu$>JHaVv?q?w%PfaXP}czCfQBhuEUI3>A5B-` z11k2LZJf_6jw_=R-iayJc$<0rFL!*YZV9IilWvOLiE>0L#H48*K?`(>2GmktiU_F;TdW2!_DH|VSQ1m-t9XBEqh40EPbR(*@<6I zfSMRGk-LEuU2d#q)q5b5Wcza|8i7`Hu^5eVwTV;nJX+1E)Vkk{zEkHNA(zVLkVULF z9y9{FA-xkMS45N=g)FXs`e~f9e9r%|e zCKMn+d`?Wju5>GdQy1ZN3kQ`h0YtPD73~+u2W?FSXH^afilXG|1=rT<%!GStC}&nc z$YdX38=5+gLHNT`}LJ0Jzh^3Qwx6$?@f2e7HK3$tk+TcbII)n>8V&7O2W z-ny^3b9)iHOs)v+pIA;ZXRPt=V6E%fXWc*?d`D*09GJ&Xq!2Hu3p}mq5(+D0#zTFZ zvWn(b(hD6|BH|87jZW%a6{bJj!I}oZB8CU-0SH?upv`AFn38hZoBLVJ(qm+Qog2+f z0ihW@r^NT^nY69aqf|9BYnLwqWtm7Wk@sMy0R;Y%sDld|MMGz3N6XZD$+A%PI6Khg 
z-hN$PO4F{9DfT|Yzj4S3jK8Pa0_{cYYHRy`TvsycnyW)oIqwgMa+9+6L|UJ!>WA?zgC_7%rlVx9=Wkh2@iD=@ zR>dHQB6gUrwb>8r1S3?>sXClT4Q9veFRl*XZ{H_#EOiQRTjTN|9gcW5) z4zdg1JmhITV&+v4CRBZqSMdAN8)&mUjYlqCI!Qi+FqX@39fCE^jUqCi$4c}^Z9)4Y z$oWrLnHReot9fO&h#oYBM;4(Tp7^jjEb;>X%OX*yIb~Aje5o|1erjy0lPT0VXk<-e z!(t;&W7^wxx$3&Zb4QNqE=?gntr&m(E}EJ}ARjE$aQ<$n#c}LHCbK1}0B%^+*he+7 zpWJ51b4IO89?0iXmdmq{EZr3a4^m~Q*8?Xzzvh$gnD82cit;Wmk>d$MM#Qiww(725 z8{HS?1?5jvTrWYF^T+YdN(vQyY`yWtL4TfPI;2Oe|K>U9QNsF+zvZ}As<64!&$_z< z*A)CltUvPCbtP9M{F`ez@BL5{7#?V6X@r|lSz@pc9hX8Z8a)@lb^l~{!ay4t8`c;* zwQgoq)PXAk;H#WWt*^pE50W+xEC1x#QdGjto6NocxC1aEz`Fw*m&r!BEnS1OUPZnF zL8gS+8iT1OmiTdW5*xT)3d_z9B=+*7sPWP6x6h~aeBMH!3+q9T2J@paWwG2vJXoBd z??~(%^mGiQNZeH$wEOz83mOyKH=e_jJpNr@eL5`c_;gkkvq*Gr)-Eb_KkJlh*91zV z6#Ur_7ps~nVOQJHmVKouWzNAC8=1SUe%R07H?le(zwS7hB$!D(RFK_4)aB0m@VEFl z9;{DH@i2{p1qnl5*Z;WzUQZNB!y+3@5)72Pn6#n4tuKn&K0?V#W;`SbsQ7s;fpt}R5bDHB) zacRIq^(AwIra>!&yt3L5Ya5T<@w@pQ4TJl58WvnWA`tal@4?Dxql$_YVtQ_~fWn=) zfKKPwMWIr#*Z4&6_C*UZ40c|1Y9Y71;c%tRn(SK|;kTY;$&4PeQ57NK+J_2>B9AXI zd8#{|1C2eQz7jlw)YfnNw*i!|8tScL&ZFFp0hg{(J&#jNPuT{w(~^GnV~QQ9E}0}O zf{(7IG_|0R52JHr#C>wuvwWDo{>{FOGPxGP>J9oIPnGK;0 z!hhHzukD=y?j7bjBd?nHJ9R)_|L{Hk33}ywzH8TwY@T^`D>Gc7L`icB{M{Xe;N0r9 zX7@vR@bR>P>?gr%{|o6)j1>d_bJxWLzR1)1ZdRj!>E%60O+E4}@u}!*kH=6$P=GW= zZVhROv_w%~cnYig?gEUAiYh5RJey`RLaWG}+gxG#<9q8$_4Zf;WRj=@weFGB)o~o; z<+uO;^2+I_W)#~xNad$<{1c5f_PX+3o~P0+@Z5e%ymiR6lih50(tsZ}b4-1v-=!hI zR{LlL+@n%U-`oYiv&2ihBGJHD^NfLp-6%(o?gN}j<)wQ<(q=zO#3i!$;8-0i8XVX= z2FfaX$@=8A=J5NWuQ|c#I9s*Lyjib}Opd?8;-UIkhemP<%I8~98PvhiZH(OSmlD>^ zOAESEQH9|ZazVBWi-M+Y~nZW7z`(xSWuUajw{vTA*OXP z@F7QI__1gg8*!q=g9LLoQrTbKmc7t#NrjH8vQHB((^N$SgznhhubydvgP!N228*NK zQ|6Re@_qAMy!^p68*AECo#jN-{C1hJ_b%vO^8V!_h>We^1!&~67qJI3N=C-od$Rxn zUmWpYJYWBS8%ua>;_UCenz&4ka;&MQIWm1t%?hVVw&w>X2KbpQOuIcyvTM+3G0g(m~0cpX}pdww;(jZd8=&sR7 z4gov;~hgB@)5?(2Hz2M5|k5#%yA*#ygGNRZzB>0*uY z9{7(MuVr_c?1~D%nm4X++Z1i>xX5yj0^Ls+9f$Nck4qdziZTa%X-(C>*9x7eVL@y} zL;u9`i>xKbHZ+X^y8+8mTv7*9V4|B=SX*)U&kAu6YO8?1P?j6T--4=!hn)rrWO~kn 
zd-xhwrW^PO+$a23d5$W3*n1wbGlv^56T){ut#8YwWezi@#QI~}J02_G zc?6=puN?S3uf_2MVX7Xe;^dWYw&F-;`9(jNaIneGc3W;*wy~0`)R<8HmVPz0S0}gq zx!{e3GgtB?FiCCWs{xK$Xd!jur{DIF=Qf$y+~U^GuN(>(?0TM}OHNfUFAo;#4$6am zWuRVEaVzF#m>GrU)FcvE$6e__#J881a3`PDTem!T#RK^h#WE00#}zZfN*BrZ%SeX% zWdlxjfQVdqZK)GF9xyWT({237b?nUoX~%6}pXFHH{Hys}&>49Wuzs!C4pIQkzG=0+ zUAqAZj-`|}@!!o=bQ8#4cEP_>fP7xj;s_x61aMD=hvE-6SH+B-n&ii8zcfGG>>mt5 zvQ&P#dn3f(`dJS3v+?eHY(~={`GV)$1O61yS*$rR#Q`wUo*ULTR-NUAID{9HHk;E-aA!iU$|J9TaWL zFWgYPd(*wpe*FU;UjZufI_d;g^`%-)(005)e>XwD`3}ejOP;jptd|C^Y{Im8~+t{Dd!v7{+7AZ#fepYmUb1@YO+Mt29}E${#z2EI}k<&Gi%WwAA?Zq7odz(FNG0ez0HC8#fj#!6be2>Kki- z=Exs5AyIYmhNn+# zpGXpYA&ta}JRNzaJBpzno^kQmaWGuv;r&cOJRRQO=;q#cTBw4B={#r;bpHZx`<5*( zbQw*}ur;^0?>9a8B@+%6;vzRQ#Si?K7!P$ERg^t|RnoG-qpp<^sg#+YdDbV>-CiZ!ENyWGvi|5Y7R*hg|~o8?)c zr)g?-67K>CCJW02%Sg1|NT23>m0dP0B`E5Ys-EIa_!j>`QPT{u<>Tr7dtynNez#dS7HZZdMJujAP?) zOth^HOg*Rtzjd;1O7f!712;Z;X1cTh*snOIdU|EtCnefOg@^YlOSO*7gubbU^y!kn z6OEzI-zkxd7lOnOjwdNu5hd%rts1>UVwBvM!-siTgTSbO`FjGUsRC*Q;6v%y@V9}# zS3>@E7epMl!;E)(TE{N)+0wDe-yd%r{9`>(w&c9sh{ob8cG3clx|~dv8AUVM`K3vd zZw2zNND(0mmxqbm=n#%EOM%y9XmEeZZ%1LE>=<%&rOWQvd>&zS}y9c2C^SH*^P{`paHUN@(2oi*}Qk!BP4U z`)3AU*)!|5o-eJR)EhTKBN_hEM=}+ZQrxUHA)m!#vI|OsJeoN`V~-k7>(;Te^Ob8Zd!-R&r{+WSocXaX zkhD-%WE%gPfx=&|ksDKg&9&7haEEm1K;}=(+EYpNs_!`TXgSM#P7#q`SCl%}g4%0> z6dK9+C%-7%H^(pj-HH^mcD1i;=;iDUIHzJEp+#+X&?A(?B?r`zX>Fg^E4@Z$3f=Ca z=6=O?!ESEaVWwvdy&#Bi%Q)qy2Y8pEN|?~euq^-Qh#BMd)a%WxoX61 z=aj1Z@%g_2YFXocyQBpGWOx{UZf#Xd_Wj{7W>+g@&Zk(>tBVF@FyQg~Uu-}sR^6@|D zQOyK%6URCsOZX8?7HPO>on{+eQr`S^a_<+1yaoE|^jVNw*CRRD;%3kd8Fp)6i9$5> zTvB#AOE@!w8l*+xErqa5ca3ooU6_L`^`8ir+e=#+DrP1SOCvA1z~leuXE@;kZX z>GR>X$lga-9+ovkqX%RkZ<^yQ2DD)i4BeDbEE2C@5_DiDU7{pca#*6qU?c)4Ur%pe zbMcoKa3*F-uhlDO1n4Jh+NCC=K4UX$YGDAhjNP`6E61A;0f0%*JA5KsPESEUx4>7NFD2f3)bGEucO3cQ^>J!@E@x$DbesRdz7S?<~WAgrg z7r^T+{h!sq`rKn~S^IS1B}^WW@2!-9neo&dR=|H6Zj1D*b{H8JP#T%B4?ATXERf3E zZ8L#yWEn?SuoKE&GM13LMS!J3*q-I#**{~N>lhvwO3!>9o0IKPs{BmKd-hMriO@F< 
z26|w9N<=zb#d3Ttu9?V;AvcZCLg>?rJC*$?FFe9umPVzS`l159w8S3R3DjDycBOBx%r+A3Km{GS;ZgYGJYY@m^l{Xfqla z^uA_;q`F;JM7&F_i)yRS?cxB&w{bg3RpDSzwEMyZy(@Z8Rln}kQY1|;A{*<#hug?{ zKLbIp6ccPCQUBU{;zifQetY*#v%_m3=Fgl!$Yop3=9A{b?o?w^&}T*d#RZwD;mv)S zyP@PBbEy;8viLx0%=j6zK!9Zln1Lx|E~c}@-2LOCT`rk_#>T!ATved$g%e%}=!KG# zd&cr5$iYN3RZ|wt0Cg}&pDQ($3J3Y4-_opnj(R!)zFVP0_wV{g>!qW+H!q`J#ckJ%lr zfRC>tmy!!)QkS^*50zl4v^eE|#=m-|yc2pFKvQR0uhLAsRFUdK9OaSotMd)_L|*xf zU~|d639>E=^Z?gN_koV?06WQVNo$SfV*M~yYVN6!u$>&8+LWlWnT>|5Hd*^QwqwdgXuYkhFL zxx8`=hmxng6N-QgWq-%dO^xc{pVI#uW|CTbk8u)b{_=S}cl6k*bws=-Uwc-&`=!qM z&bO5v)p{{Ofd$oC2kkv)p(H_1vTwsLm!p_g2Hf_mDHGPEj$hB4xR)LLv7}wkoN%sa zeeKw=+SAQL%{2~7z5+GT3x z{I5k_b(Z_8DHIkf3S{~Xcf{inWgnfz7_?T$C@&aI7a$a6P++L7tGo9~)xJ$eMBu&U zedAedz!>ie;Q;>a5CnCr)M1}6b_MHefnI3QS1W)L)W8jVK72_A>^}B zWYVw71I{h~9q8%inz2LR!MBc|JY_%n>L#Y6YMnpn+Zf$a9De>8Xqe%IiOzJ{CRE3JjOM%%LDD%=G)Z z`i_8{mVl*kPM>O(>9yl8O9rSc0!p!!%jQj&THw4Ma51)JbL|D~T6SV^09iDex3-)+ zc`vs*v-HOymiI2|DKWdEOmqpdm|IIhU9Xk+n!Z%ymr`3>nGJEYS`BM{hb~cTrt+pq zjF-&|5#Ye1TvL-(TNT2ij(d#d{X=qI8%adgDd7OKzvI+NWWKxww`h0Zahlh$4V&ai zt<+8H#fT=&H*a~Tnz4CIZg zG>jQQ-C6Z$NJ^Kjvx^p;ee;wm_Fp+WSYT!ZtXPBv#V?XBkR8@ch)V`s3*Sr4+gvpt zt^tnD{z&(uWu1Jj$&B=M zWXsA9Ka>O1U~q<}kc4w)d%VA$6A%D==a;~Z4Spa1sm4t_?C?unHsWO}?8#t?Y+yjo7sDPXWhKx{Y<0RHZ2^y}!d zsVH4$`XD8`O79iBur=*)ifKUFcvSEr9WPTbGgI-h;|Y@HTjSw1{2r%HJS z(?A?3q4ff`5uT{0DfySLy51g7xTyTv(QR}PVwO{C=6+*$iT%;HpaR}2TK;>zEH{{& zh};B;;^b2?jhQvViMh&)amgs})~&28Q5Om+i+gyHX5g!|uWuU$8K4ixuBi!F0$dgy zD%vDhg@O(t7;4bOwH9<*Re&$w9sPvW#ROH|GcGA>#d^VA7{J!*c-lsAS^h}|FV&5m z(e!pnVBM&ER_*pP117%OT&4M%0z^3BJMP|{Zj15BSGn+I3Q1Skuv`YRWM7r8evUu; z^BENzydb`YNEHR6@+V-&n9$q&WP(1aGvj(8N-k!Bpj%7lXAEI{r}x2?*h71L`2P7W zK4_@}#2tVgy1`8Ttm`8;|3p`g%e_Z-J9VtqPz60T^?;p_iXhWPpRLPTZi^9|xQdn& zFmx|>of-4YT~nfXpn?T{Pek@Ud0Sd+fZ_can47w?Z=$=Bj5UvCn<%bG1Ed81AEgdw2+iBFi&i7 zxrA?i>3H^|SpinQI*P!BD!9Od&@VV_N<{>}&)i%lm zm4M@xih)+Yaw^dful2wiIGo9gaG|fIa{??Icpj}8(0z&rS$K5Soc1Wh)H~4TDr08F z1i$Z8j|CAKrjX47###5-if3?5GxahQJ3(*V^LCY7OA0zR?-$JNiaxP&&w6O?a+l`A 
zc`Jf{LJGQaFf&*+EOXag__mn>i36MdM|VqV_K~4X9>Aq{vz$o`Og;6+rBY8cyq83d zkgud0L1@^3pCYiPhxxdUREfHd$7kTAIw{RjbNLkbh0Yg?|;DOJi$( zq3V8>20N#FQ$23vFyrW#SrYHE!gf8L3!XwSploHZU7km_Tjc2|pKdBIQrWhR&{o&? z$8Nyzn$fb&+%-+f;}N-2o1o!jh%S&6C;p@P_%&zY*(lLWC%r5HoMt$5LJ>`o4` z29|r^=`-MtR8h7s30?*L&sDq^+9`v?$hA`WUG(E$IB(@PgQa(wOuHFmt{eI-QP6wj zyIT}Yb^(6)YD09u9CK~}IC-GR3pmu;5;{vbuumv!SbMoq?j`9$ws+2>&{BeM&b~XU z#O`2}`klV#4JvqwCZThMwNv$} zk)UTAtpR$~9JiGI;et~&Nb#G`>PJMgIKjuuu%=Yh~XuQ;PRm}|GyTCF& zTDf~VM@YW-*z-hV_0s1GxFvZ|b$ZE$Dr}0Gn?7zfT@hyKy6c-XrjN};Gaanzg zM_3(NQnF}X#OB*C;_er2%q)@mUeeB4_hiZ}>%Eq34{+xd&qRRfUZd;Iijn6KiHyX@ zNBCA{(uN}g``%jF4&Ng9wpU8|77FVBNL^?tsstJ=eXDsSM0BNMUt&-+FKF-HlX1QD z>vK+n#Bdy21ar^(HwFw)b0lJ+=OJ^Y-a#+p8P^FM}w} z{uY`*G29X+oOMF;W82`HQ><&6C!*6bs-ws+4**cD>WXun|7RPi2|C#RuF~xs&+-hr z5p6KdDc$UA-n)xAj6z=e%-7rlq`E*>923a@BKT zM~J(vv_)jXtoOD{TD){d0DN1|HYXU2+{%THBgGm>X%4)7c)Id9w zis?cCT2=PCYmOAdUm7_QJ5V_~YW9WKz}n@XuLRvcgAVg{+;7q~W}nu40?2a@=oF?9Za>yBjaCe>Rt4$G7p1i&`9IHkYuP^;uAD6Ebv2?W z@GX^Rex5uqrTz|VXSJmLbE(Vfa=!d^$iO#T>${7L@*z%U^t#& z9%oO>tA5b}<>T21JO6EW2;HaW?8;?kJ5B!x*Db=xx_x2y2KS*X8LVimR>g3=dh-K1 z+xQQi7$uc*fZqm}Fu!^j~+m7(1pt4Pcj&_QDj( zB7OhEUj%#ATbr>UN@gUihb1?g%qyS0@-5-5!YwXeLBl5YM7f7`9&h&VvqiO5Em`a` zjVzMhchkzS1i{g#@w1AEvNKzQjCsNj%#J1P%3&isUh_P((3`>Hjg2b|3k3+x$O+V=j$cFP9s z_2QswsRclN?Uol~qAW@`*w1o0@Sdbl+ay-B;KlP%{+wdLko($Kd;5`dR9h>Kzs5i# zfFaO`OZ6>16R%Fu(vZ8Kc1d9?Zc2Vyfz4rMO+a^I&CaLVK*S3+S zN>A(T<%eUDt(A_dht|m1DtYaLA4VBJ<{GG+NouNJ=BRUz%S#~`A0k8s|DBhrfhI2> zcq$a-;zDg-@ zBc4_PhC4Uyq(T`AK{a(@tJ&xyc-v`U!`y&qHqoT4J8L-g*~bNz&im$pfb2q)tOciwMdM zWOC{|CT_=V<)VjuJH(_*DKAwqgCmT-hadS0=?)g%gJtnY9!)UTzALoqe)49n);D$3 ztCnVNXP3!lqOZ~E>En%8xljG^w-0hP#{n>ji0=A7Knlr!mIj~&*iDM-90j25+wGq1b+N{$th%} zpf=9V$QjRKS^Uq9<2O*RYaoFeCp9BmBJ1f)pH>#J&B3trfzPk)ZXFMaYwb7pO-Y&E z`h{7kmKQ0G2cqJT4Ed5?QvG?uW$de5DO&2C?*_!^JU$KTiau6K1?9BTq1?53<~Wr{ zMePY{Cg*lvi`exJR~*A3f!E@e$&#ze4yPCYiRV5z_RH-7X96I)c{Bg4_R`URwpldU zh}kUNH#9-{*qt_j0Z_@}x5sv-kxCK5N4`#|Il18k|Btz$;qU-a? 
zSY9c(SXIg0_FUg*7d&*R%e=Z%xV@YZnE0>PW=7sZe4VP$*jIcx8FFp_Jp?NM8 z^%tB%HqBe2uo~6euDiI~Wc5UQ1+jPAh^fD(u?i?p4I#OjSE?qJqH{kz@VHT|NahMkVfKAmnXU&wSQ^X4vE z(@*7gq+`XEm8Ct!Ws!}5V$T#xI7)!q3J>}Eqi~epB|0=Ls7>^7F+uqO)(^LX#F172 z4l4>5R!5z4U0wkY8(SHof!QH8|a- zyQ|?!o2^7c(_~7_H-C~!O?&UiuEx-u-AaNqZ{s7A@6z)!-Pasx5N;pDrCeWwiq#kP zVYN5dFxz!@xZGSO8MU0J@{H89d7Y^zy)e5JE&l?psxE`Cs(bt76!==p1AW8#qHAM` zOVboh6nqoWBWrjlFtjsVq&@J^w(6g~fYz8eEd$ipxy|$T+@Rg)fHPn(jD<9c$;)m% z=zNGXY5>!>g|%q-NNuGWuLz*dz#!eLUX+ScIK*dD*|M-urf#uEQRW;9M}#d4L; zi?5J@&}5?F{{v_Opt}($JIkF?8Uqu`_Uo$(J%x_F2yz8JYAY?ga#ik4 za#+z}=E?sKjN|CkdKP(W9e>!ZXMi?e@wu&lcO`2O%Oa-0{jZ#tfemCgL#Vu7|Fw%X z8D@acI1Nfy-hSiCeTXA1WpvI@-Rd}&>RAs~bD=i7u1a%so9D&#`u>5&jllr{YYO1lf~Ym$5en8ERXxKFtJ}vXS^$0gScSVX3ft0epi% zR_v(Z9y6zD@tZpmNtG9<6@zd&X2E>S@-EDF`+8dlLJatf zn_B6_zo_WIAfQ-S{271`iPexit}O*J?))c(!haJ;b1@)B%rUPr#dn=Q!k(<{@Ou+s z{W@v=0>!Hxe!Z6k89@5^mL5OLvbu%xHL9uQIoEiB4%E5Jetue{z<|t|^B`|LaBBh~ z#kzJJKY=F!&n}l}-4*}Cy##M(>Bjnlbc*&hi8)Tki!h^qKTk7a$-R0SnNb{b_tqAyDImoAez5LMpz03rKp(KT0q>FH@|A#0xFV`c(FUSe$K^K&r~JRh3^b)1!xPWXT_P0YpX;G*z+OzwaG@vC&Rq| zG;;Vl6=d@#bH9)xIETO&;0FdNJfjImbZ^nP+V#a{MF~=NPNkiP;s*W02ZT>bSU>Hz zZrV;EnD7|`wMUC1rrr~X=_;CWTjFOu6MH$2O;95~;!&r2crD!Xdl?cl^z=FPo`a~SSKX31CQAs9g7qD7tvtbazAs@w}lqB z@{$vE9d7jIRdSf+{#FO8!`>81P_+uFq$mF{a5;usFvle>SGeQp5KJNmp#Aj`Gk zeJRF_TpWl@mc5#wCfE~F>=0&j9~F9tP^RW-qQoS1AX{8+p^DTavRfJJq%EhI);~@cge&@-TOrP$~Y8tuY_)*KLZ1_U!bzM`U$_*AYReQ2i zYuvhFt4p=${oC!p@VScA4%V>7D49!3Xo`*|Up^rLmTZPvu^{c%+voI+BjhL~d8H6q z;1g%1t9ZGeSm?i5c^`y~V8Otnjq1C+p{!n+gD(!dPhhZQ`svn*Z{iuEnnKnORuuq4u4#ud$kytm4Ipw_gP(RyN9JruGhDR)Lh6Pi z(PUJ6A9FDvOOEv=nO5&(|8Lcmax2g1y*JkT+BP+FR*s!Az?rzuvZzF9%xTwq;Q3MZ zI*0_7+l8vsA?c`BJjG#w1+;3fYIeGYO@!IEQ@&A`KI#L=h(dD zt0Tt2{NAswDnk_>)tGZ1Ot2zrORs#B*yu|t_3o_Mj$!55EW#KX74WQbO!P-kL&<+7{SwvxP> zFL*-I!V*vEc=WbLM@d|6wXL-9Mnk_?BQ!q%aU{f_=w#a^HIdctEh^XaYk%lCC_m%UML5-5yO;Ud5MtyeK(P%!q8^OaeRvjiFgRnwRl*sO z&Zef^B$4me{Y~$e;l-wpc%7U6#4tAurfMWv@?-h4ZKut$qOyr#{U6<9UKTIX{t#PI 
zpM=cv*m#*N?u=rRO&jm5KkZbR&GqM{;QCQ9?Zf4?g>}1{=I38+<1m|>v0L(Wo;7;V z&G}pw^j{p~Wh?(PhL~mNhSj&DFJgXRb-^sB|Jaw$ca07(BF)7ryQnVFZU>(PNz5%) zP?-2j6Dhf$N7Vy$4#=GX$eZ8=-T1Fjo!YH6+5dct@M>k>Ki%9N7hxGmAcOaiOY^SC ztaVABbgotpo=t&+@*tm?MZ0gn-gBSB>|7q^tm|{)o0I!sF1#U2O!*nk?Y_4ztw?5X z9!;wajhQX5EI*^CZbQrHQ&)Dz({yL?1HLn-d-Xyb``a;ROd;a=kZAkaRn>*(Dq+W= z>8Vj*(-!}kYkxAS)SC_834gPzoo~wLYEN3I8KBFKHR_#dFaX&5T2rEu?y3TUG+A`+ zFo-bTWRKybYZOL@Q)xP)ljgYYCL~W+;N7&Xl@d1!(Z(n7aOCdxymP0@rVDHB7J&{zr|qwb&zKbl?|hA0+a-B12}GHoAZ+rtJnSe_^si<~i* zAvIZGB@Qpz5_=2BoNwoR?8^OeGt&1-nwChwpm+J7EQnX>=S-&y(MVdl>OUSMKH2%} z>MXolWzN3tutIOCExMLSCg!ujV%y815CJkK-(E`{q<5C@yM-9d5V7q__HLte&V_)B zjKZjjAZtHO`$^v{Z@g4yoIpsIqrT0f+2mDF1&l_u-cWW+Emtu&%{GceGf(4IEJ8z_81l%Uh{)%?!P$}EUU5S5C z`cX`K`K*MndDi7bDba#~;Ahpl?cO}2x8;*_`8<5`L{0~MKsmlUdK9<*BSB-;RC0d4 zsgltTE>nOz;yo@{@aTSjc-#zYroA$7_%Cd|WWH~BR6a1;jd-apE;GJ4zYtr*n#cNX z{wtfnh6Pf5DSwqC>YGD%^jjf6go?W9^s@e*seeA%`77#vvDy$+=WFXsHeW50%|Z|I93rNxf4z+GX8Q=0{5P*M8TnlTlSaYeD>+!a`R)EOuO!jr{LFk1PFdT%Kxo3n^2Orljx9dPm zGlR}zW4m=WbD^AQqDX_I8qHRoE6+Z~MDL>fZTB7LAgYDKqPg65RhdbFC579rGu!88 zn3%vNBj#nVOUZSu)iOzqP<{qzqYkEVDc?x;{y3Esx5=9gWiU+%$N~HR;GlCK0 z@ydX1NCWZ&TIL*R>`5Rd>ZR<-f1soa*sH4YhfaXZ$}Y&xV3Mi+8=Pe1LFgQG{DH1J zV(V!glwIvTTWvh!CI4n*xdx-tdVLX^182g452D|D5?JWk67;shb@w_D%+#{1O#SKT&Se&4%W zht%U)KIu?%u%gK5?v$Cvd_7V2LH~}i`;LBSM5?1Wy0LG}hA~Z%`&HdX?UzjR>dgPd zRNrU`s9sr32W{?`kzW1P1{R-A<5;!a@_(mLu`&MnN4=m-HN(`1 z=Pu<^p0JrZHK~|WwEnO*EMvV6m^kzLss>NWo_%gF9VCLVKWq5b@bBe4Lvo{qE~3p@ zYV)?loM$~Ns-@NJZg?LUS-P$8-|@VJhfrxudII5%?nf2b=P8ln#MlOCc3j>Nd;3+GYbe~eLT4C7Y)$mb?a4$6GM}+2mw-4h=L#q1N1K) z7PAAdf_ZI#!}S8yE>zz|(g*+vwOwjN3sg>I9bnm-i#$$g`)$eNL*6Y{3cty)9{21P z|NE;k<|lKRw_K2~>I};$I|!h`Q&>_ypUlH4R24aAI&n*tBW^HE(6NH=)6KghwF#H& zQ3*`k@V+IblNQiE;TqGwCm)HDskM8^&=#AUu z0_Z17%>7*go^%?$94I>zJ+6qpX#2Nk>VdaQ7lJ@H`1TPFoxbG?S+M(&K5 zK6}8?I-X3}`UwMU{e-$Pk(I{8?AFIrxfkx@jywPbY)1uRXE)gC(UQQAO$0t}bFrXH zz7oTDEZ?5;C@q;MhnNbYPoa2$X@UuuDzQS9thR zAo!OD=e@Lj3_bKyg#q#B=hKwhe2pc~^Y?-WHnc-nY@#&jM^*lP#IPA~e3@6e^N0TV 
zO8wh@FINKQPxu&A&fN7}@AqGJy=7{j)J|QAc({@4)lJ2#&!v-Snjfy;^9_-jE+ zo6U5~QQ2Ybqw?t96e@N~Uv0bT zaMTUNmQ^~bj{o@&L+6-<)ZU^FV1v31Qn-z>9fLTGxLX(8m-(5_|Rx}?@A8Tfwc5beEBCX;67rrc@T`Cl$#A#t*vGHA7KL0|LHAaL9x`*$CuCcn?39Lv(( zSr=cC!fSO0_J9T-0+`T1yF*^nfa}S5ALW=oR{W3*5XR_s*Ph}nh<9#{XlY_+Qjei+ zmc9DJb6%`a^4Il*Q1+}h88roY2U^xv1Qzd$Fmo?}|t`{%yPi+N+rr~VM6zL?S0>1G;EvFwv+ zC%5&&?!vVDgOUoYzIThm(ER-Tsj(v+)~~5r?GEAyO23X1ZvS5QBZcCdtlW7h?U7dc zT^}xC@YYSo{W|=_n~BM(xd`d+Z=dbC&;~?_r#^g$nIDR$z}kZve;)pFcgbQGydj)D z?HDVOYE=ut-+##DqYAAVl^fZZHG1k%@3^=46gWB7X(5@fZ8tHct){H`Q^jjxf*#kz zb5`DLzjRJ=$8Yg#QK0{OW8dMOQB8?Q2^%5jf4u%2*($8l8?Fs&MSKrPsP3-6s2J!sd7JpR)(UA+ox+qU@e|SnhmKPmKt`I(SAb z6Hq`}o%KY=!sXYRn@(Q40OzSkoJx?v`?(D$xT<$GPgz02=)ouMR$bk?jTLGzrH?fc`|u8@_Xh`{`yAyk2-$(!TU4Y-X|!p zEPddjmBxRbpLxaR&+J4DD*4z$*ZTXyR5zb-wgP+eE6O0IZW%WAt71wO?bF7@u=t%) z61H;D-OsS~**!>VKU$Lz%O!5)z5)g8rekx3Cz%w(c4sYlpvG&8xz$DnEDd?!-R#RI zvnBJpI~RTS?OvXEOuj>t8Vwf# zmC%rQ@buz^ygzB+2Ppum>P+^elit*SwGO?8)lrwhDa0APl2QT4@9mXX17b!mSy_#u zAEQK2AsU-MByT|Nr&f01-$U9;f*Xn#5mv!hq>i#5xG8D0aAGU7nOH3dUM=DhhpOZ* z#ypCN=CgPJ`1$EC*SDAm94{%7KzzikGsYis|Ic9}{h#ZJ_)WI|zaDVSd};O@WcH%N z#Aq?G=;BOmG}VdrLwwT8;=H!^> zV+I&rZaqIWGPj=7(?ugj`VN#r_7OQh&D#F3yiGdSig4k!?QzXwGc$R(82@=rPhYtW z_pZqnq7}vL_jfGdpItszxYZ+A%juYbG6ryF7WsS~7Y!d+cJ4T)Nz8cTu$#rX_JQ{K z*4jeiH-f9{LC*bE`lQ-C3MNZT5ay2aRGQKi4ey~SR^ICW8b&6ntDXT+_c#tjUl|kw zGj0hoi)$VynEJwlpV9YoU1ZchP9VTUl3y60R3+L44w=|{^uY36G@fcX*w z*%#z=BKF`~u&mi%39r4!NfqJa!6CN$r<`OTxK#I7Eq9BRsZO8Ne&HH_G0-%Nx&1Dj zZzF|H!I)%akG_pix;m8oSk|=r%a5^fJoI-ZA3~lsvjkHD1}H6SNHjGVfzS&2Z;psv zXW|zO_PcWC^c{XDNMk!@c5VOl zI^|(F^Ig4+osF=kS`cL*9iRuAXs0n8tRQ|)WD0HCn=Mh`it4s>X*^(Wg9 z{US*GzWFuM)#IG!@vk1+Z}n_Tb}0mLTbw_>1G2;(5`2++U?&s*1gFo+Pe5CHGo^Cs z#l&%)AQ_D*A^272@3(V#%2u#f3NOB3wPT%%Rtbi`by#JKcTNxT&MZbhIRf5r8GoT? 
z@W#2|QEoR~B^RE2UFqW!TLSsshBba(w~>`M^L<3_`7o#=V-9v~edf05tIFRs^R?7VwG)Phx5jN<;cZ9 zKr@XD-x3kUjMpl%=nXJCn3uimJ>O&UUMWgkZ@eyRrvvrTq?IgRh6(O|b)qJqghkMr z{6?4BfzvCmI+4%L`!$#y73>yjQra*`!YPzM+CeLNm?0{#hT4OP+EKKH9~= zd%z#jh$|h3vbK6%_f5q;;Ek;mx;9yWu8+E#@^nmey|la?aS(d*0@da{8PN)5S9sy~ zmf%sReg?4kDWB1co>x3(G4FjK?SXUui8XYb`m+>F5+7CrZ&o$LrGnl1Xbk*7{#u{~ zAJF3G*m*zey&DZ<3lZlvlL~wgKpVf_scFaNjobEM=wW`P)(yjD0UoZ-Q~;?*+f^$li@N>Sw3)PjHTUPKqo^N|g?Azs? z+rlXiy5ajcN=Ywb_ZyM9WX@;M(XNLle_faz@V=u%Hhlu3H_5tL%uYkwm4fjs1KPf8;rU_U&mp%>b!FX+NTQ7_NYr>T;7VDaObSh+~^UVELy?XWI> z^f{Fs`HyHekvqK;;m6ND3u-BhJXK1W`3e=HdeSYV5SRKwvON#^1|lu-{ZG?6kS$8L z)0qUU8LB%9|3W92JWeOCF|~N(f4%T(8?tL3`Zz%(VgHdb;B?VvZ|61%)}3#t)8FSl zRm3t-Xfnr2^?_%a$Mya2?DIjWD`EJv(CDz#jGM=JZ9iWgFJDT_Fsa}uvy*@8pYXcJ zbB65BP__y%i2>>!4q4o$yv!qIZNmkBr7eHzYhc^GQB!(WFfs|G3C6UJlHiNMo)bas9NKQlR&hjd3~gq-|j>+Uc!x{Xd&# z3%@iY9a_d*dgfP)N-RBz+kpkHTm1)3Fmo=h6D4G&cQ?^MiM?N+Yf}A;hGbDmMbpc3 zOS;7-CEBq86HmP-$=PZ^>}VYM*HqEL-1458;%}x;H&K-&si3&eM{GFIsWzKkmF}(7 z<4WI>u_sx%83m6My5}CFJ4b;HtFKnYU5^snw!ce1ui)X*{3Z4-=cAEn88!A!ygFfA zEb5-aV4XF^Rs-bo1Yk!AY@+#x*%jJiJAqW0*(p6Q_Jm2oqqYfdcgx!qrgpJA=02>1 zKmH_WXU@QCpc$(zsMO)MHj_XZoL8p(R?(;#&FBe2(Ax>c3;>X%|2fh6f$zymzWb2| z`{X+zx6#F_Vs{w7nImsF!6Qp7wp}p4zephc=D+u@UrVF)UD(`Qr||700q7-{=iHC9 zqKbCJs~--&FPj+e#cjb{`*e#%p(@;Q9Y`Dr7EBn9?Q|*&az{z;wOh6OgXfq{7UC0)mRARn!~q$@Ns+KD?YJ>;Jk>iCK0iJV4WtH zI{H#kJ##X}^SUjj5cH?~RIX#%aP1TG+1Mbziy_?`-`X8g3*|4Y+-931DPnGxsz23U zeHnc^uy8J-+92}oW;>ajYg7dQG9dOco9)k4=GLTV>q!b4Jh@z1Q`nK5BrzVb9ik!Qo5GP&ohNR2{+2uXLFg&2;F08I&l$-sY5ZyM(TJdl zCH`e)S)xAx?=JI9DJ*n$R@BJsuksrl;_n=X7A~nhNgG%VX?iwu&QW}w8^UcDOOc|MAug4_6rE*sro;fu7WGdXlsjrbSWX-E#0jk(j9}O z(%lV1NJ)2h4js}h-QC?abT@pj_ulUZ%$hZ8_Bm(or#5CrUW1X0_VOB;qkE?PpA>$l zVmYC&g!v#clBuaycOvmKSPa3>BPm>rd3bXjCm&f_uk5$2-vG{&TF_N+wYV2>vJ^4| z#jUE3>rfYv?Piayn@@^`U!NQp*TlP_%B8O19*9)dgszJUnurn;ZOytc$&R#$i#BU* zeoc=V9`m)L*x_5qMe02i!Ahq#dY361fbcU%a~X?JYVAWFhGqN<;Pw2L!PjON8cq@VGNXgY1M+tel&b&6 zBhsu<6F|Iqx!YRAf5GlXqY@y8b_dT=(WLc5ElnyI$ 
z(n_i(8Dh->)zKkwr*n6KQ()aS`VOA{T44|gBDAdh8J2fbZlLkhmkD)w#w5@A8*;jH zRrhp#7~sN=NcbxcujLls@zJWD${mx%lJd|9zpxDd>{a)k2Q%!KqvF{u)*PfDj*{uE z=<@3&3QFU?@*s5=rYYzqSVn;Bw*;E+cUr?FV^T+l!npYH0@{0g-4FP-Ixt}Yo^Bf{ z90S7SP8Mw2l{=WSDar5qrBkNib%Q1i(3zHbJ_OWcosGcFhpuf;CM?i`gM9+%uPT_R z0_1cpnE8!hLZ#_o+0w#j>iQWRo6-(*o~kIigjcJOlyXU>4(V^Z>4!gS8h9K^<%>^_s+5BD^FQM~Ylh+C#d zun@7%b;^-fXCE7+IAr8Gn0JINj90e}-GyiNux%>F7|YE|f<^Dx`iOGBrF-Za?kkzRO81mvmQU-r$SDdOHRQ_5 zzo#RycqB zw`$XKHUC$r~=bJr6R*9O~ z7WJ^xvsyN}BNruY$|BHQROU9;2ahZ!^fcd920pFxqWlQg<^HLw``Uqx!B zdLQ2WrD$FHn~$d#WqO;Q2YWbP6}xEHmyY9X{G%%z-cBmEw1Qedh~)>FHxyx+WO`|7 zEaN$(W1#8#J9DvjzixB)P5o|P_qFiqv~aT~Fpi^)-JK@n_;M94-|?;0p5r6?e{|OU zLKy=@Df)Ay6)I9IpeHxfe9=aS^dHH5z}GdvU;jk;W|X-CF&5Nktck9$o9Xyr5L@b= z8r?*H`>$MzcWmnWm-w#9hIW1;g7RL*@NsGo?SX7Q5}O8SQaXW-KcC}c-3Fh1+kA)D zO3*Ggl@$0rzK8?GYvWq`sttO@Sy`Fur~{VkH;04+pUM*jG5l}+$>Q%P3`rZLf@D+t zwG8E|vB~{WI44Y0g(>?eGNXox9HY>RvSi#u?T3XA^8M=k|29cM`Z%%jqw}B5{fYFk z<2L#?FlpoLsryFWY`o#*g!3`>dWk)`d;*EguWP{+PQGRFXx1i^TNCcNfok=escwdx z3EeKMthi3OY8{a<9S@E);G}BRTa>gtUC2P%sluSl{w~mIsTHoD`WBrR`E=h(s#T-6FTeWk$-!g2%SKwoCJsDaty=K4rsh$dhDO4uQ z4qu8ubE)s@XG;cM`Bv7;p8ocU zT=y$Q1!%QRNv>Kg=4v&F1sFDS)3SB#dUl|bGR$@txgQaT9iy6#>~D+D3K8C)`E(1M zw(W7g?h@J*wq8Y3_tfw%*DCPIxPIN9cob{eth`=&R?qW$zj#1rwU*Zsb$lZ}@(nJ*2YGsm{Ds~Y zshm(2>HiG6A)Z-%JlX3B5?tTI+C@gw%F%PXH@!Zt@A2NdK;_e|>~TvhU!km*aVf-& z@}7i$q$Tl|Jw0KAERqN_AW~2o;?v2zb9JB^ZJ_T<{n(=R1<n5n$Q*8M>H;LFqS-UL9|W0pCFjHp#eW17@oj zik$;axi=f+)7K;%U;EEfru;c`l_EUHDIjm&>gLk$^9kMx&>E5_v#n9-P7NZY$h|ytY27QsK?k^ONI@?u=XI zP5a6-firXlyb26vrHBq9=BW(y#6}96z920PfBY@P8 zRhWyNJ3rl}Qr0IzB2%qfl)^ui-zbvSm z9d&9>o8g*6z+cL0J(!#1Q@vZFj95@sQcjTDv^?R; zW`Al-*aerq58D0+JOzJuD6oW1mN%boRzR&ci)ml$fCD6a7!R6$eby5LT*)3M-<|f! 
zgLv=FK7OE)S547FcD(5L&FF8S^;GciB>+$aGET}9U1oTk&NOG$xP<7~ zzPLdFG~W3_W}wg^ zw5JiUU8F5*JZIuJwA-Hw#lCNUh1hF|ZiHXqFG-M2mHee3MRnbdMwmfycS%vM$5Gc- zI(|4^xe|*k!x=@7vKM5lBR<&t6ZxX)v5%_RCr?=J3;g#Ua9|O~JdbW!gxZREs zU`E8?wm+oxaeHYWs7LN$+q?t1v}`-NNp!oxq@PWqVHY3@60uyqYK12MxacTP2Rh?S zd;HRAR9khcbKgF72@`JfJ0gCgqzL{LWc2#0aRsuuz~qBia4;o$wcf+L`8-8MSs^Q( z%JCd2F-1f1=vTGt-1n-_g7Qd$95NrtQ>6?tp9~ev%?>{WrWSENs&57Rm!`-tEA6%y zf4AKxW&Rst9`}=1lO*x&%*({@WpdI2|3Z^wa4O+Ex!z_J*Q2sX2<=WtA3n|}Nt{#v;^!Pp zQMddVc9 zMndk1R_08rekorq#^qVe)uhJhtY5R%x;}tpehWzbUH@Z4bZ^ag(yGrcp?=w2jsN8< z=~mPYs&)~E=Xh2JG;Z|-r-zOp$2BQW&7PcSZ)VKxm}`&q?5wZA-2$5F{W3rw8(0M` zE-7|%Cv=|M!?m=kJD`a^g|`bh1L=XqkJs{LQYuUThy|gk&_c_ybVjcKM#{7?TovPX zZjD~Z+mE`cK7|u-Dc_Y=)?x_X{rz@hN|)pP6#OUzpE;(s@QWmq=We-*>qr=@7R}oU zw{u4cL%S+el;ey_D|amUGDXuP-AT}``g8h~&`bg)p;ft8l-bBK?$P>?>+38==6W{Y zU1?F>(*x#EC_FR7epJ=+HE4?TuYQQyS8SSFT&UjZIKIQy;M z`QMFT+UuLqRpa3_+N(9!OEfOC&UET8_w<01|Hg@tuxQB^CaDX}^ zy$#Mln?QUn&kIYu=5XW1@=LHt(Mz$d2)QhN(21Tnj6y*;FS%0!UB7>_)DKe3aC@&Y z?_6%P?fhS?qO^*6N|XJG zzf#2+!LbJ$U(EAlGhq(SyQX{tLLnTravO>AnrO?-NEQlYgnoXY;!Ne;$Hj>%DY7%1 zOwYqg#QbACZLGIg@`I@B4;OmhJ9?V}ILASiUVl4J72&nS(I0Rl7^{1Cfne$N?zNZY z#C&*jrPx)%Mc_z2jBL6Xo?dRKWaf8%o zW!z4?Rd#hct9+D-)LQeM6(6gXp9a?~tt;k}&c_WF(}0dTRaMYlW;d_o`v(CTvX3s+ z!XqJPGax;k%#z01Mg1YB>-(Y9!UDOJVzev11}PG{&xH*WDZAOf;JRd(-q$MM*|pa0 zvPqCy)dqK71(6;EeYSO(omi}2(*@^@RWqqIUye3UM+h8ao0TggZ)m_rZox`V42y=; z1X~nNJe;c^d)Bmi>V5yyY3Vt0Za>wOCKz2;1!7%7VwoNI8E?$L2flQ5&{7ojz7(k9&kD8W99<;A@ zYG7Wo;ll2{o90D4_p?$6bW7I&V}r~!Uu~wQx`-hKVcQ}Z9>65T6FAJ^=z3ALGu%Bq zd`Ze^jQ|ZDoGR^DB=s-fatKA~U5h31thlzW#%~N=G!B0& zksk0#v+M2_HffI-V+a~L_>tK~tJBG!@t$wmH4P~@?}#Iq{pT{bkgIpJwr15te~F4> z0Sc@^W>Ga-UEV;p*c28lT@lBWRM|0y#qj%gzhtwebUknAjt}2e)TC8^WuSR`(sIiF(%8~K5Ui{Zj~!Vn%{+AW)_Vk z^#REUNiG#hb-aJe3T^ zi+uE_q_R!qjfV4J!mM)jBk0IzxRwEeU$sBr$2*j>GvhDHdaJB-QKt!83pFn(zMfnAEHdBJs3~_!vdMElrJ$*{3bn=V647lS8}4`i{*Hke_T-S4 zUloca%8!nq$Gy54#fg{kZMKrUiz1XW@av_2l*2}ilAmH=B;0F98 z3~nC=6-OyMJDG{*H>!hf08?dd!PP_CRpi4Kor_8|<&O=dx@!=`!R9Q$z(iB_+Dc)$ 
zk&0*kshfVn7B3qmOJpYd#_cE(j{VI?O6H&MX^oIR1#kW7@1MAQ$frCTFJ|A2vObYW zk=VlEMgqIMSV*#Ai6Jv>@S3ON(LkBe3uY_{F&Zoq!qbReBX!N^kT*1$RLpQOO5 zORcxbtfSJ)3L2MV)B}VZQMpviKXqB(Mo&lzismb8>?-DVMsC^(#*tI$bkb$e()#^k zCET~1{2lq2`Ov@(=F{~3mUZy(1VLN8C2xI`Gl6~}JoBun6mZs{&#o?6Gi8F0x0F-I zTn@c2v8%!(bkGzkU9~P5yQ{I0`@U zgVjtZ{^q3n<2XDDZn4o-LQc6leZZMiEKTv$vgw*09{tfrKlhrOnBRSY%N9#c#E$u4 zLr^7i`zEr}UziuMx6`pb2WUK|aqiTd4ky1fdfJECU-l9{dA^NwUmrHAh`ZA5OJ6@W z-rDPYEpAsN?X!D!+EQ-D=X6cd-Zqxhe9^(EmKs$Z3P_dtL%i^}cYY6a} zO2=2|;y}JpXffV7@qrDPXX{4GM*VWH9nXY)3%IPuQIqQVw#$$|KuV9f1LbCk*lj#8 z2|QDH`lEI5k>TVBk5Z%l_(a(L4cT^kyW{_%WxeleUp zRKxd@@liUt^zyn#U`OTd6(Z%Mp3{*SAzuEOEc)c-@%8~eNK~a4g+{`Uyh0%qztsKR zu>Y=!R8rjpoB$F*ibC0&*e18B(_CS>AvTH^=Ia&#QQIgpHaL2jkNUg(N`k4LGiG(& ztgtm1G{u~MYV^>?xn&#T#f|LknQ^uaB&>U)cw5z5+UlR zw?ldliw0-UzV2=Q&ok62fM8|$t~)uioZET$qtiwJUc-FVRRdFM5ITM-z+oq72ypvK z)A_SZmq;}2$Dgj@*om<+`s0m4|HI&udZ#hWxrOt3I3EK#wfPGNAaQv7bxyTpZ`7;j zz5-2MYh(%CJ6=saSlf)q$?s)aML`92j5pWTmTxetdh|lQi4Q)+a5(KgXVuF~4C0)R z-6^5x9_*st!ZD5=Hjyh);)lUEU8FQB${RvJ*S$&5$yaYtUS<4p^e}VfR5MsyQmA%a z+=NS5uLuN2rf~E&{h@ejz1=N|f4OEkLOxGz&tr9f6a)9b-Ze}(gxM%l~D zBk5OROseB-vipf3(qeoLjX0f0M z_$~vsCjewcI+w)2QgM#phngzD){Q^qRKIMNKUR#Tm)xw(J!i#26nhgp!~#7S!~E=C zax=g;-?@$_f>hjk{LFJluiGW|yaf;S5F_`~4Kln}TUEX?&{DtG1^%HKvuAnG9Xb_Z z=msz7vB{!BJ=6Op*${-(hkP=HkdZ7Bv}|k%kh?Q}7_w^KP<_`bw6)i!qct5MO&J&W z!wZHy_B~7EzUTGY>&qNPZ1f*gRpocvaxqkPN~`|k@MviDKn|+jpx<6gEBO^!V$MW> zocP6W*p%>WKY3xZqa{aeL6y2NaNs&J$XI)mJ+H>GD0PD?9cB*a?|162Y40lz8f3QD zxI9w;nveG$pOf9kpF+uNYsBUTDYk&Ui0F8h|D!zU?B3UxHT;5rTKA9dWY*C4^i1Ec z$=jT4TK4XypD+4(%;M1gNDpoAw@Kvq2d>(vqJ2k%m=fgy`2^G{WBBZ`J#9!bX`h;c zzBlEdTup?@{9-VC6y2ytAD4BA3*Ew@q;>i&aSxHja zNF5jMrzVf@N9iwyPxgTNo|nJ~%y;9do5du?VP_V=do4%j6nn-{j42GPe=zTfS7+b4 zd1$zwGq0AL$q^4NeWL1au=1_ax9lT!meeo)Tu^|rp{BEtg45|o-vb@;g+++l7F1kz zTyRSvCgf&MZil2y`@ACrf?bXQ(~;*QKSm8-tmd~upH7cY9(N9w&f zJhYeTU0%0hYymni~(HB(qnE#nmP>rl(amn zuCa>_6|EuCW1BtgCAZfu7}!~~3T+A%f7A5hh*KxOAQ0yPIqk@Vj0u4{=E5)A2G==W 
zh5Nn;Cm@!#JAEmV!Qwce_X;_q&GeMETKUq{^?N%?Yk$}n|yW%S9`ZHoZ@nj7rf0TG=b1e-1;9HiT)d4aD z*$1Pj)C`^~^}im7-gVK&k^c(pRaNYR7+2Jaz{;ErU+5>`xgBSYn}76`C9-R{2HDzC zgQC=z1Z24UzaKCsHIXTu{LYt^nhGY9^)p^0R@d3?4`V&HPfOz--(<(>8+-k{bxSzb zFisIdDisyo!A3V&nc0DjFPSp_o;vviliZdw>D$mXz3BeAf0!V`awr2u4Pt^x-L4+* z;PU#VUpyF-(VMEsVSrrU)b!}F^{gb0P37lJwiH2jUcjd=djA;C!KSzInXi@5A^4!Y zzX-4ts86`cN6}KJ-06RFD)iU_&eE?If?Sr}62mIqyzZt}pqQE=0oic!dC2NVKX-H& z)l~w{#6!KN#g}|n%`0t6Zo9gXU4Ql+3Y`-_IeLV4~)Ou4b>iR`G&0n{Vq{RJdKRbonDnT!MAG@3) zml?bB{A_?Wvk8RQ_I#sde!JpaqF-UMZs|6mr{i;G{x2)Vq z;|qEaG)PI%1W9jp4r4ss)82+Wyy8~+9{}`RFxDqO#qYfQg><8;B6`kydYs%(`XWm_ zMML`!-P7&C(%2GP&?SXYYtS3(cD2^rwIP`W{)6SCMwdz`sngI#Fv@Z^B6C6W_##6Drs1%OEp+=;C*b6CzBBs7s^E(sNopMJ%7$>B#PfSG2g%8n0hvjNaFD-nkd*HGeopG> z5yQcFn5D2TJd;FEBzzQ;sHiJVIKEGTM^KrjU=62r2l1f`Tt$h#_iRB#J>n8Xi6MGLi5Ki{Mba6B^eO@;=A#o*4<#yM`X z^9RRb?B~cN6a3Zb5^XTuhRumaPve|iU>Q=xM@(Bt+2+9PhZnce3(b5z!Wl&kl4LYq zo4e9`&R#_LRMd@>&16^6ZtqunFjcQBRuN09aIVfj8}-<-l-jqJ7l=lfa7ruwPfbhc zFrRWB6Us8n^QtFFpr5xKqm9@nJ#sJwDM4Xw_zWN{h-K1U&g;B~PO);_Wg*F`|IUJ$ zyLOqT)kzH~!a;rG=obo$sszbG*8vZszko`t$r0e?GC!ID9pc!P?3wL+gNg#EeCr*6 z1gQm)*h_v_=DU7*RBLuV*|eHo*#1r~C`fIFyfOau{3t=oT20{ekIcLxjys(&fU!E5 z|Mh`E7C^#Ydbm0+8Rgv?_KdF85Kun#yIljBpz+JJ=7B;WW;5RrBNqvTti^dF@qdsn z5>X!bZ>NGMkvb#{qGJPWE@1M}HthuXC7<(nN!I^H7wu*xrA#J>{=M!H;n*FVyHrP=raCcUs#rf>DzGQi<;q2lJZA3_HY1MCsam zq2QgUb+yf-=A39i8Ym;23o?JVU7G5e->Y5F!0SnvC$rRJovY*(>?=!vpzX>*ltxt~ zO(DkOgv=g5(@pk8teU#-+hu;q8G~QpuVntb!LTH;&1uP|wD-X>$#0h(*RKPdE~x#Z zyV31QrUvogny4^`sX$#xR?KW5)0Dj`D+h>KqZV;nsaL%I`&&32pyD2j0i}Th6>sJ2o)nuq4pg?TkuOjuj)3sV11V@xGCNylKT)o`3U+p2i zyeyrrB3}c65Sm~hmt>VY35bp@=}fN5x2y#eMBJGT+2Pf=?XM>u*FA}Pz$8Tr-TBUP zh~s=4PZdwcnl@YEEfq>E^){5jUjm2XN3-^xdL#jtH1Sk*BF7W(2FQkslCPH|eNgR- zNM9B;+MEs$bv>Ldo1u)9cQ7tYGx?z~emQFvM4aBXRKK=*Un!@Khyh`;B2QZkBKB$^ zVDt39409dK_q{uERVO948)lOz0VYq%aC2SfA*Ooet=@3Pf#Pd`Yx{v0+l3)8{OCn? 
zz}!NEyzz- zE34`yP>)RvZ~F?q)o~*gt>hp5{rz3Y;G4CntWS1k!+E)5xGj3o?>`U3x{^hcgjN{@ zn)CnIXZ7oCTiaUV^EiM0{D)39knx`!N^sN}yIs{e$J4MS4}V?lM=E$e zs+#&d@5UlHjn5N3eq2_Z318ilWns7>vxjzg0FNYk3!P!PKB<^su7rSpr&m~c1eiv}59;vH z;H2lM)tJ@u_vNu<9~eIDc8;`2@x|`#PvsYd2&do^>~MCUx-R4)?_*yZiW2+LhHKc0 z%}_*V7}nDxP*H0)9DoLsTab?(`i=MZbH#_f_wBFq{Xk|4i^x>(e>lo3-Jtm0@J-S? zdiIr%c}q%$PSe1VjvO_cW>mUX9k?~cS5iFre~<@Mt`NNiie8YiV`l5^Mcp?!1I}{H zm%-BS#TIkVQ%R-j3&6N0a=NUftCX!7i@ouwya6*?(@0&F{OQEwMCo|R#rDCpdPcn% zTLL`^y}b2=AI$yWMZ>o?hP-jFicO|cAg=~Q`N+Yv@*_HBV*(oRk`kWPv_09m(nLM= zl_n>ri;_-PAoXGzSIhc_-TjJJ`ucQDuPpgT50ld-8A;sX zWMlQies1LE*Yv03x;5Q&mlL<*o?b!^5!3Wv^dET@S`;!@A3mKU=+|xvmn_y=<^KCl z4FM^*JF|CT`P_P9#IG(u~#io)}5 z{0mh)(G71g#5`F5ZEu2y_#4mYZx)v& z(_CDrX{)&V_+7PPQKD{25sByei%`IrURcs#6)$?0tl=J-=DX2IDY%$5)!gKjz1mzVUp_6N5*<OBdW-2!?dqDs~+dAW{BKVo7 z6dui$3!(kYJ!tziZ_d7d!?w^qi5)Gj%T|i#ytqJg5lzo%@elsTv>y2UQ;q{~d(-il z=O`IgamvVxAB}>@wSv-M%rsYO>`s$WPo|@T^9>fuzrl z^$@TVCTZ>dJHCUr`AOvU zUcuccyJ}LJu?TqhwVgz=niunSXv~w15^1+{E{6lo-MY=NBgMePYRJ{s^B9a^=bJp1z))w$4Aj=2qO>%@0Oz6@|vshwP%50kId{|>=2>iVdRR1zocO3k{Ma0+F&b0S0 z5Ind?Av@Ke%&461-+-r*Li}W$!~`o_xjpcmMrYEJcjpc9y-Qucx{--e_`LlEJL9089!j<`Ca zLVUT#Mnmc~z<=~L)|`5u`4;Pu@-XKTmNPC7rwe)1xs)F+H#%IS-L~h%+b;v??y#HV zXI1k5G4rkI!VfpcDu2p0@?#5gNVfloHVh|38gMOkMG9*6S1Nivog-Xte^3DGcsQA5 zzgkA5QW7U-vHmoxQpTrb20%7`1)!+4x?h)db)zHBBV`jEkGNf?nKW&ENyH`Oa%l>G zNbT^fU$o?aSZjWpew5;?kKox#6Eca=1eR6F{h4D?BiAPAd%Omg;T7L3nCR640S(2k zkL|AxZ57f&AM_e*eWCLmty6*YnR$_AQ_arD#r%#(St)=euf;3Za)YBlXQ|E|W#=?a z-!8K(|C2vZb*QyUp}4aeUM~l6u^?2+`xl%~CtU@wS& z#Yz)t;bNUtV!i2$YbM{N+x3|k#_s*j=RkDAgX7OX7JJto(B||kVuofC-wt=i`$}DX z;}dzZ#8N>bm6I(G@OF!x;WoNl>~?ud%znD>I_Vi?L)==EpGCvt;(pW}aj4n{(QlRL z+Hnw`F++YYkQq7}XI^O}xfEi(ko~IioJt>$CXPyqd`PprmhBrQN>vVU2db^zYI$iTUhi8D22}zdyh=9dk&vBv$dPW)X zn+QXlKcQ)$n%1gr3fn&`6Q|Sa`=<tamf?ZlH2fX6)*QJ=cNhv`jUK-gSacBNXchkLJ z?*Abbzu!AtB*cl{wbZXFmz2%^O$h>cLOHAHmgIPln!YN`i^!U1Zr$QwtCc&@MVqt} z1)NnPw9kFPt7$&a;c#98V+2@T$JPnADkuRUwG=~!W_bWJnain{&!Wj1csh`f`z9n` 
zDol2cvD4!qexn@sc0qGc^p4P`rAU3wgrqu&$sj}vi^Qo^f(?UFdM*A}rV!M#w$zK4 zaz3Bz7FP7NlbT7RHoWk;;`$EeXil;VJPF>%tN$)|TO&mMeED^MsF7SAk$Bxwg=P(+ z3$CpZ=m+uu+lo~n@);<-J$GNy0I@!o(;yf%+tPO04X-%=InQ1Aw|-w5^lZ$R7|2>K zRx43&8X}Ds-ctZSb@XqD(Is?zg2hRKd3`QnWyK?oiIGT)^3>$Cu}A_BHvSNGJ6JUy z+^%NHmSf5GNHuqwQ(&h@iO_?s;aoUQxz}>;lyalg20d&Gbg9!XOH-kx#o? zuP-p&i}#`_dT|3zKUZ}XcW=aAQY9qiySqd35B*{$a(j|snST7YrFB_(Qv^N9NN_Mj za>l+5C=Ucbi6=cx-NzHQBPo$R(Cu~i!vqOsDGa8xHcb41<;-wqop@5R1!pI4-TU}9Bemx177$@XXfiUuYY#W zQt`L4j%90#j#LsM0j&3j#m;tt*3i+POBd1mcI9@u{VL=mNZ_*#;lm_ANzaQMiC*m)@@YpgwUHS%2dMFmHT2Q-W`>uYuGusENrNzTVZxqulcLmv@kPK!TD_ z;{9Yt`+AS3s~AqmV|U@Q;09rMmRm&aE8F)zU2&Ode{Btwo5=+lCtLI45=`dS&EE+f z4;@(mPM{D|c9&|?l6|wt_{{cB-GHqdNcj*?cbyD|#;M3F*ivJKVw%mTcEtj<)xkU*_XoFDzrM+U&&pxt@^+70s5_)3H9+w_$MuP89g7 zuqdOf3wAOakE98yjNsHi`w36@*gpfItCVf5Y(}wtIac>F*z!Zq#3+vi(^JM06Z}O4SOI1RR}V*(`P! zl-Zop3ZDWmS%TSp+%N)Za|sU|f(_VxKl0kKBsYz9H)b(@k8?REcAR4B`GGEXiBB$O zkjYBB8@$yMN`)uCSeVz+ec3w{_=D5*iXnUKoa0NH;^4$P*F2SSQF1ZvE^*Ru&-DUS z)AEFGvqrf-5kE{dM3EQ$&{V)emshrC;TKuiQWe6~zkh-8@^lE>zoBd_S+%z|-Rj;- zN9uXsi`SZNti7p$*TW&G%k=~*`m)4Y7FZD2a6pqpXJis+s$W}TYH3wTn>PQM9W`Hzkv>VqbsQBoM**QMNVAHx&-!(zBP% zA(rX+l5$Bd*8TgE3^3Pg#-Q>{-R2@{oeG3_TG!(=mK5*qceIGhs=GzT>issiN|`0N zbhM)Wh#ekK(nyiwmQUu)!ZD|lG}$W! 
zVD&(6Y*lcBs3Y3VcX=P^7~`tGs9?bn+0dd&HQ0ZXf@_kgJQhAR`QW-@Qu@ zBbt$T=A$hg#{7wU=SpjS^+{zVc1HBRP24vz)QWRGn%OQCpSDOt2=ZmmRQhy)SS*<@ zjWw0NJ*B3c6!s0ZnDP;ANm-%G24#hB=L4%gCKT-PB6AVPk_ z%BGzJE$yS}t2sSy0D9U@iFOBI;k1l~>Sa>bbuTBtRUQx@vcKXq2UiP3xbSlwN|QeU zxPtOqkpgZ8O zOdQVXjnX^!;=|4W@c?E!ec%k)hC^m9+aFhUr0QMourO|c72&)lY z!Kw6`HgV8X4mWXV9%cBKGBcf2!p!oU1@KW6E~Bou64aB-8)ov78~Wr9Ea6N;h>R@l zWA^abEu(jRR3S2{N%VfgJ90!1_H+fUbQ$zon{BA^1=Mnz>(vLiL8Lin!Tlo z<1c=^7hiK47XTfoymK5>Do7AR5AWKI+Nq?YG{d(Z@oB-AhiM$3w{6?wD1)JXszU}3 z$JN98Fx`2^b zgPspZ-u5ZJFnUrq)VikjNCo}L1_VjoSJAwjDx-1HU_Hv25>5q`Nv<$_uxzu$6?dBjHNqD=cZy#-us|WxqLGxauux3`m z#1dzdCSP4eeA_?hE8V*TJ_Z}mLOaHHeka#9&V{-H&Qh1dRUI9tnU8xvNIfi@pl-u# z@?OflQ%&=2(acTFn%d+~z^*B^AR_l98J(ZaQ|j(BZuA7|ExPsx`x+|$sxjw$tFL6` z*4C!l6IukG0pG3?s!K0)d7L1SdKE%vN=~Q47-yw>q*n=umn2v;DnB#TUQM!ZW4863 zG#Axhec#MCEz_!3j}+t|F+(m1O64>w1;iRQ5ZQmXJ54!e8?ZvH$Pb;Lw>0iByTN%z z4W#L2_8XwBW6W!OJ!a|;1qSI`Jr1igkJqdK14OCt{dO$pPwf8Q<0iY28H1Voy(Ln( zV8*j8Iszgol^O1nMT;3ABZHZ>tJ7q8c3&|K@+u6{;i8j&U zZ|m629&roM_@0Wuf*G5h6lQ6g`<+BkS72uP+)jv@C+={@vvfuV+?R8=*XQN{K@WO|J@f}Vy^#lQrRJ;4ZLl*& zxhzV+vLvfUv2n%@!eSNo+uFN(iIG$u1-XVpbQBgKlA*8&^-NuY;I$y)=mV|4&bo2+ z%4+3AAzn|eESw=CDm2%3V%+{vgy{P|MFfIFTk~)=N$63S$LI$ieyhh9RY&CEP_F&wp6(NpWHX!m>g4|Vq9*-y zx!B=jB+z(QvHe#xbrK{RgZkE6;dI|2>K~M=asH35p700A5(u#~>Id;tAR<+5Oz<)+ zD^KF_(4y+~V1iKyxS@#_-2NYHmYs$)eQX4(gb%Ry0L!UmxU{{&kU_?3!|~s-CWuHk&)b`} zJkM$Z7GTi@HLPmY2w6y8-jts>KzJ4$Ih?w&gf95LSo;YwKKt}T9$GFeC`dmJGA4dp zaA{|LxXfyufj*v&f$EpFueaWo_QC@hW%5el1m_)uqxCFj-5(-LAeru>k|w4JzS3i# z?+9*kslzc-k%dAeNC7K9s%-*RYT7}e7j;B#e^O2$iwfC@310K?H^fB7PPbgmf>6#P zs{0sp!4Q+d*+H*xJ#QtLq*H``R0IDR;)0)EQKW9+giM7Cp2nlcyBx zk3*>sg4@d9u_2GRqkJ-0b~pBH_+Kf1{ogMdDo^GtPoZW1Oi6t!$^Lahu)3*BMylzY zda{)t_-$0mDOjS2yaW=k+7}B5ab-_R(l*o`e4j)=#&^-Ca~{MU*bQK(N2GN~f^tQiWZCJbdS!KO#9=nBseIkVGwX;k^xo+04(9Xi`{dcqMu!X0~$lW z6k1=sX3AG)<(Du-o}&0S?zYlB+5d?0awrjK5F&5bnJl+Io(QO|HgTPt!YxEF`it!z zyR0e!T4V-Ai>{Cv=i|jP6{HM z(&dTQDifh#-YVifkpiUoJJ7I7- 
z`+`sm?3N*?imj^#oJ8(RBU?Y2IeS0-T;jHx2F^qJtYiE(AoNnGof;KDA(Sacs${zqi?z9{n|YGmH74hFRti#|4fBJjJ+ zj*Sk)CleSN(NN0^;FqES(DtB))E3U?489@20$2Ngbe&~XoKdo_6Ci=$1SdGbf(7>` zK(OE*90CM)cL?qd!QF$q6ReTo?(WjKG&I~Vb7s!Hb7##jR`cguYp=a`)vkKqr;zN6 z8)A0OSXDUUX&yRy-#!fm+|9jqXLNm_2U?M91TNI!O6$_g)Or>N-an2v*b~>GgVNqG zYPnRV7n4RWP`mS4uX@o-6f7v%yXZGQX=_mFb?;jeCe8PWtqW#nOraCLaq9NrcrD!@ zyV0;<)IG>vYb0G9`Tda4D>b;ZJQgF?0I+#9LrA7(~*$MbHhlBjrQ ztC9%Ov6w%^(iK9~`Gz(q9JQ#(1eVS$ITm9DLYFN2&IQx#<%(Z~(71sDRX$x_W?>8n z%cCoz$B}x%mN_G%CJ0^*7-$7$PoOR6HUC~Tb3{|_b5cxjgGF*vB`#UktJW_&E?Yp_ zXVAEp_altYH`lIj(q#Yb%mDS>utvB=&P_m&A!^k!NF!!b*O@vyiPNo@A*l5iR-nSaJ){g*U32gQ*>x2nDc^4{aK-HZm>eL^)rJTEY@!|=%-M9GAy5jFJn`7(-7A4!9|rb^1dIKTrhM{)Ws`xS)A2d&AtjHR@53S;$KFSn&htCS z7`6Ac!jwkK2IQUED$ zRoIdBh&H2sCoGOYU5_UASq}&q3iJmjc{rRo3g<-yBrxF`rSp0?QjaW|ZpR~rh&u#; z>dz8AyG2546bWh$KB2!97?MJAM+-o0)L;OHJu>*B1DO@NsO~WVr5(D^U|`ngLb<}| zL6OC(S%&lw-*<8h`Qtyobv7b&f(Jgc63WQ&6l@0>yiKVJ+Lw~}q5Y9RPW{%7mzsuI z!lrQbSXv_#(SEUI?*-1pSzhS-*ZTenZzA5nV_j8Ezg-noTKH*uMV;~Z;nOII>;On- zVOMc#yWoXW82qhDK<1|vV1TCnr@EMm>|}gS2~nFkIZdV@0`#|kXdZ|^+#ic_4dyo) zX*>4E1hWymm5TozLyPvnQ$Qh%_66&U6{<{9FHpJi36CMpvR*tZ2?PR?VrG@NS^yY# z1T+=c1TzZ zh3xhN|G;CO`q!IdH<@E(hk>Dg@TdR)Bh>|j>>^p)v%2MCXg~2FW*B*6Kx7@BBAy*>+SZ{cJ9iv@7I%wA$yfZGpGL7Oot!IV+vnKvN)TotH#pswSV z0tFbkQ>o0&0&3-3ejvOfSwuidS=Mq~BRy?HlvKLmH{=aN++We`?i7B!zwvpi%YSMP z)47aSYW{N!ytQ*s&+tM6kor1DdxQtI=+>(+mfQLaZYcb}=Pj9bIPND>1cl`G*a8*A zA?fA4*Bi8s^7ZzjTE%B(???@$_z;G$l!W~2Dc}p5;LLk?NLW*Qf`8^?xfGjhcccD% zWv_)?dmE;``jhy5fb3*Qyt=(4B5KzROY>IP$B+s8ZKQ!&lk9|eHo$9ikuAaXgfs}V zzMwoysN?2&FElCH&j^B7WZ#zkbY56c=;pUA6aS~OY97vuJ}BRg7p5RQe1w$FQ7Xc` z2WMJexB1vinUp7s?QN%+f3A@5i&yyjPh#c>cIrYI#i+oz8C~Wo0eQaU-$?uv9F;!- z3Z%8df@iovvu$+Txxyh9H${0&CSgc{vjoDDGK7641O22xrp$!Q#@{cJ@*4KPNOq@PM;^w7J6TvB7mqn7V@aYtT2T2 zw}{XFbp`qx@F=)n9|jYOW0>^lR)l|*B5HWuc^4OMX!S)4P!rnq)diy97e|rsNnVDY z18LdDSwXU{+7Y)o&cVC6$CY>*_p*yEwa4;&btH@#ursk;Z|taQspHLr1X(EwpVK$) zx8H#xzB^D5kQcn>;5>_9?+ydL_1my0T+jQyZ@sD2>mjprZRyy=QuzpY{VMy9*4QXo 
zElsAm2h3BFXf;Z-gO!pnm+Iuxd06ccf4ra52GDCW5hj@h8nlnmx+NY1Il;Xkg23`V zTGbvTX zdnfz1a1{fuP5^$QdRiT$wUfXmL&Jt&lf&57kd3F4#Dj$FT(j$Uao1MYtUYh5=E1_l z0jg*=wS(t8b;9Jvu9m3PFxd8LQK|bd^A^k&EJ%`}L=ueQGr1O8F&?<{%>~^qy2(}U zd1_3-)i;85^6f+T^PT953uNVxsXeu$6pcU3akVq8QEAQi2&J8buOZ?eM(Y&6Wwb=k zv+r4`lW&9(qww0E@4fJu*45s9N11bsI^)GT`_n0lrXw4bcmbr;I4bIxSsKsc<)Dk_Q{VVH3Wm=mPv zPm{0fx00%z2>TO%Fyu&Pkc2fAK$y6&ry%JfoF+XKXL2JYkFi6ij~ht^XMJguC)|L? zpBRqwWr3I`RlWe!R0+>ZN+N4yns((?nU@%k z^`iiQ@ThQYOG}-PV;_;VD5?&KuxeNkm(66Gp^r?wRO*OEm@Y2 zIl(50GwXqlbB~#n5>jygl6xRy!)TQGPZaHN(I8a2QAASl1)EOTv_2DdeL3%=e(OWz zHN1k)e(ujQ+37h2aMU@5u)fEkfoO24`jzux#cYF>7R07pHm!jy$zy{%6IST&Wz*L_8~3UFjjv@VQLz?45O!9FsQY6FL_DJgLWVf%Ci_ZDrHZFtn^D z7>z`wfxTIMu5Y^os(k^RIxS4ni!em^>X|!8=d)T@r4(EgkcW(w+~Xcse6-PQ8`&<-FL*THpV=S1qOlZ_Uz^1?ibS|*nwEP>{ zWWE;qx(2^$RBPkb4kjb~;3R{jI>h_uD}+oqsmJLcF?5uotF6~q$Xe1EnTcJCi7=*C zE@%4~xo#@4Z81dE=?ERmulrUaFKCy1A*m zXD;f+)3?3G^G=ADFrB(Jl@WT?)^WzDFou%!CfHOZ;`;ON7kD{u>E_f>2Yb2}=4laD zQuROZ=yw}UMxssHGYfcfMw(CN{gt}r)WsL=#FA67G8d$eoT#IdA)_Ay2~J9 zQcPpiJHsghEn34&;4Re0Bxqy>>u-;;On;b0iipR5pL;l`r_X-2)m_?-8C7oNvTBU4 zE>QZjJU^pf>Eo)0jkl2ji#7Fkps5ynjF4MjfEktZp1${|s5r$dZvSKr_mufuBDFhC zv*lj;^?N z;pf}A=e8{pTUoLCzl@D~i^h88_p%h8;Yq=;+d=?YNLr4|yx zU&?>ZuN1W$jOfHqmu@Ru^)m!aiRaJ_y5sh;>j~Vyu&Iocyj)j)lTnM&TPtNkhF+hi z0~4Jqs9FwPG|zcs&FXV`@*NCX-nd&L=)AVVVRZrly1j={fX(zGjJhU7V!s9+guIbv zIXOwK^hy3=9S!ytk6;4fZ2r%!bP3{PNl~VX#Pz=Lxp^STl_(An@bxM_5;c*6EJL7K z-c`)9M^5P=3vD4J-~Np)gQ?3ge%i>C-kN!e^|~kc8T;#_;0q=+Pe3s5PJIVS-NxTx z#lL?%B5z*{hHgciD!BzmH{|f!tiC&3F!}x>(#qBKuxU#^j47xG6B%mL zaUYagE~M279eNta{-$ly{;UirULzM}AeO#5V)lxMx9Q!i-KTm!&jl4T3^(VXpY@FJ zPPFj9A8c$}{qruL>>Wrpl}H)A!PF!$It_r2kN4sb|6}eO$2atwH2HzWm|>3cQ+=O; zdSoVF_ef+l1!OBrERv&pFRH=!$iMqWlDPM$B}f8flFTl)KUqfYh%O&wk>@vtqrfGF z95*noo8jN^dADOK)R9tb)urwSf=2{3q%VofC`Y_PD0zw++TEZV&!%ivv!(YOICaFo z(U+aG=bOZt&}S1jG9XC{AZ#VhEiatH`X3ix?@%uTdm-R8zijfZ!56Ne&yu7&3)~_x z#{vw&+Yh`t3xGc4+Utu`8`MAH96{F#OEKEj%|Afdg2^yuLYVIma{2UifMD<_i_$sqj7F`^nWE3|SJhy$2j 
z#p*rc<-~l-HuVvdnoiuyl3+9^_3&1D;6B$$VTjUAL*8gTzOV^AxgJS7?28om706D% z)L@pk3UC2TgsFjxb{3eafDMUQ0A9SH<6ocKsiJta>sQ;Hwr7DJ%W~$iVxG90Ny1{Y zYTmb<174FXY&SeNAO_{8ux=5~c;-baA>M@PYAn_tJ;}8z;dgJC{`py5YSCydmsMaS z1CVex1Q}(4r_6?BpV#h}gQJR0U3|3L#Qd6#%62Y^lSUghy}$bWmb*>qA-r&oHq(jd zRjx<6k2F^Q@&v|(@$X!`lA-WRteJn)ef<>kU5saBXp10U9$&7V4oQd0JIMd0diBjK zFwtW<*>*{&^ZbUyZlnJ#xajKepbskO>3V1z1h6o|D;dlMpJcucEv4-Czl#$pj_*G> zfFGS+3a`v$`G(kM4$G4$S~_mEd;mO1pU?@FqrH+r2UWGU8(^SLSV2LLx7l_^DselF z!N7ciyPuC?$f5@MEVH9E;SvAhX(W%aZ z8YC~-oL}{|J^zNiS;^#+E>`bOqO!RUr+#$L4~x(=FW%#0kx|(MnXfpb)6la1AGZ!` zsFR^I%E!t{zUu0WKQXoJU13;BOtKB@Ndp=~CO-+Qf49ZJO9|>cMboSi*?ME-Qiwo- z&%%qJ=W7Rrqkh~Y$3kQjj{p9V+ca)hxm$14o-+N*6S}dGeN=snXVj0~mzU7EuUI?| zQTicEaVl893sFSS;jw+cPx2VW@4Y#~ci8*`+If-Zs>B?S_Hy8p*?4frd$XGbr;|6F^1Fa8!+Rp$i%Iz4@>4H3#+JK$-Dlf;WLfJN4O}QL4*0}VP z1;Chh7#}UvAP&fp%gyLhzXCg&!03O#=!;|FOk8iiN`==RthsKXwToSv0EJpAQp@Yd z-gx;^Rdt>6`Lkc{f0;2Y+neF4%Y?1KmQDpl^B5nh*zEk&q7+0FtKo9DfHYVwCDviC zHrW|o6E~26xvO!?0p|x2WPU43nMyoDhQwwvCrAJ9lg9}d21}zlI1C7gJU<8kk%SnT z`{<<1Wr=CQe7~w_yPZSKR#Om=xyO_YJ@wHSMmZ{Xs#Mu3KZg^9^VDAaA`1dt`*VI9%Q$3 znKXDS6j?-i;u|l+zs@Wm;yByu^YPFbVi?tPvAX!iY`O7rT5%6*68W%o<#72Yf)Ltv zen%omAWy{OI4@b>jm+Ts;W0KUs<%LpS0X=+Bbj;UWu6gec5P(}_-tigKhsQ3FbS4h z5cl?%1zTNchRbpx=<&>7DRsmW=;7_6o(cYh-0x$X&=sQY$B7d=?hgU;5u_;%4|}gR z;tZw)A5;?AvH@P7h`K8?-}MjzVIgr;z7#P<)tIe0on_0Iz7(6UMr148dU4cf1Ft8l z>ZI#LS`YWb_^>7j{;8$vEHNB5qMkTj z{az=yq2mF|!QUwuC(NP`;U){Mb8v{$FTKZqBf4Rn*V(KA?p)gdR%p%e z^lwD6I7-R_a{xg=9_!B!X<@fFiBs_(e3N(Q0?=|i_UQ2Q{=Nk?q_vQOotH=vJ{jkDJjcI9l&sR%bBMAbfz_`6%d=9n z0Pztpse`)|m_a?KQhDa7EsB<&<~&*0+2MhZ0j9QE1J#R*^lMu zl8eU*=$@;KA1Pcbc4O+BkyEmDLrfu(T5pRu%zP`pw*U^&cFF_PSJsr8*U#R>@`Vno#L3aQIiW|lCJo%$gbycRB7Qb3h3TGs zY4)u_Fpxox{}h5Fsa+W0C^C3yJ1X_EhkTrO;A0St8OT`5t=>42<4tVzq>;2%puyKI z?V*CUeBsYrlW#7EluV`idA00#&*E4DF5ckQy)PCULlthx<)P3v6?m?Vt;sjz8gXNk z1sjWy6oWYrh7z34wH=i^tHw-Gcn!k1Q;FZKj?1JTKfDdB?32(mE&Gha{>q*JH5rpR z6#Gjm;ag)QS?|&g1_c7J<(=3`SH9y=@M^c19k0s%eNs2OG+(Mu{lgeTMf%2$Q$SMpo9GQE2odW&DfvPU!`~QDOGv{A!X?zcZV)uOJIxD 
zu)i1v6o5T_#t?I2QyBxO(9^-*Pp|NceU1##k~Ew(2sO=#`BQ*rE4KM~w(ub^J5;V* zKJXXjsLWl}PZ1stZtDf5mE!Oe+0;7|%HZ-s2-EZuc9tzLx3Ro&^-Coq$Jsg-sMeOt zg`Nm`5by#Nrm`7-q5q?LzyHG1dBx%OJ;{_t3&B$`J~pZM^4H4JdN0VseNmQD29`B? z4bU<@Y`Yv&=ZDnQ-g2WpTTbdJM9kTivJRLXcnUrth|Kxpg7$wbV)O==&Ea|QJiq!#BxdX!1&W`rT zzI!hBAn3^C>`B*N)O5*q&?cPi#LI&e=X5-rL=Hr%fr;x9B=-AQ=D?GN*+^XJ&S4bi z;(%aoPtP-lMy^SDgU9a|5FgqJ*FCCkgVWvxwLQraQ^rtdKzV1zt>Wl-ha`ZdWBW1s zQ3eZNXJ|nrnPY=S$Y@`>rA|U1O1?Qk0X>w5LZ;dFLaAlAmw^r5K8d&X;s-qQL34$R z6J}+>I5A%^eXt=q8J|Y@fUl1QabpL{+WfW?^_m_z$$KtFTxZ-q6zSPX-I&)tFD{@A z!!bPa9HSt3R`}ve_O8zX`ztOSmCF7YEy3#($2O|$P3S}VcBS~!!55;clv(q1?=ZgJ3q>V#1$SyWx}6aG;XH3X zQyM?7D9nlML6BV*cAK~udI^uWeu?HsbXC4uwDS3?@R?yS6?_5@!m-~X2u%3exyhH5 z=~c|zM++1mvVq_{EXmx3cJLIudf!j_%m-ZnRxZQF&2AXpD{c{vd9&UeOf1DDE8g9Z{;x>=TNZR_XNFqQIO>>6+Bj z1}L@;EU@M?==IT2XT~a2`zF)<-R6wWH#I&GqBW^cy!xj{fF)Bmluscyh2d9kUf-;` z^FMwDb7_W3f=!Wj*(wVs`{_~IzPqr=6y8g*`rkqCG{veW2~9Zgmu^;Egl5XrS?c?e zw2GnE$v_$1X zS5KDysIooD^~Q`mRI>!LH~|ycTo-{Te_L$oOLno%;s;sPgw?k=NH`a{pJZNr&MEjp zsaTTp!2s-m+T(=+|+8*X__lKJ{J8Xcs*W_wPEwLYqRPJ8MMvAQLLk6XodaJhUKrPy6Tt(}N|a0W8$*YlN;L)*Z*gPb&9W2PYK65TCoAwC7D5?_piH8@s2mr%RiI)01ejQAZAcH8&(Z z1jjz5il?gO6LSwa=H>^BJ@tpR{E^)e8}G~A*3KjTwq@bRaJ|RP5qzKX&gT0^mb>m# zk8vTpII0_7*4G<45cj#=J@1<$ZlP;sq59j*AQgHVIQ57ZLY2f0ACcV$&yn(I<~GMi z6cR%Vc2*}nN|WTvuIC%}+~0d!BP<3^eoH7wmK&B}No~{Rf;%SQCurS4|1E#BNP@Xl z@%j5N9`9+Y#{L!xNlmJXITS|31bEv|sie-)i~OFj^$zRtu5P`4X8AWk9F*WxQP7FQ?AuP^u3~ zjq&{5T=@PcmKfdiKRK|PXc4Yr_E?_5K5mzba~;l?7eZ$jBeb5~w3eWY*dng66Ld({ zamU(r zgNoy{k(8*T<@}5RS|~tyROC^&IkKzV;&R&gXv_lX6uP->fna;h)@C-ltv#&H z`CQ#&Jgq-B+)t3fXyfIv3E0zvrv#tDEdUDwhVP~518F-{)~&x+xYbu&BP??Xd%B75 zY`^b-Jm_)zKp?R8OOCpluqVm&@Rm%cH6N&jZta8wa_4#=%YL5E9;|a}~dAPt>cQAWLeyDqvaJ$2PwTrY1Yp4bME(jb2-V zRnN7qU7wCDWx0Ah$K2EUT+oh9)_ALRoU*_QPNRcB?a!KcUbI(W7YOlf){%<~*6(X;7Z-b&AzGK<$xkKP@MkKJY93YlJ8sRvz|yn^cnithY#o*E!tUV^N( z!A@+}9w95>zUMOxn8I!A5v<7COw}8P>a&6Wlrv)Dy=!8r3p<>uFs{QMBxV#$kSe9em^H$Nk-n1qB-Sc(8~t_Ejg{0l zpQ0YwH4tyaRge%9r{LwpS5!j2hWewUhNE37wp874D~3tYN;NT`=_S!+9dnG12bT~q 
zdV@y|HO9#<*B08A_orkkmS7|rwrR!Eg9hhB9Dmuz$wjaW{Twp?)vHt^a^!=Hp9KgP|1?thi25%`F{#811#|9h0$MRrt1Y#m)Ud ziPR){@An_~9iN?5mFJviCwSOw6O=Xa__m`aDIjoUMwjQK>r$;-YlJjD>IQD3W0M&l z!n3qwxb_^xxcZIrrukYH3BW`?T=L5pF4pJf4f7#ELz`_tq67fBlhqSIL#HSZ5Wv$M zL(#jizm8)7*1?*$V&EzN-p3_-Y@Fxht-iK$H5tGHAn~s#w_F#~B576dS+cHjD8@Wt3RB9m$ z>8eh&&R<6go~%Mhw^r|?Y$d4fKd-;Wa)lk~b>8QYJ;m-C*?25zar+!cKTQ;Rk@Y0| z+$Y;~)IMbHH($dGox##NpXQzx)1?>x|LypB{R7sSA*N9O_(#5^aeK1lyiUvB&q6|* zwz}RZ3`yXO3*EPA%9}Ygzxl6!vY#gu5wqcVMGh4;`1%u1*vMa5P%F9EBg_lp+OML3 zGx{1F5!YR)IijKkxIqnzBf3*MZ*VXyu-6j`&USP*USX175_!`$KUKH}%lcEzy@>ZZ zc+#w404uz|Xt(n)<0N-rd}}=B029#KjL%LJ9fU0jr2IgHz(Hn$Y{s0EpP1VBb24hH zDGbBl;i7o?>DIsQ$52I*OYlN%jE6)D3UPKCxk%l&ex$&tUu`TQdqAGG_Z%8>R)tYl zATo_3{VI+x3g+V?vP`d>mQvjMgG$??!vy9o(q+$?Jfwy0b+Qo{Qys%1jXV)~RBmEf zVy7VRw4&#XZ!z`X)kdG`JA`E&-RvY%kp)1)HKDX{>LFc~9oOY)djfmSBcq)Utxvyq zwK}i0(r!3kd%cIg^LfHgT|=uNmUrn~xn7xghU#@X$PQge{omW*pLau=C^>1JZ5vj} zYl%JbX-6i#=(4-@m{pr z-G{e!v}GE5Iv zKmXnx?%ZVfPWxC*_8`QycBlR{v@1#m9si{_Qta~M*=6ma-ns+-9I%?$6?G}YnnojhK?G*Q0~>L@3U&fW{^oV<~b{<+3p8YD2; zZAZ+U1y?9~__$ADtvz86^J{_-nO zK4(W+FD$T3B0`|^87xr8XFi}nhW|Wak?cUW=OQQ}3qm5RmSo0i(m((m)e3oB%0C|n zX{AH_fs}t2@-+551tj7Rt=tf|F%LZ0-!$9l^0sq}pR3YirL%gUAz0{n4wKX2;& zx{xjU_aF!SYT`oR;ZR(Y7PvXzH*(M4<2|zz;JNW_VM@R#ER-ZHn9l8^jAV1C>&T6C zhT=FhtZumC+lU7-vr;+?pYny&%$0b9}7H{nJtvxly%U$ zD^SQg;(A(?O+PBe?hE0!4)ZL8$$cV4)>Ji&UizbIITA)=(JDdE#TNoUK!SbUTYokG zZdxm}fN5u)MyK&{YtqaN3F4Uq;^|UK4q#XJ%wex!knQ2X^=V{{T~^81ad)ggHRpR| z37G9Kuqtl+kdY*c3Db7&_)NOf@-Xh9SscL$%ZLi53qK$3L>f{!GcD13X* zD|D@ybRm4lCVmi$w2T1fb7TYKPV2m@*K2jh^YXlxe;&?S1sdCs{U?uamlZCZ9+yMv zZT6SESr5Eva~(JJY4T6o@~drkeJl$CTZB(<=j198*WEEQ|Hj;Zzw@nMzKmj-9sS{x zAGSB||J-Q10NYvOgEKq8t*xR{bZ~grW~yDsEa>bwQ2#TD37V-;7^v17_3Ls~Ng4tg z)cXMEjo4MD?u_eR0u!oY5ug33IUq)45aYR}@bQ8TSJL;TE%gV|Yzdx0Sq}T~iffBL zy?oNU>2&xyj^j93wt*QrjYJS>!XwR(UCc?}`K_w5n0J}3*6qPY8NVQ}=f()-1=Xn| zbn>;G2YzFZ5xtP8E;uEVc?ii|RpyfiO_i6@6l^r{ttFybXtfo!XH 
z-=k!EEb3Dm{OD@eJqmQ}iX_U1xa%eJ_pOz0TMUB(Vr%?~EQe2qWDu8RPku*gj_x!Cg?tp8!W$2?bTh4w^>CNxk`R+V!eie!rJy?=(5Js&PWjG~koL zBReFijzvnJh&12bhOC_zyeP+MVMt7xkhbsGUSF)q#-CX{soS?u@7wl2BVsF&MzF^5 zOKv|lP9uA$es;L5N$z~K#P(iy@o~AN*1PCS1K6w=mYlT;|CYV|T`z&xaNa7LZSEz5 zSNjt0?m}yFNxUMtq9lS`bgT^NM3If?ppwap<_THpv%TpOaeJE44M`EY34M}rI?-OC zH6GI5WxRNR<5sn4#(}Ve58mgb`AECu8J7xYMb5B;Uu-pC?pX7Ckd^Tk%X1_#ml6h(95pii0 z(&CAU&L)NJ$1l8Y2-;mp<9=L!$5rVA!_V^Eq+NZw8BzBcQMd7i&3T_}*Vp`e0{!=w zHYFUfgDo)yQL^VaKa0?&VT6&rc*ib(-eugV2ND!7vC>j=Rc%81Dlv9C|8f9-#goeg z0l{;Q$|v9|Ig>J~?dnpicFr*wbUX2Y9Wxb3vyrknnb3s)QZ5Rsjc(2}^;Hro2f2{V zH~LeqV^BL4`9Q4J<7~kfb1gNed_PiX`M8gO``*eCpQg0hlq$+Hfc%|0){;Ra&<>*g zZp)WWf%|}6!j@L?>>;~7Ivwm%vj+F%_tJi5(*JVfX`j&n)yUC3>50m^;LN+i%?Ez-F9)MNt#F! zMzuFzt+h?!ynLq9M#^(7XZ*MfN?>0g7efqv#S3WIzkTHqa3m6rnpL#SfvL zx2Z1))XqPc@rq)dwL~Yn2@=R21=FpfMRi2%S8s(>1V-c7Tn$*5F))(_REm9sz4d$d z`4a^FImrf=G&1J{n#ItIvWD5a9SFMET7P_rlq=W`lzJ@?zvk{l9*}+D68E7W*%hMMp zVR+oP#7vpob}J^2X#{ukqPAId5N18nu;f&9&d2K3<`&Nv)w^KG`<@x1>=^FA(~jct zm#<{eH8%@fH2CzaZO*-dItCiTgpeRv?#_hw+LrQ}kMLN33*IdaR~*EXJSO%aMYSH5qq7Z3+Y+yB{ml6?wfadY#^{mHcRH?Pt_$h`h# zV%71;(DCgu@%gv9^V%MaI!)g5Kw5naIxPXJaoZZ}w7YCyyA(|0ZreahE6Q{?ce3RB z&!ELbzAiy&N7~36O~yy(UVK%*119Et$ZTo8s7^3q`qn1ah+7%nJZW8?lQbf6*@P6j z6xT_EFz-g!PStq&;;|xxEv_*FJq%5QV~!E-$@*;bD?chrCBeB9)lh9<#ma!-jzhLX znBWg=<44lZ?N!L8Qpv+uwh8$r4B4kgk8xg))@N3epr$e|`lgY|_`V2T(7gsi(-?{J zo{9f0w>xj{gj7_4?5Rz#+^#76M`0=a1JM)KH9O-V^<+(0g4QBK1AbO+U+Z(=g`IYN zs9alggLqQ3S_H#lqWVV{V0PO#wTVcKwgQ&G@PadM5<&5bdFo_b<14vyzZR>|%D!#> z?qmgN4@%o$B!TDqv9-2Sr^=@ql3F5cB>=j&&pI3y)u9R7|2i5TvV8M%;|EYE_@!XK_8F>}oDw zCGTeMD)5+&mPIwS=$eq7!TUjvOsJodwp|6m+{M>9U3E#vGIyDzqE%$oARES+SAI^h zwlV?tH=rrG5$LYcHaOa>VChFYKf4)Ne^*pH#gYsWuN!Zck3?KZE#GIX?U+wtT7P50 z@R26Uo`LyV3*qtUwZMMpr*CC~f-Rc-yL;A$O2eXI-*4SFL!D77W?gR`o5zgGP;{cG z()LMm%6@NnOABB&Jf=F^ym%B0T`IW!{3r+Rv}PbYBYCEaD(3wnfj*Y*Q|Bfz5tNS6 zElg?lA3^?~1)F2P7r`{F`31>YOY1rFgZR;$xe3sbP zvgeF8dTmKd;e}q;cMa;Aq-1`sh*b^>d=YF=h9Xdh_y$eqgk5x_7Uw#$sWsvKxx%A$ 
z4#{s*8-LF_IrO(9pHy)&Y4Tf7`g&6*-Ha5i0`ZFPW_ei1jEWtv#W;)G_;fJ_#LC{3 z4!J|8xiDWqh*SsOe7sT8&1INLb3910X#^3GS(9 zOmNj`uvXVf21X9QnQ@j@=J0*lV zVN_np{eQ2R|9#VFAoNouOrVi~-x0e+kWS^{U3p(^2sjr_kQ(2XpVfV3Jt@v*VcVkD zAG_e^L{}OA!sHoQ&M87nJ5=vp(#nA_uXCcSy-ad9;BDCYC&bQia9$JenBs6E%^tld z`+W9MJAsolDUYy3^x$#dE^is9;UI>}QCV=(-#7Q8SOR0kKK4l?(_A5wH4#NLtt8j;x-vkcbxL(QIE&tx_AdeXvoqo zZze?O!x&3XVwKMs9Tl$REE+s9Pm!pz{-28J|0XPdHyt8nS1jTNbC2i_ zmF{pfL$Ad~aJ1vZm{pBMv-|`{Wq@+cE`itkEi$*hvBa#}8FL`im&eUIjSfdK4&{2$ zxfeNb-AX?#BUR<;Ca)OJeb%_!q7wAJ)21+HtRFRvAhF{9cxvWiiu^UU5WM(G#5es* zHFw*%1R+dyir&Z=2d$JkO)Vk(#!nqtG%@N&euq>qp>;6d+ldgg0Aj+uP*FrNp-I-Q zGvVI?XKFFC+YZ&?=JUCrb1sk80WP{hW;m*+6S68Q_@xgeY%7P)r@}I{w-qgx_+)tG z6H}5EPNC=@I%n;(@G8GH*4vlQJ>U%eGKRmsQ0k-h$lA7NE|1;1Q=CPRAgiB2wROWj zt4S2HVo1GcC9(LkUt>bD#tCY>K;y5}4x8G<*y{yrD|fPrcWBP%h-r21`k(PJm&pFN zefS2BSY9RpMI^$GkhD}~bE}lZX4=Uv36;SEoR-q%&f z>@Q-3agWGP;*U%_II6~E+oK^9M1pRVF$y`&Z}u!}WuYBgJOY@Inr=f2+*FS}p6b{J zd$G>6I168kPiqIFuQTCmzvV>|)nBZtQV*}Yg`C7_eW!E%*we-8cjR@rKNp7~oSk@t z>fT>I(R|@xINCR3IikJ3=J?ZS%HPWE&}4wjUYZ$te(Q67m|>zPzf)ZSZPD&4^BzIm zaMD&v`)}LMgQAN*8ZpOz=rx8It!9*xv)49%;|;HP$@aP0hg}lflkp1T0Y9eKf>nJ# zPZd(QLT{Z35y>na%EuOpW3S>c&sMHU)T5;@s7LJdSuFb1&8?r{hnJlR)@?hHD(pXZ zcnF}sz5g;nRqgoPOtMcZBUSqOOu-R@*?#5?C6RZdeey6Z^KE!TOI!JLC$(!@3gY^E z|9-Hje@7;7J=RNS+z%eheN=v5-q4lTZI6os3eiB9fGx^;Jp0(8YsnRlA*u_QiVmn) z2~59B)Ad^Ln*~^|FGS&@(MbPnVm)X3tF(IG1g6Sh;|S{c$J}3=wb#oXY_e-RCyGYk zEJg*k)(qGCI@isd(_rf;U?cH5PA2`=l_Kvt4;D$6puq)`?^}Qg758c`w*!Dwf0R^< zGGC0hK#{1N0CIyTubs7S$FfS9@iA^GSFR%}|8iT(9Sy0fc9nte^o1pN!*B$6jLlG_ zTDl@qcM8j+(GdYCMMpw9_)#BLM6XS6vmn0Q6ke;#+1U@+t61@%T$&Z=j4{=@Tp=?% zMo(f@0|_Td-=5{&G6_l7s@!QSeOKK$$(v7KM5JTwua)-sbxv|zrms(R!pF!Zin0Sr z23kaKQ>@9>GDNUnk>p;`4#RR3ak@#z+~osTPJp;JK>?LyF3JgXnLNZ z5Y{`xXgiG99#)hB0b|)V_bLS7)} zN_5x{0f9qbW@TOTu9>vM^;j2j6AWL4pyfvEx*;B7KF%|pw-?#jAEA&K8w*=C_uB!X z6L>PAFMXotq2r^W`EIg}ZAI$RDnQ3OQ%8=isPPKMsI4O&Rx+fZKm3cns^6p`Sc?=vP78)zCpa!7hqD@SJs7c!#l%QdzXk4dt1XZC zSuwxPA_C4Kr;1YYe_J(-&!4~~#Oj|Cl{~eHBlSg-vcR)Ozy-mp_pKp8&EFl<47^l! 
zj?g3|&>)dt&T2Lxkvl?EI-kCY=%jU#9M#2o>MNa9eN=e^-?eYv>3lissQ&TLOv{n{ z$n)rB^R1K1I2`V+Ho^84%BvfENGCwA9s$&qeg*g?XCP>hnM8J#?Rv89%`tuR;C z;!Ro#4!_Dl{c@w}sMD(egBB|TqtHXSVJ9(mT{4>=)xmtgltL_H>-vFE4lp za|h!*E%o|1MXK>j?(Uo(m2jLLfesJr6f!k*e8SvrKYKOn@}7KoLK5^JnfyQV3{u}N z*8rus&neUUIg{aYlZrujHFv3UQ1(jA*6Kjlx7a)TKA#ts(xk)5R60gmkKNCkt>5@9 zo;G;Tj=EB15q;~7wb)u6F9rv)t+JrwkR|hx{_wC8pmNF@*m`%Z&hh{&G8hFFb7yaA z0_XkM#70Ss%*xC?t0^ch)gfzU#F@jlEDvLTi zu1fxdcH$#B;#egf{_B*UI;zyijz^lBf!c@E;LbvLPH8gL^5QjWZMGfyh zI6AkTBnO=xLfl|7Qu?nshJ?6p4<3n~>3uaam~?#8?uvoh>Canvvi6_=`AHdiiiI{XPj)He7kzhM_|5p;fUGj_@2;G*BqK#c zip($fjoY1y3M!vp;)<2JogAEt(;G&xWs@-8IzGGQ4ZhZCTWdk8wTLWXZ~!8;?f8Ex zL44+)e&2;SVh3Src0Dvs`cHu)g7Y@+#_RU3qXn#W2JC5E10ZGmE~bk|30}=giN>_5 zz~A1)-m_=MuxGcefThAVl$WF8-X6cyz0xkDh#}Bnl0Dl%jBKkI7Ix0}k1eRvAIqTD_bk*Y|9U(vI`S4w>Q4~n*tB%> zp7!hMOaHQ=J+z}_d)nc@vj9-$hFD5I(;h#~GR^C}e?X#Wd%n+OIf!^q$yFc}bZS`4 za}HTpJfi4i@B3e#8>U+(KH-UDkP=#o_3e5BuYFRdtcOwlrXg=G|GV@5KXhzFI~nO; zjqA-I{Ra^7)6d5Qj(e%{fYJLEz1ap8``L@p3U>qvRJwEXVabe4Oy#1jkZHcdA83sX zcb4{;shtKQljHkIunr9-&!``+i(a^JChJcGBj@BXT_5O5dx`=k-z5cM|Cnp>N$7wR zcYWmf2s>Ij*QRYiJSD?+o+2|0d3dW311xMh_FFLKK;1_*d&`vtbyy{OJtqDZZ_CPj zjYZ6}<$qxnY#HMC0o4r9uuc!chhJ(hJlI{kG|VOZEIN#hBF~nRjn)}!08{&Ts?y(X zp{{Kx;RHY@KGsyds964PrFXy|67xZTp;yn6jl9d?3NFq$6t;;e<1or@ZNpoSI*T3> z+MA;n;=ND*QJLbBt^8K*AvOs3`dWBACnhC^zOoBWc%4>;cD1O5o0V=DBwo?41!-2dj$qSQJ$v=W8qWe!7m#Ly93<7pfh(BjH9~p%Apx*nJgAR^e zX(mB#>273UDX^cz*4eV~tT-$vLqR@%Q^*8$#GP9#@A)4dMP>_iv?i-#|Me`ln- zU|)uiGLotPr>FB@I{^(W_68O16SP|@x*v!KObN&*)*C{A21xzQ<(U2kp~aLxrGA(JKKoa!=LlWQk>Vf z=GnjSR`^n*{5=5gvW(h`F%spwP!#4Dfo>Rn>b@*z93H4%*Ut#``!e6meb&I#8g_qv zEITuV!6!G}vxMOd?l_I4Nj6nqX4x*o-ba#&muG_?0o7q)^H^=0;Gmd^T+6^rLCbpW(R6<=jY%5KFhAxRXmre{_-Iybh{WkPzg8q+~mQVWh$yS2vI=dHhok=E3 z9{z+Th2kHky~4uci;f;*@qQ-Fj8t7+RCX0maTlSJaEe#9kdq((7^a0RYzRm{<57!x z8Om>;F|%%Wa=~-vcuyy5rFme5Hw~40G|J&Kys^Pu^!Tqnr_}zQ^uba}wtaa_+S;z~ zRs~9d1PW8&CFGsUJ>wYy(Me2=eYJO7U<}yHf+1E*T{jedTtQ`R=a;@jvW!0psW6B`I6*lUCviXRWGHYt{*zziqKGFxwemG&0>R#6 z9+QHZ*%wpL;LSwS7(< 
zZxnyTgC9NEz<9h4uMo5XA(;Zy=PeQO4uV^b?f$X1ujM~vNj=cf1_c>+Gt{}}&p>TFXwdf`p@ZG!WEw+{ZjZ`{L<0rKQWMCMR%OEi*dNqaf;o=;ydfC3Dz z=tB}d->UiQXw0N64vg30H!PmOevc0smCPLImM}l`G^X$J&jxJtC`bZm+R zsPP`XW$oGDS-;)3nK0Kf0A=EP|8{YSGkI&*(d1karSB3Rlk~1E(Jl3U6*#-LdeVSZ zp(_)`FyunB!}JFFfbz#nK92ZDO#b$6rKu?~lCYQlc+Qq(8%d>koX+E#?|1xE`pBEs2x8`((lx))< z8}OW}r-gc2!=Il92!B)-M%~}aY(}8Vv{{`GhRmu(H%wBS?xZiDGFR~OC@Pp72l#w( zeG^l2Pa*yGgP53{ejii`A%KErn1@q8t@5)g>XsS_yW7L-EF1I{iLM}`S8d9xsCt3i ziwB33FKfS6(S;jxhU+n^U&x6Pmk>ifg!hZS+==Pd%71o~__I`-hH#G7x^F2Gda0VO zrz5D+q;uzu8Qh_JBYIAoXuNOJ$2grkIrL-$(WZAQjnR4lyX}8GZeiTE3W8Po5Es6W zCKRdOvcJCkiM-^hyRN;QAx5evOxesIwZn6amXeOtJ!2dSM8=e9T67=~`Z}q*&pAGH zedU-BZbSK0&S7j3G34g{ymsJ#7&ic{g^kaQRpgnG5Weosxlf8E)Q%+?KoKl{x!NYi z9!q`j6fwFAgJeu-zlVPMbi|DNvGmFH!~N!Ul`mf-ng=V{6&y+r-oMO`#*(YWQWPi- z4UE+@rBr@+k3~V1V%&LPHw4RD%sWv1>+)3I@QO5d-gxDgR?1{(kGauy_Ef`VmY;7Y z(}h~$+^P1LtSGV`T&jXY$BWpl_d5|SA09XQH%D70h7vS?seoofnV|f1>cI3)p9^L< z$%(i}wlA0Nb5PynEDb3FzuSXNhjRORkmB8zT$v3 zmRaGv9{QHw1$g`Y20;i;o}xNdvgR57s(0e0qq&zI_7VRrcHU$h^n^=aU~w*^v=zMX z?L^pk1XRKHoVP?jDl1$0rm|?SH0#--u;F$Qua$B-iiy-)x=_ug{8jvx_I0bowYt#K z1E3z0EILmSrUW8J8Alub9>?~zk*f6Oo9(MoJbH2dSl;$OVdDR)M>dxBtVca8^v;UK zZir?Njp@Ua`bd&eMX|n_Oc4gQ-r9TsBr{U#$c)~gfU>~ufu93OTg@dR`7n>Uow$d= zbM``g`zqM~05?-uZiU;~#exa-Rhpz-eF%p>9HIVe4{f@J3=;z zQ^Ojqf1T?ZaQxXQxk!tuIpj&s>m___uLNWAdV}6IEj;l&U3uPwy+K3cXBrFJWm7(= z`j!>WQJ*sj*=4N;0G&@`!*{1`1lL55?ym+7pjwB2{Kyx$>|x#w>$EbB%)m{zad`Q7 z!;m!W`l&s)3GW=#>$Z_1p5)gSTHXGi+D(rLTz(63=?VRQL0S8I0BOJd8UD%?w(IRo zNG@rRO<8ztAT7Zd>w9IVLuee^U9wA~ugBzk%-Fzwh4{9B89D-sEfMY2?{1%BMz=(O zY?tQ;GjU$!G#lDy1WMRN?UDhHeD~8<#azy!%uxfBLHPoW2x~%M3dxVkRL&s>lU1yu+KBd{oS006B00T6oyKcbE z#kC+B;rmuaAtGYAjIiX5XA*7pX`AyWX>;Y8ZV1-$52p;?rgy8>`d!V~7Nb*hO>cQe zbrF~d)cme0Ib5EWqjQZS>*wm_OIAIWyu|N(9!es(ZFHlJN25es1b&3{{K3&EvEog- zCx0E&^t~y8Irp*HA9i1Xs4)S4&HGhCcjm4P}?9X$vl8vO+ z$ANdrg$!`;H%JpDhvvK0ph9S^cyM;ni4Mp>rK3~CX6^53Wo z_9ZKa{L}$0S5E_r2+kR>%1vf<5qYP9a;CI8=C+f{{7H+uM3_XW^*9d3IH@n=oo<$H 
z-ZDpvau2YG4^Lhz)uNB+~k!-jiP@-ouY8R=b{?zrL1oKTyB11d4pCYq9%U-5A3#{S&J zpVK)rnZ1{)N@d#{b-e3fYc?eBR%XqBIlRgzW0TJ-P+HFwnJNy zeiG}TuHC28;&Idw|1TDYGahF;2aCXxQXNX+qicdLa#!pzQ{3Fs>CWs*;WKoEn8oRl ze#I#YU%3Rj0JflSer+LBBn%^3vr81<&B`wCu2uE;ehrqI&1^;r?03iAJXJ`0%55_d zH%*$7y5PtrtB3HsX_NhJ>nR%fwfN4=hA{{hp{5d8$}<>%+WYK-yF$zyB#T$_@U|is zRiNgukrx=?D^^3yn;1@t0ZbG$rYi?89*^gfJ@Vnnp{kwp=rX^!{E19DVp{2V`!KrM z1K7G=v)hs5`B>MvS~3Y5Nus6MH)L+A+LC+37}Kh>!J9gT zYry?r$j|brt|#L~^P)w~5$2@HcyR=Fuf*I(8p#Z`L%S0K<~*kr%%&_`Nd@qsAF}LX z&5tCbkUlK9X$8?!ExNdP3?3Q8se(&Ek1JsZ6t*1gtNaK9k5h$`>k5^-D8t|%tutPM zmoPPyH|Py)4>gfH`(S(Vf90GIsQRtM1i2q=D{;vD@C;DnTjhNbf zUfnJI$7*_i5ZZi#hjSd zKM8=WfhZZ-mK=vbZT{<_(iM|mQ>GG?2^&<#lk%V&*)JD@C+0l^xQ&ma&AFBgF+ZJs zzj^DkX}3@gK-v*Lxc)u`@vr+{eqj<6Ib7w?Pk8;3RaytkHDk zS8|Oo)Z5iRM)b5c%|z|(n8TDv040_?(fg87gO0073Hi*Q4+FmY8C33dN6%h?HHo#l z^D^GWE0TZUKrFp{U(%2U0tzykxW(wx)rKO~3apT+o7g@Ad#({a(jG&b0c+D2mrsXy zL)OhpJs0Uq=60lkhxFy2u3~R3svDWvAm=A*E@c7k>T+-7|=_6q@7ztMSVwSYyTpxCv-c(pP{mAFhR>bG;n`d9cJbwr1(Lpb?fTMQ=$egF zDpRObnI?md@tc7Ht`xT}661tXQ!>ZsVzM>wUV!gJg?+U4S9#x&Qc;kpxKCyF&<1-t zy-4G{#?{a}au{q2({{>?6aJ_639+0Uh$-OZ8u!AcG!T)A>7h&~F*#1``R#1>_q>i$ zi>gD^${32*NbOJUR677udX!WalCDKq+J_Xj85%q>Get@XvCWnqniX3b#E%Uhs_2NI z@TX%veJXhW-5rmz1&|p3bLHZpJmEht%rDtx**iwm#Zd-8bYF!amZ}c z>%;@@+6~{mHBM|D5p~!45n17{n4s!@_J;Z4_j-e-&l&Th3&6#dVz zZ5QzM3mpzdmfGBW3R~hTv$L;k4s8*N384(B$3t-NJ>i(gJyGUL4Weep5pDo0fi$sF zxxR|e7VoYV#z4T^e1TE(7}{yh1ry~a`vPg;NRekCH)enc_D=a9ooy3>a~5^!vCl#g zqfk3n7fk)78`k0`6&y^Y+hrWCA9$Zj&;ddDHE6CEQtoeBfdNrUn!ZH@6By7@yri~i zMzKN42prnnDR*VBYzS9qP0hrj3||FCoM}ot#?Qaa$q4T}`U=-vr~QNo(td?Cr}{y{ zuOnX5eP=yp3Rp8|*f7ZTST?_&p;~MEIPIEHDYKGzQDcp+dRe{7=iASM8~t{0S?996 zM{E66Q(Ipckq>~#aypEmPs@0`gZ3IN^ZLTQAOe1w-!&T4X^s%P%$DUT71`3zfcm65 zmM?aXO0S>EO5`(?#!vmm$SKda`TGB)=U6!ke0bVr-_T++rw?=X%iBPceFkGm;pcU7<+QQx?Ti#CJiEbDq5NHzBl1dkm;w7X*lgF8%&

LR9@M5QlYzITHdTM(&G><+nl)8zkmW zU2RM0C*ljtm9x90o@0_x8uuW)t;J_+BKUiuhgU{d81w#@H}Ckl$w4J_Y}Gi2J^#Gj zFUp$=-K)9ffaGK}Ma0}-K+y)P{=|RkJVmr)6P#R`FO)U@d84Gh%92jZIG zF*k9UPadbml2^BeIM~H1%WWhMkh;uZS$`U!$8AEuBNX;dN0mn#nTQkv*SoUCO=Rv- zl8&w$XbUXf7Jlh^&T~;~@KU_@8H2y_R+FcGk`Wnp&l5Vypy$$l)W_#c!LMHzS&dyS zOC!S8UWl{oyn%Y0tM^c>30RL7fjx zW->=Xm)?p(VCl71!6e$}35U=5L%1(l{roD@Sk9{-l};4@sHjo?3|DN>6Yxw9!)hv7 zghHEenP$sfl4;mtIDMiAd(PQ4eG+_`9r+H_4LBip$>a2JKds55*PnM4OO z)}>Zi9#!bRf!kbk3$ecO+F~Cr^@ni!*sx;$s&2{|{?eFcDV)n9;*DUd^wP;%L^R|$ zHNFqK^kT~4g1I^D&CdU2@BS?q{>$&j=mv2j)<2e*j=^vH3)fI@!1X~a|7C-Q7vPLL zWi!!5ZHhhzW^v6{evUzlY7O?;cA9m^8i#ylW0l@jlPID7+Nt|8=&+Zy_v5IV2FkK} z!dk&der@GIC5k5#l`tkt2Yul=9|H#L^_A~eI8X)sCUd(+1C;%ZT?KU(E~#_3Csy8z znlI4fpb}~pBFVzzij_&Wp`Rr-iXR=ZXh1n#Is{S_H!5|LVVqfMO3g_htNHIr+wz8? zZEmKx4kS)s^rCBeu$`oX-)n=JFkAbR?%NNZhX-P0JoA9MfypLYw14JBBU7!)^f{MR zsp%it)-o3EA9(Vcufd|a6V)jq6*nd=HnIExw$SHMnD9w$+!g(Uj>+O2z zL>OE#uhohRz!fbp=dt7E-LH_tctOTh>SsG0VLb|@XtBX~uIuFwu)X{ z3NNlv=x)o59hz3dcKlREp9fo}GKuLw*=c8y8Y%AKZ849*708s3(cBE>Gx@?0#Q$k1 z1r}>w+pZdwx!RXE9!aj$;GMYpeefn9mLN$;^hoPP!P0Kt3B!+JAN6$Hk;PYJC0r;8 za7N=m2P4n-R2Av%tT9_M9Kak)^%`)dwhT9-HDuN7EBV^;@cCzg-=h=5{Wqwap}9tp z60OW9m%=TJm`vC4!5SLbo37U$uH#x^9iqu388yc&4VdvbgM@K`f6^FMq$@66#v?B* zL&CGkC&|L8L<_oJw*l8}e)mttqwFS=sP-dG?M{LL#lHoq9OIzcPoEP5XEqHosXczcdg&U2ZpXD2PfFd#=Lw3i$vFzA9F|U`eRzH1OwUT}R?20^J#A zLLqKkm%>?rpBd7x$GazZ))n%I;uD1TI}Gt>wz#}TTF#R0690{1u*Jw*z6~0@nHPmd z*zc|*UgYty>n9!koGbk~anUcN=DsHK&BBm(2dl@h;roN;k`^B(-Hz}mrAHp+95(GC zn16^IRYCz}R2uL+MysGJZOBY>y3Bn6GzF5$3&`fH&ly!p%S(5E%?K!FZYDSWucG{a zdT~^wD^C=ihS(c`;+qGWu8V83Sia2ld*R`oI`Zsw0W#aiAw@a|72EM| z)-#Q@yHev1OvqTB%>ok~lK~Uw3~=*9}n?HACBPFDxBBO<0k3 zLroald|Y0JH`Q|!omhR2D?2R`u%PZr=2x8lQQnoQ*=wr~j{6LIXAiiZ+!Bg`AsDLV%vfz>f~+5{b8D270qb zAcY`?=m&6yAO@Mk#Bp(8CCmq*5n!`0sZb1iF@4~>xWYC%VBfo7!)`W>vih*jXnue* zL$7!>o6_zYuR{u=%@Py{hwVBg<70#H@G?`Dd_XyQ;EZ$>lh=S>)8(%>AZ}Wr`=c`W z0nx)NkdmmM!jP-LzGu8xFY>^QZ4xb44n6`8P=>VXiVf-^O)m}7yBE_0(l_RI4VA&t z5?WgnW+9S3{i{Qa$7uR{O!l8@RFAn`8>$oPO25V}zSABSb@%-xV^^ao 
zfNEKeQhEFRj?&l~{C0?Z_x50hF?Py8SE?ETAGIRVbEPt;6AL`Y_0KKOX;C8hzkNC$ZzMTUeuB3~AuHq(K*N5k zGmM+YAu5CT4As|qi)x*E9+gW|>e_dF4kB{TCOn0|da&c*A~sR&DVHpKmc1QIYPD{K zvu@uk&PZ^+?A3)ENrMEYbwg4Uf8WG%wLfc^`@E=h5o_SD@~-+iK{` zo&S&HxHyD`uU~r@ts>o8*caKAA#I%x)GSFf*aa-J)uHwW^SViRO#i~&&W-AVu$mrD zzHDtmb0oFo$KO6oh83S;9#!ivGOcm9X48kSh^+}53t@-0mon~p;h?fL zU1-9BJ|9x_JV!+F7c@5}>Bx?Xrdp2dTX4P#S*S?={GTIL$pTxwN_Jy;<~5>`z4W!w z!HqfGK(#p0u*T*M8ATp|hZ3!&7L*B?oxXIUex2odldF=UAv8Voc&DwCG zwMBQNW8>bnszEMI9N6tHnYuSyII>JwBzoZnafH5E`%Os;iWFKx7z$sicGp>@j(;c_ zg^-#kuzUVfRk|?ajI$-i;W30ilUy5dllgDzOb7z9&WrpDJA2q!9+$0O(`~zL=o6D` zjhE-Xw2>DZGoh9*A%(N|!wCpLVik0`#p`!ZyIfztpb_s!pyDq5J7jX2I55K$$HwMz zDxW$7>YjCXVB2Ei7ep*i`6PcEe1oO z_FgM>H&gvxJhuV7_Beh;q9fJ4tzNd`OF+22zIR}KPh`erQ*QV=V<^$iHv`Fw-^4Ob zG36T$7h53*R6>7~IrCpz0wqB;u?fWvh)%NXV8itQDPU?g;=Yc30>Mz|eV{U%)L2_B z{)5=Zz~lf8=(@z?Jch(mrK_t-EC1%XM9JC)U>f(jM+ozPM7|-V1-^ zNPBu>WCQ+!&*^uDar1SIZ<0%j|4$(PbuQNB^*`~PfMh@x zne1ES3us$QLO^AWVN;;6Z}|>C1akRXwww3jS0tJc$vgOR4OvDergAG%bs}%tCl{+C;UC%X|g)qaB+G4<~9_xDM|&^1x6{ z|FNq2!@`$ZXT)jh1y7ZI0k5fSFB;45+`5x`EO6YjaSOktjMtYRF->zFT4rekCz=aqc6qL_jv8+7LN%7;nNGGjk}gMAEj@6>_lEvS%(P za1llAWOC5QRCh5$En|HoIP5pI`E590bCYHm4+B_#qbb7=E|9%E-ppaTMQpM$dD|WN zY2Ds#f&-31QqNj1Zc<5_chAbKKkxmWqg2J*{-Xc2V9fLLyFCM=!Ej9GFZ8EBUOFU{7^5cK1>D>&zRWet`QtDcE~K9HF= zt_Se_aP~a}lM$M~ox3+Y`s3?c_v*4$ul(JQ2t_o>Kx=*o=;(uRwP7yyy4%T#?q_q3%z+Cz4F0N; zmn^cxClM3a#`4?!mRl93T$asxeltpjB_d_JX`EUboOHfiw@^%Nt-M+tu=fQh%co@_r0dC@eq?2ib0HxIQV?kSW zOcw-gY3o-r09b;rE>bU&6~gdHbT6r3`vd@s$SUR)DH=j$y2`>N%pP`p&~n%);QD*c z26*eK<(GuK2^JGDWCPHHA0K4oRj70SI@rO-N1XXJIea=%RIS#~}P zs~hkwUC~$D)V$?8WaZJ6$?ycaX870XuRc1Qn3@ThUWP?8U@z6$-Rmg%D*X!*gPgL$a!${)L68@gQYRwJ>$1em+3)d z&S)bSA(O+Hc~6+Yg#YNiQsNA>omaJ5RsSIs^hhW5scF}^NGQ_@{46{t#P`j=mLRG( zU5$4qJ4~N;7njR#s>&Cd&qV}!!2y`NT4*Y8uv>Jl{he>p1`Tif$S?TOl-_yjf8!~R zD^T}@m=ncF{LD(Ghk@+e0K}MZVNPHZF`&h-7GhA^Q!6vghIVHg;ZLB-;cM|Q0Q!!u zpHz~)@0oegxH04sS?Y!VzDcP6+-{!5uhBwi%2(SUBjY`(zl>RvMcY@=pWGMnUft9X2OlZjR;$dCk2Q!eodm|sCtOLLL 
zw2|*l-_G)b7-s+E1~F%!;@=-XRUglwB0qj3Vepix-(<#mH$#jilEji%IA6=&JhsvZ zpmP-QLAVS&I{dOH_{6hV6Qaa0z5>6U`FcOn`Cmgs$`Uc#d5hhjox)`;q7=-$HMVzo zuuFt@^xt(a@8->j4?XuyU4riiw2bU-hIy8IDvWTS$Xqo(%Cp+_O+*m{4rT->osl5~ z`oTeUULq%)N^&UDz%v10gU>Fk1)l3Egqh*{58rk=1jE(s%=lz5Gup1~0@Xnbm?nxV z{$Z(}Drn$eU|k=#!Fa>XONgViM=2G5?unjXQHB!p(t&H8GX#7_bJv~qwMBzNSuVtk z546?(v^X>wQ+ex6Ib@HpTx1$UxC(h^eByjqmbv%NR2e8)NKxZlOp&kexFXCt70{Z& zWl866F_yZsCjOToj$(G1MicGWQ6@R_cXkq!@b*?V;y%RkF`EBw@Q<>KQ-R)v9%IR%^TmqP-` z>q2UbXdaG?>E+5X%?|JGYEIuOX8hEKm>gb)TxR%eY|ai}eHGW~k7%DIJ3qh&R$fdp z`I{ZB&j+0C)l|Lz`$q@jm5g~m=`qSN3w!o+`q=)aR^s|c?>IlY!f_ZErsYsIx%PUH zZN@hGjkYq1f{CeTe@J%CW=Z)_18+uyenxlS$Y>_}Hq1iV0uqkTm_bK-wVHz!BNR>Y z%O~xACD|0j@~d<**H4W)?9Z8%lCmd2xkKaNGhqty$>Ix&0f4E92!V|z2>Vkm*hGkT z2mjk}Cr8|G@q^6bg8nIq_iR36_iBz<-Hz|f->Grx#St|k=PJ0t7|@$VG=1G34(^X!J15}53?XwG0X{-Z0vOypll^fCC#e9Ga zJh8ZwyEdckSNpY~1Y*pUSF>HSkgV3LkHAtV3;lSBT_jOtFi%XtlYqKs5l20|VorH~TC>(3-mK))l3H_Xyqx{4+2 z)VnRl40%(cnc=m9tf|tHCZ<@WC~VYZWRih=owvR?=6UUyEx;QWCK&t5CTsBP?U#zI zTwQ9p^T021FnaX`mWvuV}3nrHS1NVL+PvT z^wDKdj-`!5P97}4uWzNC**oR+3rzH`@iEf4j(Uk2SS#&@)IYBUc#)dV$BrI-IMkIU zxNCOy-rs}+R~txDg>%S*$ypCN&LB2NN6RNkBC59F%>y8DN zEDQuE+s#7yu}}#?dOp*g3K24F(WT>&IyG!_NV z8a=ylV~ZCPzG}hKzPdpHYsx47oH-VU%!Ow2;Gm9ky99(9v`pv23VFdNg34KyZV^nX zWQUEiI59=p#!F_+fnz6RCLig-MSDL6?9PK{wtejy!>$gvByv0aGb^3Pi3CH?7B6K( zEx{Mpi*MPsKG4M4)o2)$u=QwjU%kjFwTfhLu6ZRajUx~^_H3shaE-aeno6rI4#ap8 zT5f2()qEw5sb~DvVZYfPC*YRsb@gCX`qhtc%>6+T?e9pvcNDZ71GcXM9FKy*H%sq! 
zEMxyhiw?oCK=fC7f5rLH3Z&`n6XfReE;UX2Llmm(LLV4A3=dR$yGgU2oKEIbHDUn8 z>E~rXfJ+D&H}%ue=M6my%t)tZx*6B$@qJ3vGjj!zxT7cpywkkN-k^PrVf9`l4(YRt zMM1`_WkDOVCs-dJ(t2~bDAC-QRPViekVT^^=#y~9s@oydlI=su`iS_3Z)|FRDjw%dkU07g$&ur=&oJW&6jQjlE5< zqfwN1WusnR{m665#T6*9TeVy4uXhW^cB3CQ42Mn3cZc!!BlNYG3E9m?EmUKY;V4GL zXl&?IZxn++I#q3K->&y<-QWd=QLCG}Gh_PHwocOOa)f`^qJ_zT`$o&I&+5WJAbm4h zAl7!s=Dgf|roR-(KxCc#Hy@!eCh%7+g+HVNrjUC)Lkk;%C!J@#?Qz+|_B7;TdZ{rw zFc3lYKrV*DbW~Z&KT^UF<zVyXicO zS`_w6(Z<6F*LAulcdushU5Tlv4%)JX@6Isw^IdKVb3Wl?i_b`Z#=i>qvDN5~`ZX00OrBo6W1@#k6$phy77&vE@pNHdD->Jqh5j`sr-2AhRCnsRnu zG`y5`J3AhrqlU-N6pSo5 z1IS+f-n_fY;}mF{-h1{pE@ueo%8Z%Dvv3}IOGP!}V{Oa;>Ul)%F>-umOWBo98tyHb zX#D{c9>s7Ol%(qVNX@U*t3_k0#p|zVJy{N%IZH3`(^W85Gh{~BCaQ^5A_nE=xISeg zhNWa*-MAF|3*)e8p*VtQNCq~dlT`l7VrcSh^$cXdX=f2UeFfjCkRHQYm~@El*>thDq}=ytJSfBS=h%Koc&Mm5cJ}F%1fXZKu2S%LWHYA zVasi0JiBHF>PK1z{utQZc2|7JGm`T3B%(c!ZRAF{?IJvoZJ7pB+zB`Tc?OaT8c)we zc1h6Pj&k;&zgXlqDe;16^T9u0w<2JQEex--L$bru3n|AkphEW%3N5W32Io}V<#oYW zO$PH9^Iu)8A1W^iE|kaz9q0hN-d|QADk+!Gkrfgu&bLF62MtE>t@e~(ZLhOca`%!8 zQ8>~bmfz@HQ$yN934FCn8|XKxe%7UTZkd6FuE*0IMRmB7rXS+0+)t{6$;K zehoe7y%AB+qEGiz&DtEmL*-(enqR`Jf$e%8Z@aMxsSVjnj?G^l^Bl&tFzQY-#;FTZ zpD-IOKe%ly_tyxZ_w|SA_*oJl%*O)JOsyhq&#(JW0rUSk;wOP8{=TDUqjvxVA~A4M zKoTv6vPG*HdL0AQ828ftbUZIMkott-1lQgoVd-xzF4jN`5jOOF1B!;~$^!jnPy5Px zS`~+dZ(q}at*kj|nmEkO!&$qCyJ8?6)uLr{)~;+holG(Ts+vu1s9jJZ`Oum1V(8csyz67=64*>x7SP$^Ud*8`i9QmYZmzTqp4_On8-oIf46d zjG^jM(7mV*pHKN@@Y7kf-MhaC-^-IsZQFjrr2E~=^Lb=vQACKe6}uV3naL<^owh?c z|6+R>Dxm*~WidweZ`nk(6ymRz-<4$4_)NKHh)f4!LXb=3SBgkvYA%xR;HhQBTMnXs zQ_IG91|Uv=3{8K>fcNi?iceev?&1Pc=yOT-WRIby;fG7=lBg_%;hWY*dtg3?GH_&NSKRQ!a}LiWUsx-d(~T0 z?>Wd(7U2dDdfH!DIXK8Y*!U5u0eK!ACDtI^qP4hY-`V6m2;6Dp@z3JVE{KzA)ndM< zE;%dNP?u$@N)qwz+okUUeKWgU(q43tJ$r&0p<%4=tnOOPWq-|K{&TOW?FP4q(>y<` zo@F-%*okdoVuU@V8A!XV%P1&@j7`@bVN)dvG?zzHmToT)n_?med;?Rygy@y_jfw`) zH?}D>S5xK4kn3JPo`=@0H(yns``;M)*j++>NN;_X59S7Y{C~OI%j9EnWbN>P=jkMl z0k=&{Zj;X~j{atsdHI)Z`p(E}$q|tj=ZQgo9f!#2xVA%l1zfqq_YCYn7_hJ@95cPk 
zMGj^@@k%pQqxOeCi9FLwGwqkLmeosdpgpsPHa&c-4cntIEoe2wyoP(|D00I{-@YFW z6`Kyfmnl70x|3V?{Y=A?e@V=2I_N*hTQ(fJde)x5`WF|_UPA5Js*Av^c+A&w#mcJn z#N0w2+Ray~cn;M@)s3Gn-)%3mn+P9GdlLQGs+TBPT^tU3)cg9OIAEG`P`kY5Sg-LE zOk#y>I!401Kt7HrcUSjX&x`FR&KCFzy46Pd!utM}Z^8N&8z$<3vrgeo^G$|k;=*Csv z_rI^AVsn-(A&hum#WEFtpGhP_^U_+vvAad^YaBqgyan|tiNtyR|4pC z^FHtp(ueWp#W~dE=6cZDf3jfkB(+v?g@e?4oDL%;|2iLXSoN{|&9UYQ*@$*T3@ro` zNwX>4ipUg^X(S(eoBkT1^e(E=qVrCkYkz9ab{66QI|^Z+<_xqYI3JSK%0Og}LEAbu z*n}7*3uX>E@FQZ}w6OZmS>N(0q4e*;9V3v*o&=#dZiKOuE8MZ);fFX+-DUS?C{U0; z;6*n=c8yRXMaXN?;KtGeMG(|_H~U1>b+ttCW@mk=>p7h>ADOB>frBeUK&D-L7P;lg z3Y!CWzzbt?ZeF?~g7SoK?&W!)EpG0R{j7uql7UVO5B-5i&4f_dO0IyiCgybQ$;bPC z0|z}%;*Fx1ERX%!Oh|Ew)Hr5tewyO z`UEZ%&fiZ76V9gJ?JN8AP}JbxSpd2N6%>Z7)aBK*MfgLBFh|ANqd&6?sLv33`$4X1 zZcK)iQdLtt1~H?>sgY_2*Vi^Bi*}M-x;|0Cf7C0|*j+#cu8|Ci#C6F)xHMm1C+pvr z6lz!;Qi{QDV_X{8!5g0bW_TM3qYqmdg20X$kCm_ICi71P!$et_p9Hw2C z=;;8f`38Mz6!15t$rZ15+K`JZFtll^QzbB@#yvUD=PIwN+DTS3j ziRmF~W{MaOZb~r4X3*(4+6%hTcRIG1*VhL=Bl@Xy!#pg)!5N47EsSG|I$G1|<|;Sx zj*P>0N*Jx?MyG3C0|$0XqwTw-cR~&XE_O4je7c`c&TW(moL39%rCv4$?#j}pD4e;s zomRCVw*qdqd@p5WZx=(fgd*DMakK)Dw+FQX<^={Dashwy1_)mS;gZ+DAr9r1@g~qa zR1b-N#Z)=Hxg1(PEE_Co?cR1T-D^X6AeU;=V2rvPoj`E$QaI+>bS*6V^s|yc8Vuz- z>t@V~vzP4)g_JI1GWkT7dB-Qa+p^G_ZFE=!8yn@)PxSp=H(J(aG?yop^hgz3uYvAM z{=}O-H&1jjbI2ki?Xm>MWQ_gYK=)eMJ~2SDjgBLqKGgC^stGKfy*N>=z4VojqiF25 zrggQBGY9;vHsYiqUF5%E9MFl2aj`(?X%RSOk5#yYs|lDuXHo*u^$8{5xt;U}ivip> z<$G)~@8+L$8+~)D2W(wayN`Y4d;yAoI@=Yv(}!{fuHI|(lZ}fl#+b-0%IJ{(o(qFN z3ZAf2=Ig4~9UU64^!RZ_)P4*eXgqeO*M9ITEc;phW+{Bpo-r z7iVZ9zVlEXy-sZ35%GWM`s%PI|G!^Q6b#BBg{g>ulo&J{2!hf`Nh^qebjJ!s0jVh| zA`Q|Y-Hc9=?id{-HW(wu;>_nczjK~*eZS}8@BP7c-=EL>{YsRUF8!VT%iW~2ar6E} zQ?EGjj^wH<>N+nreqiu3iu~HQNwfLsK}@pkI$>TP`mhV9lWif(S}4*{*5Wn~%yIAa9NHT$kYhu!1$lO*@YZ9(2%yjRnGxuE7h z!MQVH-%29a`J@Lps0#OqVMF)%Nf(;&(mOyRllak!z4#5wVl{g2B)`o{gNI@WcOap^ zhrX*3%P(Gne`LJXQe_8RPfQXguMNQ5Qf%%Ho^^vC9VvUPpWO>d^97WG@E{^G2|*^S zVQeOUJfJ?rWccAco#pom5lnF+?fGD5#b6aRjzcY$$fXZ@HcKfrX=k_?L%|Wb?KMzU 
zk~xc;GA;kTv@7K`H*dReTxE^qYT=-xd&77?jp@PVzU_yu=zKJM!q69FXfc;luj89~ zdg3s5>Z9QO=QY~DK<@u}XEa>)i_#w?q^hN8)(ocV>DNcYcsKYIu3`y|=kA}my+7=HgGIdfjOjHW zZpc>YC)H;VbnIp$t5;fc3GGR&(=NRZuv3n3;6}eXjJ-(-^8&184TbB`;Pg>$@8neSBJ&JO11Dz3a8N zz96Ts+IycRY!k(7sZJ$*f#{O)HCacT^8(sN$RajGy?em;M!)T=FbQ7d6`k8x3U&_5 zO{ZyN3n@qSJOz&VaWfg%l;TuXmtlp5pt!_Zg{g-s-ZeyuA~vK`6osB9}bk}^xMsRtOTpO zeXiXhYC`0VR{wXQ@dx}o5;l?$)!gbemx!g&9c*lfs=~gIuIbTm@zsI9VU9!5e|CB> zm(DcRqkC-qe4ud_79GA;zkcmaaQY)UCtZYR*-O<6y7EJ|+&7CCZh?EMI9MB_GHrHrHfdWJGT6^W7dpU6Wnzdyh-b4212m9e-vqop1R(jIq7{ZP+|ETTP%h z>?L&+#d$$gy!bC`Xrok6k z$?B|^^3q44`bGIP5A>imetYLbIMqc1A38ic`q``Rm$Qf!sLdx^UxopdfH@BUUosDw zm+c;3qLFv`#MGWd0h|cpszU&?0@7pE-R-IvDuI_%{Hup_Rq%m&5Pa= zxo{C+@s~o?uQ+tEmqV#1Ka-Qh!AH?fudUvS=MB|;(#Nm39ihKfBeQZo1!CSf_*&%f zWM$`BRD-HFp#M~6!EHg4j*T}qQyk-l%Tz?K2^Ql(L;PWMC~GJe?NcPdB% zrIt;#Ucdg9xowT2+FI{T75;x?Ozj_${&eqto_+~LHaUQvdl{+{nY~(PR8GLFu=tG%Hqvib-JMBGl525Q< zk?~{YW{T{dUTEK+WoGXroYBPz+t~P6)o>%TytocA={HcXpuNVY7vhSPE$*uS>E zAJX~S^Gik(-5&!U@AcU8S#G?XYTwgJUnoHkA%qIebLuWZT>`^O6>A}jVK;Fi-zVO4 zZ`d76kv$kWgC^eyZobVM5EI&oJ$sJXJ4;=*dcY6W*}c4*x4>5fO>%K;1m102ybf5o z8}V{~Aa}ITUp`Dfeg2%*NVZe4r`6+d(f#Nndx>CEYdTkpfP_W9xKtx*bKv-)tl_!@ zBOr-iPeZQYjVM#|3_?92m|@SIm0zJY@D8C)K7NGMuCtfCbQO0SL%c~$xAI4!Tjge> z2{}(R=*I#;1b;HST;!=wH97gyxJSe4}cU8RR&&d(o4w>Kg+Vd z#=8uBuZq0dQ%WnI-#(eXp>1%m5Y(l+zZmbDxU9aSIdLsdya7F3yPDHBtkg z2q25+*Tb9V3gCWwphB^xjV1K=t&%+Qt^(Y+kt zbI#npsmwg|S=w`SaoO@LUC4m{RHo){)7ZNW?<3h>78HzJJabO1`9uppw)$fcK~vj`?#j_V{F_a$vW9W^Dy$reRYWA1QZUsmEwo&oQ=)-9nj|yxUqQ)iR_dv<}36 zEskcUj$j0i-pY|6Y(2EqqJSAPX%QSSRR^008OaWib+cNxndoXhsX3)AqcuQ_?qdp= zfD(!7&ch~0lo_ehil~a8O(2?klOiX?@j4+px3N(PP2~Yw8f2IHrw_pY!uHB3Hv^im z&z?Lg-d)smY+*-6ic9m3txG8L8Zr>xq)nw2m3^r@Qn7)z{<~`VuicTZbv?rzSmO;w;SWh!@?ks zOs4}mKO=1U%VoY6`Of@n5o=G)JxHK~rAPgP>gaAj??`(E1}$`DQTPTfT8PcmUPn=lq!D!=pDI}5|`MO zVt>K~=g)kw`)J27zu}AZxb%BTpJYo@2u;-+{HnZOUs_0u0P*tDK?2f(2^GaSj+2^x zoAW0>j|+nc3-zDZGlvyIp9~M(Ka2~%;%Aggb5_wWXTj~v&8e#|r1_zFZ=91t{+J%@ 
z2rvq%SV&#k^mqwGB=&-L^CbF69Ofxl?VexB=r^c)$*$I~RW2r|cHZTZDt{9bWjdMA zs`~oOv*GJb3bIoQ>Z_w7t{=fhOM@NbohvZ!2N5IRTxY?xh9^EgEU+Q|>SA8vw^hJg zW5W(!UVGWuO?HfXQTFnY_i%M9{5Tw5LHGrR)Z}dMVd@W|W8mW2{JQ=kvHV@PBsl~2 zA8@6CD7Q8(DFZ9)sG0!=xl788-sO023_OY)8#6YqU(PoX`^R*2<-Ip6mR?+$sJnYS z*+E*$yuur#f|ih5;vAVdsv12nc|gr^J;+gX(95QJl`<=bmpCezJ6!KsNV&WtADB^> z;3T;gU$q9Kidvm5_g}`UBQ)8igHHvSd={J^%{Q{nw_dPcHC-O}_^tPjG(Qs97ijV} zl`c9gngRX(?_i)qU0_ayPTB15iK;!@f16XeO)%d+!5CdUm&`S|za}}WXSVRAe z7x#}^HWS*XAbe9LVgd+5@Hr(rH^qL5-Ci zEsp1|FyWT$ia;YejriJTk*@?bH+AOW_`Ka-lPd#j1D>9bVXC0kX)B#1CERemET zA5ICy+#5f|Ni`M*pk2w&@KVO4{#h8=f8ChcrX*g(ODeT8m|OZ__8Wh{Bw(f>-}U&U zL|L=WhE9wUBb?tyIS%77?)UhYcSuAzQ0ee8UJ7oQfAtyK0$H<-;#Kd$LRztCf<0qt|4QzXZ1ZiI5zfY zGjgmp5-{q3?-eAO||ZwQwY=8Lg-QQN+3oOhco0pDRGDj zVaFAEijHER`-&y7AJ?Myg~e0**sZ+WaYh6Z2umKrMh{lrj9^JE+j55Y!5F65YZr1F#q3_EC5y-=cZ<)tLh0 z2K;qAg<|WC_clgk&n52UOCd`Fc5w4$$^#ke+QVTuF#;t-S25&IQClcea?r|((_BWMnm{!h#J z4NLCXxM&*2T^>i&(d+W72;9Cl!@|Sm`%EY0`Qao3JXPVP{3Un~F|(R%<$60L_jXUN zlRjImdXsY1EvndgYVYdYl+v*>avM1I$+s?UVxAL2zbGIR2y|%MD{_OX)e=l>Nts}n z3OO-6^p}zuf8|oob z+1?}lQikxuV2UAWp#)SLfT_fY);>bTS)y@=c(qp0NjU76AGQRrvyMDC8Pg%|j)cqj z<~8j0ZWSbe*75ZsiIxAx4JkDPzC_eK);YDEuwjVrQnduimjzx4(TbHG@;2_)>Gdbc zV$9j!UEZ7%tzzr-PgI)6wRFjE=sbho@ymU|yf>-+64>S&+&rkQUedwHCM2l`=>YUt z--+yh5)vVbE=}dUM?=HM#3+3OQhnG_e?iN)t3#7s9MO`sI6L1m9u;{*Y2#IR{D_dlP@&`ep*V7;K#A6-;|gG*}d;*6@95rd530D=*9lW9|IL{ zoN>yBb-U)SX@XG5L`^O|Heh9O?e#2naZ@X|4y|{99DCOv0WJ^w9ay}J#lTm8b0y{j z_T?h|-#+Ga%>7jAKJ}<$X`Royi_NjdwL-M}5!ygI{3-TJB;twdNaZ;*a96bn!D9=f zSNxfPdmG0FH6Jl@)9OM@$(D@OCi8rRw@=I=>lRw~j|@uY4-Z12$1lC=B3(a~c(N1+ z%^?~l+MZ1fZn@MH6Mg{5>>8*acQ?R*6Vg~4=Eyyiv2pJwcYzLkKj*+JI|z#*tir9J zzEB3>LGtn)T^%b@VM*@%VR3ajddTbtJRIG{ds;!bPkOIF`r@|3IAMf3o-J{mmqh@x zfk+Y(=7@(PAl7@C3ku{&_)#ai0Jhd=QRzwkx#f~iCUTa{`Ok@b`-kfGbF&9sotofI z439!es0Pr~1y?gZZMi3Uvdj*6uQFw$0NCU6Din1^##)Q8!ClAvw{tYRRMRX3i>LtB zW`&UolCgJ7=yr2dESqd_V3iuq31z9m#%kPf1VLy_aUTy8COLf=klOcWDq^!iSi_8b%2{k?;Fg z=x8eF?$n>Lh<+EA$lV2XXz_|nigPx9`v4t`&M=fqbG;sJTy6Gpd84YMTg%~l-jlMo 
zWv1+M(cBhF${V-BY*^a;mnQY%kzS_Flj_2jHu`rmZ&rwosP8B}{&Wn(O6pSpwTmOR zo73@;XajHf_J)eWz_msybg3+(L8e~R|9hrwGM(88qhH**0W7fLu?DRz1I!wUqT;US z{dP5A#pwm+OG?MGt~m)nHWCuKe}tC$l`36(9jZbYfbWQl9B)OsHFEyB$8#U03#TK9 zir4UqWg3J`AdbHd6koe)EaZFed0z{!mIYrN;We~4Aq#_lz9=>%Ks-o?1We;T67RA5 zLfRKsi_X@8;>9%H7X8Z>KCaRX@Qo#N!#7Gpdlvyva~-qcIAR0r;AzUU=b#nKGO+*j zprhajnpf*?ed&v_1-3=@WdBWORcv?ZOoB5#KGf=aA@yKeMmR> zQS50JNEdt%sm(l!PvW{ilfzDs*IdonPrOuZ_%?dX?~{>g#nHD`Vq7sJ?|%4b_n zcbp=|X#p|wr#ubc(sL3mYuJ5$dd%a0KR`wp$?*Q0oGPUt~Febw(vS8r`}1R~|0@fXmtEb&xAajaFzS+T4A5PdD>>o#4l|tsVbnl5C9|amcA$M@x#DlD|8hQm3sZ!2 zKe@qd<|p3*FA&2S%S)_$VA?DV*QQ3Avr==YQofY3?wP1+?8JNZ?K`ztaxu^8)+#ta za~mJ#i_bOi3(l5QjHor#M-;G{YQA$m|s>l8VXSQGe>c`NrBp!!ZP@65Ua`2A6gP7~JOWZ(7>cGgZeOj?fa zjLs#1-gsDZr*8HIhk-F6JcgSqX0M-dOt78>*&|;$Yi*|&KOnpH#-Bsd$VVYYmzwto z*dAWwgAF897a4_g?ti^qB0Uhqa}VqwT7G0LsQ4wh%e!S?8*|Li( z9|6XDmRa;9bA}%e+rJ69u%E5$_GH|@o_L3Tk-)pN4j(Dehp7%2rV`uXTwZ-0cCZs2 z<0DeY(T+?LcEC!Pbc`WRnoIdK6MwLS3J8@63dlNwEYC;OPr?rbaTYBM+!Wq=IcGU1 zYfLGnj0%v-30896AXy~7NIc)gJDhyffm}_dR1?Ywr(IAeIs|5l7fr=G7r#3$@jo=i z18+lf2ax_pa``3spcD&*cNdU3pk09i<|Z7yl!vbgbDJ1>#hmwJ>W#MF|8zgpD=Jc) z*C}(<0-X6v6oqFu${>Sr)Urn8sZ5DHKa#f5Tq9e-_HzzhX$n0rpabl`u2EZ^oB3E> z$;EQF=eukmo3}AAwMS%hCXEUaHgu>>E4kXC-*C|2 zefQ+I7_yq~L(ocEMPTjPNBK`eHHFO&PA|;Jbhv%dy~O_r;<0CXT=~M+8>MZw^wtnB z|0ByI{PXh-dZP_>2Yow+-}h4-gPW7(BJN*R6i_(bd;rM}oUS$&vn*P)3;R~L!TnAp zHQJoPL^<0bSk^%HCqLdvuwAb%3}a7iTHzF`qW-tp=rYHz1#tx9fkg;P_*oO+TSIrO zN)a(`8w=A z;z4tF#OWUzc3JWqTL%6QL^z>G$hbn z!!2U2-A1yd@;A)uOBJFIpW=7Pfe0LWc)oj*OdwH%)Go%b@3((7zDlHN5027_%DsOp zpa-kH7d|?)JtIHe;HUL+?F2KUxHqt_^ABH|p9w!97UPu0psM+q z=7 zbQ@SZG(0Z7VN+%JP6XFa?LlJb2y&$ErOQJ$O@_dH5_R9%8}o&ej{+|BtHr>_nMt@5 zmoO|3;`k3bhIbSmLo{>++u|8Plw*It&A^i#{Odg%wDNK~9zf}b7Xz_N%-e~iK+-7y ze|D^E_Q(c&Xa(KG<);$o$h07)fEnT^6wxe{5qdO+DQ;TGn_KkD8z{wSiQ_jy@Qv1T zSEz@Lnxb9eKd#&RbbiFw`7+^*vQivD&YYEBmh}0m#lbhqe(%=CV=F8?+Rn!@H|Sf3 zOnWHE$4>GLPs$ca8_MkqixM-Op8-fOfX;NmyMZISj%s*Lt5tO=|M~9nNE*SM2i`O? 
zkZ_bRI;A|;E>Sw-gKi(K(_?{#7ws{=r*U#+#{#oouK=n$hhm_R$OXiOe3d27WExtU z0}C_fE~9&Y=Jl$s-RPsAQf_p7@zjE$%Q?3A>cj7DEgbK$#mQC-@=i~0)IZXqqgE77 zaj48{r40IqE#_Fs+;ALGr2xtppE7U0Z{AtTQGDu@)viYRxsnND0QIz#E5bHx0Y*Y< z4n>|UuxP1K09J`PH)XHJ?$EUM|4y>{A9El>%!UB>62x{bdC!V6fUbv~pa#6N&#tkP zRxt*kgVvni(AzlYR2+qRSTDdpC6t*7Ln~Zi$vbl@`U*0(@JZ+kcx~K7=|%7RHWuZ0 zF1GlBL&N)hKcAXmvw^8E;NmCn0%U4KMGD~?poG_>nt3NNh4=xG3&X@wigISMztAt% ztH?S2LxJ5)V8DhdbH?wLIqun?z_GPcZl`<7-t9XZ1M5}#K{lB^h`lu4OQ5%HIqAxgX*rx%!roN|G{{Cyx3QPpeN`-AQ?P>=8Cc%4 z&|d1a@2Sr+d#u(2Vs6#QrL)*v9-5G$GoFsQ@ey^{I%6b$?2BZrGsBz~QQC}&Uf!v2 zHD`zY#!bil6QTrA9UpVIA0*2T|Iawx%v@@a2@r+mO10zrqOYHSDxkD-jLh!NsW zUPxl(K*6rpjNH+7!6j0n1{Btz12@613C|m7lBg$f9)Wr$YYxQIFDgjC_$RfklBU`W zNQ$L#mqTbA96z~a_8b*(P(q%x2|Z$fq`4IM_tN8YU%oTkG+Bu-@IibMV3HlYx2E+s z)>(rZ>)hYX-*~D5E{xlExZS*)8`7OX*iRZciN?@wEOo>53rNx#eSZMWxijxd6%Ksv z6Xbn{%pafGOSvkjcsKu?!G_t+`C`l2OaACccKiysPwoLLjK#fE|tZxkYHuV~pN$X~E@(bmLTXO|dQh54>qe+3t1IYD&*sJ2l~N@T)!*e;8<`_dgw# z0~DxMdoe^xC{w*MVP%Nz2Gb`#_ZmBgqhV;%>tWgCM^DdYzwLb8s-4nrq=Y;_vGEjA}1QrP@nYYc!%OYtEW(3YJ7*mQ|(S z2yfo_V(W9HaFKUG`fz-1cuss)iDtrNda-MPt9(bntNFob?hMa0!1PJFJogazEcbK2 z!RLxL_lWu=^|VK&IO8BkW}P*NP)(MZz|YwAG;gBYi8euTXt(OIzxX-OmoRi>Ew%8h zJL&!m$cFtvZU4!+F8;8XcBY&tn%ppPmQdKP=PUWl2wKy!rxvlspI+bME$q571X)*( zWkTZFlPfYrAa}&y+BaeWdS+$h~v6bV|H`DmQhQoHFoCI2?Yj} zit=9nzBf}V9y&#scd~+G(d@>kqXN`&z8-m=vH%>@fp!dt97C2pkxc=sW>yjt)FmdB zoB=4IrYc$`ovN(ifM{Gn2`RQ@E03}^hskYP5g^-U3OBNnQyk~@=ODXlmJyf!VwQO7 z1Y|tthl`9f1<+GI>3~;evq#r&QDgQ^ZQ!WOXNMeEo(2LI->`F^}r_Z{%BXI+-lXz5$k)uk=uwJABXiL z_o@pD61!i7?_Zu8_yJ@1b$DD);xJTnXz^r7n3L(-egk~Twdl#o+gx=fm_0o(*C_8k zu&Arlf{!bzwag^p)=2fhJ$Llfoe~8ulN9{-nL!OTHv8qoggBOkrYNOX7dv=u56;FW z<-X}$6Macg6|J=-?`;%iGzFMvZi~hL)E~b=FqyWz=+sDaHGZn!`-~aad|NJ?+*5HX zYdv-c@N#a&nuF+Ok5~^qgxZ==QTJa*s)1*Ny&UzM} zI0vonz-<3jK=`Cm6%cdp%selzMba+@#F&LF=9DhYY?6&|qp+rJvhgzH(rm+@5O2is<~pE(v{ak!{ZZVkc-rH+rpF@1wmO2}&X_I0?`z`!RAu>n&I z+ub%Udtl@x_jU*gh#GyKydMYm%K@>xOHt>T8JfD=zk zWN-K8zZ9D`Utk?vzN8TU>X!158rP1Pnq}#z;8b`2GOJ(!^^c&~s4`&C)em?waCwNG 
zb2?l~$%k!6F`K=_aNkkXtUjue*ID^NfF2v)b0396+tEdnwWPzCo6S^27^lZO-C-+7 zolT?XrC7H3bHx&QaV!g4+D@~oe-fdnV(o?nVfbp!sXYRal;1TCgUTzHjNvRPfJ#Pnb4snuPZMFtuVRC%z@Seux>Z zO^0RR9u1*l{^Aiez4y!3jgJYy0P|W)qA}76O2HwGw>JW?bG+touagmWh!;!ISqCfX zgyh?Z!4#;Gj@fI>5R`1!<2dx6>eIlKU4-Rn$QXqpj2hc$qUeEip}(P^DmzML0_hz- zf?f1*)RT)<9m+ebbZqDfv%*iWH`=~wee{p{NAb4XGy`^nP93EG=A=`Nvs-&r4LD>Q z{_;cyDIzv0Bvgsp4TgnY5f1oZ)UZBo<#)27q;FLsk3QRK**f_Ob4|e}r6M2@E7mQmHuOH4VluZeWP4MC{(%fy-?`PbJD6azA;D0@(pP zCj4Db^97)QT08jh92DJGt% z7pWm$EU=SQb3F@km+|lQ=Xd{wi;ni zF7NZWA2vPo#3dWnH{4N`sX6=oZ@9S$b!G3;ZKy^Q%Vup3wN^O`+^d|LV*Xq@w{qoN zcAngWF+@X-BIm>SsDK{*aoPxZ+lVo!dZ70!mE&nUAM&5$rIM!s8)a!SZfM=eJu`04 z+}w+u$$%?wWU*r__ zeesgUZ;ro2&(nn2x&W-r?&I-3Bj-KmZHuPsyv!|+H)LId&JL=f)@||yfQ09v3WV>~ z$T}(&OR~oYBX@xB%uqtbm>u##2uw9QXtl=jurt93b!gSZpI3Oy`mVG5;kC;5az_`%e-^@E>DuKB>7=c)1u9mMhKrrf$QQ341O&tN zFw1k^layF-LOS|=0x*}Il3(4JPY6!MG=(($*Y%6suXQafZd#h2j}ZEofbCykI=>rF zY!fu(5o$|tyQOf8lVDyuk&*g2{{Zut;fxTqPy>u1e@ zstOMt5z!#!*R8i}>I z#=w~W_}u-C^ECSpvXs?KHkF^7ziHJHGo2jln*4I_`^+7_2@b^87v9r%u|n56?id6X z$GeL+LN&Qmx+aH99(Wu?KJZo*((2A@XO;?);yeG^!5(6~4;=1OIb$mimi zT4z#!KgImzZUWj7FdqyJR|)kumE5Q$FoQSUcurl37#U*sdpDX%8FS8INIy;jk<25>C28fVZ(FgpszQ|#Z*W8M ze*hx2z>^WhSN2Dv;WJb>S+5HrQk3+yNV=(0c|ErD{kaoOecG(C_g6sLmE}G_t!@*f z6KOsp@N7RU-9|^HGNW;fK+ce1LkmhM6&0KZT0t6m=onaQ(J}HW?Mz6ecEuVve`h# z*7KckPMzYZO)447>x)54`Zi%#EJ_k@HC=BCZ^Qc0l#J`_OG;;=_CJ^zf%a?%3U|FH zz?r6rmegr!3`s(ubQ{-pN`yM&nZBVs`@!E4LgMG?R>vkRETFpxh>GgXJ#=WxqQeQP)OHUNx@Hpqe z#q5~kkAWCoIgJm3nV=_V5JQBNEl~)#B4>}Laj>^);G9RB4(!s(xkjHPuMMdUoG$Fa zXw^g56*I&MaSl#_bj51ERk?f%W~_P~)QH@3wf6~#QB)My2&aFoZCz<#oot&oexaHp_>p1TFlVy* zXK~5R42!z6rV%TmncSJjU6F26{wHdQH)8UnRK7%))gfp6dT*z!&JWizrV1UjXKD(0 zJV{OF{fOGRx@!tuXxsH@jh|qK{{@dWcbu$}{N!eEGFGy5D6dA>lS0=5AYK{N->1EV zI+^!1`U?XU&O`C_^d#yfs^hmSWuQaI$T6sHS}meqelvLMIDvAIU}W5oL!6rk2sd}F zgpW3Y0v;i_;p?kN3li3qm{!2mG`gOC<0Eo88&fz>h(?-y6T1Eny!8viHWMve{zX35 zPPdJLKe3bnVH*0Chc}Gc2equ>vFx=Uo*-@;?(-%myJiyBW5?_jk#5vp-T*}@Z1?4M 
ziQ}|R@3LZfBK_yiGsl%2^I5tZxC{?7M(uUpWdF9W)PiOgy-xrPdb>bm-#R(+=fdEYD_d7 znn?JAx`wDSnf(3uxe86g4Xcy1F4WFY@BjmU`$)F}TJ)19-0zR=Vf7`GD4~b7F^eFqUyZ0TQ zQ@f&+jiH>C>?ubXMQSy$ErYWT#M+qkPEtEFQeT3pvdVQ7nuz8DAPHv8)JWp)dg&iV z@V({1?3sgGH6HI2R$Kt4&<+qOAFT|0iOMc2;b&+mDdcaOHx=~^)3!@ zCP{4Q__xI5R})EQVPcd;VOU+=0I0@w;4piDXxx94a1{G+5zKo69qXFI0FE^OZo>Mc zmIABUk)0=gQzKT?eU`MujjPX1e*7D9XYqEQ$mX`Yu8X*;-j@ii;%M9<73r4H9u%Dgzl#|~0%h=LE5^RKB z!XXFVi9Eq|JBla6$7+w}fBI%CVA&K+8w|%46kWZkxyZinkh{}HM~nI3{)C`qLL?Su z6T`w2IT)DBMlg~c7ZyB*0BbWpz`Q?RG+bJ&0{BTiwHvc<=GKH=IK%4dqy1Vrux|c@ zKYLcwBxmyZg(7^ZaBZFTgI!&(j3MK?5es0A>|6gF-~}JOgLeOj(;W#w*AXj3eggC6 z$KtrD zTubu961m)z@~M9yO44uX{L&ss+MIG^;|KXJv6T)1?|`@O$zXZXD_(e*OsI-2rBk!M zoIykB+G(YarF2SrLRR^t#lf+kpVuK6e&O7G8z-U>Gt3|DB3{(%J28D-mnLw-F8^R- z;4NI<98JF>UQ-dg;8djM5vdp(yiR^!EKA6eRs*Zk00#||WJTarpNqfpJa+1{XD;>6 z;2eQCcVU9mXuV_kEWOkPCb$SSILr@zt90#nxoiq=Y;YmuGTVHIf8w zyTGqiKDl34;S7cHc^{xG+SLy!5#vH{?p z*u*NdzU*b=7H{Ul5T<6GXwL!~&1b;Xn~*2py*L#Y_Cd87bworTfCt19jsC|sO~vj) z19{`^H@`kH-&48>+*rjl^sU5+by6R{9^--)lqnmaBAx1@71@o=xf75x)P+;Abnkr{ zv2OAE#R_9Mh&idP=~0yi%#t4aT%xy*$;6>`nq zkCSS#U3JEek6?Ij2E}_;P748T_UK=Gx~VhDG5kq@7?1nA^G_^wQYjJB;mV;9KU?e6 z6d85Fz}V9SVz*v~=m&3utM;5p;-4fT>+}oWY_n^Cbj#i!b!@b>a`aB;!xl|HUZAFO z8yE%1_}^6ioWH7Sn84yJPD1A9|FJG;%uH$YiKx2kIvB%jB}j-Fd3#S|dH>en3mq%0D>lV$Fy*?i^vRL}U-TJ=Gz zph1{~@{X?|;aAPPC)28lF%lQ#_L%U$f!j#GI>(Ls<`#Rwe#%?b9U9@)O&YF&RFi6p z>|V}u+)W60Benj-96y}X6aYT=!1G^x1CD$P2$1||5E|RX_SIOkhaHql4ECF%CgMIt zvT{3ju)I-CD16iu>iwU7g=_z_U*S2mU*YH+Ey@D_@wfJ=wk)!cVhBlColaMXLbeTu z=wJLY>fUvPI`0a|N_e}(Q*JLeD0eqXLc~|s8#r7l$)uQfv*VXcN7bI{vxcM5YUO^} zD}ThfvoyK6GVBA^m{?^eTx_$Dl(K*BX{(x9>|TM{|E7*@!o-u z>7nQxBPa1*>bB2A;6|+pQCx#cAt~S)Vjh*k_>UhEb?6kckKhUJqLaNgL3PwkXA-rL z*pF+93TWo1e}b?(JEL)~ey;dBEAZCg#W!pJ^7I=$38WVgt7mZhPZofFkUDweM*t9h z?F@5=PFcLiw%gGDXmo{IeHb5o)i>cNt{u5(hZv7}vE_vz=R&*$_v7f@GqgVaj?|!r z^O#Yas2@kA%l+J|d?D7AdvxaYvc=FlVnuDTo^ob)&iwk*SfTy2K9TN z*cyg{i*|4bwUW7924`zKcAZc2%zX--{*ZJk+b*f`SV-7NEqF=5bhs8e;D2c9+$tAG 
z&f?RKvSYs1y#H4HvwEFFW-Q-KosFcdS%`}$W(VVCJZP3vQfd7MId(EeErp_W>~Imb zk2||(t8ioAYyoJ-`%#W7Y1QiRV8TGk3XXdl^S0_=zD>y}8pP#;ml+kaz;LS`K&IP!qUx?L58ogtxD*gV$}1s>~60%Kb-f z4!TZDnY{2R?S@Hi{tv$Ba}B?6yPoFqGb}mO^4RpvaG=&cVfe?}@vjh_n#1=4twvAI zNfo?Z%lUcBhQ%E-r&cavm-H($>O&AcGta&!bU{c@{k@~}h|xRuZ=y$UP0W|AANWv? zScl~MhWYd%0kquLAAOP?JoCfoUCBI;yjS-C9^CoR+JVm0n;VkFZ?%bSYYKB=f%Csk zl|^Uj)>Qhqx+hGhKc0GNVf3iYOT;e1v_q;>`>W1sq}yYk|D#`4N66t#jud|&UcjmH zG?yHbOZiLQkFNA{1@puvbmaiJ&nMb${9nF!>SNr+$!jqDy6bL!hs`DX0_PH{gZ4I? z$tctUNt+U{kw=xlN4<2)Fs)#8t_(Nc9(;-@aGYn*=dum%x2+B^j>Z_%-dH!IvPLsGwcFFeRJdf-DuN-p-Lyu4xV>+pIB7VL+GA}YV9ZOq)}UZeJT!Zd!$W;%4ga>aN! zE>ovip)$y=vPm3u9Y~kS)KSSBa1>H?P{!;i2>2?dtOw%*ZU;QGKH37^E@S$nmaK_MgjXmDyg=j>cRQe6b z$n(RiOWN06q|Kc^Z%JM}5^;|ye-8@=4GeNCLpi~u>QUY2>&ibaq<|A&TLiP)?l4rm ze6eaLTbGepTTuDdX{##jW`OLRV%U??;YaydpCT_x<+79b?C@wHkjVN7l;2n&Xx=?xR) zSC*V@zMNcr->9?@X53I8FoJ1I5ee!Lr)c9}f+pexd(+=36-lc}VV)j(WR95WVi&Q;TcDqn1huBrC;STv6 zkuLX4P4MukY~WDC+{m)r!oqDYJzlhTK1!EpiLOP_sA)aO&5fTi?Y~fRjbG-|m*)uB zGNbOoE5T5iY=5=q4Vl+hC4)sgiv59H$&v zPiEU>oresnMii64gH{ts$$$0tb>0Zt31_a4N@ z-|d1#wXJpEe{66y%6a4s-EqYBFjQB)wJTdKNs7%`h@Hi)`O=!w7+u=)q8r$ZvzM-# znbno78Lt2C!GJU#4^Gv+15D?nTW1xF-tvk2#&i0hskgPf$EHY=)4AL38R(^}zYRh7 z58#$GNkMJmr=>iRSA_F&c%o5=hER?ow|a?43PI_Z2jf0NIBgX-tKGXyb$m0vp8#Sg zM#haNq>yo+!+)}5c4ugLe-=Ivk3N1(7&G)}Oo596-4eKdfF))FrfjqdmHv(w_MWs1=5ygibsYbTA zz2q)6FDkW7KXA5l@Fq=O$g1KJVnWVuPsCRCp)M1nIEh0syCz%Kr=4fWUn0GP>WBCI zZTu6zS<9RbL~hBe0$sMOn*)A2T+GO<`(UT012G6lNL#g**j~+eIUs$`ir)27pg*VI zEvtm+NrRBYsh~-SZr~5QwH7FDH>sggK*EJv^S<><(7YV>OtJXhF1VREXz%nzHD-XL z`8e9q#!XjRa!69S_OKc;y-jvWn8r&kHX2gxLSepE)iHg`bH3~i0n+#&H^zXHftrfC zzM$Qj@c%{ETSdj$Y+c)EAPFAa8VNyy1a}E8!3hLUaCfJ%;M%x*;~Ly0SmW;Q?(Y1Z z=X>`U|JYCVQJ+^=)xB!1YtETeB~D>OhunNoURJbxyO59}eMF!97e?I(lZM|#5s}pP zw70Vu%NMke3IfUT4O@~{{YZ~a$4#q~=T&%2=(|mW3qLAG6bF+4@hO!a^OV-}@AFqU zFuyw&t~F6YubliVE~ts{HkcKok(}m~*NiR_CX)nPR^}=EbV~?k&u#?%W_5XAWCqp0 zWx^s+KOuHHv;uzg>p&S%omtw^gM^9-=H#zZL58H>e!i-(9pPs(vjMnOk3CkAbr}%QVM}v`cyRr&4_VJ&iycZ6ow!O$-PR=|LG3M$j8j2I>vI 
zHt11)bBmSR_03(MV_inYR->rtmx=f*7h=d8r;K@Fx2LolUt2>9R(c)7iEOy)DKy>u zdsO4u5<@1m4)*c?bVY5dCJbvuzoTQ+Z)?wdEx(=PJp4>OC;XRJ08~AnBYA?ZENvGi z_Cc;v@EW6h%c<{}QoT6GoPnt2zFzu}#j>Y1%G972o!3EvQqhVa+;U*WakweG*_{K; zl8S*Mb4hEfhre=3o1=AMO>E>54h43M#HH?+!ws^IoKHlP6%JR^paJ)%HyCCqznys| z72uageSS2qImsX^cGUIXMU!ZQ&X-n|&U>6M?qtiOxKioxp(fbyn8bcFWApbkZk7+2voZ))jmLTWBN=D&Er$##(*J@S zs=U1gpSkv$(+6D78|9jrNF9ZsH?N0}+dbliQ2JP+|NFFT>>X&^h;E=G0`-YjN#l$o za6ZdpPKK{R`V4+IK})$#839PG|D!Ja$SRDNED0JN0h89V+T-6i3~^{W7{M4x(GMF$ zDybbkuT_VeTHUxw#BPT}>XoFp){z)Jl3m!+B565 zt!2e@(~G!^1-xqz9oRxc#WHv8V}mp)R8HkV3t?H(A@S37=qoKozl(NP-AO|a8<>}O zr}))|ocia@TBPfu?0AJUb8H26!T`y#&5)CQ zs*V{qxApz3Y3Uv(_jW~Z~n^3@%-v>%McV$x|N)tMxpw3kER<3;4&SHn;W252X^o^G6d@;0U^~`@*Y;8O-UI`~r zw@kj2L%2rtxp#&fcs`X*#g%)Vv^vCk{AGst=_d?GIys3G$Ma=08WAM<83#bRY8z%GjX3QJ zr^W6mcgo~g&;sTbv)}zf9FEqnf5wG z@C@x%tT!&b`a3g2qJ*Td#;it@DYRY9?)9l7+-a^xOXl1Nq*X z_Fgw$&=Ku;I7GARyoLj2+8)vjfcQ44Y9;g8HiK!9EuD+w8h!UGn`ea*a?Le$9JbfYWwf)tl!qnTK99*~oj*?<*JuUiT}f3khmoFZ;#UrB#R2 z|0?>ipuXv=Al}PcANFf51i&NMdXM=PPk|km{4leJC0N_PM~tY<`GuL6d6Nq5iB!Ql zn4^W^a5i#_GR>gipzFa705xo!NA4oY%_!sz6})VBax($;*zz{A$~SN#h$fx1?M(42 z2wseG!|2~k2YZD9b!iA4b6=@^D>g7^fH+*yCN1uCMwGsXl!n+P$d4IB*Tze6IVaDJ zbaJFxlEPK}{74Rw`At|P1?!Gdz^n<&FfP&(<|5CzG14%sgjTRaYK2!Wrv4#j`00Jd z@cD4FrX%b0k7}_yhdlKHLWoHG#;DP!HxA^5w0XCQ?w!|qCdhQ?gfZahb=^JHmHBz| z6cw-EOKk(~R<%x2%FE}+`wqkeJVR`ZJz}mJ@vSpDq<+O>Ed-t!BloM1iI>lwxz#(! 
zyBnjrFCBGTDXZ?S@^d=>x-+16@|Vwev;qoquBTWYt}5jFAMZDI1l9vD$E-!{h=b3o zbW33}7n;88u;+rkQ4ryGAx=0rP8KP#8WXrChua`Q-nZ|8dJv!PORyDUQg1G2wt-lrgSYiHl3oY) zmu^EvG}WmI))R&vWnq z=X}FZ3!r`GQ>z_j{~d=1>~vyfpm|1?s?6H4%tOUg)_Iw8tBP?b58$(5wiaDDI%NWI zG;Q6aI?@3H)=8l$$Df`w%_V+ejO5c4mw*v5CKD-zYyH3^l_gz1W%Uo5j;)`r zYH<@Vg@)1{T;P}JgW#l&9&hi}fuvHPRLWUDiJC8BEL zTqiVJLriLJYk7eBJs)yhBrZSJc`BDv2WzY9m!o%>K9hr*oE=kmb%PSwFlTuY%3Nn0 zr#^aKqq@(iam4<+-W3AC@-LeJTy%K&Qy31 zWSk8K$b&YZ=`o2BC_nc$V5SvB&1c*V`8X2tFDy3+UcEz>Ve4?yOQgx}f+k#i?xSYZ zkZw%iAzzb;siKh1goA23el!`gF{yF(4H{XL#GK>9p%n>DMn}{jey5cRCc|rc)jBF( zsF~Y^Bb_9fFb95dG6)DP3UQhCbdcgSR|Lqu&g+LtLG%)v3+;Y9RdSotZaRDCQhNU3~nzZI~{IoEOOI-N?UFC z%P5bF9;(Yw+$T&?zB@w}Yqp>#)sHOz@}UcK@j#9ER+9NFX%<}*2trje&wT==^P&Dp z3p40jn%VvB<`{ zj-_z{lM?~YDa!}GEmb#t7tf@kAcx0jzw~-8DXGm$PFT>&TrL>`4ps!3W`I>qX=TYp zUAr;Cr_cIpRZUdpU(kZGHCoM!kG>HJo)HejcXT)vvs)oHQVlkdj$7IiO3US-Fx^y0 zUFUBE`!YD|JLHQf+CI{}}TH2yS!05Ug(KUGN?@C!=SVc(VU_~5l`kpSimG8V)T)Gk1gF1gkIltex70Mt zJok9tttZZLPIBN-+kevu1dZnWigd`xixfBH+K1GNPgG=^YTS(c`kqx@^Vd9Q2co#M zS1kF#p)nj!Tf!>kCm}e;?@&`RrY%SaT_UuzET`2R>tO9b1`eQ*kD)@4=6S>`^iUF3 z&WV_QUEnE~EXpn~yvr91G;3N^e=C4L%#-$mC-4U{+aH}on<}fz71k+L5keJ9V(w2o z%jrRCPwD4H9o`=)VlIir;;tV^9W@qqm3<1Mukt=6S)Dqz%_6iadP%c@i}--S{Q|j; zz|4?PXp`z97c(|mJsqL-DbxO?-d?@BvG+Rdq*V@F!_Cw7!9u`pP^5d>yvCfiHiu|{ zXX+&rt%Kk;J>&lKl(xWT1Qa+jAJhtNx5E5Kx|>!G-MD|cS9ShX8h=@NO^J3uHJ2{k zp%ZDs?M6`VMX-OKI~Xo^YYoIWp$ta_KLRCmL2KO1dS;abJ1vYGX0pi|tqE0f|l z_}$cb6#l!Ghpze$(DCI@m?p3jMO%s3%9UZOyBUb`LADgC?kBD~+N)nM2?c#V@ieY$ zuO2-&a*?T1d|9>YaksMY4qwryE6eTD=q-hk<~oxxCk(ptxREr9sFgf!I%2Pl2xvw# z^?z1`(=s6N%K8Fr#r3~@vi_W7 zpBs?R%G15Q705#}?tVynZp#Kpnx_2P1kKA{k={@{4|5x9FHpA3`6QKPsg;oXpcyU^ zOcxTi&YRKgGRIlbNcc3LP6U`K?F4Lo=JH*Bxj4~jqw?hKf`p3*#RVtYaVaG_hD_!uYjpe26QN}9t?s?>@qHnIdhydVAHQ-e^QaqW>s>7 z$`6*HQPUkvRZv3|LMV(}Qnv?Hdyuz0y!X;T{sp#8cyIp0Iv3o;qC?Et!EAWysF%07 z#0&80`Nd$l;ySeimsuKEx2&$gK(L79IT$dqth7pCHhP2>f`0UNEb;-drOOC>RH$0gVk65qzi2uI~mMRd_=midmrbQIHJ_v$jkK4rHfS= zAI+J)RDi^(OCb`Tsw_p+ebm90Z$F``%+J;onXGM8*AOqpVVa~ysUfo6OC&vhR7}3e 
zE(?rR9~R-l8N5IetTEP)7E%ntfQd~99h^R zT30^tyVQIQ+XDN1%-K@z)@iM+0|h9CK6dB*ZL}EZ4}An@+B+y*D(rcj-I6Qa1oO3y z^9pX`SyIOmh-`T`T zV`E(?!iZfhR2(SLymm`+`HGN^Um|!kQw=JQHV6RD27{(&&R+PX)Rw}r^ zPW*?)G3&;T=12RZeEG(i>mw00V&F4B(80&f>e<{Mv%>Y5AATQX(`c%FblgsK`^!7~_zOf1?eB z-7L?LyfBX2wV-yB`=Bpv^^K=!bqig{mkrw|+O({a!f1 z>DE*!o~X4eJ`kiop_gcf^%f6qc4*A6hAD{Sa0wTaK^*A`Kav#nuDIh6&B;FG4#0eG zf3%buFkERfU&!P&4dsfP%fh|amL9V70*zd5EIwjiT#|0PooP508VzU`-fS?%LG>|7 z<|5K*EdCF{e>~Bmfzh+wKq|6LF&ssPJnP(+HWpkqjzO+4+6N4PJ|`XIRZ~x6Ig8@w zOG{f&$2u=!8~$8R9r(VzR7Y*5Lj>FsYQ}v-bP?{!JVJM_NaDv@zl_y(sei1b4Ln&; zt82Ygz02cje@`MN1SRAjjt`2R+tym9w!H3#fe-H3rEDMI{tFRnKOaG2K+@iz$wrlRQV8VF}VO2PC42t{o`Z!x+U6~rit@XY#7#t_DS<2@DM-YoSdv3 z?Os-PW%fOw9repXv4Xfkvn2ma;?R>cUj@~|?*o`9-N3CMyye|K1DK(n61lXna2N`J z`W*WQB^|^#zprL63&EjLCgp{caD>VqGS;iO>eY%%b33iE4!rs1D;PfLlyOTPo*%le z{yr|m3BZ|xbG|WUpl*#$7KJkKDK(P?=IQWui<=ZW#kOg8b;)y64n5aea`Kt(jzZ4a z8dm1)NbXmt`fNQ81cKs7Sa+)+*~a=sfTmPnsWWK9#DBX@ez7ONzFNv8|Ee7X_vF=4 zYr?RV$WcV0FHn^Jiof6Y6nXOxINdnmVXeD#3~#NxbRSVyWMw;sICWRYCy3rlsbDNR z?Q=84xu~_|awR)eqo%FfazZkrqSkuc^2a>PT^ysA`CsPQWSHLqVC3Bb9@eLNc+c3#rVD0Z(jh~?+Ez7R{sT(&#H(`lY`M$YA!&ADnC zq!n#RCEd{sU>tUmbCHbOAo^Kgr_ITDf zi-??hfZ%s#uF`Zg+6#ZK?FbOzR&s-;(!5)%)Cqn@NiUhgV?p#G&*es$(%b@MA;%wj z*{VlX_ZxH^gq_#o)X4+TfAEVR ze}B4pl!H=cyo{Cogyqxx-C;_7`ynC3o&zlF-n~(J!;V?#WOK5VV*3yV7F7y zNLiEqMtiz!A<*UgIQrVH;VJESpY^B`R1)`>_tih8m%9%PNK%ir%z61~RK)PzNvH%S z^jrX{YL2mLjic@49Wqmk<9NuucZdB^ zjuTozEpp8fLL$oZ;f-|iYX>1i3prqBXsbbho4IAv9Z0`(kr3fa`w^H8`qRd> zR=@TDm z?Pm?wJs9=(wIgPOd;a7P!INVr7C_O6u5h(@m_-~|@5BZ2g2b$#1Gcurtg%rR23oCw zs~m?A`3)`I#qEl*2w?xDW{#tVFe&&Pk!4*p*jD@eA;|kgXR(InME}M7vP%{kGSstb z^TG<@6>4Mxo*B6moAWmz9X1DVkGfrsT?n}BNxUJ!7RnCuG$bS<^EntJ5uBR*sXBm3 zv!_vBDOj63xeQaD>}yT2zpuk~>>T@AMnlLu4MCyd*TifNyh?$?yZHQbtT!Ywx(^%x zgirPxEBs%INK=1uW$jtk!-x)|BJW50LxE>7$qIk2036XOWx)|SV1|{HJ2FjNGj_=t zOVTGI-44QUEpAnhV*u8{%_{iI|IcLxDttwtXY=R*Ua6;uE=ueh)Z`(gI2vr)4F; z?TR&fUuwJ$s;;>%zrC!1kTHk^6HvlI8BebpL0lf$fhnAW7v6FKRLh9W%YK^+cO0{4 
z`>E8uFvPFMd@_rbBnUK$40jJ5$Bk6b;0qj6J%Y>l%GVipwnB`orfUoa&l4fT6FeXf z0&VKN)OQ$0@Iz@@BL=(Ma_p?RF|-2d_5(muVhw~>;$i^J5YMsJFQomvpitD;Id)AS8D5npv3hoDW3_?~JX2~Gb+Px_DX_8ZvrSB0it@38{g z(f6Nk&%eQicm}N_b)yq#9JJ6|Db#T@K}ApK-O}>vG_BB(`u;lbSF^NntI%d(v!%v0 z=C2rZf)If{Q;Jnyq6ZtzO)%8s@zbOwQWqqOJtF?HK^)Try_vUNgQkhI9WmRhzG#JZ z7=+9HLBDwhSX&Aw{G;GaXQdtu0?uooOZcy*JJU;~_KWx2pE@YDnIU`uPHV3T?{306lp{!CLY#geB>e;`Nag zGjG*urlI_YvsN?fi3y+JUbb}nQC3$pycwyzaWi1D1iXwdAv=p*F z)tE{o)7W6k5FiKnd6uQ0@xcjuOG)RC(1c_UUv`UvDNVzGS)j52wA%cT>UXkr`6>>( zL9{9R+t_Js{fjS$g`9h?@hb;~n?OL-S{0)po*r~q z$XOzDi_U{PtCl~VEM#HL=vz(n1zYOhn2If^5}L>y^~D8yxM{$XOTgwVwrxs8U|C*F zDIyGe+R>4OjR;b-M5F?|Lo*ER+-Y6+%@7a{iGLALFzk1peh)-*XZ+Tj8rG`-XV#!N zMJ4@m4a@16*{$j>F-z#~5zMhQW9L!4=RidyaG?0gk&u<4ID~|7BPwC;Y=PX+A})+5 z(@EVb293Zy#~j2nt5r{st4+n}k#nXiQacG(Z6PO>TAJ0Yj8u^X01qV* zn8=*{+vkPVqfW=S$yLvmV0*(M;$D&s2Kk+a47MCxXg>OJ7fhr|Uv>5&kA+-HCaVV~ zVJlE3)j0!e<^Jc;U&o7%`LeLbU9yP?80h2knw({5kk*V&r{`L$o-KelGhcc zca1ThxL^hbM8~|5mfmEB+8ljLuaqUZ`H<8g#$T!2U{%+o&bmNJ7>I~c788z{b;}!G z3ynE`Pnv2g9w3d*)W83xZeDfz>)Vmx;wg!SDLta+hZE0X(3X9h<%KIotEC^S*I$}O z&{h3)gM12OXa;`1^~1O0>i)0~5?;-^m71pT`Y79|G@S-=7XyHRE`V6-r5(ByP1{0d9M=Tw+J8$5=e2VI&5XlNt6^H zoV^{j+z%P@nZGggomHm5tcu=ba4JZvjFX%=p~&{Md}OPR?B*2~fj)tTo{~qp%c#)W zQtH}6)5{JoE(|;zr6bx$Bl?U{+L=>!(1DK?(Q}ThH{$FIo^)dSNrn^Wrp+FDTN}*= zy80Y9yxc1X4)Khtph~qrU0d4IL*v3~P$_2hsdLIDHHobqpZ{z8Y_kx5`I%OF0qLDF zK=+jaG~wY?{r^v)hW(F^2$m06%v<7>8@(d5;9JKD3@7H>4#IAt;h0JD&iAiSqzOi6 zt{{0dfozeJt|;e(b-I{|H7X61#bgW&55$}6{y|GYP_(r0KWOPDd&D4y03mo_`}tTT zb%ND(0v==XvpFo0@6ngfuP{(ZPFRnrF2?{5($%qkuVRr&_xogc>Hq*;VHss82#rpz zaA_Jnldv6bO%n+5jhIx4Psk*r#dFe%zAGt@9C&sdwp~Z zfsEpU%R&m?^Hy1I>B&<{P$G5jXNwrW1MCcp$~(J5)hqX6Y<(=i`EgoNLpC`PqbiXbLMt7g=) z>iG92X(K002|DhwLg0nuN#+*sYkah?e&{xt167P?nKZl@Z?SafzKySW0VkvM8na62 z$d$*V^0O{Df13xtlSeeQg;|yvf2YyrSWfh%#_DbUJ4o5RoK?X)rH>@gHm}acNSk51 zcI?X@?@BrWWj0Pz`a{k3vg6>i{bC3PQhw0Em~3u7uVT4Ok4^5us*DP=2w2o3wq;r4 zu_Wt5xl5^1)Q>a?S`BD;7)hYa1f$_-M_U|jaU9*+K{XT@bshY0$A`S~J~`>*U*^8h 
zZ#I`Cf)Tpvc1wZ*!Bd4~Ff}YlHlBa|n^FFUyWTdqE5+0s?3|k@8io*(w1IKcIC0uN zjgvH8(8fqp{dFXDpyJBCq;&1 zoPhm-drupN-!;e@4+oeuS>XrjEnV)zw)pTSgWKF6&JM|kzP#Zfq|P(W#Ck*I@2*7>NF-J7W{ro= zC^c!!X6_Q|>s({Qt}r--k>naW5vsE-=O{X@@NWn9FztDS!IR8L%%ZL=@!DWE(x6|l zPg&D=GF>eidxJlCDC}@@z;sKZg(C)Bj-A*TuIh5YdddZ3N^6L4>^;04(KxUUyuh3K z;oO?>K359ao4sk(yF-MUO6youiZ99()~`P?^+F)PP*4w`GhmqR(TZJIjD z`!mq0^}f*H(!+>tH#R`^OgkCHUz&l9(@tF4Gm(38 z_sf+?V$J+!!O!ekN8r#HN79sdp0&WAf+AhK1JwhnMg$1s$ubjjTtzPHkn*&cBfnO8RC+ z>!#Dku5VL+q~R=E4Ql4mqYnm8YtMRC8naJ3Zieabdu&su-4J+KQO)?CYLctFzVQ*x z#Gpa=@1F#*?*eFZf^f_V6z&iL9^A2x71OH4Eot7^eB>=E2_2rB8{*q+d)*l+z|3+? z7QVCp7a4(wapr)FUA?e@(}e0v)D7M7?Ue3c`irp9bFX((!l4~eMs6a2;NkH}ZQV`- zwVN+o7}`LC`{h{i#ad10!od17e@4O#{8wTFbRlM=gu#gV3ypXDDUdewk!pg+xu@Mm z{Eb?IEbo_Z7$j3jCu@7V_#+azBd-Y)s6jdaI$ug&IFzyxmq#=u`CNsBwOqjbnh4Ax z5tv?)7!V<|w+7a)zqM?y?y6_-JHlcD-Jmtc9%sY;zCTO$B*p5ZWIt*=l z2D&8YVp?b8r1Bdjsb=boJFag~WLzE-J!OAk1c3x@;-^ITk=r=?nbzU<2?InGB?NH~Y(x*)mo8jI!-RI~?eb%%AM68M0Df7X!@l zk($VF*wY;jVX&We6cqGA*|-<5Efc_O2KS~xr0*coF+**25&k?=J;Wk0>D%_T=K4xL z>-F4F_cO>Bx4RBw?5a5Dx{Ar~6Oe2fKte~gURbU}6Wg)yD!%;MDFM}! 
zhPye(I=Zs8_-~!AJ8s+1#Fg84HBH$a#c;v4VN98Cqc;UR$9H^6y67E%V5cd%e{HIN zc3S!yShTN`u`UcG+9qNRrX%IIed`d?VRx0h5eL$$-w*h9;Ve9gae8BJ^eZviCwzCQ zR&z@?u+1Q8?ip?-UY1sQD9ni?i#d913ISGtccZp0)|-eR;g#YBTH^lws^-G&J}FSu z=>`fu6zWva(P&@FxjIO7T{g~@tF@R%i{IEmS4K+X5ua%&NqI0^+j2P3RL%aV>}DcLw894C!%4ak&s2PX9e;irCIYT)slF zI^g25?adY?z5{HoTWsCsY(`{HlqoY2^TZlcqv6WI2Ddz4xDhrrJM^XJq-`dCVm!H{FUz z*qX6pPynBLTSbhBu5*9OmY+|hV%A-Xja#DjKLG_Bi0qVI(#A|*g;&`Y7 zgUiTZC|f_?It} zm>P=-Df%YHgZ%QQ`Y$p0?|jfy8ZFqH4DsK7!=}HCHBd_3lSd1mt3c;X&3bf_*u2CW-y(p0y=lq+5KP#n5+7*94&yNm#C`Hq78JU+ZYsr*pts_4sMN z@1bu&+zpFcz9nE~J*_`edOIffS^fz6o-VyJJ|AQcEgN#b`-5pVNc07e+$qfuOibu1 z<&*m9{?zFH@8$ZxHDm(8AW_>!rY}EnS$xI=(M5{YoJy=z513zSYmB^?4<6G5H3MnL zmp8ynmcm=mJgPjXv92yi5Y(7rG~!~WJm3)}A)>7V1H01FTkK&aUI5y3_CC;!Jqa(j zH5gERC9{1q&4U#2nesbvDJK-V+<`)uoH;`4x*Vs3Ge^Ts3>_@+_zb}%IS4|wq37|W z5AI5l;|>=7x1`duqD#8xrgxgFU@Un)ST=>1Oa|ijoFkrGQ45HEUtswJ z{!Xp+IssF>#0hqW1q#_WqKw<@5kDB-+FIYa2*C*yUbi*z9-O4JTqvVbmhf2dHWL9R z6DD@xb_kF$Otdb92Oe!Bar}mF6@VoBym9=2OfgJp8H2;&7Wl!D4WR{$wZ-li{|Bc; zkNpPEiA&h*^3BstI%GsNA^2xS*X!Qb$QZBK3c+Y|6)|3U&KZ7clB&{WdB*1ao%m*k zEj(tsiRLz3ed)a}b)hp9Xue{i`dD7m;{)641uCx zoyICEY9@LlxG_%Gy*W~+0r(bWLq#3Z;EkEfi>WJ>m@7UtQs3!|O!xQDV+;~)GQ;_= z^ZTC-8SWjy|IHmFlI_LEGw04$Ib&TkV;<-9i}h9IVXPfp%Y)=}N4}K2{go=gSW0IE zs=7cJf@9jwH)xd+4G0%nRNR+oGd4a8bVF&R&J$>zS9xfK8mj;X?5&Z#Q+L8EUyT91 zpDQ8_ean|L)w~GqS{3;AD_`Bh^;&GY0``?z8sq~>G(SK}%_{kVDfCD8_IBrz^*r${ zlI{lEu({#BAFf}d~M z%kSnVMo4KTk|s_1cXwEt3sk2=KvT`>>(U3BL!yG>RE$IfL=GVIRxyCT(Bhnq_DyKh zN~kM*3#fnQSC8EjQJCukrprc3T|bPqfC<#(>{Q`CnB~4M`#CrFx7PK;q0x5(L`lXX z{}F9M6Dpm}H(1MMU<&@-wReV>JF#CxQ5@*GzFr}1gpP~}jHo0Bwfn8@>GY5?OSFm2 zfmajavizDfZfOlh_il))U1$W}I1xqeA5NS}K%6Qj{Xoho17a3~O@e)e2jpF@hBgH0 zgXTCh7F~itMV2*S#1WbnjxiCOrk)s0l>v_wqmBJ=+C+by(z+4--_fY-?jxw5=xnQU zO|w()8qoRJE+lTWt4aO5@Xo*1{r&LXav*H$N9i-zIAnv-7)CaLRkg*C_NJvf7r*t| zkGHcLvHa{D`IYYG!xAYwZdmDxCe;1AY3r1YH59~}&xT&_;SMvMq~5CY@to1uf!%-f zbA^QvOBAJWQLyyE^mLx)rPtWw^OzE*0uYJNNv05cgyM}$T_Q$a-y^&fMZP0AM!O3oKdcMRYqk02V;ja3 
zjd0cviTX)M$a9{@2#cD_Yh75VjqKbXxbkGdImmCj-yIiv`@CbOn-? zn6Jf}lgI4RHm@?~Ts44nz@sI4FH|@MfIG(!v6TU(6{RzArfdJBd+u@rdm2?^} zw)rW2ih=JXGc=xWVUfO)nMpw!VSmMv8B&0(J>;)#n*u9akMdtmDIh{sR)%@{1^)E2 z3=bW5R&d{izDn{Pa5v_ph{Q%!+OpxkZKE-^y%lw1{(>DyXZvxHjlp(eP)zfoYG|NS z1X`SA1&Tjlx-vkLk0iqxR@^XJ{T1fk{{5{`C)$p#yzV`l+AjgYp%=7T!-o$+e@>^q zUwwd)CZgMF9uQEq*fTkhc+zhn8VDN|sgi@Y0elWTz;HKRO-6^m5MYKR#_vAc(x?0WB#mU9HS8FCFFyWdC%7Iw7@CK-tBcb&f0S1WM>l z)1}K}vA(kvMd~jxIp#SDjZAHVY-(e~DX-ffT+O>-c=89tW&MwXh=IU0-y89}5(%R91$?yc6!s5gX9tam}yxL*2cpswCsJ=&R2W6SVrLu&c46CrPH z{~{!(gf!p&?dDB9t(G&kWL&2++eMmz9k5!H^>&*W4?IFxmADW?Ze3v6?};8iPv zrI4}5(`NqT1;9@gHS#^dy%Y`ZU3@4>Y_acl`}M7yo0@XSWeyC(ibkSy9hYV2z!IS z?p4Q7Ti0Wc>JJ0!^=&c!yNUC;TG98=+A;#X^ELK6B|IX;%&`v>IWavum~n)~ zoKuJzwUD+=JPvpY5D9#XBS~HrC^H-n32(rn24YR5sZ`jXkjd5OBZ5{oUcLjojoAPh zP{=U!*lQx*v_0n9p>bp${^*X;!q&d)v5F^Rtuh+?qhEzN5XR{M!@Zc4vH@7L%E3tr<3J$E&kPamVM5IHI0M}&)7AS<57;`+l)GQOleOIP~qTK$p&TuodgD|iomc1yb@`gtDYIZc?l!B zbZ&3%hfL7E<_S{p_uPxv%5OgsYc0aTuJEI@hK|3MWB`I&)SY$t7nMK$t~OTbw_~*M zZL@BBkT2AVJ9mGoTs7Cz6v*?D{o_I4hnFq?ZtsW&IVY-)SFcfsjCFn50 zO7bC06YS2N3%*vRV3MzFuiL#ShKL{J)+X*KaTh~ht4v~5>;K&V`M+hX6KMwt;-isZ z^Q*Y&5(|p%3q(OU_se758Dgf7puSqwktvg9<{UTfSj&(B4LjbA%6AGN_lmQYEA*`y zr*DzJ1{7vm$P5I^=AF4Wa*GX-xg=$m*pAMeAL>;WiCoaKR>WMmmnxf1WX{@O<+>)U ziPc!Wdi7d!{!SW}CY}cDCAc4HZdOXFG1U0N1D5RhTy=YBu~~TD7oaoLEB^RApRw0x z#lmlgF8IqIt4>&oHX(6(B4~yXINK3p_I+4j&okr-B++(#;3YkGUq3emdz$0@JGOEy zbm*yjf*czo;*7U2(|qf7GbApI^tI$78oj)vp88DQQn6v$;Gy1uFz@v) zu~(TX$DT)&RHF{cv!>JIvDCrmTmG@q#sBdwRVHiCdOdXchXCxaK!T7T16;dB1=ss_ zF8lSPzon1Ut#KGA0)O$wX@}Nk%04)#X^aqt)~1K)#3G7DYlA#O1-LCVkJ=*BmXrsE zB^v5NnOc(rvdL}c!uO{v zIqSUt=yvgw?i}kQ#fGf@g=LVW*xZKU#q6B85jRS6x`Wvn;i<;>w)%_+)NwbIpyjC4M9ScVXHJY8$J-xt-ZX#QA$#@boTkGWClT?TWt#M)LL}pmKS*&zOey znsJU7CdVYoy|J6s^74L4s$gNohqXQP;Gp1HkRVkq)@rt7Z;nKiNb627CG_h zmkKkO2?|PLF$ZfcT9<+!V)|0P2G9To+|KiU&^E^oQ11*7D1C%a8elR7`K*#n=)X6(;Kx=0<*C z{Sq}OOtE=}bQ5X$g^T761pio;dFffNW){JZhKD7UK{ep8S^sm`5F#G%#is`#wC~G~ 
z1a|$D*5)SeVv@!fx%Unw>sDJ#iZo_W%tVAV{{=TOcB7O)gw<6JuVfO0rik`~KguYr z-&wM*X-3(~Ed`6->O5wGM+9(Akrp0bKo3wYr0?Y`(}P@2DtI#V!3#cuyvoD&^Z3KP zkInYC^2e)3Ly|h@%r{wc_Tl}2(Zvr$??z|IP7!S`jj|g?BW0aoYcIucuQ(qwG!&*B zbk2Rmr2R!(b1Uwdtx*&JC2_y1SEdMPVij>Lti3p`(tUBqC)11YXr9ui7)IZw!<&et zM+t`Z{4Px0b}%MaR7CHfq@cq4?+0i*5m|d%G%42`BxJh1$2Hu^hhK7(ySgrYZ`iky zX6ee27Dzd%i1d5eXQ`_4I*t4F2&!&>JDgIca`jP`x6{6^l_D0I%m9ccJ(%3cC@l}+ zota-TO5dJ+KCJY%@kCARCSmS2d~VeoPAN}tSk{uW48JBHS%21z*UdSNe%JO(K8wY) zK^9ocXK3W*nI>Oo73Ka863l@?M)HG^nkqY~g{)aZ%3rYZ!95@9Ys}YHy&OJ}-jZRO zo`i&TaRh41g3x zc(#ezYxXbt;lnMm03?T*_b+ALLC zH_iUimvF;tW?NlCo05-QHsGn@s8uQKs#NLHm6Xq$Mv$MZXno#E>c{Fi_V;=L+QJq` z;QEotnZT;U!;r>u+kw|);e@qT7I+o9s+9?}vdj;eHF?{Z=M2~hcExh*yR9Dn7S$ht zwvt^Q;O)gf{y=nW_6R5B)X4r!)X~xF@kYpntWLt{=)|{k2i=&smQ?<_E|=9}hmwb; zQv8mOVoX6OFD&8MK7kTTv3**E#!4bqQ=qczFosVch~&0J@(aG9()H!6V2F4#?DXfK zfjTf4hSLS(R{E7bp7+sLpF>m30t>< z@V2s<**iTWO`f~KCSpCxc3QKd>MD_8B$_!^CuhvtV|LIOXtwpQ<$o_RU3d^4ZMswJ zTP~773*8Uv-$Ydgj?8PfTimWH$Hpv&Hv-W@Na>zp%5@GZj@a8wL~w_2dE@7#Z%hzo zOG}``>jWs@Wo4wBqCSi_byqL&92#*kTT9a1V|)@<%NzW#S3x3R$^P3>O;XRN1fOSj zBHOX9M@R~Bo}}4YQwYUvnJg(w=LemWTa07>xa>50YQhtZY^{F8R}j+sI`G2hIi-B^ zLu#2J4)9N`N~(>WSp0$oQpn1imyA;c+pyc>NZhu>ZT~cDoqM^N zWqWH|h7`}ABP(xHjCD6~U1+{iv`mv;ED4t(tI)eDFcsXt6Wb(1yG_-2!6LZFXLa|2*(U z&(*BSjV+j=AIya6n&}ck6ZD6$ys~dN5`HKQKWS!_IhkV|wv-uYjE$%yJ-0E3ZXd4A zufP7s_W6Lo#j982+(sJ=3tVPJW)+c+fFy;D>7kGdC@)W}V}_7==bv60uA$KPRJR)Md85*pju! 
z=y>mq?D|Qs}FlD%N26(Zm zNOwsuCBHar1H4+e#n^}Pl+jx`Jk0jBqU=P1!TR|KLGhcEtHfs{Z%g7wog&g)G~b=1 zh1d0D3Q6o_t4kzV?SHs}OoPqu+?aRnO@EDjlH<4evRQl4t8Sknw+(dO#xI_!?aWlY zzSmylaDgCHjLm+#*oo2912ZIVKQU!->Wo#ukzi2Gxh82=3rGrh{zp|Q zL%xdi=}b}-fFXp-zA3NyJ1|_wulf^ScxO5%1x} zN6YGN&)%!vgc(`#tWPR^PumHD$Ab^FM@>u;e(EFy5{OT>eg$yYx!kN6$?PR|i;7Z`02yND-Rs+svKV+P-sHwGU;np9%&VxqgPJmw3b>mElf6N)g_ zuzoxRy?UO<=_~bPEBWHdB-0#<%y^dz5vdtba%zpw^kQ$ANBJfD%gm@X+^dPPILV@w zi4Xe$QJ6#%#z!BAO*uPE!G%sfYjbOFV88^DJSsN#FX3j1vxKQ67zXlR@BAcdU2fOa z7P{NDc+)|)Y1s>lo7O|X=^EmyURzXdkJj*;hUND%%*-F8n#@}F4ktfq?nlhIAbJry zyubMaro&NkA{X_YL1z|D=L=#*gRnT{4=55ZYr?TJah0HG*6Bea0TO%ju`rwb(`N+o zO}PsUppW(7JIu;h>hX_@gP8b;nti@K423JDhIlfjrZ<=uiSM3NJx;(NCL2-s0?&(+ z8Vb3{nQNrU%i4F|&xmnMM!yeF_xCzDSnqQlr?!M)0UcG!l76>yJ24RqiM@OcQNPm< z{MXEUIw`d4u&Yka23^yF7RFR)*z?saKAJT4i2DvtO9^@2}rNJ4sL=J2(QAFJEMg$9){>mQX+3UQNZDDpv3|B$~`l zA$zDbl#~|o;*{#V%+qt5C@U;2s(<7q-JQ3y060lSpvaI5RE3;3L-_W1Qd&qi?ZdpJPcrV@-q4fN?FQ zg-lK^f=KM)HKC$MO$1b6kiE}>wCFj0=hPlpAeTb4Rz;+qNnLq^jX$6kRFm`}uy#k( zJL#kRqJY`#&wrrFs%`Y#*Jp2dvuE0^JQ9~GW>*g_Uh$+b0UJs*L7EJP&Nm|T5+3|X zRloI2teR)uP7fgT-z17XgfOfR*T&4|BB1@I$0zDQfHJgp|Ic~mKVNn|36}TrqH!{) zM8HbC|Eu7Ui{wCEH0#QGBmczXj%js5Yd{gWu~a>w-#8@(o_Rsl|I5oH4<55IYj{=0 zxFA-T0yJG_SgpcKr>X^=6+kIAAYr13Uo`#*9|W->aS=Ks>nTab2z`bykuiP2GiY*Y#_U z-QSbNxmP8gF)9(*WoAxIb_-Knyy5+baeUnb%ktQJI@V3w{x%06PXgR=LUeL3#dTU3_ro^F=H zh(`IMrcG-I8E8ilPKKwMhmYm%G*D9yog^-f=&ddl1e>70)m zzC08hs%vs?t8ScN5lMqy?>Av*+W_lDIJZ zIzc6vW%Wsq`6GEXD>A?8&`t+dAu?`yd6e!%3tsmguLY;d)mLd-RLG2N={9QlS z&urfp|A>rC3pMCopA+6Y;BDjoS=BokHjx?9vU-rvxJHR`?a@H}YI_|Yk2s$VI0sd;=Z{0er{TO)H!3Z`2uZYpU?I0q1Jq#=_x3>{LwQV3VI!jnz?hc zWcWp8gmC3{cNHSAR?hN1NA%IEr)a|QK{4V`tz)mtf=;WHf=SSFp1o=@wBK~;@f`|_ z^7tzYoN8>?+0w3z$d&_Kh2rdqD9DKWT(}=Xy8{6o+sW2wQ+;ILBH-tKQG#QynbcT7 zI#!>!!&HRvbxtgS@awoWI!R3xj(aRXwgaSh5*lV~`Zz*&#hiOZC}?@=8MYg(WGAds zP$+lTkstoVexaq8EaH}PPmOQ>}J~2YZTDv+@VS4$_iwXe;@~k z+0|+l0VWDiJPx0K>1qK-xi5%szrKX+fYD0QMx#Y{lj2Y1tR~m=!WgQ?LMKts=9rNG 
z_Nwd1B&NiIvs-P?Rc>TmcT%4SDZY6D!!NdSrZC+oGw8KN_rmK{6j9ZHP<2FR`@sRH zDC5FHUvrD>dd953eUTCG4f~1I9pR6|crG_)*s5X6gNfws2{O$ptrCFs@CQ1HHB-1_ zs2W8Id;oqwu^cWmcFp^r(g2PwVqaLVf%tB06eQiT># z>olPyNRzf1_|QD|8ny=QN)YTW5+U7neTO*GEYV-ZOf0MJxbC!%MtF3`O}I?rXRz z2bgo~zN&aXvgJ+Y-wA(v!EV@dY5jf12xu+u@D+sp<;x2NiU4k%tps{{O^2lk3J6PN zVY{=nVI`{6B5;HPCcyx%RC#b=I5PyN0UT#f++rGBc*!6+&+}lYx3)+6&~q!)**Lo- z1QDe_v`Y8r zVMW2e?lqV^mEZn?+#C9XBtCeWDq#G=SrcU4Ix=+dt3%U?a4PWj%=$h;q zxwtnTo8`loBFfTULcn)lf zd-KXr2giBQt-%u+5J8?$8Yg_-^69?fur`--EDA!FT3i7Qv% z+f$))+L;VMKzZ>M{%yuh%lMW4i~R#qxUjxT(#Uh+AeYovYp2-t)9*ZH_DdI~r{sfu zUUXZ0OpctQ?r33+2oEzF(w6a^%XUL*H8B;3*21@pzQR#O;rnvNMd2Q{M|=3;5dY;v zk1O>fzNhydayN#3A1$2JcjF_vP%Q31V1dfW9QMf+8wsq*@ITa1F*g|G_kqZw`*epu zU%}T1Stpkvaa!8hfo;&Q>Zyno{3ydW=&%o!UQsh22n4;jE)u-$)xX8%##wJX@ovpv zigitSGZ_5Q%Lh>ar!}Bf*`QJrH-4Et65=>gx%Iv8n(#nC-U&byJuVjqR*`ixF7(i!DOd!O7qAUn7rc=vETH&1IXDVL1|89rSeRV2o9;V-M zm{^Tq{Q*{5X|{BXKeuouwq%rZr`PpR9RFRUur=|`c<%CUfzqU|KM_5L^kr1C`%7!P zQT0mMtkVKVa9O6F>WyIau4m90oPK5y#J)Ebozhn+$YX+J;dKP1Lrrz3w|FJ( ze7O6s7v_Ad>bdLIIBp{G^XH!1_PAb0dd*i;Wb#o6vBfy5$r&9#z$BdEx0rE&mM3Mq z+ucD~Dej7~tb+YBB>%w_lb5u~d+yaI@jQMcQ$8qU>HUq2L^@yzWLZXgV~iR4=}QXf zs}TO{u5>=V(}kOqj72d*e6|eTq4{!31LL3RZ5so@<}1BmTd&-_Kr^0F^8*P9k;-kf z0mRtcketEOAlok3OkB?QXF{hEs}C^y*(>R|dU%Xg=ubKJ(GD8guV1!4U9XEOCu+Z6 z1IYv(X2*!eckBfNbQ4sSBlRx@<___~!V|*rkvdQy_xchEZfPFH&3dA%M|h*sR>Cqn zpXXL&JP~sn8L#1eT8Gz(h#M=r-V|@2)o9k8k<+fPPj|PBJ;at)}Pr^>LQw=_Ai_q0^Ypk}Pvdwc~@D zr)77WZ7?fLjb1oR_m8C1{L0QIOF+cm;n%y&zKgd3|KJm}s{QA@s{Cc~vAc?GlybrspJE=RtvH4wH?+rJSnMQm!G~nb3}bCB?Hj ze2c(}ao7F3cC+KhH=IJxNIJvd-UPTXa0rjzNA-HpS6TzP-gjOP%4ank-o3+$Vp9Sc z?@P!`Vcr=EbHDd8`!Z}L$YMz%Pd{vU!w>y=X9E-cl_XKL^PYU}3W1=q0R#|D#k@PX z?E4yqyZ_y=GIk|$poPhA5|S8 z9!l_Qg&)!+kmz143KI(oGOsSOlVvKq+V#&|tXMs6-`!=qB#yAUTOFENw@nW44mAaL;D1#C)7T!EN^m_DT%d@?R=T%93TEr)xsb3yd z3a%#mcht^oyx%_Tx+lsIV9cA_N0XJ|SsP#F6)=nNDlvq%2wiE*UWXQhr$+UaLcuv?B zCN|TjWuB*UoPE!*50h-1Me0C_r`{89Zz+KILUXI;)BPp+P&r-*AQyNdc}&!8M^uw8!dt2|2b`*F75q$$f97K0}Hx~!EE1D 
zefjH-;mmqwp%-TTX$++^Xb%q$vN3IJ*T^ei747>lv3@aq*b?C5k=vW99|htul`azf zhB&22)Ofjcw#*31op~Ky%0~|wOir1eo6z1T<{MOF;Kk+@Eofh}$mIIYgkc-7)x|gc zI-uv9<*(O5xXi|aBha8x-F3P5su73wBx9Qm?BMBu``!s$bId)uhIc_?1g^Eg)ERWY z-?UqO&?W;3U3Bg@M0TZA?A3O1MkFoG@pw3S7~eBX*S<*YC@&S@_D1(gA{sDtyxPYB z;lce~Y@$Bcpcf?o!6LuF#<>4Iooyt*B$SU3Y#s`Z5G@ynAN5TaGGOnyuAxXmW(pUK zt;$=dQfQ2FZ7D%BVUEYQaw4>`L#36)B7Il-XKg5GBB&c7hM{AB+=wxc&(UG3xh(u) zt__m}vjXQ%IGrEKTLaccSsqlj&&P-^tt{Qe&d@u>AA!7kE!;KZ@v z2LpccsayjMOGq9@{fOb>*%-e>P@BTF()?mzV2AK>w#1uOQPmp@0iFzpMTQe*JH~~y zdotX3Xx!!w(oPL#FxIuESMib9gWOG4Gi&?$q$~5WPf9N-PA~5Xn&{#~vmE0hP8u`@ z+hs=)jF>2shoC?l`kT&3TR?76;q-%I#u$xVTwJx~cddz4kr|qa?fpTKkEwv5b5{dR zh)!9-iugz1U4@Wv-u~rX5QcgT98LFAQ(uhAv}Nfjg{W% zx1&6tu%;3^1bj#KyaPzss+frPeC_Pk`3TUHF3~FAuoY*qHY%Q_P5bXz3>ksO{KTod zp5~mF-*3H7N+H@sA`Tb14U%prsF@x5ZDHj;GND zx+jdV`{|{Bxz)ckf5r&pnsWH!tm{2HEU=~x4-D*{@d#z9_~Ba8_JVx5p7jOq=C6^c zx+FAHV{Y0EKNyQU_#>ZL^fbB8S<7p2$06;PzH7AD<2 zKwLw)YI&_}ztBqa-u8kBd+?F}f4D>J^~fkXX4xlDQg=1(Gpp|^)fb~yLGPSiJu|q` z(AX#R$#iq)Mzf}P9)=X3n!FNle))3!$2S;moe;E?e1w=-7=!gEIc6)59z5R0SWVG( zpDerynf5G~J9Uutj&8~mmPQd<$b^7aU6ejkGiL#Jn9PPmEU=!qam zhr6Jn$;_AzmbRW;I3*`(r`Vql80mQ&DscB{M^Wei6y#IJd1bk}dPs@KF9`-@!{`xl z^hU9%a}huZ4-9e|{QGCQABo?VNlMRq{N^~;XixZ)_>NRge91;GU5d9vn$DaLQ4!np zL1ly11e9n!-S(2jd!Q5jRIuQJN`k>i?aaaJVBiymSb_KBrZH6Lt}UI0v4w1dGp}fd zuFvSwVwF#{^&V_se+9A*-`wxoG&$2LYEMM^a1^cxd5!c=BvK}8NMf$-L&XZ+Vis2J zKa0)gWD zpE6tt@sMkK{cDMIk??dHxw_5J`rfmh6To*N`Ruzy!{zMPv(vMzcFD}PGdcT)qc(Cc zSDY){K<$BPW$uaReR>97;!S?ZKEM3ngiOBGln?K}!x*(V(rpx5RbyZ`41J*NnQ8U8 z7vhA@f>7-F3iHmS%VMh%$*p~vyU~FWg*WWydOx8T(q?GHMXC6|w)3!Ry-u%Yb((Jt z6~e)w;fQuOBFqAelYGyP6?4DXD(=k*1fGZ3WC7^m?RLf0n}v%`BmSY4l2G=5xUXZ$ z?nd$22VBUGON)=c5hE75>k$z&*O{}WMf%20^AFw&Of94DTbtN(sMs+dmZFGwJ)J$~ zspYkp_4TD% zpuUFH$>7Ivr9$bBd}5-OlY~j#`j`2E%lFVpHdKhF8>~)~mjLg8AR4f0?d}jT|NP%*4Ph+0 z@2b_T5Q!Vr2#G7IECeUZbP#Lm2q#>j-epbeaWuQ~lswe+SVhiD=0KO^IwzT^C?i?; z>I2~f<*haFX8O))r4GfN^ixWiK`{*k9}~YLD|pU`!RYJvpzj1${_(PZxcRuw%-iI3 
zJ+!~JYLTw6(@MVS*7jLBrP|AQCZFg}ywPpBdykkvZz`XA^P*U%N2&s6G;$7JR2|@i zc)std;E`!|n|fgy$Z`e8daY}*9ibi*>9ue^ha1c%a6b~nxivcS=dbDpT*T+3jRlWY zr`pTbi9>D_e!$ZyBGczx1#`BM&wdJ3TXWrz(vBM@4qMfv_GCKLmeYB#0MdfwyY*|m z))K%te07Ei7#h2Uf1DV#q&7~%~ve#i_NS-x9odZ=LAMV+e|9X08 zTW~Gd3u`k|q-gvrzv32+k`mbAyt5zD#B^A2NcZD>zHz%S$9dlL`1OmGcDK)wFnu}y z?!c2J)U%Eqc195?rN#!2IG>_@Z}IMvr3veyGv?*_YswQL+72>K_EI(_Ho%(8a(<`# zcuIfj*!#9c+BiZV#Bm|LA8i>#cmBgaxb2D=B%6k3QmK((o6YcpJcoHoqgfh~JGJxh z*%ZQgiSJc@V5>B1JlO`YsY&_tI*HKth=a5x=u26C0#AoTWc~AJC>a_^Gf#s%x1-QT z2xsu>V;gg`8s=2V2ND!VaX}$5RL7mr4c*!A+^dpHw8s2344=*OVhaDgeTEjsnRe(F zuk4}bO^%D;fGvg^RL(nes5MM%?8oeVqr_8>2_*G@5Zj0#J9^@514Bj%M^z2vsaBES z{={#ao1n9+ZoRqF+!=P)^nPZ2HsU63)NjOBc@;G{gT%9oYITkAQCf$wy<47lO7v&; zikYkG(U2mfP9@)Efr?4X$Y9?yE8sR+a+UGuU!uky_|?+q;Sqi}Gt5l|ew~@OmxpUk zN&m!s{SJnjSvbdzCYI2T$9A?KF3*fCgo0vdob;W7J&yFjU&OyAduEw`0V>AOeK3o$ z%ult!xexgUH5Or?c!0%0wadDNsPfs6u(fq!9@|in<;_!K(GZ}kuQSW!0>o3Kg?7PT z;)$JPzm?o>@T9*7Pek21#eC;2PGVl%A^qE!ftRzZ;*INRfW(93`DO*fjH~3@%33K} zw+QgqHr$@E>F|1M-J}S{wg*T>$^UfO;4sA(I#w>aOZ&eKq1&VspnA9 z?XkN$#MP&S?r|b-F7{~+Z950^n6&0*86B_+B+w~D1GLUZ5;!KRq`)Hv8Kh1*0yz*$ z;jnk_)`hO&!U>4CJ)QSd_%%;odBMbT6hm3lq~pl8u`{!DbuNE_Q!j0t;=<2*IJF(kGWURwd$IwbS+#ib5jk?POv>oOcylu864&eJgfW1+vnvZ`0 z?NmZBAS?~Ine-mv9NOX(!KIh>#hFQBlq(L90J#Q}sut-IGRm3oXWkN?qfPO-nP-(^ zJekwi&%m3VE;g4F9V3vTOhCY^<1O&Z70#PJ3MNw_lN{r#=d@tE7pNP4_sp^i`ob-S z7HO2&p5tiK9ZhiCgI6PuLqFcd;9h2#+gEJ)7WHXcDr@Mr!4$%N2o_;W2Rvc7cNB8D z90;@mZo}>HdYnB?h5Me}VXc%Q=kyB5HyFXPawYL9J1wHbs8N48BjWnfLuv2*w9g#g z`lu195%;y03<^cC32K=no1Q!X~W5eiyGo3V-1~zWYT1 z5a6BkP^v%Q$gPm1fDb9#f>YEy0fmRX@a@XypmVQ@pZ{ymA%(_oWl_;87DYg4kkw8U zQYc&g3vnJ9a;e`5o%;6MCKBElWt`ZFek?uY!*o*effmS84fJS~IgflYO7x;#Dw4aK z-%*-|!dBrC$pINYk2Zxwjirn%!uCGKR{a(sv~we}OL@*nzqGe`WVy+3epqWc@-TqI zW0u+$rdD8KH|=*&gG zCf;Mqy@J30Y#mp$R*gb*qmSFvA+TGa{!OkvKlu0_u~kd}jMO=D_aKCL5ZuhOdnRtt|n*WLGvH3z+{^4If zNH7g%1bAF(pXpx2t7Vlx*qEV}3gMYhit3Lf#GT~4xT<*pCps|t(WNB;-|MRFU8r%& zLCm;EciNF!@rz9Ou@zInRHx3d4)OX<;aU87^|h>fhicuD&OtzI{t8(6C~^WwV*M5v 
zD*_jMv6BGZZMe)?WehX|%1+yeH!7Q^`t_X&%~x-g776gEJN-SHO)3VHrE&d$=Bt#I zpnF6u9vEN>YMxHV3}WX8`uLeSP?3e{zJpO**N+7Xu+q7D9LCT`72SY9Nlhu6WLM_p zJCL3K3(D4lZmPx7qb#H}Z}`?)j#Yrhm+Io0oA0j+gHIT2oB12nWer6GjqeA9b{uAK zP>p{h1JPJ0AC!ry6GTDENuED!nhs#mq;I#Ta~^DPNI){zR@7RZ18qVYQB%%;Z*S{kXvnc2@}24uP!oN8_`#ZhuU zhb5A$+SiAWULihOIH&WNhtTL1CaWinW;H|9-cjFizUb#WI*P2R52hgc z{9pUlr>4h*ug8y-rM|i4#7af9v*Y&Bc!H8M7sx`*{RY2FOb0zeTxn?0)g3P()DpO`V8S+?M_ct zb!4$$o1Wl=yAkDwJIelY9rD<+9pET0G%Ko6avq#=?5|OQYsbv=1N(ZwJs5AS9r>4v zi1snDiVGE=*vH5|I9HpMY2)rhJ)wbu2<}dAMNmm)3^wh<#K54uA9$V;+m3ypOo@t9=I)q zBvU0u0?ETr?;z*OF;hy6>YWY?RU7TJ1aPt4xpJqm=S7z@K*(M572f;H2}LtCzwe$G zymtTckD8w6S|)L~r-HNU)I$2Y%vc76;E=>tf98&*U)+HUb&7)prDAV3ip=O(jO1N> z1KywCC42UU9)cr~ona`Ux}!;1sOOo762ty@K(tC7be7Y9dI!{s{oa40w8RbR^YG}| zf5T$bDL*W!s5u(k-?$=0UrIE#L&w>fh&mA3pCqO^J@MAV&EA{cSPQoDU{S0j2Qklh zgdCSD0+RGoa%1n#kbZBsIy5S>TF0=$Tu!>kJFW-mb03sbShl9jemG%ErAtlh>VT{n zTZtF+vRqf7iaN|?*L=-ZH1yJ(ehDCi!6CX6-^)(US4E5@%*MgIK+cisX7{t~F9}#8 zNf3gigud#`z5N{%m?2e$y2)SDG=_tRH+5u-w_Ur!+g# zWfwpl)Z`2YT49u7Ry#1udZ$+@Y}H_fGBxIQO7Gjy?Wb~R6YAKF1lkh}G2MT|iVL`A1@3xYxgEr~-~pAa>@cc`Ug9T_fbpne@QtvYg}WUV~0+m+wthSK>v=P4@Ky>A#ukn~c9ipBBkmhSXlf<6fq^H{ybkJRKQibE2n{rF&hEQcZ>^ zGN!fA{tdNwJ(yH z1|nFuWSK_lnR({)s#fFMlD_mH26uasIk^uC{NcvvBZ}5_hn^>{p@mcCoHrR|7Jwo8)cNRaK;PJy_?8ix}%UxD-RCQKtcFPa0V~mS^9hdhshZKoL6lPbljTk&ynavLttg-FSa%+ z?r4JKJ*A4Ym7(%GHVlAxSJ4a|%Z9Odqn@*h{&Dc(oA6#kqTl?QirW7!mQv4+MHgrx zwT5b@^RU1As`iHx3wBC&KOVGbO7Hy!jv9tEI1^bwOm{1&x{mlOx2X8l&)9F0iG$o; z%z7-lefRjz9Kmx!3x{44UWhGl&!BU*&;(>29)nJnU%dWX3n1kM%nQUD<+oUq`?#;8 znYE05_y?M~izirQbh1j=KY-F4n$?pN_qyl$yV-zC(2|{RwD>TWGC+@A1@(OZzed=; zyn_LggJTF_NZc%aYX3?a+p`YQDsR{W=r(K-?zzF7gu|pwNDp&1d)dN%$~LN{lpbLQrSds&~{`p~%{NP&Vk= zP}e8H#sDY_w$L#Ze`!=;;5g&7ILHXvnnCcilF$|HkqTK>eDsO&JJnp%!6*-Lm~|@E zaYH5GO_EBx*+5|`4>H5Tx+U;ep=UTq^fCqcit-jCmfe1E|KNwkPgFe>R$@@*n%*zkW zu-~bHOC&!YO?^uY$Y@w5$H54vZy7tGh9fZ*X}+iu&Q<&M=s(+Nal0C(J&D#OL4Q@O zwT@J*d<#C3%s86usV=j{a~dUiLBZx}0rWb$EN2-(2oDgp#Hh_aP-xZ0veCY1JEYvP`B1!B8(Y}?w5sdgt{JhMLyu$j%| 
zmht@FS(rO7c+Va&&zy27C*I0o(1BoYxTLMvPqtj@JpTO+Xg<5rc+I);srYaEQ(D$T zd&d(rEEQ@u%Zz51uGUM78E!qiQ;JNl3xU@;;x<=K2VvQ?O?-5br*p#cr! z2GcT+bj4Sg#v^~KSmTjwo+Se=SfLD(jK}X^n2S*LwF=nTj-Z1ounW z<^t(_Rcq<9zsO;!1YkgDt1No{rfS#iTw0T&s|JaXCki8xKI<+oM}Um%QmgZ%JG}3D zHKXIpwfIKVEC_Mjg7d4Y?;mm?GfV|KmTwP@*a1XjOa+$l8Kh2QuR$} z`R0d1v2HEW?BU1t06G&Kp39~4scJ;_2~HEm1xw$={Ark{&n1+Qy5@@)j9-8AiC)Hc zvM_z`jrNs!yPrFANGu5FbmD1-)vM<*R8>Y@rH*EMb9%?=`za~|<0E@r!2=HW@MSs* z8#vwB_yBklPLf9R=x`VluJMN%yD*f$$L-v&lsh(mY746)WxmUM5QYa>`PM)ZC$fE-{=d;`YF;jZApY0Y0{lW~edcv2tC#95Val)nN=(!%1gPAn8&t zWzm;#;oLsdkHT`5nU4{1#+kdJM53@Rl;?(iN7Z`SU&3XWW&oyiqN`jQW}PsM*#UpvJ0V zBDI1It2Z`e78|cU$@Fb&xjQudo28xSN#k{ThM#{iK+ySbyY#{!uG`ax=Jfe4g@Y*# zxmAwv52$aWvOXr(9i*ltaAnW611HgG%VvW8o~#R1r+Kt1k>z!N0)IadVkJFbdaW_+ z_tNloim4!P+1f?Qz;;8w0WGozctfF`F^zwD52$d20iC<*|LEL>W|AEYQG%x4o{4TU z`n+ripXAvsDFD26-wr^;1wvb0&1r^mld5K{igH=;oQps=vZetJm15Yidi8y9^Z7f+4iNg zkQ2X?KJ3-uC?jydpvfZ_jJJd`B#dQqRTSo9ojQFNc9-CL&0C}b9)-!ELO+J#NOY!j zL%IHkAMD%5U!hSO8E0ZdldNYNGv*i3t%6R<+t0+L5$`8Vo*mb&Zv;ctH&xq6o|Mti zIA`d*TBW@fN4Srug}pNoku!*PNp6TEs$<8?){hyIp5rm>`PC|NUx7^Rz6|gB)6YDJvbS zgxkRmKjpMh=NBB@C^^m$LK*WuejKCbq9>?f|9jyUc~fmMCCqbPP57Az^0CzDQF(fa zFpj%&Eb-iz)Sr;=I&JZT#27xg(Bi586CR^SV#O2q2ob^{^!48@vip}JmKCDyIJ|0~ zr^rA=MVFLr?9#%L)$9-mKVS~fE>6&fvz{yn@{!hm^Tx{R=1!$qVq$X5Ig(;+3OCbSBg1LPPWa#mG-WB3#BaV3VK_Ii7qot6Rto=_n6%>Q43b4%FCZ~# z;CK(+eRsu|uEZKIiEmv6u;u-&FyqjPev5Y+Fl1#i8T4}Ecb;p@U`=|_uyh1$gB`4Z zY@T4I#h44MFE32-)mt^}iujB2U5eDqhTga8G8hXuS?(CIM&$}_?T@eD=;~4{df+F^ z&TTw8AJyGcc1YkpS*KrNZzs4r$H82m7pLvksKeVd|7>E#AS^PB3lj`{ZYDc*Jcr9H zfipucmez7D`BUTGmIWI#R8EmB1E}-HD8Dc#%@G-D$=n2$Q9zgl)CbHcAxwrRf6?Nx zgZQE%GsFK#*%ADoQg&kW32oyR{(SX!V9B)-sJ&6wH=B7p5h2?i7NE__B_n#E?~_Qc z$jEU%t z^0}AN55Kt8#z_lqvYG8o3+twfZ+uN37TYU5o;r-`M zoF_TGs8IZ~Bz-`*Pk%(OZLa1Gt8y#Cr<*-C+{f-XbExvb>uIqR2Sv|=sSIjyH+yZg z-Jx*&_pV6H-($^cukJ1;tFJq;jrhwa)z5X!)|AB-`1Z$zW!}>SFR_v$Pj{JjHuQ38 zT}d$9^5|Hv5Z`Dqls4sa6(t{B9B}WI%r_G~n*skA&h_1VrDR#=;@@9ZF6Q!JYq!wf 
zjRQI90yM~?k7&4gI=a{zNk}&i5Uj)8&|}Fi!&eIBx~RU=n*~}sULqoT4VHLrD5+yk zt!zYD79KfJku$zqG5q&WvK|i*nlu@C=fojNZ(3|(?9hhk(%?Qo=C$vIaUxjis8?V! zRhFcZRp)xeN|UWygYQ=$2Ec>^pk?DG^u+#7Gj7bcNW`3os!VX{?1;xUNETC0s(4VL zky`3W_SfY^=G>#I48{&sYTX3F+dC_n11c)AtXJ6+AN1Ow?~eUpRUqmn`%wal(QA@u8rU zKEAmyVr67(@!p&(&$?f!@MIGoZE*0&O==Gpj!6g(qd=cY#|3*gC2+Lbd$|6r(pHDnn|TGD8<;~mjCRN%239_Oa!hEcAu)rpaPRq;B%R?h-Kf>B z#Kr$6#q6t==1j_G&Qhy(>er@P%}Ww&RSLON|5s&1_zOmc*mdEIs*Iv5PXy(%CEl}! zFlEV={o^gnzReq`yX;Uz)lNa}JXDIvWhUGm^qw;t{>TU(4vPacGr&jObDWICZU%Kf z+mna0t}Zg%nx{J*t|;mGkVTgk9%u<9|B-{pA5!dWV{N0XLq2Y{zvTDu;ui>50C(<$&0S1kPsC zrbWxy>KaC=X66Pi`P%}#n3=6ejsR>Ij5aLe#=8_djY9`7p>Se|1Zfx{wqC}k z)p1hJ@Z&0LWYb2!%+US>_u*>?clAo4X7hr}bE+~1p3Ls(@K3xh&p=ZtUce1zj!fVD zi^@thCl+0`iR>(HD!t$Ox6fbb>7TjgfeO-Q6f8}1FE>>0`@nM>4D04|j+RLQUAnb^ z`YO!eC!L92pNlZ|Bj^&J5lBg3(1%y=Tzll0t1kz27@`NR171DRiX4Gts*oeJ zKj-FAZI>Pi=m{`l45}uyUpg`-yQN~+=W2^`J8O9E<%slZ>t`PTX4&wLogL>Qqh4MQ zBkQDqyFn2Gzm9*`&Z9BdXdX?8@eJ;qNFHU1$sNPwgUOIJ=2L;AyQ1of^ux85vs+yVNsM>- z0{Wh*&P}K9#GOmo8NPkwpV)4W0mI(hrFZUs>NNS!f4|Fy`b8edSef(3I0tDh?yTA_ z%Il&3M8+@^?dfo~Mmeb|zw$lxR(wx@?|hAT(6y)bxJ8gfo=5NW$@1z?K#J2zp7Z@* zj?Nn2-r}W^gvjPWU}bBJtMB9FONgPXB+ry6?o=r!vO8pjy@0stQFKUYKxLGPd5eas5@vaN= zclkhbQrF>8|BSveK3Aza4r%{93F#w5J$|1fy(h9sp(S2nX~evAk7!_v}K-M+;~bD!9jF`h84RZh=!d_U=ybKI&AZ5dg#v%5`#6z!y;i zC-Fx*Rhqf{ricN6+zL4x1BfxQ{V-|HPSxX#;S!kmS_v}Q)4!)<)#!r;Sr1&vO+{Dp zQrC7XeDt_xtfIea`&vx)bRD!JA+kTEwDrRM(j$*@XS!ax&}8 zzzy6{|E)JD?BNf%f1eAe<33MI^T+)Px6Ujl=yGt^Iz(#A7vl{MHe=c!atyhACQzKP zTtG)ha-a)+2R=J^)%~oC$q$r=rK5f}?&0SZesb8*FyDeBzD^LBT6y?icv7~MXI~x*CYCkQ`vVE zrQ;|{7$^&Xs9Nh*vMoYB+XN3IB=K*@io8!wei>aKZpBO99Bv_uZqO$vs z847MPmx)?J%4U*SPw(czSL=19=f!O4))XKSHr~~}Jojg;mb)wx>6UhheOGz&)%h>#&1U2;lUDzs(6;9Pq0oNq7?!0&Rl1KIL?Nv< ze<-v$6pSd@&a~mF#RN1Lm{z}!^3?$tZI{db%~#LarWX>sNSPH` z(LCqY-#cw8r+mq4G!1J4qzZSE^O#7Vqb`?xIw8TE@DT#tG z!NWsSJd@d^MJwlts|ytq4{SWuvQz$GX@~!UrJbV~KHs8Ia3i0~L?rC`La6EH;shYM zXDL1%dn?_RpaUhZ7Pp9+Zd)gAuder+ZjN&$=ZfB%{-vi`Mv7JP6>a19b91PB(~-64VC79hAokl;E5NN^`WGPvt7gU`S)JZ|0h>iyq$|Jv16 
zeY#qzy87(id+l}Bj;4Or`Q#d%eutavBr*YVMt*YNd@Agu(m)g@=Imr*YY>ST-7)J< zMjsZQ|KTAF2QcKP#OP2yA+Epsc`($^B1{TA5AzwUo(qXch-99Z{tun)LM#f4tn~Z- zQ2h7z=mx#t(trDI2j3muQj5%fP*7zl?IlDb7?s*-8SHu1A8V+hqKyBczHD@Ng@RY> z-^k1uGaT;h!MoNVZ1co?gX5!*yyfwm8;E|=Lu39QJv1G5j|`rReUA3<$5_AUS2e;T z;yGU>X7&t6G0l8j^wGQb9%K9fIl^qlD~E2vgAEp9l~EuXW+G^R>&xJYT2+pjc|M2+ z^=sznl$ALt-{2JgN9d;fwjw-59yPVR@vycL`m~|ea-JxFCp7(tlV!ojoFY&d@_x$? zzE=c7U0jbeTBGjb8#ho@)?p7-M~~r;E37l_VW{ht#{RH}GwZO&>zT)gTkFT0r}=Q* z6VALF&deO}xH1Dm!5ZZs?{=VJ$h(uGM-E<5Al~EJBXVsS8g|RH^$vcs~{vofK?P@B&gipV~bX zt$ZS1+%8hz=48NCFeso#8IUPAWGwtFe)^a89t==lBwdTHPy)M2b25r33u#skCE4@t zq<#l9R7^Oil2(R~aeyL;5jaMM)GMQb^wj+vic}B>$R7J%0^qNGSAh z^t$Q8bgb@17V7qLNtGO~IwanjhEy;tsSJ`9d|2^y#jp0zkf`_oYB7?WCN_=f)g^H# z>0-O{=k0(U0-Y<27zsI1_lB0PyX-!SV=@Oaq4E-occZ&3!Xo&yMGL3*37{grWp;0F z<;j-GpmdM7nTp(k5|SGtqlV`EDbDjhU&q4nIz2XUXs`Y`=YZ(5Fu7Rmj|a zn0ebuuAJO*A1)UkPRyMT9q?246o~EMv#mXEF0j9ulDx1?b#R7a&7_7+zl5IZhCie< z_M`ST`cW5EPty%S`Y3{Ye4L=~GQV9S9lVC!LmyEc*8PZU_vwhct>tj!-L?D!;sk(N z27pj!;rCl75|4ZCpfGwAGdvs_2oJcFCklt&r#zltCl);*PezI!LjvFrJInH@A$Jh! 
zNd6H5BR`fWz7UK{LM$xzqfYvXpPtix3sbmnlqYHj^oQLH34&0N+eg&(25RN$e}7f= z5=T`<9t@OUrjj>|!+Y$or^RE^g$;H7!P0YFCQoIFW*-ibT@&4-aVxlvT( zi>@z_tK(pjOS4^}zVsvnpZk@n6+E|JWBa+4XmazS+26g5)m^!Z=b{#PM`QYe;rx5H zY0nK#T{6Fl7diI481_O_E${Ro6IwZlcFJ0Mk2G@wPVwA7&aCGTzsj~hu;E-w=P}{ivGhf`$s}tOf|)jDGnJ^5@t&Jqb=*OyfKY zZBk2gxyU05+tT*wlUEreAPb4KLaH$w{>14b68wH$Eug+Sp+773vvH#}+IrAui!wZr zX3cy>mfJ4U?GuSzgiRO=1KyWILrcCxN4(e%_!1d`H;(+hv5Ifi9lsaf`R)o|5dfV9ara`R|XA1>0UL{4AZAYv70LaGjr|`$) zGt!&7g|yk`QiIEK5JslWto{0ppu|oxMTCs++6jt@z^g|6)XRsvP_tg&{X`${yPXhv z-CT{}9EMFSJSrud4791NXra7;`^prnA?dRR_JH$jR550CXp_5za%2#z{S={xpx|m_ z8-spR9-tFVY`@TH>V+O@DvO2-)^uy-P4sBQcNz|oNxAS!fyedOAV@ze<{k<8Ovkdj zJZaXO=oYTu0NeFKJ#l6dQDIy25p47vbUXTjx|emB#7XUR9|URYaLD zXt55oyguM9g;!KiP?DQVr@?*_KSPmdY#t=6Xsf9ztw~e;bLK+8q}C|io$1#UU%vHI zeNPrmmxG&1H*X|ZE4kwEc$;sn6F8%MEjcx#4KwCjnA>87d<4vnc@`RcegTy(+I0Am zGVghl2}B_2l5~>{zlH94sRrFhDzA|87)j?9tJpN3jc1LsOG`_a4h@w_gPzmNq!yZ% zBWS{3(nipD2k&d^^DtftAPq0~KRvms-|(pJJ?YK=W3wM{zw0&;ziDR_Vn%i6<&cXs}&F^OyYCGT6J`i7z-X6|{eiz=>hdj^BDo>gN}bA7@2*Y9v3d zn-bC^`&yG49^^+mEU$8C7=2cKu82#=#FN!OE-%F89=xwrlLxjMjYVm_aqzs&!83d`Br<^geew zc+}i^{)an`(eNzN?LGVN+WU&KiOA%A-^jAJ?cB{O@_in&*@Aq5&wea)LO2u7hKJ!w z@6$+}rPO|dv_gp1*bnHFIRZMq^wP+7EmK||*ZqZ3v`)d~p3ihb8#_tbcg)WUUyOcw z{r1BO$tSg1yhej`RtcT*&+G=7uaeJeX1p_B1-BT|eR8;EzH*I+dyC`cpu<;B`Pc)v zlCo%}%6{ieAI1tMEnL()c^d*48RyqgR;S!wW?rWjZnCYpyF z={zD$ZE6T~--td4$;=$DPMGAfVG`@d!Xi#c94(V1>hw;eWF1{hd1t-S(A|3;zB@jO zix&F|K}7EN7#EHgmemO^WfZoW8mC@+V-;4}sY%w&l(8{~0%zbtu+G zE$h6l;30an7lK}KdqCZ5tlBN}a(%pAy=w!fEB&q?-`8cZp?S`MqW-`>3OQ6<4K|LsK0FF_#+N ztal}*UxciF0P%Lei|i=X4`-pP58}Wq&>MEg4Mr=RZ@o|}X9bnWX1yHs#ogi=bg&aE zdpQrcFc(@5Y__>kM}<)tmMHx~=K%}j0` zvKkoao8H?6A3uFz*$+~^lMd)! zd?2&pF^0b-=1v~!`GZ(9;LDPXHw1@|_V1D$a1D=C+fr$&f;Z%aX2@}&i6m9o8>L5k z650$TMaWeDNcoaqqpb`P;dAapCjBQ7|6vL$xG;P%t<`!W&^uDvVO&zccx)UU3g~^Y* z`&N9E@}iX`IzbEQ^LYo$m8T(}b+#l5&|aBQ3ZAWZXNw++l%&DQW>SEIX@h2PRobd? 
zT9=tpl>EgSQKYT2WP*j%$hH`(PkHo?ko`e$ikX{2pPxi{a@WVHv;#P^|q~gc2gZG;IbGsfWv>>;F-j%`GUOjwoatqy|-r1hKXe8|`)x$Ue(lIVTWONhj0!JX4+3Ce^n z%W6XIB^WBV$6hcaTy2{(S%e8k*|ETLB9=1x=`zIRaBdvOAvhVahDuw6P|9~l#VrK- zk+^#fy@tUt_ASV7u*F3w`l3`Dzt8S>1WDTEh*wv_8XOcxd;EL3ACq5pBs)Qif65Fc z%1%ySvJ}QcvP3n`MSo>{^Um%6_YUV=7H?*cM@%li)bvA?PLYoO^zKNWR!vctrihp9TcY56*@U%jo}Qk<&5}q`6>&faYDp>b~NQWRj0< zNvIfJueUgb3Wpf+T9>TRfJ3}L6YcmJ;tO+kOxx1p!i!=a3ZvM^K3F-}a*?L(h1s!3 z5&k-4+|R#NMq(x;Z#JJc$Kc8xI?AoFZJktvI)R2)=H~7oJJK#HbN}MbKSFJu1Qp9x zj?o0-xiE3DbXf!lJw`D=u6EYXX@5o@%0FuQtJY#$)-lhNHRQaXc?*$HC<Qw$ia~rZe)_wZy~*OOmylpXv~$Ti_6e^89oC}S?I=#AG3%+=Bs{_ zw(Kz+a}dFIHxn0GA<@)-1U$lJiKz+hW%b6+xr-tMEf}P;$zm+#Rqc`-Af z6O6@}Iqs5AXt)JD_S=M;S{H^t*DH!_x-Zzu@gox$DHfa*{E8aY6rWz%&$&H3cIhq4 zPXXlQKYgioh30XeXVy30%^LF2)2ww}n)3Vs6Mj8o$EQ)}4mwAMVJK z0k#feQkr5qqFWlV7*f7)IOe6OrJR%Xnogg;eBj~do0`2C$AF6I>Xn!l_w|JaT?OP6 zeg`aUd8QR9TWvAzFeY9KxeG9NCR%~?HV35SMZbA}E6}{0kxWYFaDwzbvuB>s`)&{n zLY%Fi(cELNqdUIXF?cWq}4(Sb6lX=|KTXfPd7ac zJ?|I5a5RccF*7mqqd7b;z8w$1jzK`m`^916BU64{*u908=XZDtJ~o9kP7Uj+WQ^ zR8EfNLvua!TSzH$VK)5F#OszxhOpqC{tBYd*JA6nzjS=wBAl%ooQ2hj^<`zRzcQ_U zX5fP<+|pvW(U&k)>ksV&;D2h@!RB5G`7sw%m_lN0?-BJn!xIObyszGj3HFKKx-WA( z00SD+tb8OJHYN*=0F>b2>qt=*3h9qdjW!pTo2(|pQVptw>KxK>Yr>6&%**#tU+YWi zT>?0}#d(K)9-dje31$sdr5zw!rq_eh(**scq2JuI)U9zgg4zvpJ!Z#d(Hj9+tRD7F zXukO`K6`;?I~y^G%Zy{=kKP3FQTgF%Lksl1_I*Bix_WY#yOrZc#(Yq6vsh8lZMlg! 
z=htZX5HKF9R<`qc{YSyBO~4ob;7iQqz?_@iUA&5PWG~bpi=bELeiD#6AtXB;edGzm z35^-q;*~YE{%XDJ5IS>l2E)&z%`crJ4|^p8-PXBG+pqEYf(teqr_nu>Y#C8LWt=(} zK3aC;%PrW79pr}MY?SNDhpV~h!p$~h@eZV99%TwPEjParS~n#86EEB<*sNmPbQk}1 zI6lY)HOLvbr5htZ76zt=-j|6{bu?m`So_7hySiV(zA=RNOEBv+KT4{Td*lB2of`BR5@teIb5gGmIjyWi%W!!V( zV(6oXr6^ZC^o-zOAU|#^?_rZoes=;GeNWmP_UkBz)JGMG4)reds54w*MZU?kkvu8( z_T`!UuuaFkK>uR~m#we-9TlJZPg-vNFgt|l6-H3&Z7uGqG*!~d zR{q#WOXXl2myQylK3Ln`Tj@odPo+%JRW_Pc<_JcQUEY$@AX)kz*k1Q1l2)SaoM`C2 zqt)_Q#~NFKOlf2ls~yIQUqcdjgnX&J2~muVGr>7KnQBy*CCjevFeQBCuqeV*|H%E= za2%o*RD-j1L3Fm5WzX!zsa;olWSG!+Hg~9$g*$324dlCMlGe#s;BE=-F{-{GlTi~D zr9ggzV(p29SRkyHh<@#TM`1xp0CcYxR{vu0Yfa9!A*jMow+60cK%goG^7#x)QDI>v zK65po;MDM?zrsqeuG6DqB5sSZxp`q3_d2%~-+_~@cL5M-m$X#KJdaW=gtkalsH+Fk z1f?4=)(u9VK17FtH)O<=FV4qa@LLt^%I@rUZHavA5Aw|$9#%U#s;atzk8sx(CVvg$ z4N1P=O$H8S;Yw=l`o+pe$(TH_u?t`Rv~GA#RT(-Q_^Tsw2B){|PSI5A!j zMs@dEO}M|w&UQkEj1T|LbbQ$$dRU1GUf*K!WjWrb;Ox{gSBDQw?eJo?;{AA69;+|; zu~5)-0|@#gtyo!xuwe9FAbX8qT<5QgA=;lvmb^wm(P!2b9MP_r zS4kL&II)CwEE2ELJ4vtmqKMiE0x+U+oIXH1ZyCsJjp0N68R=TVB|SQ%*KDnERsks# z)GS|Uf=C@zlTO~z#Kw!G^_pWIO9EN5usSk}CrN7w$*3JIK7L(-HsW+0`t+r?kkH4u zSS=5jGaL`Ue%0qwyU7r`fd|!1%k@cXA*C~d>yPbR3K}|p%)U?$QMuDUP%pR6Q-uHd z^8$+1pYUdm7K&B`%HIiweJScGC? z+#b%>ks0U*c6!Z}i)5%UbCB-*{2y8VFH>{de=xL@buabuiV#yhsp{$hCh%XBQ`5~K zJ=3VE8)wbFPtKsr7bihRTD$IJ2=<6ZH0NnY_%1srUbZhEMW+B}F@emX4)PN;f*){> zGQJJ1BB|CRnGXuq@>@ZmfswKtM+8``{`>TWN71Cfxk1h33~SNBUngnc_}ugo`Pw5o zpb8{I^9R({r^?CMi;0r5=5>Fl{YMP)e!PX}8FyucX!X7Q&&2$HN0vTlMLMnvO}dq( z6cvs3=D3o@^_;CCUw=mxDww4@fgZP(4IM8Ch!d<3G!25E*yHI&O{I1( z0e8wIX?{j|`d(WTN-o7!B~^3%%S|$+{!rNIp{>5JN`b~nWxZp*?wVm3o?_KWu)ULRv!XYk~O;~Nl zEp~0|>_7Eu1;&tj)@!W3GJUeD)x7na9h)$dq*8Xn&FbptQ=3|CvBs>4!ZQcS5h{ge zo6&A0GTJ7+zSOKQK)FhYKumYqa;~1jyK@mrJ;tW$n*?#KK*Td?Kct0Oaivx;g z=?_qorgcl*%o@Ew1>bZjLGSQ@YIR;@l%Ak6l**bwiK?xUFmNpPwm<$C`74V6?mwtY z!yZ@qzy9xiHp!-2Gi-*_8pDg=H5!k;N2&C##mX z8hQseu-@tL6zm>&U;fxe0?gD$%y@P+)dZ(!@KXvrmpj83WKWZgcQR)v5%EP+ma=8! 
zVL0#?q+L1G*@riaZ;j*{^qPN>TFUPo1RW&yMhC~ZS@f&&PAmtYO)JAy*q@!px(B zmX@VyKggwlz~Z$BIh}eXf9w8%Fiyz>0{a#^X=&LlhdfTn4&lNFFKyhx3H?2fWZ+$B z7h!MP$PF%TJWG*`q_lVRzWXB`&;E_$J`f@J=A$AA0S{~6;fqa$Eu_mldMTjr(h z>GAeB43R-clAFr7BC~8XR-*L4VqDq}gq8}{CaZ+>-L3t4u^t>D$A458lFRmNN*R%hQ(FH><1Pf2q-W&Hir*rv8w!+E7k3NAh6aMnAlKnRdpiac0s8+li&Jl9CVOxUD?=si34H$et8BH4{Aqzec4_(JA5VpxfJaa?cM3I*z%OK9+d9p*?5?*h6*$TRO9+1hG0Qj(=wVYh#*kh3& zS1V9o083BiTbbS=nR;r13g9UyK zZe3z}&!{|BtfB@Rfv~u`UnLP>k4Js3EZK1)8mhAk)S+XeEY3{fATFl@2bvxX1z54w z^Qlg>w;xSwUNA%}ax#9s*S7x?%o1?++z3I}=$HO-&C0R&0mHRl^(H)yR_+bKFP?A3 z%^11rc_!{Jsxz}bO6u7`9HNyTPNOAKtB-uA*;zH+(Ol#?EuImcw1!2*=zs_u7|0Cln#`zPSNq?V$3DK|TE?R^*yLKxMkj@py&l0qkQLHW~7TpCYOo*cl7vkQz+MEbLQ^&EOwrl8sqz-_#==q@kgKn_kj2 zrq1z^4x}IgSB#~1q&$N7v}@+d=|V;*LS!!9g@mN1$Q03+dDSQd_o%mag}vftR^Z%0 zdS{mhNGUq7FYOg<5Q@rTJ(X}+-iu7@PVKfS2h%tOG#&c-gI##KEuqyY5L0@dUD4Gb_1ew^dWwGS9n6@~3hosa5*UT#1!%kciI1z~b5%ty{-k#o+K=puc4Y0Gz zqZ;mMdF|hWbbC5HS64>@p;tipaO4`fMp0m>)cc--g0*&m8+!xu-pd1SIiPNE3QDRV zD=~-LH>d9ZKmtG64dJ1g@j5 z-jO=qL(@r+yumQ6@$}T@k099Hx8zR7?8WaPnZ$p24*ago5l8)uG{(VddwKB$Xl;{Q zp%65I&mba485WGCIj|m<=_X-)ff6c2x#zAsyJmh)*!`*o3n!MUnBQG#1z$`*iPD$+ z<-EyTjC-IWMue*roeq0uoWaM#eszz3M7xoDbdLi@Mn5)ju3$<=Y;+hz^WB3) zuDg4T!HkNQI!_G36yvH2`=lk%fK*fyqon#8nq3(KTA@N_d7#|3G;il^@vC0+4h3CZ zms{G-tS%Z5YEbii^YMH{DQ9hX?Dy$nEA~t!PNmp`Uw^umY20cf|4zpt?rxl_e>sT3 z+KMWb>i-g`r*rJQ8P{0vz{;G#6XR>EhQ$HwSx{yi`AIZqdR<>jGNwq`qT*WO{m2^P zH$NZo@%I;$z5k&=#q2d=C@c!oNrs&tc%G4w4)45Xj?w*cQ7o$(tCUM}BkI$czoY0C z#i2IBWwjOWkpus90mn+>#}UPQG&Bl;H0kex&KX zz|h#Q=pDir+-0$4xe^%kkhFX>5`Oo5Jjd(m*hO$bqW_XA&#Yj}1|m#4AYVx;AC|*> zF%5Hg3c76yQ=A2}C&>@23WdXfa3El78s#v5wb-~(=^k>)j|#OY9V%09d5+wbRQC*% z(1y(&+9HWA?buW+LZS*~!Bx0LuJajHE8lE$w?`&2d4gw%!UhZv5f`) zuaT{sp90WyoO7~zQG@vdF2heQCKv<`Ch1h@dxr^{H8)v!k1GdJ-Z8hnpObdo7ILp_ zSWx7ijhFLDrQgM{u{}{aQqsMj4ftA+?H^h8h0Cx!#-O+g65+xX)HDbD$OLz(YW4Hk zYz+PMWsonmYt%=46iaAw={)F6!SsHMGKW~2$(jJ7VEq;gFPaG#-&=&Tx9ON&xOG9( zz%WSH7;rahg>l_?to%199-?;`2~rn$k>-~UvBcfGD}=Fs`uaqYLPTr2OO%K92lTUV 
zDfw$@#kaV0l52Zj%s=%EL6?)j5oZz7aD>oiH<959g3bRY;WQ#`RNO>6?^Va19lIiH zmoelW+0!f>*>;R6))hmJ_fU>WadFdKO_OIe+t+@3#`KYSzD9QW z-XldPfNVOxexbm`?W+wuDPJOxOU@0ac>_KyQTTpfRoKs&hiSvC4R)`P;Hda(-J-Kulucw2Ay7&F5<+vtAb&|sI-cm0 zF16n)DjRd)@a?i?z*ZQD>Z32Km7?#{kbfAX-;=jo`u}MGFfo5?t{(JMKRh1ilSA4h zh^#!{Zx38ge%*hw*YA7`2Ho~hrd*0{u6g|j?DfAOSm!3mW^`>id2B~UDI)WPcYCNI zHOf{I*NZ_(kU$CGm5(D&<7)jLTq8bbx%4NPCj8w*FyrMSmxjvdn7Z1xFVfVA$>ZC)g$@g6k{S`X2)$w3x zKiirQvPZ4K*J>0XC-9<# zB0@8UAOlY&T?tzEc_gRL-V1C%KC})lkX1|-*$DqK!9Cpbowp)i?olbEp zHgUy|=>l);q`w>8)}w2tjq%9)1qC7acaGjcaAAL`8N2^C_qrtcXttN8Y#wm=H6d_4 zset$L?2vY9^2^-(1<}-0(!ycDyez{vQowkB2+DRh)td_ z*V&(FErliq7W$?9%c#PJ2DH$i4y`tU*=!FZ-c$sEqQX<#iBaeV8L`0u`kQ zpLTfs6T-dOyu5Sa|9?JG+I5n@fO2+2#3nakk-1{<>afY-XO(crHb^lp&~ZiJ3w0si zO8?E4(^DAWoPXDlEs`BT(lvQDwADOSyGSqMbg z!8ONa!Tc6^?k0`KFy_};EA>RGlPYbcmUw1SwwBiz_)~Smf<&kl{hJe>+|>R1twS_v z_Hd1ceze(C(AWJX@lhGZHz$8S=Tm^SdX@sbNikEw*P3`Q=(9~}-O-$g2ieD;Z79-B zX3BrS6$w?x(unLFrc;SJ*b?Px?RdAXmdC2u!)O|PM?qG@=35XZQ`1pq8}#hvebhaj zqdGlli;REa8vAVeD?mo{SQ!ux&KL^#!Vg8+?#e}uhZ^xPdbTm zo>_Lg%rP-xrx1Z>+k<$~aG7~8+NRaZ--s%jvYhkqYVE(i zyWwFy_2{k^T0LxG1sU1+3^F1>#>!6u`^g?=IZv9g;^MDOavJiKYL6)Lx_f3uVv2HE zJBfxkInsR~;AegC`KKC`*6g8alnx;_SVnTQh{9VX2xMAW7R^W+Lzp=O)5{N*98#}r zoNk=m{$mWpkyE=r;cP`X<|GHQ6v#|2%%Oy#jE%5jxdF_Z*XDiguXyVckzd@Hy9KA_ zcm?~F+hBSGy;l>2IUQ7vq7QVWOUf+{C2>BHp>mT6|aC?th z$A>^a9Kow!VK>PA?in*NIdIwoQ!z)SoYSE3AbT&O&Jlf&WeWc+-5uadH`E2+?6gP) zF9~tBdWs&`?FEMR&i*f%>VV{s^fRRUY?x!*pA%HftCx-Vb5b&Zdnv^1)7FQGIbCsH zb-)I-5!*#HVYVWQ^A$SXOXpdR)e*!x%CvrFtUP_qcgA6+%zpW&rsgCT_lk%J^CkJ! 
z=~||l(KjMP&co5k(V<5QEpOs2pW)L7QXHK$dfE{%M@2n`C>YTg6YpLxMjvA4aodn-hhOtM;&p4k=-*Ybg#%}4^P=+3+pn2ABGsN#qL;zAXd!4`h>B% zMuzQql0kJfwZq}-lgdw~wXZT7-OrmkG>(j-0AW@Y7VRoKwocuiwy|dy0>{SdbOrnW zpr|cYIkSyT%cXd+mr@#@K<0-Se}Cwi9apeL>DUkQyjLj;cFu8XGaS`<_6Wa1=1^p2 zvYEq|A{tO{?_l&bHa!EAu<|~FH$zNZZt%zFeVPx4cgH;Z)|MX-l5%f1N`r6D7Umb( zgCK3oa8T_mX*e>J=Mr)3Wp^(|S~J7({_0--0X?+6ON|P+9|9&CbO>1XkMz5};R+u2 zYbkr5|0 zQV+}?^Ger|frfbylYmq+KAw?G8ZyY$!xh#OmSt6Uk>#v>>r4Lx7tgz5x?(Z){;c|{ zvc=SysMjV+B|g>Snf9DPVaoER$92(bF1WcD&emvB0udFcS6XC(}MIT zSHgdLQQZmVZG-jU)SaBse%dVu&RYhIP90GbQLEXJP^W8z@wXE!F@X{v5kJSb%h{xK zNx-FwDJ@ag9g8Wuh*)H}ckB1^8IjFHqiP0ys!*%c;6FlrFDJB`-8tM1;=c|sHhm7d zWy5+#It7E_bxW7ml-$(%4)yttij!oSU{Om%1xpmLv{`{W$qNq>cU{siqodTAQX|iV zB|04>F5VD<+1wt;2I~?lY3o~RS|}Txxz!V70*t)obMGZ9Gxz-|PE;y@#jTL<<)m$% zyyr%o1Y7`>$~gt*`0xcMX4^3cwS)2iTnsH>%`Y5{>-Hjk zQvNX`ffykt`@|YAdY^+#`rCA?7Ws^M9a@FtUw<}DCkeQ1N3NTjTNKOqyTQl;;|yvN zo~j02Q$u?pk<>W{Tw@C-J41XB*k!*iBH*g4hEC%tz@5mYrAnEu9`x8j2e3}}4657i zT#eT+AFe#- z*ZY8Sq65lshs-hN3;jLeb#0IWZ{vFL?XrADQ3#5hiOHU;K<6?wB&vviIvQdS35R(v zX~UXAzdTi0Fj41XP$FHAUN%w~sgvzPs#gdl5>Fm8)bB&WJ`HC8C!A<3`O>s^9GKuU z*)yCHu=&)4TFA1ZpiR{Leu#I!u-a(+Dgc6ClxtnT_B@BkI~u0xH(=5I-$jy~YRsE> zt#T4z@e~dCiH9S$Gl1&@tC9R7_@imE%9f0%>@+h$(X~fsuRRRcr{&Fnwh^5l_$B{M z)1qsX^-m$0Q31STAN{EEC_kr9ltbeY^*6Yo|8p3JRR1&6Ylkm9DkJ+Y;G3<(2ASd& zu;=}6QwCN-$u_8DejMr&d#HQ+LHOSZRrii@eGTv$SD??Mt;3*b_4d}8)$Ck46W`BD zK*RZ8xO;U(t?*%5#CGX$qvhaqhLk%YrJ$$2B8^lrI{452zY-Ob%U0KA$*6WHE%hs0 zOESDCo&%c46^pUT&5-FXT9p6RvoVrRnY+?g*}$Yo$zPILrn~hk>~ES=dp0*C8=bZ+ z|D?+*UHmzU{e)YDG_dNz_1G9Hqg}o0}`i3YZCQYx8kz zX!TiaNp15|Tj@o+hW*YKq;-JsV8l>u913PMlrX^QEWD`xC70+-5+u0JKU^Ahb}_bwfj1PwHDuhX@GeTc*ooG z6u`(&aM_uoptD0MfCa9k1sUt0_%PH#Smb)xJwMN-f^>#lsR8TINXF%5H(enk^qdSd z9)0Xd(J>hvNY^bNgp2|9gcsq?(E)2ia~m!NuA`$ZK@IlP{;})uVFn}S#(4nfcI4_E zgnRFaeg=P)kYF4(Ed@pDRPIUol#&CfLv6wmo`||eTU$4%b@b&v<$Q*!eOma6pa87l z(&TUnV$b~bpjvPItL0u5LiQj?Lk77Qfe8d#;%t3Z$tw(_Epvb-=L0{qn1TPU{^IvN zDrShW?$+FY=J#KLd1ofm&#DETbW-3CHCm^lSt?@$ECHKologXd2o58x4uoOiF)6@? 
zSbWfid`bgA#PcZzm>UA>m%af5_W$laVS?Jv`FfYRKubr@lUvQZRKTV2&)SH0QzPSm z+Ytcc50us;-L#CkWo&ljZ*oUJJ_yOxV}_H&`6+Y|NaVhWVHBAyjm{?!+H_(U!X~ih zC4?d@s*Ox=twR09VmT6xJKJw)J`Yv+Iq)iv>_1IZiaGq1Yx(%wB<{7kjk@+9VMGip z=dFE-G0A9!_Z2Smvvt*efW+o$P>rWc3540FXh@8s)CKRPcVyw{CvE^3(+*>(*C}wN z6aS~+R}t(-`vKXsYks{Ix;8yA{QJ*}RG$fm8G~kznBG&g2Bf!t#f}+bEq(uwha3`9 zQN6M>{F|(|8Y5b)-olp-bDWly%q;%gj`s7!HB6E=jgZ~1H1Zxxz1l_Ia>viBEh0%E zEh^1X)dj0CVXZ;q~X|%xp8m$V&e_y_~%q2+){Egt9mwHZl zxAA>s$_}=m{wZ_wnH&W;8(W%hc4J!j7DyP49ykSmif0@g90F*2-)W$ZXOb2KQ7$c4 z8UBFzGIez$fui%dU5ZStiX)iN$VeHDnV?Pv#q*F%gcyLS&?YQydyKXZHu&t(!olfV z?VeWCb^OWI&6>nf&LdKAz9W1;KSV4rK}SRu zOK`7d9P>ycGJc|q&pw6ZFcWt?tA&8HAwzajXW^V%9y7!{di{PA^A5T7yq&4yX|3)= z$QS969m1AYAzk;dYvVjq#u8HCBe&e&0JZp2LH{?E4!HMXgo3X%51^gw#xwdRf%Yb#D-OcU^s-o8!^b=V7=~$EiEUvZ@Fhbe);2oAwT%)ESMBt zeJy)HUG}-gbDh7i9DsV0tkKg_S=1BUvs&~#+Pa-a0iS2f5q$`fif&budX@& zG->1=Dd2G3&@ZE6Qewa6aW=mJER~&Zc39Fh@&6m%|v>eQ{4U%LG4561(=hzDQ^< zfq?=D3-D2Tll;}^&JQrK`AIHP|KDSVmv#-q_k9tt^i`f(oj<4I;?(!F?=M~uwyIm+ zne<@iy{sr*H-FeHzVYrd!dnt;ZGp~}bSh&y^E>+x6sWzXVZ@>`+=MJw@cWGWCA?fy zEoJ3kWU5iao_!q~AQ?_A&5@Rdl(O6E7;hbde*WxM@vdX8Ocnpx23*$Ly-sdaKXb@q zAO9`21{tI50B*0(8$A0*2Gd9AdpYds+%CF3(2J9R}RR!Q)UP+Xb76nYB9S zZZOfitGdXUO_mq0+$j++WIwCZ0La#9XgXi#%-FAAZ(QwD zZ0z$*WOfhHDFOy-Fv!}?43D?I9i97|h3`!iq~RAmqcb~|6{rDAJBrP)9cN~|Y?9X% zoebZB$oSl67Q}!f%jab`LzEQ z8=H>^ELWB={EkP4u<*=M#h<4V+Z8jNc45xXgIWR0IMc1Rqdx6Jp18+f?mnL!mm!x> zf8`^r4zVImCW@7vWqJNZ!qW6)@LS77Q(px8C!mHX9Ff9rA8Z)dstH;Hl}I1w&EoA> zhpuB>Iw1qbwt%f({b#6+w>CjZvMam>?te}x)X(_48tt}#mt2o+joNjWt8zB}*iv`C zF{oQN(m7;e6qg5J_7uDcRF2@2nFwlVr~a%R44w-a#l?RZoRTZu{u|5ctDwKwDFVS! 
z?F`EKd%(YX=OL1ig)O68of9OlF^kVL-8Wm9rA@f3!y?w?`Zqg`=2FQT((5Z?MLavJ z7xW%HEU2bAHz*{#VeHuBL(2gDtHAh5B_j>0?ZEQA;oBYP4ok_XCmlYc7Gyv~l_4B3@_r1X-K-edY3>y?%e5=})RYy05= z(05O9ha#0P)~eLt<$ZqD))Nj$`*0?ZtL=xHzQX_4bIBc3k?NHHM ze=Se*T$d|kqu2iJ=q&cS>|6Npca1UU*z_?hXjD;!OUSP~1TrzVe zCnPhVdzp@(dk{mT(fd{|Yg18DW|uirDn1zc;qb6(Vqc)^yLx$#V!%%Rs^|Zub(s4r zgm!*6Tnb5YVc(iaCoPAbN?7UZ0% zU8mIFu_4WBg2ZW**+sf96t>nan`3PCKkxAZCy_rRfBOet-mmW^ai1oUaHg2+W==P? z>Ge3kCy4+@sa~)kpxQf-wLYCF^|Nut7;dvbI-xheo1V|t6CtaGS-khWte>VxtJ-Lu z*1EmDj;Ta zD{dzdv#|^P_UWvj!13MP7yQ#?DPEjX+}q+5DW2fLDems26nA$gI7I_Ri%W1T?rz0`ySu}e^WE{jW88B` z{yj;aUwiJo_FQw$1((kgTiHRtpT|?IqEXi_$j>D>dmSldFP$1beeApYcgA<>&NhK} z8VB=q6+s7(`gj<}r|fEe)*#)?n^3ZP9IWOi^|?G}qxf+=33=Xe+pBy!sGM36WS{&D ztbB}ytoV34N=U-)_2DvO21?&uE^UGB+{S>TjuG(#PMl6IZ)doUoAY&D$qe^}F>9-Y zn}@RK)O*(!rsgX}0<(R&$g;UwF}(X&@TufKXrlspNa!|+4_)Hz<~f;i1Ck3R(pROE zX_GxPAD^z!^wTKw(yFaurozYgCQUr$Cjq_5}Rjf@cKY_g-Z-kuae`#>$k!$j%k zK*t`>bO<}(3y)Od^ybsiIX93?s9Ug?cfb2oy|{+U?xCfrt{3Ssx|4l43SOmH7aBLl4~tSyp{%Fk6`v;goIC$RC?eER+KcRE(n$y|F#=i2 z6;)5wfGieN9SQk_XRnEKY>{J0x>~Sv&!?VkvJ{G zn8!bJ=$cJpypp?Qjlgm(BGe*{bI?8-pxeLxhjHQCuSkpYk|R$vO_?WuaGvVeBPME~ zm|(8xN&z`F#DAvk$_+A*Wv>MqG{?8)hk<2yV!CpFkqEWDV9?aB4oyW>BgD+V>K{#~ zCptL7$Ea_eWG8Uo7WpcRzP<##DN}D*elv z(r^^F<7b?g(I8r^C^6+#?!4ii`Tn(@5T@<#8(w)}>;6ojMSwNxgbPB0OE}vK_0!HM z*^}NeH;(=074UV{Ft2)$km_DPCk)J6{H^SlsQXvV4NJGnm&5Owg@yOpi-XX~g$2Pi z;|sn~{j@?RV8`RxT3kKvt+m_ZFAO1WDuw6?3D3ZdZDj!%n~Ft;{3pR8=;Kj1SQeP; zcUbu>;PaT}W@YXX59Zv}he=ZUUrz3-`@XoUhaS~nW`e25&o1knghT+_2u&oxmt(dI z?|kEgbE(>HDNivvl=_9xQnOYJUxuP~tgbkz#C>n;h=2J;RIH{KwISjZ@={JNzPvZz zY)$my?rUjPB~&6vb}#ZscwW&;%RSVrJc~aO+S@f91G|GB=5A=tJI|m{0VVdfD-4`} za#t`VKtUKd`+~Yv9y2PDd$_+$NfA7i973X_W3WayYiaeofc<>ePc{AQ^?0>l2Y+|s zQ$YYN&IE)T#v?xB5OhY<&d0{{-_|F&#eia*tgIA*?IIGYFK0Bucl0BH7LCs|A8t03 zHqR=Jc^z%@9PZ4s@8xLsu&Ec3J{KDE$;P6czJ`>!tZ_WfX|VD*53wdEBObwH2pkG@ z`iUvZG#IR#`i%Xmac2=_zZ&x~VV6=zyH%^}r|((ux`o8zGj7n+wxv!@DV?7{+X2Z0~1D$9a}?6idT~7JFH(tO9g814Ae|fo6j)k zZ@FIBEQ$iUXn$1E

ON*_+Z0rD-Qn?6*ktN<{BiaDEW)5XbITPi&W5G?uk2_|#_{nd zz&2IDTNpYUus}#KzLW2DD@u|w6f(sK92Ok?>h&aa3O-rMy9GSOWebfCnvU$xl{0e- zbhSWL>8`pk<(v<9h?*ZCSOqfVr~1yZ%PGpH9e6-#-?PW?iI^@bE~bB^8MJUI@m7pZ zx=@<2UtIoGZ6)ybvIGO3_V8@ajDUln?A6w4+3Ccnt9#3FK3MYt9wX;SW2$+R=$(0!3Y*e@umAPq zHvkdW^xXPs_g_@3#Cj>-TFK_aKLA^cikpk5cYW2bfjGVXaSPBLOv)Wh0snR!Wg_TG z!SzySFZ!I)%Nx&TuHU;FW~hrz z`_NcE3>&8j$M-0HahOpUmiDv)0S>=9oqENuRg&frj&82`V7^S!*DX5kK3W0@4ycQA zg*XVF4gqG)CV#!o1$*jU80PUZp>EIDc+g_xbpI~mr;9RxIVSHzd7$AZf2&A^pj9HM zU}ct#&|;IKFc!G}NEAQ+7$mVqsdqEZEzQ=m%}-y_l|fRaCuPt%5o^8H)vtat8@Rgb zzB=a|*HZsR2^wma_WM~c(4hEt{0o0klp;+ls?F=qArU>#SmAYnw#65-(PO08m%XhX zR;$kVs?gJi?4%zbuA5+e);}y%72Jt}lSZNt8SF*oUd{89N zHGd?~AGyuKGuBqG(Y63lJXER!wx{y0%dW#dDr`xHa{1$a$Kz^y4{yTl51R#aHdS+y zU}6k!LJ##w`I<}|A#joVu4@Q{IJ;n_TfF4rtf{AatFHg)=``%IwWV3CRP)olyQA-h z8$c@J0IgvBjW?@BvTr$9Q~~BzNWuL zv3L=EHiCDG3@%w0q21u0zGv6?aN*Rdx|x@>YdQt7wVMtT!t#49f+&A{I{lEe+aAkdSLymh;aA0@$y_MT1Ij>eSz_^bznEuY{3i%XG z$$_fqp6^Dz`MQf|adnsGISjn_vfBb}NGuu!rsqj`EFZc1-R)Jo5f}t&!s!)c;=zKw z|DspU$X(u0@pa3>GaC@i2QBNX%!hf(ef}B@_d*Km+6Q`29CNGxq7uUE^CDyBrnx%% zeDi8L8C@zUo8(k{frr>3HxCG3k!{dKK*QOx1LD9~+TWH(- zgO$z{HXDC8QjLFBN`PCyx2aCCAu&`w!e7Sjk=U?C0DD!F1Ss!tW$kqg&ZZeY5m#o^ z$R?MN_YmzEIKeY|6{a z`iS?H(aHkZTQu(JU`eG*xLF16)8~twoJP%16Z$hHX!t_fcE4!D{c(J4XE%ub?EHYY z5`GNq(zQOeh-t%)+d68+bq~kg<60H&^-{owyGua4-IWDv9j$fa>n-H0v)J=-O2BX6 z{Ul^++LAv#Gh#A|yh(Fon>m~f;+1Z)7kG3aJ+T9SL`g7?4CAM zjWMsgv3^fq&SsdK`qQvTH?x0lj}N%{NaOR0dU{@Q#tK6)qz15NJu9lv`1OIhFDqOq zABIQcH;fyxx+>Yg)8$K-(3<9+pbNT1t<|FPQ38Qw_K7*m);!VWUW?fMyZayQyj|mO4 z$GV!LgSM`3m)XG9tOGLLqVkC%sq*ZWxAPkVu6EPHsE0kGE!T!t30Z`M6;YgI)LbLn zA|n!?hfCE}yWXNg9tu?mKCtb;AYv;ly@d_zjEF|y=DAKfovEEh!;mg$Q}5Jt!VH+;atqYyr} z81FkqotoAjoq~DUll$-IZ~;w!YIKp=FL_V>Pt)h`Y}yHb8o@nDeS{= zdQ%Yw-CQ|Y^pdAbtRRiRvEM2p??=WzIR^3H1+eU-DP(nUQ|zK4crWP@epNR}NJ~Bu z3Ztynr^kyf?J@a zr6611{iQT96hr3C@`y;pU(|ni2#*}N-7BIhCjh2op1^$4AS-PWx=K_N?9W|pchZ+0 z%{LcJrx;4`aV(I@&9;7M#^%alE1givPS&9}C>mU3?dlp>aryHsxpa7ke~-%V!XM^y 
zO9{kziUV`8JKBv|d8UUwE`vF##@PfnnP<7i7)4dNteZK3LxNL9cWL{oNrRaeT+_AC zj*Lyy&3oxvy);fLR^<`_QHFY-C-?G08@KFGIE$FQ;#&RR6ihY*drdrFE&p86YH92w zmUSK)6U7Q3vLU$$u=Ad%%S}Nd25L>9vVQAF0?OlXzFV4A{o2ezM$D6iZNDCt9B>Ag zH)C?=^xMAH>9*X^eNbreMvp2m?-IYC2+$M%Ck9#)eUEbNXe%&M2oy47hy7-fpdSd4 z3iY2rK&Ha=Mm-cTYA{?3f&b&M@VSo|Yn?o{`ws2pNsm`8YKWWFPwM6+oaMOuy1TU9 zfZ*o3Dhjah^V&S%l5M#Q%4PM5ZcczECd>oSAkiJ@)?dn;hR)?|qUpKxhsMD!JmB`G zw#9f_YSND+du%Vzg~34odR|v^0x?WiM3>^k)^{FCfd&n&zw9f0V>>y+XB7~m(RHoC zMdEyrOVo=cAQ>c_<`tXkz~uRIAcV&9h*sVjv9Zz#Emy6&o>`*TISvL|8jup2`F;L+{43*1%vXFbz}d9c)~V-|t3m?C`IvSjD?3Q<-xmF~7G0Lp=2P zk}0OY)Dk@1QG@b?;y=YI|Bz2#EFdj{(57m|47goko9_=jPA3Rt9SxRHIEVb z$I;O!ddFc%k(%+}%9+b~gy&qf&E_e^`zj(q?K@oN34_IkK1rOL`k0Bc1uUG}sEtl4 zqa*`V?|ht8#Nz@vl#1MP98y5Y9N(7s8|Bda-ws*nJ2vEBbu>4d&0=h_qWTMHwFkcC zv^mfIHMTqyXojnDV}u(F4T+Djya$J{=adUm4Hhb3hY9_*LNFrXqw1sLn;bLRg`eUmva;MLX2>q7Bp`nZ8b%Il2+?EmkcPpH* zFCf0K5LKa&hi8#&F)3%F zM_0oiIx1X3w$6(8H~d&bx622Wm-plvYktim=3NeZw397e3hY>_2CcIbH7F>DA?Is3 ztbD=GAlc&4(B=whlFYlIc36SC)ZM`W1`zC(Db+u|2Yg{qakq3z3xf$g?Xa%a(6!Qj z^6lTWKx1q9>p{m|$ycCa4QTeB5z^H2jUc}BfPE_Br_4+(9KqgNmqrSQZbAUr_Ff-egp+7Ie4SzJMzb+n%Nr9`60tTbvL3 z;Nr&}>rJ@p-uuoUBK#8PlX?f(f_sJq^;}JqC&@T0=C2sGUmR^r= zUVDeZkp;Oxlc-$^Z+x>Nm^W}+4xQ>@AB#oxHVAN>hAx6PionPRY6o;wUaNrmXh>qqoSA~}Bu4znP!PU|y1 zG@3B6e!KXip?3!}X11(c=lvST`%o4>)YVO2Wdky|piS`odYd(Q^zA=Js9_iq8%N_$ zF)R~F2I^|+>D#`)1f&x2lYr5lQ9t&Xb>C-BVO-y;)`v-wsyY<+?ghpy{+bij!g`xy zjZLd>tJDWpI~+m?g68MA75n!;Kia%+`&dhxK9j5|YMx8aaDhyG9+}B=q)KVec*0#V zuy)+v#&L`*Y+&^+r@y@I>xEBudL)?V``2Qu=-kM;4nKJzpkY3%^$?sVLh_qkcgCps zw7i6K^3LFxZEpHntw9FWAWrS?H_A>VLS_G`T-=)9ng1M>yzUH?F%Ql-kwX&NzCW?s ze=&wB;Vw#kSq)#)*|Hz7N=iGH+OyX`)`E(ZQooxAU76!odWBfH7O;1}Z`F!oOvFOLO{?Vmh)J@!=7&YZ*9xNsKsV zJa&3&y`01Y$hNC&WNq~) z4O{TBC_O1 zcHvTI-jhH3x2HYzN2AiFI`FFwWyrj)XVM%|tU`C8D&QzxWTk|IXC+W$y-o-NC(0q9 z)nEt|@iocuZ|%9O>}>t<-fbblEP~HE9t{)M8A9%<(J;0|9aZQ9r$pWSnfBxp9(Jfd z+8fYs7Pu%txU#a@Q?0_L7jhjE7VB<{Qcx!xv2zuDi0tJ$7lTA^w3My-?E3GrP}x_! 
zi3f#)pGMU+)O7u470p&R0)ye;x0D#K>yJ zf74NrA_QNkkz8TyqG}uhNuHoR(BJ#{<`){;?rKFSvJzq08NxmtLX0y~(RzYF9VXqx zn|JD*3I{k)6t(Qsc;2(0PZU#p*i_P_#fF)~Q?_CvB1+w!Apu|K_z<-$#3e&#*Uk|m z?!_dJJB;a{o9lDrd)2J6Dt6}UXjHxxnd6Cuj^K31|1x(q$XApx37zapT{IVsWv{Yo zu87JOFo64teM7(m9h`2xTaUai*r#Q_#z{6Y=Q$Z+D-rn%2(03E`@y`p;LF{Z;P^qV zUXM~fs!RPHict@NF|&KED^p7P-9PR++(GtC{l#&NQ|{k0rK}QS>o2d?A%OhEEZXA> z>L)XHP$He`RdU1X?^EwbGVa0g9kygn@;qr~Ip(XyEZ+UjwlKK*1eiO1y1Kc3`-PRA zeUcDJER?~Y``o6_L>Og34RkXPNbx8J0)*w18r=3@?~hk=Ero)?1tw7EXVSLw3ry$c zHbu9etkVa_3_3o>@ju)8TDnp{?bR0D?oESmtW5pDZuOehPGN^@D{GIB+VB?I=yk`S zYt$3@CFiO4>H;h`rd*im;!Lm?lsA077eRj;z7L;gPwDSOHR{KmJ=xRqSz%oM;!T?b zJfG)s*jvvty<$}_XUICi_tkGOj<$f*@+Sx_8(h1&Zwdz9SJ|0N~(>tbXj=&uyp zM*m@3{F0}_G~^tR)&vtk(&+Y(I?W8?KLecolyaC3-8T^%$_2peXkJh@P!?G3VK zl=a=%0fnwR>Ul=E`B=KY@pX2Ve++Bwe&iEJ4I>#M-z`qs&Fi_>I=U%7V{Dg~17I+=2d?37CY+r9zE9Skz5yHiUp%4JG9Bl-ufOK% zwZ^Q+S=py-8tkT|zkryX;QBh-6dQy5CA;PPjLM3szI86o*F^9>Y>_m}QNasT1m`|i zZf`iDbv|7!jm+>=iaK?GtfK8T4E*I00yk#;Fw;I+f2thVcbhP%8M+qvKAj@pDY7zc5$ z$xi>}2{uTwIeR;Vugk(Z?L83o=C_*6+s07oNj8S)P_V|=I72K67vo8qXK0>2%YUfm7Z*3K0Uv9JT#W)x8xi|y(xW76HY*{8~ znlLWz=1ua}WA82W0glhHUHS2Sz6%Tj8OOee5{*e>bF!z5^R0fs*$4s3=E1%G+Wh8< zHA&kLJ}QW>xpAM+cxxQ{2cYRDI^4Nb{WAd`6sWor(7p>DbvN8uTe_62#*VW&A6-n4o+0#JZ!;NMR*;!q@=$~>3EkDO=O~Dech(CU zHITB-@-k$Kq6qlg|2C#plg>vfaJv7d&$IYZ9c@)NJ5;|7)UCrEV6)d^h58q(Ip^(A z4Z&IC?pdTnmzXs?^sW0xXi^w7o^r1_E0u-Nw@Sn)RsUTiZT@dx<5czm9t?C03cVBo zAZ{p+^Q>XZ1s$M;Z3taB<#>W_(!%)!=a z8;moAB+vSYS#H3`Np{1VQU9S2>8lFlplVt>*}W@f)?u8Q9&BJo+N{3+u`h}Pn zhtM7!0g(!m*;r+{u=qMGl{Fs*QO86k`|s!n=RZkmE$0W?NJmO5O*)jm6|8$HZo9mZ zyESa7+&*y#iv9&PU;OFMry_aRoJ75K_vF62xKCLYd|N7`5DgFN2=xTP)1%8gcIxsU zfiKT?6T@yh9}@BWpTKV3m*Lu>Ylt36Kg_cAq{d-NAq)%NV_4m89-zCtYgW%EvnbSc zklFwdymwnIk&e2as5aI&>eM+;b);-jDUkub{gcEzsq5Au;di|H#G~^IZcZAX7TROJ zNbSMkW*R3_8lCE=TF&!=_{j=B3NGI=osMMZg@iD3cL|nnEdsN!ruhkb=TUl=+pHE|)p50dV+@5{g><|RzQKHv!gVf(D7HfSz zCq^{`@tx-H?pE~QXQ{8Tza5CR_edP9{YOAeiJ8grL8fbn$h<(cJ=d8Tqwr$JB#-*?=}kx=<~ 
zv**A=U;ihteL^4gjK3t=rN#3s@0tgj-zZ7`uI36=tFx20D=yXIp$ava-^vy~`G)U@~v(!Vk-Jqx`Ac9&n> zPD)Q_|14FCxoO_c80r6NzRmU?^HN`#-OX~^$G#O{mIpCCd~Ww=rW89V@+~Y-PG^a= z$(nxWIgoa>?DX-8%H2XMPt3^SMIbVpgV=!M&Tka!mVPEJke|T9+MxOHjtaa9_)Z^) z*F)c^O9J6bQA|Qy z-q)fi5_dlIW)zuos}^qMoRs4k+%7C8Lr$ zx?bkz2~7MK#RWAcy<#LESQB>VPU1$FGV*K7bwg3YkV`~#*YH>Kis@(O&L48~>;^D0 z{S1_qQONP{?#x9JcWqhq`EJQsx7=7dNe-aTcDlB|42C;7#kT)0L^202Tot z-lJ{N<*XW>jWT%36N0R_cFEs<8d((a%yQAvdlT_W6T+P`w)<(UNTIHXa_oCh{9#J) zJ@<0IMGfAMTi4@Fq9RkF6J5#*Bu4&w(rv)Ig8Kz~;7anvIn?-Iw-^ogYZ{t-+crD; zJFGgFP>!+p{XDPV#^mzty$IlB16G=_2_(&#J!S!i?pD+}Fe_9pEX0A>NE)vQV~wO$ zg+`_cC+Y1suVZOmR<4-pA+*bPSJp?qR636*=To64D9G|m$l2Po8lj(HG)-g(0`izm zI20%*nY`4J#nO@0v`6XRYXzp?Flnx*F)H-^!7t-pu{1xcP48-)=l>K&MH5pBtT7W* z|KrY#&qVUEtIph0EPIgGdIZ46Q7dQ~?azqvw|(Lj4Krf1?6v_DV?;%(1doP|$b*ng zjZEB;s#tMZ`{nbjGRH7MQ(@$1dWV27ri}Q63BSyib$5_a@I9SAa#Icy+6F-s0)(#u z=Nz!rgQ&f4P((m>5mj@y$=E{}t_z;(e@fzlyh=w&B?SD&g8O!5YKs`@YrQJ0KhCx+ zfJ)v-?!AeHB8Yt7p*k?hNQ^imV#fAwd+XRK>9m#j>MHazg?g~O@?2x@;Qh@VA)AQd z1vPpstM{x~MX0H}l@-?IABQ@r(mG#91>x;bw3r`DKB*V=SYN2CaTu1e7Nhlc zcm8%@F*~%;i&^kK0*XlAh^mYLi>V!qibG~+VNIo^ujKtvnTks3r=s)i9W2(&y?-Ju zDF$n}wZ`O+e{=!!&hVH1$|Uhvz1YjH!#J$Uct!ewdArq(gnQj@=Qk zOl>@PFh)#bjX@e_;-L*muC>$8V??VlJ$}py3oGH>;Wl0d;S%oV=G84ED5z3#)boCP zpW2!~oME`VJa8=jxplsl)3qVC5PCPE_K6GQJzaKQjl*W)zvDzN)&CzpGI03x_V&8} z-NI|#wTJZe5hwu|Dt(@Ho3d)|`^W&y#D>nDAMT%@pWR=<10AosyIcKkuO?UkoB@zg z30<60u#!vg<;5l50En6@z#BOMuxhEYL`X{Xilh$$3lk z%LpO~|9(K?8>8?`bm{Pg$!21tXsyCe$_%mvK^S?BXq)8r^7o}Y;2{?I)hGdOD}lYh z3UO7s09hLTB~tzI8iN}5YOV`Yh>#Xr6TNh#4X4lARn{KT_&4>gBpCgr_2U9F$PU&M3vU-3(y!I z?qX8I>Lcn*ycb#eh(@o%8dHBGx{YD`;R2nC0;ov5GMY~vx>ehqudRM z!A;@ak*K7n5>>*Wa22Zc!-nJjyyE6NuPr6%;M0S>q(T^AUxc=qJew7wPE#jIS7UUJ z#ZM@6Mh6B;Xq4&E);Td3v~}oyJ(Z&MTf$ygm_hOT_D4U`b+>qpQbO?BK+R?xbbZ$q zGOMC&@VUk4wRtqF#>tHxeE@RHD)I{KTzI0p_$) zxA*NElh@5ryiJ7<`=Ur?mLuxx-J{_^O~GTBClvpAL$mFxADjD!_$L!PNoolEf)qb~ zIQoCkc7YcT66w(DYj^JpfJGVtd;~5QwY9tL%B$;$KsxZ9UK`cpPt=*bgJSrtiMiC^ zsb} 
z!-%Dgb)g;r=k{tw$9#T&3mo<}t1Oixd%ZAfS?Tjr3cvbO#HRfA<4xv>*I_}0OOJKa z#$%dSRzE)rbFxkd)7XiOIL}M=8Do|;cd|VY;gyk=*s_`H~ZvxY2i=!iEQaL;kM5Ls}bg@LA#tW@x zkv={{eS88Hv30G+5mmHs^l0k~qK8L^l5y-NI~&*hkI5#p)_X^k@?Ys)DOkZHJqLjA z`Kg4x$@(8`>$texmyQnP*+;=zxPRV|ZgqM`TBU8~D#VGrvc@sxvFRd?a0v3RF`TBG^57Lvm~UGW`-E3h6cCSi?EAwdVSNGcxWwXGW7Hc z&BrHN-!_+y%hUH}ACsDwaCZy)*cE1ujKcOoi2OWwd{kj-Zti5R=_cVnU}8=eNai@&uQc7B(8|xvcY+8#tyG_$gphipS}c+N}Tc;}duBsGGF3btno! zpSFYEQkoD+m|>broanqVBGJnf+0~3^9~09?AlgD!ACtdMds%sTNf|l?n3~kc1Fg2U zw)1pyvA!CN_@Vb}44chCy!s+Q@e^ z{m)7txk;AOqyh+cmNF6+K4pgrAFHcFwQXncjy5%EsIH*L zzpB2m+;EN!)PAC$SN`}%nrf_VY&{&onsyhrG733#xf~4ww4=mt;Ndj2h=1CGO~=jj zi7s)p7vtL5xnS9pUtzx>#J(R2vSP0|o{Wl;&DWAO!%aKzg;LBrRfT=SgUxDwCUb)h zrn_9%*qF9q{a*BN^(YuAFHSruq+F18kb)?A+6~A%v|8jfv}YijIAX-ZpLnbRahKJI(xIsNiFX-@1o6DGows@l|Dw= zaa=r^Z)PL&LiCSBg7@suv-z8dt8!hk^GbaIfr$$WJXS_#N6Ro`E0#&lw%T%3qIDn6 zf4qUHSP}<|*hw3Kj!^B>B$T_XC_4B7;-zWMgum|9oe^ULQT*mLS)e(XUUx`fbgux% z2;F}$0t@#vu>4<)m>`=N@(~1ByZ&)!QJfbzYS6mv#o^c>7mW_J84CYhT_wL&G9tgn z5;HE|V#3W0UQ??rxSmf@l5~nwv=rq0GCAdBdkHtb4|H(r=C z%I%jMXhn;T>uMH^Od$`k$WSbU)@?9Hxp6z#}`RWB2GxuZy zZlTiywbnuOeCMYe-^Jd_){4Hz`_utQ^@F?gZ!PZkptBh?fsO zu~7OWOaI8D3~oqbL%?anAQt&ocVT3=YG`^U%e5|=Q9e~%7owo0?J0%A7CDtJ+nNXd z(sXM%qR2aG(ZwN1g5Wcz5q#RPiqFW*n%Es%5jVc#ofK{5s?7>ghkos5{JW9^%!9ts z+ogRfim-DNC$fsV5~J@7nBzqPu9;kFDl;`aM}pO?JGrxUXrs zZffNp!&3d%;fe=r>r=`UVQFk$T67pJpnh$l)#^r`|D~#Xs|qP)P+2;-Qj3Gwb_}GP zyAn9Jc|FzGqAl=Ee+4XiKm#RVXO+5kad}%(%bbsvyeM8(K~O%5I+@aHX(s)3o_8n+ z3}B9_k`X3jWRaxx7Qr^;G~CHOXmwT0W#P{ms{2^5f(kB8wcmMl6lN=mv@c{cF!(n^&hx&O@(85)kt$4WkK%dn7LSd-Vh zZufb_hWYaIbR^-gyVTWP)DXnNtsgh3th)7s-C!X$;XNi?9;oBP03CLsDVSgOt1XNc z=XtyGgwOx;qP$VMy&!gt+U-fGl*du^rxhfsKkiNpcop?jzWyc5RSF|_#BG*O;`4jCnc)Hq2H(!ks_zjhBLD?C zV^u#6SXkmN1eJ+5g2ne|Y`#RUXW2^YL#n(02WXT8^zd2cZ< z+ub%s4vpqozxSBJGiqcEf6QP1gg|m6PoCz{#;3bj>{95g-0DST(Wa^7tflp)dZNc= zP1uyUi1Id4w){@bgv51hQ-jYS^fOXMCd2PcA@JzREW-)R~Vnm+qtL)|=C~xj<=BWV8x>S_Y}Z z{@ztkc&0#H3~rsg03uon@^ZfGm^fVk?9cXxlNYp< 
zPFUIP6lWEO`@5-)8`a<&)IQ06pj>EaiPkT%2sMa`L-ge2H#8D)8UFU1wg?0?fu$Z` zUbxFlpZadI7y2^yFm)kerBx93uuM-_Xfc|fFnaZZg*n!YHFj6mIBt~M?_WT4C7d{Z z!0r*rIy1Ibtb|Bzrk6uj>up{bUzk*U!W@QueoW97Zvxa4=0fwL>K2dU22su9i_&HO zi;BYi#lYX}jzcHpR@TQ9+*(zS7ZHg-B9+iWh<>QeK*U*FEbDpWJREymUenU9uhSBW z95PW{f07W(rk0r3`+%k9O4W9O%WpMEt6k?DLEdVXJCdm#Gjyc*2Sn?wBpwB=qy7`E zu|Z+0|J!0Nht~V#sY!*mNU=E%`IL&no^?XkA?3EY{QBaq)~28dlW6@w-#8?R7O$P0 zlXy0Hu*{>N<`sc!yVw*bAvugSmBgtezPKW>W{61*OsBjG`)p+u`?_eZwEJ@bT8kia z?n}~1vQ}=3R8!k7xA^T{yOn4Nx!24KryopSZ75HNa*)c_uibhYn||7rW^my!R-2uT zIo^>zEfj?DZ3V`9T^xHVNp3O5)|<9hr=qMwy96PPk55TEA^ouoCDGW0{hP;MZ}54R zyNFDM5TRUvZ-Jlf{N}G6`x}0yOe+d6Fm#L2zt3p+k<4r8L_z6T>}I5pvU-&~K0NrT zjU_-MF_u;OWaVr-V|%Q{_q$~9VLxTN(#}X4#R>2x!Y_3d<^@^4f3_PeQGdvmBTvU| zxj$S@s$6!qp{1=SQ=)wuVm4raJdboR{9E=9eq^-Fq#E))19v1a$h{AH9QRotc3k4^ zAUJvMU8?ZN(|epNCGe(=>D#RCha|n;jgN1(uZmP<44>H#V2%UQjpPsm8k#mrcn7)0 z0lT7-A4?#C-hwkb-LV2P6^&0S_gf%fI2|#QbY!qe1G&eM^}25>rtPyYEoBYgd9dkO zoV+?>%fU)ri}K4;D#-k}xkpR8tI5f7Sa}`caVaG()LPIFOqsIR|5#!3^IoHI?)XR1dtjug z@9>A*{;x^{tj4@$`F<19-Hv2G)4RZFvlETn4r}+-o8R5W@$=@Od*t5tnHr8wOjHz7 zEIGpspa|ka+-xG&7)HVYL_>sE-X}Zzj7)+Cv@J7f>v;H3=)ZC+X03Icz5s`v#w$~P zFmzonLVV`_C=S1&#BW(=Zs1!;HE_;8>R8BH(<53A_e zosZzexefn#b!>IImjt4E%@De8u``Ry4S=ske#--!{^%V5E zFKyTeXb6a#XJhl+ZgT8dXQq&*x@p`d8w7$_41KfyhneQcM%x>AeM|$we3ICPCKj+u z!|bPU``b2%QobvZt88~a`9N>lunQi! 
zgMU7pFvI#CD*0CR{VKTy&~|?q#~Ljfen2>ksgq@$H9ntvctds@{rDtQfp*6EIZ=|A)%8WNG*3+?(BNEhZdWn ziBsQzA1j$X%W6+HTsE+)z^xMmJoAQ1f8R0(9$`#(`oC>q^i(KdaY8C1`$Mk?L(h|W zjl+FuL$qPiU`WdVcqAssa@2=%b32k^MgI}gVel>OGlDH~Nw$`?9U$L2hj%rNhiKad z>p!(HC~TE|Ty&WMkjSrZlKb`~30D9xAu z`*s&Lvc+2&UiVMqaN03c!l_Q+s?FS(rlYGG{Z>|9Okc@lM3QoELLD`vDRI_jZaAuR zo+P4#r>=%eQ4qaf+Xi5*rct@FhJhR74;@zje38LrnNlk%cy?m_J*BWPMFJq8q{_#v z-WZG5ghL-H#TUs>z&hTFAm(;;!0tSLiTT9(S1za`jYN=f9*AV z$mT|B1*uwbXE*cM&;ik$yJFD$x!S6XbRF}}x%VCir`LC;?Tz&A3<>RAkwXO*Q2A!k z=6qjEGWHlNuETh^8zi(ZvSPRA7-HR1>cXulV3KVw<5Zv9J;#Q!zLvbxG z#R;wd>e`k-fOfbqyXmk{d*0AMl$T|}Q8wKI#e1E9ggSwhzD znfqg`22%3oT6(5TU>#U1WmIAFSv&7tv-HD#uUoa!H}2>J;itChZ#~;DZYadu2}P4{ z>w2c(?cV2GHDkOJLTZGEjD)wG_1AebV)@^GPf=n@Y{_Y)Z?{`!seHZ11vtsmgDXA* z;VQ0B89n_(BkOFG-t8B?Q5C*`zHTq35(203YxXYVlha*=zj72%1aP+iZBkB;XO7?T za9sp|ohRt!x)T_P20=ho6tw$xiBs^@w0@gX5W$0ow}17*oe=u$9>Zt+>glsL%OKe> zc2fS6QAm6F9^A%DrK>2GCH)YLbiK#s2F=g3oY0|Su6LhgOJ=S?j7f)yysQ1-WEljP|8T1&`!Z?)OxfDH zFPFdR+=PD5h}9{9etq4zph)D)mbSx9p|9=rdB)VrR}!tIR#w9p}|01>Jm*^k|~ zP4Aeli;mXPE{5<+=PXhA-{!jqCH)f<6YB$5#0BnB6v7Wn=VI~|!+Ow!fFlvAQz@Xo zF?eJELt{5@*)-1?__C9~HO37DQblWvz6722N8q(wtkZ4v>_#NH`+WW1Giji#c<<+v z*6K=PjVrdv+Qs)kwN6~eh*f36^Fz~Pzs%BBS9v?1C<;t9X2bEAOdU2Aou*!f7^nO? 
z_8)3KsYxMjTweZK3L{yyGGSBYmsa~rn}#I&cr`kLLPhM}g2WRAW}PU?Ru3bLKO0^= zqU8d|oHi3;H6ZnbGeeaMyp>tZj9*e(=SpzPzLjy7T;8LV7naQW)Db&;%vvYjQo4-5 z+%4+WyOcP|AwT^UqEQc+L&R-|ROzawglP{MY*;6j(c8uAf%8iMzSas@z}WD2Wdn-QZ*9`a(*!M73H$V-QJ$bFf{H zCuQ&4USG1vX?IkyM%N!P6=17v53|6{xTujU0cyJ8GkOZ?MZyQZ3pWg z888Acxe5EpI!naoT_$M)fPlZ>|ID@Y%~)v%i0vE<9J6Wqsgm-~aRzA;ke#jm;hykM zVH)by*+I0P87@#3G5W@79FRB|a0HTLGni|p@6+2kI#!ow#eTZqqJP=g{AiIQrIqcJ z@0L24J}UdCmX2>4Wmzno!=P)>2XgslNM&76jrZf=fjY^Twafn3IM~YNY+J2=%Kcv<40>7JCR|qu5iV2&CC7n%{*Q&B< zcM|-)iP%XTa6=|^lJs>GWLQ5fPVFZ~J7vw0%d$q|OfQhHY$KtwN3VS?+8YpKzkEHK zq@;UX6y@BcT%e~(`8-{fNW>j&c|4cpx_Ue^y22qww76Z$g&0ut!2XLpy;*2U>6FqC zqWeK{S)ReLX1Tb*4|nm9yQJ9vooCb7J9n}Mzj)HZn#IGZWLMe@o~YIM=(e~D6sI4u z`@ZH$+QoBzCBOAsmRm>Jn_`{%R<>UuM%CYvm;$mE~p z^G98!0U#?gwNN|Bwtj6WJ-WI7EBkEvKqI$2|1n^{*(yn1hLk}pg~7dXAXdM??7&^bLPl6mkN zY)~s6tg&y+)g)+ag@KvipD8Ogz{_N$m7-snuL#zf7UsBrdD`Tp{erbA_L-9Ifk;FD zC?GMmusQJjf%NUpE5K3$Q7Q+ zw=MdfgQDkWZS5s{xukeMz2$tJspy!d5gh?93hD7`+vRh2l4}4c0f+s_7FR$VLSH+e z-A-N`h^b~mIO}&c7X})RH4f)uxAmtu;N@HSnK#H({RYR4|1AfFpBJMP3-s;jC;CKORGGjGaj9CG^XF;o z#4#?{nrpGCui6V1wH|lKH25W=#lI`t{Cyi4a)OI+N#;r>Y=LW!;dAe%6xjayBbpSm zKuJ60yX+l@DIzz#ly}L72-V}+kE60jZV`Vm*rjIRd?KLx&N|7wzdB_hz!jwLHew7_ zMl2~Q^yj4R9NPLb{4ytvpgA@fN{{yz>RegGJ34iP zb$u}50FSE1mp`&3?+h&v#51Sd$NK5pTXZ%2J|knsUvks_Y+Oju&W$(GnWdaNF_jzs zE{%#RT@rAMS6-G+{Hs}H*5y!iw#W6)`8oG+3gOoe>*EShO`#Ucs~)%Nw1s(b(HI25 z(hoGXf%dF=q^?KfAy#-$+g8WF6i3tMn<%Sry67{SA8V+^cAIbzn#1*cc(R}wy+61% zKUkQds2uc$Fj%OA-(|qq8yy{;2IoHb!`%!=5lIX&v@}=4&05ty=Wg3@4WiAs>*TeW z@68CnK@L`C*G2nmo;kN#B}K&~Lb+g{rcZcNe=7nvnbkxZrM@_VC1W7)2HHk+6Ngi< zWkLjsE>1!AevXa50$fN8i(5fw=hU`f(nQnAJQ4r7MIq*j(sU&5s=XpNQ>uuf9Ty3c zxXA(&1~$M+X>%o7X!C0O~Wo2~=k-VnvuKfa5lhamvxx`cA(PkL8-ZH4` zaFN7Ifn*PZ+JGZinxJa#HuYMd!qrS)i+K@mz{bv$%{t#D*ZA(_dX|~Y6=L?rIK?VQ zusPiG-ImBct#1zQnD{)=q0_5x5k4!dT&N>y(COa>I}L(JgX@s7L5F48LeZ-WlVPzP zN@s`q?Z&^eDR_>)fp;=iX$|HR>^|nVUsmF)9>Doj8GA&-1Bj(`Vf-1bxHYperOoF0 zEn>vlHsICnHJwsPW7Rl+5v-}NKj2~e+@SP!8VbHVhV&F(XS1jZ6m!SIfrwivK!9Ps 
z4DX(K1o;m0Wb^n!{DuFU>f`;}OD7#zir zpA5L@q=;IPv4Qh{%KYKd{1%#G22SqE)&@*_EK@5Oo*^3F*S6A)c3!`MJsl44Dk!eD z9`3x7_|IH|RwXs8+7^@MQwSbbPpCrDe5 z@TYY)+y6N}kE(#(o;nxh+_KPNYx$SdGv14RW)wc`$@x@~y6Ddc=D2UY_9eLB_I+_2 zcznHRU&`}Q38cR*cv$1UdO^2?WUVHcF=M3fCI|`slGYPkd<^68|J&^}THZJ;vsSov zNxHZGR^HpzI1>YLQvqtUZ+B%V(P4K$M|G)lU2n5(lyV)`ygImdZw0${&gOBzVR95B zfKyD&M7mrvz@nAws04B-K*jYGCusG(2}SlCGHJZvj=I2oE;kPIakJE)I6i-xz4Nt*FlDXsee;`7^Ig1nNzU&r_% zUi~+5@`3uN8Tm#=J#Eu5M8kd$lp7oFY}UKKYiKPrD%A#NtJz?oIR5pav*kuNzI4o4 zzc_!g*5rC>S48an z?(B3zxK4CI3Hl`jwf?Nh5Axc-_4=m?{{bxP2$Kn8DpzMWGW|pmu|$7UJP)*+xyZTM zTiOreI=Pf=J##xrHxIf66b)-Am%(Mae?3CLn}^&4k11f}F%7vs*Xlo^)<_M3sArV- zd(`b>6LPM)tu4G6)ao_VC!B3CWFvZBE7BUJ2EX8!*^vc(@TVILlKSA)&ONU?8Fa}x zALkW1ZxcezNW#7N*|npbdCG+*3jOmPL)j{Jc|oQX>Prt5u0lw=+E?nCsjtok=3xef z>GZA3ebdyZjLW&ZcOwCQ0(w%dczMGf&(Ij9oPQ_08Ayxksz7B9Hj}tsBs)jS#ji>? ziDq#L4qTOJW?{51;~|*Q^@A~&>(joGPb(Zik_x>w{snOibiK@jXdf>j((b-rZHQ0r z_>!dCT=5qsb2BJaZ>{ZYIuCs0HBZ}iM;JzT=oWvQybTb69_l_t+1DUC*A= zXoJ+L>z7VVC(5W}(=1xvq&|-JWTk47lSIr z*a$?lXvIj6uCffey)%%-9c4eEte#dlmsU$s+tkBTZ@NQ(xkX(OoDJovtD)mc#!5d?t z)l&>dZITlE^I<3pUK+}>C!uxEOHpW}CvQ+G+rJDBqwGJxJAn*J^A?)WQpHfYl@bLA zI(v_+@>MeYJY7Ev3(Nk6+AAFuJ@d8lKPwhxoy~|^VCw@axHI62`|*K6OvMA#<#Ij` zG9<9>-r12SX{-@5pf>iO)xB|WI7ju2^V(%F;S~Vv{@rrMM0jY37bYDW&>KpLh+al> zRQcm3P1n!s;&aWmm7c!zB{}T+xICYhBOys~%DKhhuQ|BRFZbesJwOcoi#{isbpz-_%JeoU zP)yU0|5N~c0laVaR@+rz;%>-7dE2i8a;S-2=O&S}W^k;TZQeXR4AA>J^gcBY@^gsG zg?n|K$DwwKiFdU@ih`r+{6tum;EHrF&Qp^9k(X zB4Bv=fXU7X%YNJ7JXq~HxQf~TtrNjWjOlYbPH-tM8L&qK!yf)~jy{V+IntARC9b4d z5&TmYpks=WHX>rhGSy!(F}0`m#i(6z_afyoF5^pDE-ilterYrn<;TBwhqOiaNS{rL zp9QbS=K|&)9NpA9lnteAm*?lOLWBM+53 zMyDBMo?)D@zo&1$!a!GbI zLV)Vs=ZRzkmNXeTF26vs`)WLEof%0yLZ|3jq5a?bVOHkqzoM_=6vK-RGcs>#U}GC2 z)LmtXcEMA%%55yfVY9a~vI(4oEG<*=Hevb%A=_3tjX3`XmQ~l*#&8|EGr?NZ7-{c* z0}$NmrkwTm#nYnKt5WQF(1KBs@wiXpW6%GUJ!y z^X-X}5YD9fKvh~S@Peupwcq>I!Ko}VZSuFh)^eruSWQHtH>%1rM;6+K2A6Ib=t2j zMh<%P-W0j|5$ZW3CWmXdVbuM!kpIDgUV>tMwImMWj9^P$Hg!oN1>P`c3DjY5MU=Mw 
zR#W_*p=74e`yrLGPjr=y?Yu_Si-{S89`16$4^2ytqx6)~G!1IGZ0n0o{L8__8165{ ze@zg#P%rCUQrS&%SbmYraQXR9cw7xXpWi55pPikO<>gLREw3-osn>pEfwdY)(zNgJ z!!g_a8@ngVcMo4!U3^94MsVNi79$WNdaar;i%?uxq(wc<>AgbIb}hgGH@`lB~w5Q?pIH@%bTS(HGRmeUbWdkKbzPC|kf@I@b#)uxCvQlX!JY zGg*g93C@Us3H3{dSC5Y9P0)i+|LWbF=HTwoq8$^pIdrPEhrS#nRUpOkD?#Ye-f=)+ zUfR3mR*tUU$jE4afty3#`!f{}jHc{GYRy0HwmQ8l(PVEw5*EPUK;ehReqq4;shLH? zjFr#M`CP_lOgE7MmczOtq4h5izseX;lYP4(=#@}s`#B%bX- za6pxNwgh1b{tw;e!JelrWMDt{@i~K(HQ@;%ojEhxW}z|US!UyDp=A(*dGp-!_ymUw zzyB=vA18?%h~7Gx^#BheStFI#Ff+_JDG^~rJwpTQ}D3;g(c*BX$d|GV@*n372RH82w z*3&417xrR~B{P|!eIF5cD(BTwqR6Z17x-?`w}6ZCQpF!)f>pZH3}(e!we^qQ2R5;}-2E{?czE2n~%_RrL~7Yrl1h0C39x^*%hw$_;$Npgu1xv6bflUvPoNcD(C+mX3&bg7xaqI& zAb15l9QzJ?v-*%ZC9pU6oKCiUEzM>d0JMo@ZV!GUwT2%gC78X4++Uvu=8K&B24l7+`cpwtXfv5Mhp)sXRKc%bCluFAg;PL+9 z&24c}t}UHO7qv0{O5wIHtuTKZKd!$wE!7BEuQ1~OK`_$ zBr+#P;!!06(2t53iS}EI zv^lMO<8C$|&3Z{N-~FWP&<)8*!y5}m@~A+QlM!X^CxQI#GXtYcojW+%VyVpSul`%c z0hzR^#S4OOMt=uD8{eq(jLFr=Kkf+D3cpw-H956E-Ck9y`SB0hCO^ZRpD6bou!3MW z%ly=@RIB*2K8N59TA>8S@`P<|A29%#fxd8I1&kjbj=cgOtoqvzvk`&&bb8}UxC;7s z+3Z+Q0PV8gugKPKn{6&Bxn3Z=LJ{cBU-zWZ)& z;c7#cC9&&vjual(rKOEk#k}3t-d+khv_Y1qSLug0zsqVS3g#K^T08S%j9x1*1A|JX zRILmrA&}>iWgWf0fW6MEU7cSusVfAnC=mr3v~aOX1}?_;?RgGR!Vjx}NyEUqn62@x z0w8DVDF^!i2eTY`4>Kb0sn_Yxg~+8DyZtvo1EK3gfffkGBur@!U=ohld}?nDX!X0k zqX<1SBzvQ3dRXQRL|$yle!0>^?v+3G;W6vH#fX?Ec*}l0sx9c;MUo7Dq5ki3_7D*h z_?nzq37gg`&;x`UMNxGodY8?<>6hvSM{e1Djf4RBv(uHz$m)j?CJjQCE`tbJ(BppTf`RZg$e4Pqt+f(aL8O zD4CG{j{A4Pm%P-aAdvG{z{BDLBOz!{$$8F{uah3jJZX}4)!N!OV-ju$r~A-xy^p*) z9Bud;Jj$hZR;;5Th=(2>s#d*$HBPvNl8Rv9H+k;;jq0FR^+2ei2US7pj?gX`e0Kf>o>n^t}kYv5;Ga29TbGiX5B0px&V6bhJ5eOGIoPW{8dJU`KPW7z&9!n^&R z#~*5hnS`e18WzEhEBw#jY6SYqDT_(;hViV;-rpZXN|XeQENWcF_i#Vil&HJFZxUD@ zxp^w&EQ)s%`|-AZ37>?-Ill@uhnq&6EbmG+OF4gD zmx-zwQSB1|30sp+KA5HaJ6^5QO4bc4h_8aQK{aOK8QAR6BC>yllsRMkoOPaSGeG)^ zRXdhh90f6G{7(HytQ0Ed9B+qg6v$eu6uPU*Bw2kR=~Z<1$uPsK9bs|#*G8%7{!JH=wqOMxxtg06+JwTfx)bE=f`QSSLM|2FsKkuh>RzGhxuxBEjCQSEBGpn& 
zLV#48W=GZoLbd)%@DBy1UU5QZ8}QsJq1Hw~ZR(dry)JUR*)g2dC9wACYdUMXU2TAa z{1vX@*R2rUf5*deq7Pt*{f}Pke`=xS)y!q=M(1lQD{Qb~7k<&6nb>9Dw%dnK4nhIX zUO?QPBK*e7#(rIVv2fali^LCyzoVSf?geQ3wc=Wf`u!As^&3w^p*tD7_c{G|)Aa!Z z-`g*O#N0>(3S8$K9mbbmu#|m)OO5?%!l2Agxi!*lPnA%5k^rOEX+N;+ zeU_vzVB-ZDMSgesEfg6}HyatQX+zNHq`-a0#T6=GEr2gV1MP(#Dp7R~)tIzu1O%7k z!@^(hg}Ueu7hBAQ+e&vKQhMWf{0MRpJJ3^L4=Mc`+2^3QLeXS*;B5$iA){o6q|dX+Lat{zK>@;-5gJD5b10Bu7{#G0ZEK=K9bK|URsT=#-6 zO71h;)KjWxWezpGYzl1b=f^Dz@e@3h)205S&NaxK`k9%My%-|LX{5h!t0ObE>(5 ztGN4PFoE}RUE>+B2~HwX2k-LBo~H<1A%-7@H0%P(xWruqZM=U^tmtKDef<*1zEjVQ=nwwGGa8^saD6!%N&*2=>HW^-Rq)ZJp zq7<*;Gf=iR7U+e%yyQt%n=mQ&MjL6c;=k_a~Y)9hZT@5dr zGBf1+g-)6TMxRAvErj07OL!DEiR%G?8QRM_QW%J!9ReEDp^6V2tkRQB%-wYai`&JT z@oj0vRW688NTuh4kB6Pa*_N*dzO)1P@@{q%RV#Ap3Z{&B@_}|%W=P39*N4kL(OhaL zbNG~cAO~?^`Z0!n?tr=y+83yoV_J%uuYvsaXmP>>No~B|WH<`zi?laP5Eghn`-wd_ zckD|Y1$ld!B!Iys&=~?e@SERT-7GUuqwNjDM(iVbe1$Z>OKwUt4a4RXOl-C@^QH!o zx=-XBKUow!cs*Wj^vY9C^I+vWylO;21`kpsG6I*sE%%qp9L=)AF9 z#r&E{osPGM$+z&m0P2^`XDDrg=w0il0{ctoy>Se(U2p`Ay=!+xg}f+Cb4{tYLNtpj zp8-E9y!ft4w?V&lKc=r~jn~(#!MZq@Ttr>hezuePa-7)vu-JVy**Go4wbsztT4yHu z*2`CFG1C4oYMGNH%K6nISl7Fpn4!SCE7xl(iz-Sblwh|HwplRk>-m$4>!FDlx@`*E z3-|816nx8x(PM9X`emFAS>3>9ir3rO^3_X>-Aupa76AZQb7eA6umtT9^g_92) z`(NkXC?)(u4^{w4^IoW%Kp|D1c(Z# zT$Bo&y1WYlNS`a+&HjExvCs6oo@>9DR~y*ORwB@58?ds@#@T=GQzJa*7QaK|cw+6l zW7mK`k6wBS^1PVX4!H1@XSu6f3HMkB>3yG&o@QF;C5PtUaMTDeGxt%Xgy?e$1}%GL zls>3i{$z*hjwe5ynX(aAYr4(-x$IQRm>V{`h;Ca}zNzS!_I|;R-^x5b_<3FBg}s~t z_xs@avsv1lVdj1wBwLZ2Kp7)@fbpSqAXG(h4CTDAa)HzW(!w;POp-jT>f(MTqp|hv zS-&G_?Kew3{9MFDYhEx>*A2G3z^$A1yPs+76>wdM9WBlqYO~wZGKSWR?`LEBV|l~N zQp9#gjoz~?_1B={POe;q+Ho-k2D_`!Pob@?4XhHk(qVkm?NejkL3qB^k<0zkf=oFs zbuUcltXSYG%~@^rLQCg`(N9@gTSZ=7IjA1-Nl%90$aqdZvkFG zsi{S)1}y!cf1j9h(4A$yQJL!jF693K@pIierLuF@EQezav%=hzPft!@(idP%g{giIe8ReLtc;uHGc30f-;3h zK_toLGfFoTqd1|#WEwaQ!OA_{pb;WAw6vx8BFKW_dmmuWfs#})^3wsuxZb#!P*V1Sd8C3BHtZiF8W zrt1xc&8Fwyjh(0bIv42Pj7%P>2C>Oi-c~p%?GZw?jSCH}64h(o|1nkjJ 
zJTEh9!?T)D`we85_n&|ehh6MNpW8|Ha<-tR@N)lkyek-&ZmTKMvF`O4!L%BgGC>WH zb7(qmYoR#&jjAq&1%0L1U?bskpt7BNjH~O^#L(~Q9ay9NML)u;AevQAbbi+x(>N_) zPrdGxqe3iHt{D2v+2og13j}V3T#Z_&30@@t_xwSRpe%aZ!>K&BCg)O6N1^PE23yGga!!^e*QJT_n~QN)?5hZ zpYFYeb(~Q6i_-r>XMbp^|2UQJVqpbXsPtP}CF?5OPOu=`Ml!?$O11QH^GXZ57!7w` ze1w}6ylvAH?(UbgJ1Thg81nhSY4qdD{kTqYTy3ReJJ|>2ILDp4^EkZ;?H8R%-_$VE zLQPMyv1nm`RG^TtwoO$X;n{i@G`9|HF8mf*vp9$|(mnUNBv&evj#}M1%;;NKHxIH% z^Cnh0Az7zIVj4^K>bO!znLNuB1AQE3!Cg1+Ao1Dr8+Mmd?rG3lP^-nObwf~QpkSMP zEXtv6uR9aod-90^TY!hv(HV|(_WfQ8Eh>XR+WMg< zwd?i}KVkOq%8!jq>X^#l?3(O%<#}B2_Al4!_kHa8NOi=gKf4wbvj$iBRPVL-V^jiD zX0Qzik&L=(aY7$PyPMRSg#ICU4s%K@YwOIvyV_p_W zgR69QQ7|wX>c<|}y7heU9tw+c-XIhk`Qz5a`xHy$Q31{_UYbx56PBv7Yx>KFJ@61z z8nr2*@)==yV~qx&zTeu|BeCiX_Ed356EbUoA3Nrv9lz~5OE1&49q#SfgsWs`OPQOM zBm$GC_QPo_WA1dFu_ryL04ztsWmo2B=r_ouDz;^d2%nl{e8sRqA#LW!Nk-svWKv(H zq>syPmIMob6OnA5g*zKGe^e=HIG9k%gvozTxB=l4Cri%Y9rvxv|4G<3zN+mpe<4Zw za#Xi9PnF}zBhP@nnC&i?Cj_N3k1O$lv!tY8FO}CNpd>O0w)4J1joD8l$fM>EvMo(5 zV)NCo3QAop>>xSx_S*G>v}`&a%P8Fy24iXe#r)%`U9|gh0cUwFmlVh`vU0qbwr}HR zjISM9+|Wb9Y3pz*4&Q~ucJN$6KK9rW?+Bp*VXi%!J5ik#i1iv{h}!h9X10p=K*0{b zm1kOh+D@*FW7KDu-Q6x70UD|OI$`0}ju>F+vT94Vw5Tr02p~`o#E^ZqWTbPdHYZRSp(l0rlBi z{n5SB;#8=~ed>bO2(rTwweWbk42p1O6^9W0!08USZO2ObeUmcMo`}N1#+C*v72Sn- zU$DsFY48Km9x=f$mG=MI1WK9?ldpyEN}oBB_uw7${V(H_?C6_x0jJvW}0FkdHkCM@T}bX(~|e^#yf`Bw$VKT z%ByU8h62LyB>5o~i$zMZb>vQe=pts&hLGN|(>hS{=()+5nK|d?%t%Zjh&diEGQ#GU z`dsXg@;k}W@o|rX00RuW2B)Ilg1|y7))`f;6sF&@GV+-LpJ>XmZC`lwvCz}d!NOOd4U|M-|0>@kC6f>Ud9WZRN@&i~p) zN|(+vPuDh;(hASTk^$9P|I>lhvFW57A7}`)sEKrhC}`zH zBRg?EXlVs@$LzSW+5W)Y+g7YOTYlj)X0eD`e4ef zEZ`+Z4rUy}1JlnS)APVK&?z2^YKM4vdKKq+kvxsHDq73crDkOOOeQ+C+a*2YYJyuv zJA(GW9S>)%57?-g>S!|K`L=j7jCVexmwc+3l>cCRI5{RC40|3QOI{H=%*rLc z1Iy$<0&1$32x&045{4*~cUP%RkX>iFFxjRFb`v1zhtuM&<-}tL-s;+x^Lh=Q**ErrbqXi6M;{qr+|oyr!o%_ zgM#j4zuP3)dv16H4%c@}e7{F&F9eexMiA)eC}JkB=8&8ueUhW@LJZrZ5t*CaI-YtU zCu8bEfGcH(GYzBlX0j(HCKYeKr`(Ao^t_cPnS%LO0x+viIuk$1ose4B5d3WLpP?Hh 
z_(}FGfjpJ5dbQ%Zc59S(5oe=NXU%oEI?B)=!orobbflGpvQ=+UzV1C=a~1aX=-yvb zWF1!E2DNH%c#cPG+bB^AeS59!mDj40wTQ`sLWSpZN0sTf2h2_I@jKuX`ta z#(3dYqAXw|JKJbB7`oPTY;mXe^Y07DhHu*Cy2dN?aDwsdCjw^T^6R`6#$UiikzPK_ z2nC=dajZC5tOV7rdu6M>?yqN?{} z%6A}WeuJx}u9yG)x#+m^)o1PWVXx(_lrONP{Nt?Spj&=4S-Z%2e@AceiMtg8DZwO2 zf=lLdc>k}jJFN3c&rb#yHOro4Zx(O3gZ;#Rn!7*fmYNvB_S&d~aB))NWHa%3e?ub# zy1Gq^ea{iI$C1&@^Unmk0rjhkS@Q>POKhU^LM!TBN+9)_M_a8$N5lPol|25eR_THqW4gcd+Mp&g^jsE8l2`;tLwkf!9qMBw*>EYqRI4=>@ABLqbm=A8TED&c zi|3K5zGzQzj%u&v0w42 zPFxmHfsX8ixlMWw(j+=(NgqBxZ?IG1t{M?4?X^b1o2?L*E9uav*{F7yOG4yelyxP2 zx_xnWNW$RN#CSe=w+3AL;1zyX6vl0}6suVIXKP0zFs`N5iXBVTP@VmJBQb0c;5J>c z(0VhDuU+6ICv;WD-lPtDol#J46>Gqb|Kiin`R9$y)eQ|Jxku$z6F+ez>X|yXbsa=E z?*Bm`P~7++9vxm<(jnV1^YoJCQC(WvYxF)Et6G$@w z*m>GuckejZwN~SHOjm${Su0yh+pkCFLfwJ=Vf0Y!nZk8wKZAaq*-!;=b$mGf8Qfiw z1e1QspTSA5cShI^wFaH4>>WH6_#cCC^ewYdrdyzu%Aw0YLxzyI?&CibXVGUl1UDiS zG@Ct**A#yE&)EXtbbDzAn~bUtgTqB&pn5L}*nx|iWNgBozW)}k2D9t_ys(Dki(?YS zx{p^I#YKNhq~2!Th9@%l$q!W~S)9x4#KX}v>9%f1WyASl%SMr9Binxmxi?|nKUJn< zm#ciq_zH`j;~>2l%Mua!_q948Qaw|c(Xiu+vbFmH8eut=YhZ5l)_nS9JWmWNpzxmn zk^jWS!Qh!Wlq0^8Z8yH8!T$4AO(tVGTwoxo>DaVEp|Kl1>o$rh)AC%Rsta0c$PF4z zyn8O5^|A&aOy=Ww`57ZI#lh(nWQjMLE=FghxgjOuCVv$1o^fJMx{p!_hrgJ}KvCe>-9@sv^69N<*O_ao?HR!kQ0&h*TJ$~w~r)qDPvBS(@Nj+O8u-r*AN zr<~%i7PbDV+x|EQJ{P%>17{TXct0Y#-=W>Z^y}QyHaH6)X{^@5-l%P)VwUV1gSGoz zTUM&O`5z@ol&;g7EljegO>Q`*L(BK20}Q(p?CS#7th&cbvkLk|bgR(`*knjr`6VHW ze(zwkZCL!wk=E**)zj8na;-aF_%PRUPlt_}EmdI+&;$7HSA z1U+AW*bWa(QnHBLSJxDqfr`ep{VEb!J4=UC&&22~piU`Xup101NDd-$$$mKe8dzT! 
z6r^SOef?8)@@a{pMY@pRdQAO20@D7tvJuX?IbNIOxf3TGo>B40RyXQ8ZY8(eTwBuD z2JW;f(%N%jgGYny)`N%3neO<+@R)a`J>h@z_MCGfJ>nCH#p4o4-~!B<5ZAIQs#j?cVlBcvSgGoc_*y9 z;^Rf~ysEG|dpAT{09p}ZITmc7sVmHErPEvydyx{6@2j~4UT0QYqX^=#9E-4~_;1YGM#+pj@{VJ)liYWe}7G@j^PCvKehvg9^=>v!GJ!DaBd zSNGs=b(+KU?HGk4dh(W#Cs@h6R5Q!bwx_uA+guB!5nbh1_gnV`N(aw&VP?yn zXZwE38e7zVe0cv|G^#BqdY~p1KkM8@Pnu_?zqu(@ugP`i`ohd`QxnrD8VO>LO)qzw z&jZ~BD0*32U9SDkP4{rT^6*~pf26}aQBy+!v{za4rZ*H5OEJ)yL8v%qlwHtc@zT6NrJTb)FM3-_*r4v|G|)qh&e_n7t(* znMUAYiMw7d8Y-yqtIcg%wko6#A}?v6I_z&g$*lj&TELegv>vje|EoCWTyu{b0r(9M z5EF&XF98nUEp488hzPYv03`31X%*Udc$(PB%QD{~Z?9^qq)@no%>A;-u_jQ_b4)Ht zN>$-mMCLZLjSS#A`HG46tdOO`@~z<)C+YdY0vg`+qF&Vcpr}dm;W72Ice@*^l z+VuoenKZnUF_q{9Q!~lxG`28#S%-&w`=m3`E%M40SR(DAlZ8vOQi``t^Pm?N>dTqj z^%Rpbr6V)MHM2@XC;vU8Fu(Ji|6r$4gyr+F$XpwO!>o{co=7D3pd2NELbE9COf#=w z^dGBF-=5$o{*a#$@)wi166mCl_h&0=7c7ta(Z(E3Riztv@N<(Mx@4r=RKdNp}b3;8~svr9We0?x+g@8ZaRRu5LJZpbE@VIHz0!}

GBv)|4yd*`5 zpGDu_SOcuW0UZ_qT5@k19zswzyeSVR%(_2b>{6Zf7(FXEB0b?vXz)Ba&t>%Z+U-ek zMbrxF*LJ-mBbt~62LJ~9qhawiB+$p`MA=THb-&Z|xoDctMd1!gfF4*^-RvR|$x8Wqc6TX!C^Q_Q z=NA_lBL&`qaAi5)gjqdAs%EPb*PChdut5Q*{;xDcY!x?7_Vx`29nGRgcW}aqMNqf( z1pGtH!o_y6DdAU3fzwzmQg1{DeYD#{fpAlc?j=v$!siJFv8R9xV=o}BO9C@8?%V5Q zUE8iWtN;HO8nB6S1`|G_ZpQXXg0+HATHTMAqFX~=&>HQO25zMx=_9pq%CA?o z6_*$t;|7n#OK9^+(%rkLjGDc&m*oeeD0V7SkyNtMqEl!sb}SS99)FXj=we#!t}ZsR zOkH&Cik5Ep$3qzPx$0nmiSn=#%9OgB?($i7ZP`a4Gd$YtV=2*_vecI)z;GOA11_v7 zQW+$*3QWdQ(om+}^FpnZZAVAD^Y9d`1WzN0i0sQQ7PIlJ zu>UH3#!?0&M2Sxj-VdmSrZDHZA@On_4waS^=f4XWf}1cGGjyMJOnQvK*vWOsjfi7* zszK8m%KpUB?~90f3WdTgoBAAl&=w8({_ZgN-n}T9*gcGrJy>u5XF(9+I-_BdUQtg6 zZWIL6BWb(2!Dh6~r-=R?_EH8*x9KX_Q5#{F zwDGsMNVS9QkUF3_Le;V-Gtq5Lu#ZwIHL7VC&Dg1>+;w8t??$Pmb8u1_9PRDt!I+It zP3liJ-^WPIG{e>u_5U;L(eM(hEbTuevz))``%{m1ZIYn$Ok}Wg4c7|v1+AT*Zo3r z0aGieeujn5gE(qqu*eR%mF7-3yivKaQ?rQlaSsnv_ukHXQJ?!~(d2jYDrHg5rGLwy zm8zi`g+jv-b-nDu1xEjethWqnD`3_|3l#Ta#i7vRZowfGcQ0Ow1a}MWw763sxLa_i zxVsdBQ{0L}aX9(z+54Vz@BW?jgBqO-N~nffgik$jrAU+z%u zyzQfAQ3T|_+l>6Za~^lrIW&;num9}JHR);jL38t1z%G^gWkXf|-Q-!vKN~pp5&hQh z&i8d2DZpbyRaDb3Lg&HQdjz?T0+i#*xVGQ<(+kI~iD2^qFG6SGD%y3vitBgzKWuV= zh>?Z=EH1~4-Axw<4G#04eqC=}?fxvl(QP1qFur^C!;RG0IG*CCbhVsHg#AH4BqxaI zR)i07^V#r7uoy2Z8!F|#5FI3!+bRFur%z6s!S^n^L}`C|%I|#Ct5-<6uKAv@s2@3d zShae(ZjE5^qL8!R=SJ^|Hm9kufHTGpWL$OM8{3T!^8S-51VYry7pDHbSIY9;FLRK0H4X~?*G9)TGvd1hRQ(@S$|~e>Z38j3#ngnX zFOmo(%qmR{RaIOjT^L#*H9;c}ozseh4R1U$7crRxQQcBMz+g6DVw8cmc?uml&v8Tn z;!HRGJ5^5YD$xE6sz#MbL3AZ64<$MxRiOF5FH+kdKC6V}$%wv)?D|KS(Y7sYGIWAd z+!yfUNofO-dASfarvzPunpVNiDnsMwYk^g!ZvqQg=B)U%xox7E0(4Nsxk4gBed`g) z6wYgt7J0-7t7H!U7{hqKz+L#(tK=yLC~D}r@l%Ce@xuRTXEmRZgFcS-$eO7}gq~5i zRlLROX=vYJX(AaSOTu!nu4}M-uMO$ad9S=#S;Ga7o}kR49jx+_&JwQ$qVrv*#0}F?Y!FA^(e#2*37f+)Qx2EecyvW?f4~DOt z;?csoEM0u~P?J%y6@K)9%Ntl6iUQx z+v6{1Zp(9vK%bW|F5_a*)}$EIFf18wvM|G5A6Ug)nJ{bGV0?C(Y$AS#3if{9NHBMd z51JJt{S0)f0lmR}oBI(S@(>Zf1iLl1u;6;9;U)1VWn z-)-B%0S_p-ARj+v3*h?fX%)5Jgw%w4J@)TJSYwUa2RjWu80AgP!<*4<0`4!}_4|MQ 
zJ36YWaS*Sg)_fk>PjC%E^7D!ruAI9&-x7Dme>nb?uIxRv7?KqMW4zg)z4&ib-QiLw zL%2C$L!3(Gs7{NHOWdD&=-Ug{-u)uVWyGiO>Q(OIQMlOtn2U(0^xtmo_-tZg=-Za9 z##w`vNL%DC@uT=1{|$FX@;)iCs)i%7~lS zUj&wc789n^v~uJ*aQJ++iQ9oGeykvWWa%d--=1~AQQ738e+E0UvA@NSHdF{b7QBXa z?Vp%IV~md_-6$D*akCN=zhzKOZrr~Z9r)LYu0CS=ytHgxn<9v+iZDC-4_Y&fEP=8! zXtolDUcw_VUy|R9IsVr*#rJI;C4z5H_f+M9sk7m6B^^=RfPptl$P;n3uZQCyQ8W{uPAjPe$MA%q}jH+@f4t8%v)S|)PJw9;k?>pzCT z{{&ArpS`xYD^Z=TE{P7G^#l)`xuaNDp;b-hPKsB!9hQrvh^M69VYX=QUw)q2TdgfK z)Obu7^@!nTSh93^6|vGmaj%d1Y$a6j@c=)))?et zq$NsWQJT_Kxj`rZi}=D`!r}D+^URia3d6IIuTDzEJY=@}pHr`+i3%LWZDx@-VokXn zSrrk@?a&JTQYxm$L6@Rb^+QOMD;7?Xad5p#uNVFSg!-}VG&;KF*w zTMlVkrz-CSor8x@Wzx21i1cmk!ajwMul2W|)DnyIz>6__w~ciR&~oGQ+w4Pxa8nuV z@i!q@3pD6BO{Af5q1|6(QSAU;f(wF)tjEK|i$m|n1_z@7z+40wp?7ue{WCQa-$^Zz zEX};(;U;Yrwuj}T<*UuZ(eoS68;{1TciX?d508HzAO3smIn;jJb^GG!!@bNWr?bm}$m zjMI<5;=tn8{88w#jB*peZFnU26=mQWUIOgIJO^k~Bdi#kS0E>uyWU_(5C4As)jqv= zEluO!!pbz+UBzm)F+~9Z^CBT;ZfD6lP0YF&wh37fiTO){toh3&(MZfm&+W0x>4ht| z5MKyl7jZQ#2xPuFn;g9-U?I{)tGoZn0^ux@6aa`6n*B^VP+?~z_OC2%c;EQJ4D5Ge zp|@_(pT2KU*B%B3{@8VVguSi@C^^|oUww`sKFUf&7E~*3Q{x3zalHVtHQHDpppz(f zr8ExcfEad#=tX_s<)rf9V9YNdFoO*4f`NABc4vWJ@u#Njp%oFYMd_ z#_P%muTSNC*(Nzkpkcfpd93!>PuXL5VDN6^`#Sf7Ei5R zlb1v==iokEL@Q%^FJ&8o`X^f4u0uE3ahby4msJzH`(KuUE}c-f^;Cq+b^cFisZ$M~ zI$tYmv|IB9Alg-G-yz= z+_B^`_>4Z8JleX&V0%5|s$FzAgJ0s28;6d4I)$cNHnyhYv0V}SjO$fH&G66h>l>B> zP9ET*i6#^cXWm8`)7?7+vWw?9VxT)`_*rr?OXgi1seTUcm+_nZI246c#o$?_OLgH& zhkjfa#G%Ahx-3p(7((en2m5|UMLE5sx7?!k3>W62{Y=Qur(xd2R0M>_HFAsXOz!>+!U9>9J>bU$jEpWE-oewkx&7-L^$Sl%cEKC>N@o zTz|1Hj)+*9$!^kO1`JIPh>2>)lirEMAie-D`MG0pz;0}(HV!k+)sEb2>PC4lh>J$m zqcIy|AwPy^FEzfY51~_R?-mmE2JEH3TVQ1-|TU zSb1n{bUuf7?El&@lm75zbmkl3d#)S6l%acG6kf7%sXSwtFy+5jz_t?hdeZfXyCWcW z&0%2vcL&#h|1~9ox|1wH>^$zZ>}mY<@@nSE)K2pmwQEkKSr;=oPJB%yN$B0%eCZ8U zzbDTXq1M;+jaSn9MqK~lAO2go;;j2q0?qm_tvRpA_hGM()NmL2Z0Y7h)z{x~VwSJIu2ec0I$tPXlrOi?FJ(uBU+o*TfvZm#ou+ z2)G1NewwXha`QQj+g`Qw^VkYEL3>Rxd5m9e^OIeVan0(w z3G-}nM>)PaFX9N$7JF)^#&>Y0DoNuNReV@kf1bF+UepnVCVjyyGwJtuXiM=j1hpR3 
zuDE+L=g#io!VPPmmgyYYYFj_Pu82Pb4BLcw%RG7dKQ@mhsfrM1N5%3!D&>E|_aS>y}0FN7(8LQH8ZDZ4inYcbitFl=kj5R&YX zbGBD57r{O&IpBOPk$;b}_p}3)8AJOkviMJESn-^}B4yT}e?p^z9@Y$8|E>dfJFH$< zCuSE3)MsC#zRsGNU!aW|vKHf(-HxV?UU8bs#SWX-MkNjl=d9-y%D zwj?5mOKbRD(4!n{)NM2WiRSvl*jh~5szt3>8huk z%~WMSvmU)r`9i)9q{H60$CpfFzk349dH%@btp8kUt0qjf0K8*tYvvHYj*qf)z2-}A z)f%E+#AHWpvtacwa9(&$6=<73)De zBZ|63>gA))1KQx{8{x~N3diAJ1MYT@Q6~oKcY_-fMHIyCL^_;98z&(+&VQH-m?jG7 zo>t|QsbmE1qEC6mg6#+QiOv6A&efeCz~mkFOk3kr&UI^v9&Dok0fwIn)g|ydIB8q+ zJ7oe%)Q33`^9#tUD^JOy>_=olpXkrNRpq@mN*qz#=Dt0EC}nX3>LwT>Wi7YF?W->a zpc!=Ju+a(#D{2^Y!9$*&(rxZ5mN^MfTY(}4lKg8-HJPxR;}=%h8NO(FX@&PKt-R{ z7fsV^%cw2Vj40dhA5*K_MSj%o07n?_io+qxIcH5kpt;s;5XnxUI>P3!HMb#ju%tf~FsRbAwOx)T3kQH}B9k}@C8DlAf zs*6&;-8qO1I?Eft-Lw_pDHod5qNoB1RH{>->B+lw9blLyj{UNYO~QI^Kvo@aFEypy z>@mT%Dc_`C#L674%`(=RXrz4^3XO)rwvi9pg zMA2T3PLz4yGAkdP=ojubo1p`8iziNFklo&r=x7bR+Ki~ef9o!FBcy=vcGa`}O)F*F zrM<3~<`=;pD@8qW1Q&Sz;Q@O2trY*kJF}}icYz=KXM)tD*e44IWOI$S2Mv7z!maJx z9$?HY7rl;v8t3MU-~uz!6?a<%LB{X`KfS0X#!!Kp8waGv^nJDAY#GVhr@sv%p`Ra0>?6?z|`bqEqw2z0M)+t(POU_ z)t#2qt$Dq3z&o|I*x%`zkRXS!b4?0wGX4L4l@*c#!bqo8ArI*45d%o0FV$;qcfP{S zEjJ9YDpS3x&5$OEv3jqlX)y-W`J|f3a7*Xo6jhj@Y_R@NlSq{737!Ob#z2*=vs+HF zYrtYW+v(T|Xq`h;Ig|fgl)%U3jWqsc6)L^#fvQshK?hBT3l(cYt%uexXAwALA4PLJ z^`MdoJj2rG``axq8W)76-_p5>$h5*u_}?U-{1~_&`QzD!C3XGS~HsJEc)#w_hD(^$)Z@qum@D zMqIK@ZK(v3n5Z4M%UB7`IA;;D$C+>A$)W@Be#p#9y^`+65s7h|W{rpk3aNr5|~ zR_E>PRcX-OAhF5^Sz2G!W*OKwzye6^=lVcDQLj4rLZ~f__o%m&fJ6Q$yOoXta*-sMiW6aq`tCw-bG9?I zmJu2e2ddC3JNc$~?TsvbRjCA_OlY+|CpX$OyV}Coq&wJ~{LQ@h(nv$VSg8636Y*+E zv{j8&(P7uU^|dH&>_+t!>I+v`C82r&6&OQdH{)lb9e8R~_Zfk)BZumwnbWb?hH7XW zCwaEGwSnT{9fz%di0smgWmVF|_&Am>fBsGO*qO{~mm7A9ZNL+Q+aF7^%U zO@v_Xf&ALe-}sT&#tr=6QGvGKTSuVh&_1a3(M}BcpwB~3q+gu4v$(%H`j^NZaG5eJ z^?@IY4eT9*l&h6P3#6u>@h7Rz(Hcsw);ZdNa}?>5uCq1s1_T9vxLm_YW+y@Ukf=}JRZKa4ix-x_?*fnD}T&`=Qc3n);X5=04qCHa_ z@oAp$0wAZWPlIgm-7^2ll$sx93t=ZZ9o`KTsYW8tteX`UVQN%~cjYK!e%$ z$y!iU*NQZ;$fn&MjO(RCx)=wRqBKU8hRHBCeHa7bF{i)_ko)7^ 
zovm0;Ssm=rs)KYU<=jh{+YkPDWG%S@#vYHNqd5qj9K5g_uQQ^R2%V_z2`4e9w*MMV zAU6e0osABRgpX_K6#g6CH@}~wPM8YV#dPuWQEsYP^Dc`1AaGf*wzj=}K$Al$P3x-^ z$yjWA3nmRpNsfcwiU{=#4gH~`DxRH$+HuTVJlChK`h77rPMvS$gWD>9WDCXJHj?)f ziXoN5+$_0(7IPK-_f9602kEKX>*qm|+n2V1sw#kxbtto=Gn64F-VInZg#CgX6wfUL z+pMm4A=cHKL{DjoOW0{EuMvsT6txa@cAE_+e1IAVz#0>#LlpRA@ zZE?5p%pttkoRZN&dfTf)62>eI@BDXOI^1_@L2l|fT*SRuJwf`Sp>qj+c{rAn54IOl zKO^;yj+7cGGL~}q9#l(5WBJ2>)&Qw_-w7X(SpR{$mAw&~i9d@{_kE+LJfoN~FL+Tb zuYt%e+`Da&S%DKe!vtjBgg_ZZXAoE_fkJ^D+VG57iFc1uSlGvJR!INi=$FbL{_+sY4WUMu7)l!>wJXV=4tHC2)5mu2o(g%ExI-~p-!}#dc9O1lhNVzD%U?hRy*8}B|sbSZ+DW%+?0*q z`TaQqF8g5%Es2x-Kj_7a$5KKZe8hke5TE_l51gf$+M(il$-2{)s@g%1n5Yuq&K9vd za9C(av9k;?epeO2=N7{J7t#`ztf-;f2Bd6D?Ym^ndZG=)(l(-Xpf$Rd`jM$A+swCv zOWlyb1N1(el5gge|MbHFR_vvU`&BW+s|%Q~STB2A+917D2KmcD&O9+w0^*+xGFG}C z5mCNDLB$Jj43ASOm-^mg^0jXR33{x^)N}3_Auitb2FKXN8c9;GeS(>VfgY<2}q;-aOXML zAI=fps7zc~L^*uuaf1WHxQX21k6PsFZuEoQa#ErFUa%h|bn98>lz9zgo8LtkHmzvZ z>K5ec*&BEIFc#ly{m^^6u+vI=il*z?hzCW!&@eOd*mpoD>s&i4gRuA)lt$Zk-P~&Z zQtu<(VvH>)g$$^kQ0(k|!o1w+BiY%+1Xi z%$r$bB%?)m4PdM@dc$(-Lp_|0nSp%kiU_${X{w!RpLg@%L2aZ}yxyfl7njeii_XKl{5=-!Ug% zj-JKJ+uQaMbvNRPjnly!^wpZYpRh7%i_1OjeL~m27sf&p_^NLtCbPK!9QofX^#2Ez zIHqEq_klDz#ByAL&~3VX0lUnfS4`PQ?6KH7WHD0;KEP_!DytkO8Mz{Yrj;CYdT)qBloQP zyeYd6QUfxgMG%8-!#n80d8^r-TW-zeB-mP7+fl82yM*-EF_N*|Wm_JE#l_*b!-JZ^ zMLjR%_NeV>C%dyMqvcb!6a6x2<^$t}lUaA+GnC~r9>$~WEYbv7Y9Tt3y&1k3_Wf~7 zWg8ZYrH=NGx2M%3Aw|l1sP-h6Z6Ce$n#E*;$UnN56_gtHrf)BQ#CC-yk?*<_M&(hv zEP5G{wbnDbnIy0FTQDi*y%7@(*%A=yb0)q&xJI=3!vom&p}0j{Tcs!d#!_IX#?jUw4Y38=BvQ142)4FLt%7Vu^ zz82g$i>`G90li3T^RFoPtLg00hSYVjWGByHySuok_a=JM0?(u6pZu+4_0dY}H?scQ z3xImrAW6t$lsgyXk|iFO6SVoo&^Is#)WbnMtMT*yAoE!)NGR69nWMkl-yO$lm*1wl zY${@=?^F+k4#;=qa9d7bDwm^Cb7qI-GtH9z?Tw!?Cg?Fjqg7l|_qUzB4~ub`GCwnz z&|0wC2ex3337CQViCp?y%XulYcD5IgD`G`_x0yt1;^ASiEfaw$jQ~1&`Z!nMtmgYn zgkr;VF{*YN`nKzDL9eiJD+jo#NZuu3fGgHxgt^RWwAirxc>}k&GW#wra+N+`VZqcV z#3IzzSwSH_HykSZ(gi-Og!nw6viRX!0)IiKFabs{cKrZL&r!VHtjN4pPN!Z=-v}2j 
zm9_47c&jOUS-G^mJ93qoI+0{-_B1Uo&!f+VIC)~GvX&hNpO3!psYS%0{thzg;{_b= z@h|_5S1RoUfF)Q+?&My#ztT91=suWLB^9fo=5M)v%fTi0qFIEo{HjqnOqgBnLLp4< zVv`N%a=D&25`t+_2VAw2HAZTEiO?>0Wv10y=EQn{cH-gEyc!X7?`?0t7{+oMPNdR0 zQH6Ups5d=OwiNOT$1c#>3icirzdOi2OBL7E6Q9}i%Mf{ucClcDU(bdj0Tqu&DHV|l z_Ip7};%yNshZ)J96;Q^Q<*LVYEty*nDuXsJTT5>(6NFFflO6;!yC?NP?=DTUNU(G* zBFsq_D*_4nKK4VG!&!F7sf#4@3N|5BJ!434eTia{y*d}qc&X>#xi*7tzuxAR>f}i4 z{^ZzrA00rpBeK5lnEO}l2Oa^Fl$({Dq;^kn4xe3A#!$zxhry=5f1aFA?y`Xn7}ExQ z!s=0f9#}7yMhnP&zwt8g9F%t5k3_G&jwX-2P8bNx5XJUB^w_h|^T59vWYvMwLk zIOi9@vuJE_fLFCigF?4QJi%3vOq8f;0N1Vx>h;_(I6muZ@!_ngH3XSLfwu_J8&{XC zka0h#HqhpbayRzvEU9fY?}ntw;G`CV5eCaFcTj z;wm*yA|`ZOK@I`>kcn(-=e?6}e8ZdTAhx$ozHv{2BnFF7(J9mvlfBJiXg$wXGQame zzRf>d@BYZ(7#4W^sDSE@T<>qBT|u_Q1(%!reuc};ihwz&;=_u8PhHfv77u_eS4TL`Icspm zUmbIjl_*S%P1gfo_-ax&>JI_n%9}l|zTx(=uDLG4;T#)+-xG*-Yq0^Su za04!;Lzg}`8io}`^86aIWU$z5#dLYG*EN5sb#@!8mUFfSf*5vH#Q`50e?k6h z72_=&?p+vmp4TZ_=K7xt+W!afFmNNCA|>p%K3=~e6Svdn-}On@6lxErt|?pDKP0PI z+1gP@y>WGLPn4A-on)hro4$MqLOR4iImtrY} zeJ(ePfI*9N!2L^_5BkRFTe1w@iVAuA0q+EBqnS8TItHyQ)CmdkCvei?*JbqE6#sw( zKSVaDLfrnLP;9$(eXm=S3^l~3+~prCna_I0R2Ko@DGUc01-H7onyk|Gg=bDzYN#Zd zwj6a`v_=}`mP!)CjX~(KgOkP30X#&a#W037>uqzPV(YV`N6;2}MV01BT)_QM87~Dc zOxl~0$NgH(B4lelzXaa9Kcfir&{aF^xIAd(7tTPSycYl2xSx3)BB>m*5c@lt#j7G? 
z8XKf{uYh53kb-Y}#i@}C4c|_CM|t=&eHTZ*x&43| zU|dIE0Vy_|b00;0@)MJEz7Q}%(=td0KyU!Vj7)NSK^@y$2*3yHXUuV~*9>c!q9ymP zdYZ`;w@K?aGxIhn2bgMj(<8Hmd5>0}3B@4g5a$Xxx@$IUD~GiLbj9r{>su)dM1D|0 zMeXMj`-5f~T@D5YhTY!#tI18CDf{77I&4CBPYYKwT*^s{vfTKJfn5xYMQun$)nhRU z7qt{Z$9HWE2H8vQEXou_jPb^aHj(ay1AVmWyfyNnK*h4qSleNn+gpCOXyxc!PGclv z>4=t$!8l^VE*9W^ zo<0c^KG@C{Lj3;Gw*Je;tZTYsj$AqBPFP7w*j>4N00o$Mq!}kDfswhkI$R0=HTHFc zLtU@4+Z~+Nj*Lvg@a=A57jM!@Nk>N01tHWgUxBCo#3mBmEzK=(?~-N;vGFwcOJLlS z;pTt71k6Da;$My!!c{`3#ry=JjcPZabM&QFkBV8XAuPXp8sWAY)gmSR?O(E-A4D#U zOWc0xf>W+wPAbg@<)iwB`xMUC0J7Z(G;YJTov9QDYo(}J(hqsFfGsPrskDpz>P<+3el_d5@~gjj`=QW)Z*eB=vfxFFf#f~06^YxZI5?C|LFF$!lQ((MmQY4r z|DFGy;ig!G5!|3Hx4hnUbUIp`!7n#nWe#m0^?MF;I6gO|>50b}fNiYy@f@kiMhtD*r}%J0GFvP1sd~I=ptLE5e-q(z8p8usx7X?Zcr_62jt{N+nB>#{IADWwLcke0MdOVHrMIuH!v+34L%`!dhHpIBaKY+5^SYhkW zj2QQT0s&X*n5znn*4Ofme`UCe?kDaesXB!^RWvG#KoFSN1Z(KG8J>)kH;h&`5dgF|0sOksOq7B-dWFrxDr{c`?~u2{&tL^}jtm z>!RbZm^xoZpw8OfB=!v|=*Pt?ZueU&fc=ys`4s4)Bd!1uTh_lVO*_oRORwWzfFLbK zhH7e$hoTTYb-#XedEr8~irDhxLHy!TqCQEpJ^jxT4ZfFJsVxH!PZG0pNWh!;?05Rw zv=fnfOOZ1h6Am5Cy-Yxi#!Jd2}vF-J5P>s{JQJt3CuRk;u# zmObEK=L_0;UWAl?7&UZjkiCf-&os)SsoTDP z*_M(P)*R3|WHh&>^(EYQjmvv4Hv2y9NJo;ao$m7MMbK)iyKd7$GyTeN-uGBw?LuL# zv2cIwV{2|FyU%o9$u}5ppJ1gd0@+6oyNFnv^ZTJ9E*I%YOGa&R z3yxGwyQInj{wGoqKzcBh5w|!6x#^pM;nc=wVqG#g#j!?AO%@Vebd#Uf)*9;p@EnwS zOtp0P;bxZMGyf>ba=h&kGcPL`=5fb<@5*B9%mQ*|am8xER$bcy$lYc2)`>*Tt$(F0 zP-h|Dhb-V`A{_k)k)?KrkVwgHBUx!yt6cIYs16nIh9k~E5DhD*xs#mQPp|(}9nOhU z+74CYM4`IMdXQw&eZ0FWHkXaQ9cRCF)|P0E9etQEw=9JT<*6LeObAgrsjN1#5#n9r zCJRwad93hl>+1ZL-aoh0akE~1pKZrwbzF2axusJqyIL+@SZ*HGLuobj@Paj~-5v=r zt;0p#X%U|^tK!R@qBtB~+@M`Vbt_D>7>^$$&7gAPD=E+>3Q$E^{Z#z}xgrB* zuA=#g*sP;g32&PctI#Ya9P{bcFf)H~K;D>wD@)$=T=^>YT^%1HNvc#ZHJ7>;J|bz< zG1>UZBTFoGk>c(x-$6YeS%krIC)Ty`qVwg)0-zxc8_kyf@8nL^}B!H zVyn_4)C4GSx0{P6_9ONj-7Of7z1w@PtTra|&v73025O7E)!w2?)UFftHlm$IZZT?s z6lY7Tf{lBd4gg4gjgg2#cBTfm-pC-I0tu)=f$it3Irs_b^c}_pX?m-RB)dp}WcEWW z13gbG@{)l0aZlRrKkC<}O23o1qS}Wyl$$-IM|9qnLX)rTgxueeFT%o{U_?0LS9gdK 
z_>_l599b!LU3Zk8)W(0=SB(DS%y%}r_H5|sHwq$88?N3 z8ARb0>^3Rf_uN*o?2Gw`BNdhLpd@HPI|(eA^$mMjWfM7#n&=Ir2t{w)(%8jQ0+JQr z*8jXC9P%k14Y%Ore307c9bT;mQd#{Iq`iMn(?wj^$Uzw$?AAt@6X1f2ZvDHw_K?ou zp4f9z@8cTr;=oYM9E|4mTIR~pRRx-4SsJJ^h(^}1J(WW&NVXzVYJRvu?|sw1wGGf(z^su{WhJ)dETa`|_0&Nat2R9kf0zY`iAm*)hT zP{aIS=oI&1 zq%||sEE}YwU(T2aWa&7S0u||3Men7GX~P6btlTqF?Djt zRc?~miIl(HgS8dotm@DKR#trt?uCJSUvPW8vorF!^#LH)=gwW5_ zw-!D>4TuPJGh*q$pM^+;e;i7Kv4)Q)bc- z>Uoxj+qQ$5n|Zf(8YL{swFBbUool-ezU=ACV}3xZ1Bu2y3ShbZ?L0${yZL2dJ>y+u z_HKet2m?n%qtV-ZFtNb&+$~H^_p{dl%f9-ogcC2bb%s21sHU`L9nqN5M3yaVfte?M zX})4HlEP>s#!lKYr>g=R#`v_wdS08aq!cr?VDzvUS?wR5_5asWGOK+vkJw z8FG`Alel^fCKV4*j)X(%oYwC^K$F7I!U33Y>k5D?V(=LxgmH<@7HF$&)GRHF-w~Vd zgTw*UeP6xl>q5A79P_S8)C4I&x9QArll2?|X?4?Epjwq>5P?X*!M4Kl+ezB$JfW`U zsIBKa#=oi~I|KQKew!JFzAqF_HXAZMuif5k$ z)=rT>ol@~*3VC0q2i=yIN=GC7n?kD=6Qq2({_IT{AhpJYXk-xgqNXfqIsT6>eK;j? z7v%CaXz;L^H>!f*1rp1&hVyu#?M$gNSfY0?(FRuD`Z(iWG+p2vHJ7K>< z5-EzRLo8he`GnKH;_&Bhrr%b1A{r~NALfn7R;wR^MtKZ)w}cO;m|)1^Og{<%3|OS< zqnw_p(Sp+MPCtOLe{5N@=o!I=@y2uh6}L00q>4J~1me0l?`9Q&jYLmcJF01x#hK8- z6m#4|iwY!Vi*Z!bB!Z9`DGY+}{B>TLp7{9p5p8oB0oXyf^7KR>{JmZvQ>m)A`;(!b zhti+Ci>(=hv+D|e+Nk`t#+gKC%WCP34O$+EM5QakQ}KT%(geKQ*(o#x1gzg{lNuzK z4S7ua#Z*nH@36)0eT=K`ZoFwT1j>4q1z&a5CIB#I=}PHguKPut_cwL5d@L&mb?aW| z5~&+4AKO_J8N$PH+FdpZ-}UziKhjB?*}TCZ%#~Ew40g6uo;XKE1v%r3s)DJ5PUPGicPHF9 zo;oLGY{N^tn4|Z#x9+#DIFrj&pNr*w8(~5!`i>Qb^f|s=RCZr8{WMK1+iZdWr>smA zV?SsI_Btba|I{TbO|iYcm2YQnFZfhwI19X!Z`CZz`JdpM2k8Y>@o{86?t5M6&ZBEl zl8l_*U)EG z-&1shR!R_WInX&=m>nk_m2)L(*_?DkT}a|*hs%K=R!rWP(n;H0Wd!3<7pd1y3~yf4 z1RLNFS`_|wTd3#RirXJV1KR+6C%m@F0NSEk$5p6R`?J;xht-<<6fs*kN{4mjlCk+W z5~}c@$sbY7?;~pG+W37R1wZsPZNPW`IG`*<1g4Hz@pmVX76auVv(SY&PVUS%-j)Os z8NG{lRoy+#nPuHd=L1|eSR&0YNjx-Gl=(k6Eq=Xn#%cmBvi`gwSR1j^&2GiSnlM3X z^YeX@8@@VZvk~Gppl???F#qF8V%m3_i6jF;B-__d1Q#8DU#};Oejn=xXX_o^3}BMf z4BUod=K8;ce+9X?eFdre${+xut976SErw|niTwJ*WBtS5hljOCRJ$}!*_21uKVeK7 zWY*Q*g;%b3GR;qDmpPajT+X6I?qfH*18jb4lv@<8N~pJUvMk}-kz{9~#IjA7a17I9 
zY$okfNz48N!+E)kRV#G`XxWl8Mka29?xB4KZ2qu+%#t(Y15Uc{VJhd`7@HQ;V?G)z zDdx5oM0MDNzlY4t?LNy4VbnF&veE%?eJNHl(pcckz)o5-5b>(*+pL3uvgqi^NJFm` zZNbNbLZxwCi^@wu(qFH_++B}#gpJ>0DPp!2k(RY%rTS{Iy^+>#1P`Pm04~=hIg9Zo zFH6d4u#*$}R-d!%KGj(`?<%LTJ>?&E1VVCco~nJyf+#)=N)1doP*l z+8)~i6mAK3%QDathPfx#3$Z%vR#CCc(M|4V^;ZdFgB=)Jt+;XA23h!K1#lCn)!(U+FjX$(A;4u5z+t-95zpq7VticRDg_%Tss2K5z+ z>(KuA_j2erBWc!C`Rwg|YGQbOLRxc=mZ7cx7_`Fko2N(sRezpR@gW`QF?t%mS4Tkg zI(jo)@>~&*^d%4W9Ms;pJvnI0^NpvNI~4?@;Fv^J|8*WLUTUUOq@9@@_`leC>!7&W zZ%a71LvV)>+zC!&0RjXFE*(4sr*XH25G=S8++7-X3lOYvcXxNU>G$6I`)0m*=dV+z z>Z#M!_1NBPueCOv=je@P^ou%;QT2Ps75(Q1G8?A$r}kamx6fW&Q%e5rl33ERc;ai= zdt^f7fIqEx*duJ+b#~%9^v*NgA^FS@f56Y=HU_7%sqxJrfp_{Q@SoqMkI*B5@FnNL zA5*FhietI#xs&P){FA38ys0@p%g9wXI(O34| zkkQW=Go^Ch_U@3C-v{*?3jXmj&)60Va|DhvcBDKnQ|-X zi!~;q{Rz5UuB%)EKy1?1o8W7xrgVPdVvN&j<4;?gCu3B~kq4YSwtD$dBUVS4$hA35 zcAQ=;M9GHKSIuhkG<=1@=!Tb~vshzPTofea|| z5fgODj(oO#f=6Fs`bE4u78oIUcQ0#tFu|9G>w|6XZ>-=%a>?3N7^@NSq#BO{=5Td06x3^kVWY^KPZ z7k4drQ&HAdKaMjbg7sY^FZ6ncOCDivx8pQD&xf+K4gmAzJ?FsCjjT!iQ_fa?DC7>= z(GT9M?dOK@h;p!Q&LCs!;|027qZ*Cu>vBHf z*Rc|{JGaNZ>?&k-rQjfVZmAiG9+zn1p@(~(PNH?|1#iwYl*G?K3W_vecC!a=RYOwL zZwl~#E~K&*^>b)LsO@jTbq8f=o7p@ION`yHZdguj>{)2?i%q9o9=Pd<`bV1@7P(395rN~Igv4kwpZfIs&T&40ZaGypC&AmTIAYJJyEiwC%?LEN-Do~d zx25PQxC~eC0_~?AVJZffZ?3K~L}R$+x%Ot7932SKx((9;=q+>a!I=6Z9@dHw2cq$G zQ7st%Z;p_8J0reg`Op1=t`I?Rp{ZLgU4`$q>AZoq1kW9Kh&qc&-%&RW=+bgQ`9xBj z)hHTz*`ew@61Cxd7UMyh44`%nFr1RS(Lmh+Ix;mHNi*c?nx*+3mWd2LR|FB^HhwTmH zlq_McAt(=K=JDbAoM~iWkN9gpCOF1#FB$Gm3f<233|nftIHvauG;oDb%SPn}7Q|26 zeEqGVwfh1v401#VU%u#>K8=TkcbI*260hwJ7_C)h)W3o0_Tq)9_GFJnr&(nPh_k69 z#Kkj;l**aI( z_iJiOQp~zk^v^kXr_~I9metvw+goC0!C@HxjST-JK9#irNcv%KJK(USmvOko!X|q`b*Ts zN9`JR)x`LFYhe+C`$I;b)`s9^b5fjxHLIA=htTrzuzq71S1aS{<)q)j3PRdCY4Pdh zVPo8kwGNJew+yD+% znozNBj_|GnYz+^6LZAHq7s~$$iRUoqa6%GS(8T*w=)jNT(%ON5yJFzE5-)V&`f1DB zBh*QyL0^iB#^vn;49faga{6wf_ke(9c}6;3J&gm8rF?NN%344l?a3#Qx-es%hrXSC zkkR&<%Ug2rkov@HI?T*-u-{oRjS705!=q$Y8PlgNg3DVlt=s{imZeQU)cIL^JG?>g 
zp566Bpc0#jvm9LXDw(MHqmpY2DVfDCBEf|vx7^9+edhw4bL!&NU|ymiN&=#{uyXz~ z_0A`oXrs9g1*vKuhG=O&{GjvSTD*%jX&EbL!7`9d(_skWiWXT*kckU-(Hfj~uyr+< zr=8VwOb$=t+iGF4!+ibvc}QMh(|>?WecdXSYn_Z;O8sg`B5yh$$2RDQDA>Pm5TfFG znGN!ZDV77N+Hc`+vZ_9OLkP!1VAyw{`8!@zfpDd$t9k)nB+i_y%2$x9O>k<~PA)z+ zyIq34m&M)nO9m%h!#+FQf9o+c{Any_W_L|>tYT*#_t_n8Jm?U8_1#&U+3Xduxldee zta68kQ|wmMFWcn{{f#sg{r5^F<0Qbf+YpWb^BQfBy92_3?XjKk^T-a3*uD%>n9Nk$ zIx|CBl_KzL;6s|f{zsaxCQc0;VIZ&S+KiZlx?mHxTkV*qZpU38%^Mb4rhwIi2owQR zH!vaP>ST3IEyJMz(A2q{VRE-{tN6B6(~Mdg&U+_KO99T&A}Iql61#SU(0+PDtJoI^jy0Db~mjH*sh?X-$puK za9GkjZ7tVKZT_oFXf*If+~wir@A#%gGe?N6O9^JM&-d+05LnOjZa*>luwT93g(&uP zG9J=B+t&nRZ!4kfca~ir4Awg?nrYD|J1g&sL3mRbHOPYbl*MRFJp<(qWB1w)_#BtJ z1afTV8*JYKi@FOUociYa0s$^^cxUviS8yMIj++b>n zAwL~zpcNxZe4&3NN=V4@d}cS}Wu0n1;)UAjj4u^TpmB%@=Cx z;^8W*wKVMcGRh&zL6#Dr!k^sQA{C2?g5GkzfD>4`x?!S)M4HOHQXStp-tcR92GS-l z?J;OsS$wk%y~vOJ7*FEGAKpV89O8@=lqw#8;6Gl2J3#;bYF-kZk)Atb#6=cuzhS|8 zWBhkR8teJ}>_!9RmkdebPYf68x^creLu243MgS<%VqJ zzbG7!Fe+ZZUhzAaPiKJl;O%R$<4tiXHy_r0dG*u20!;UrZj+`c7MK|Ulaf_Qd$5On z=Z6IlAR3CE(@@tygdBv{g5{Nhw+0nimtGB9fWNG;ajp&Yz{R+UouGJ{)Pe6|x0jdP zw{xbXseM9gNxS0{hM&ycAUd&oE1Fp7&F0>*4a`#kF0< zruDh>7K*w5CS_szfoYn0Mt6(#zJdPBOjHLAt3qeD!{Lq1y#I2X$UmS*yI1k)zd(=f zbhuY3hBo^2e|X@#Jp;};swk$hVuX*>Gn+e8*<$oqzUiE^5vPNv#w*O48o4_{)+Ft^ zFM6{u%PLv@0EfeVVFrt3Q`7_WNmCmAa14J?xfm3`x19F$?wzO^;#Gii`eVkU6GSd2 zF0-p1^Ukv1hjN1x^pmpXCsbVY$J_4A$3vw)z1-Q)$CbWc%v|By)32GuHRKp!8VZ+_ zuMUSQnH%CW?s(y#Bp>&r2BOYXc&%1B#WBiQuY|+0?aC#%6=jA%j)#JHTg!N1f;`pI zMyG@qDEFoV+nLc;>cy#7k( za@sn}f9B^>nUE`TP}`12Fe=1~pwmm*9w(Hm0g-17*|Z{I8-RN4zWH^-W`jg!pB<1| zc|`7?vR!8ot_VIs=WQ)2RqKHus5SJb8zJTT0v1)PJX1Ib*PC3oa&I}kKqw#*TMk$TQF2Ta{e zAJ#oQ9`r|{7^@y~R)L%f>~5prT)Ny-hBWQ=U{1s%o7rvOyZsi&&FQsb?bZ&a)Kp!L zV8;7cqAul&Wd*SEf7t>3e?d1)VJt*CHj4X@?I=$B@HeHh{~)g{R7V(=&xwpMQ!|>I z?)`+^nhsp9`;k+i+QA#eo0HsV_uD8GV;*lgYiVx-S--_!K+TPqM3y1CtZlJv50z3gzSqkPn7617Frn)@Ic-h+!^aR_$ z1XlnGZQXdxObVs2ajc7GYwh&!U+VdqyBO-dh1B;;fbWzyo8p0^5g2VwPi*{LJn{9H z>qFsfzB7wrqTkv*M>Iv_rWnF@~W&=SRK3@Pb*-q 
z60faS9r$an_yLyHZePn6J)Xdu@`la6?bHTw=O5&&A~1=<``3?qKv`%y^=e`j_m^DJ z*zI2mY%e$}=|FW9@OExl_sS$Gc@K$A9GKp8!b}=EWC^l(>nVcG2|`L~?MMz>uVkPf z{*eL+ao>wPZR?0EU6@n=(@g9XXeQP8Mo$2;>OpUvaQt!6uuW}!a924g)?eyGWdoS+ z(@*pOjK#h8jGiFp-coyP-Qdh*@y*Y`42yo{r?ygV9g0q(4G9{((IpNbOLe5}VbIpN z92l-*Pz@?VF975ixbCs^Ft(J{;#Z+tnLO^TN_V%BGBYvANcEMZ@*2FX4iMQHH8Ck; z;x=GYz%q}1y*c&9x?l>B>aguFkY#jtsfYv;BAu`0!&pnGQRwSBPuRlUgSt#Zo0{`0 zT{k<2vE|m;lP!o+qyw9J7cn*X7h}3qF;9piBC?Ekm}H~Gm3$9U__W;grb{}`dEKME zR5OVUCeC>@7|MF_=7#R6t=FkUTi5C0vE|4kII_5+VMithb86rQhS#%>7TSu|y$Sk3 z*1_uLW}+`jcYH7m?~FXDIrCo_-cRmtV%7|v%W^>?lA7NgN;UQ=o=mJQq3X@bn`9S+ zuCY}Ya_+I|be^#p(U23aJf$4x)ao=RMa~_snCy1ipO0vn*`*-NOd4EE%T)7D`$*d96^AkP4a?w;KmWo{5h#TY@YosX0#)pMYnN&eyZ1?aLxl7_Cn%{JLu z&@&iT&BmOhn`yI9mX}YBVhaxMmdI_fp4JqQ6UP3Xey?Sy>&sa`g1qs)^nPvJMCmCw zI~U>Qy_iWBs9l$;7R-ENaeX$lh4`uM9^DVO3w@ zk1i#v*$cfwA<@g{e!2Ae37-fs)oZ>)VVmm``wAWst)m-)DOyR|LuWGRXAl)}c&i4v!7uLzU$t}ztQ z{2yex{|=imJ&^CRFDq?ta{7Fd^4kPcMkkw|-+b|*Xd`Z-OIGq^KmFmZSLDE3!l=9} z$MNXwtE4Xl&qwDH)14UyBhpy|`u}kpl5@lQgIF0!kAl+;^b z>aM?-E~FBzxtmajG>+F_CuFm8KM$~tbK(5}x2v*C2JGG*U&M9NaV$o=l#1#H)s;*M zhS)ol+B1Q+lLmkh+BIL5!7fp zpV$v1g#n&MNKweQ`gvaAvyz9n+jmM_uRbbO>YAvtKSnb2qm%bZrMHWBWw-2}yUk58 z(-%pZv)+bxw~)8E8!etc6n%ElNW6gzq)!O+??O2H2g69US7cOM+QT>QZLDcuKCawM zVO(6zV_X!EiboS0dPrTw89SO8>1KdinQ+8!weDe7@GPN+lT5q6sdZW zSApg-Th`e$#x4Y7v&0S=g5PWu4r@t*> zW$FU`ZtkymsyK9fW?dlXsBW*~z@cIjdaC`WSZCQ3XG!s|xK%b4?iHW0T(`Mr0NAgb z{t|4(Dkbz9$LfNoHUh~vfV~`q#TAB2LUDCcHUMm#S$_>Rl~6XZ&C)CMofpT75*5mX zHh7hj1vg|QyrPwPvXBO?j7H;RK%Y8u8s*zB{aZjFh+i_K`taFEqmjn%!Z ze*+?EO05B9*P!6Em7nuQwk8U;(MXA<*$lAAiPE{NcVXllh=SKyhd&Cv4w|I?Ttjlg z(wd#{LUuTu|A~1M6feuVl%YN-%49p4v%hA)5^$ewPNX&x+=<63S1!MaO6cU77u{a0 zx|RkYd9dn0dK+5zMC%?wPRNisjF!jUU6>Su(_8dZ1i#77GAVBf ztQWHefX3=ce6G)1pRRmglk{4710@B~*P7Gab2*wGetm9w2UBy!JWjho%?ILsc!Wwi{L$ZpuH%0TF)7J=tkYLe(~nhnJ1xc z&g{9>kx@Inc56YwrtcI6C@hgiL2mVScJwK{g^GCTI{(l$D;=+*LUe~O-)^2fnF zri%W2MyiB{c8tKYip+Svl7g zg$fho`YJd>x=T=*y4~vxxbeEA9>{k}*>S;Y)b6sh?G@pNYrSP=R+r@zo+m7AV_mN1 
z0>Pu}HQQIzA^}n@v)XVqj-RlD1nA^((oWCu)vx~Dt3;FLsf@}`(O>ygGh?Kojw?IgcZ+(aMtZs8r;bVqAb^}=fKMM;iH7&Q8#qwxJdYBAVkwtfD{U&E|M?N3( z@7D;S6pMMYs;IL{=Rp}XD@9pv+Zjo%?F?3>X(-Ht zq6if(fUgU;{kj=VbihJKZdL8y%hxTjcHbxgT>^uP)&3*rA}7})7tN^X7sM5!ETgT@ zhucRy9`^?ej9Z(TzWOisC@M^=sDMu8Mc2L7UGz!G#$lPz|G13(AF0xwEb?9FMP+mB zm2=J{gZN(tu>I|R$s{%e2yp%~}XeuFHlgY0J>N8ZLm%S9)Xd40XA$|_nMI`&Yll~dYgA)RCQQdlA=TE8=15^|BU+KTKx{ z$~t~|2^Aa=B;&iqE~nQg9LYtu+pB1ZfK0AZqjg~vz7}z>~N=l;U_enGW=vmqR$CUv5LaS@ZscpF4%q2k<>NGezQN~_89cupNm0| zm8zScZf8E4Lf&(7aV;5`3;2vPLRx5ay;DdL zp7?j4uXbo^NyzHM*1F{Gj@kB5tE)T8Cd%vOhkHne2y2ryOps)#B;3`&F{pN|e-Q%Q z*~;HWV;<;^9o`H-O<%lQZ(|;9-#&&JBuIN~UpKd29FVJ(pFo@DMLiC_YgNbL4D^XP zDc?ZLp)!s@^Www7cn|MyY(C&v5-^}Acp z9HhoQjcO36ha$fHAd;!nu5a!zy*^h}sE z>aK+7c)lamlVhxHHSY34n}-&q7BW3?k-hGGkk1_Xk_N%FsFnJVWUxw_nGx?J+t>3P zI05VuN>B}%2;Rez6F@;EZ7ady9&6_FJPS5Go`6mZBB+kFYDf_+|SNd#c;& zM|HO}O{OL&>3mCoO#1Pkck5cJdwlzOns+_Cfx`Po@0*9l6Sl*2e-}BscG1%x;oMKN zwc`Ugc`nOm;exAg{TQTVd6K^Qd;*$zt}kBqZI9gOZYe`HMUE5DU{&4NFZ{uhH`QBCd`(aN-4}Pcak1os{h8jbs=WoW z+sDeI{kiI-_qpOt^qH>*1@SO&G#B-x85Y*S&eLP`iufy$Gf{$ps%eipJlBBV@50_U z67`;!>?iIm;6_TiQ|@}rR@!)BAvqP>$`>@#L@<1WtNxD{z){Lmlbx^Di@*4*tH;e# z?NGb`T}R#f=>!zDkK^9tD89c-zQXL)wiB?J1sokunhLkZ-CFg(^*8@dea`{Iu8~y4#V6V2_1`s0c?u9Gm2rXQM4gSKAAMj;zc?w8S7Lo zcfktD5m~?4R91qUXUu*yPFsrBxyOd*7d8&QnH+Jpx1C(RM6e)Mr8&j;udHMeF1fwY zA}QSrAZM8%Hbs52|3-5%Ddo&EtszCciTGigSjOG{e$F4590JosqVjde#JaB%NGsQq5(E2#5g^vWa7GKa~xznqBz{Y z1HqS$*DbgD_3o~wL= z{oz%#o9UkR*C{*l{$Ly=dV#%Mys=kmRD*W&FzN=uvWjCoy%F(Kt-ar3;?GYXgOSla zg=o`Q%SRbuS-w(KczAz)7%|;%jFCQr#<^(fyLD2J^;C`l4)k?5fsE+Ub}>f7ucW_+ zVG7S=Rc5=~Z+fNuOY_=IjxG`fqo!MRvsC?mj~YeXT-0`0H1D6Io|9XvM1C&!?=BJT zO{?W=Bd$uolBEs7S6z(th!oc#kg5n<0K!b&$H@2Yl;*z#^v+utu01K6U8@8h7|=KO z9!APxh(ib4>0=mY|E#F9%!o!qUSl9T%=N+)@lb&&>$i$Yh1o@QZF6AcP1+K5W}-59 z8&bvwo0f2$au&Cf949ai(v7+pEGuH}=(KeIS5_pI2KN|}U>hs*xjAsl#oskzBc2h$ zb+TDH;liXG3=!Ti(pTg@9=vn%P2XmPY$66zBaXE$oTW@LnB7ZJ`AqJEjrhA70~1$4 z$V|kAocYJB2#@j|g!Ni06t}s*_ZEGf=QW4aTjGaz{On6+dfGjGecmCU=ud&3`VO`v 
z{6U81-I}%Kvhz1xt-J=x0E}895!AkTrXi2Cl;mce;_e1$Y>mo^`^>E%L6j9I4SRHu zC8K=O{q|>Va&MD4ep)LSwHDV)Z@)0MZHYVoVLnY=KY^5hY~&CkoSUgE;XCO=5DhDf zhgQkbS(`iYVQKic>UlOm_vpaizn=&e8(Q7;R$gaUX?3Ryw=iZIw`)o_t97Jr-Hq|m zm-q;(2e|<;2|UDRCMO$ZWsv2#km4K>USam8Yt8$uLW5X+Ay&R*m&GhtlOR3ePE|y= zUD%Pga)c_2OVM-Ui4z2IVF#7p-~Q6Rcco%EnMU<|yPga}a9BgheSr zZ^5r_{lXRcv4Opi@FVNb$Tyc`RsJq5U)7}<@0L->FHkDV`>%(0@T=O|*u!p5Tj0G2 z?wDo%Svu`amKOh7ItW8=#Cc25!cNUkDlV6=?_Ezen-i(^*rQ%l1jLgb$1Xxjsj#6= z5LlBvQKd)`46g(pko8wF$oCn_4f!Yx{~a_~e!UCxx4b=+n7y{`lzUh&)y9Ugthx&^ z?};4QO^*N<8(Gv4@hII%YO*$<4UuxnB#Y>k5nkpMLA}YJf~5@>0)gF)yxK=^0iZO% zIR=|0G8YAJSb%Gnk(gUY=G*SD_@UtH)&z>-@EvDr^jII$jdzQ^O506_nUw=LC!G=Ne zMA>bhdrYfwb*8UTId5S|+IkDOSe&%%U4TXjNR48+-`PlyY_I+00C@7*^$8DsUEPS$ zUFFTJWTP;xUW1G*alLB*XuT!UX6O*xiiU!6qdC8csB?V0yyA-uP6cB|276Bn^% z<=I|OioCFOo4RLKnEfx#6{ZC89gVtvRiledhcm>+$NpHc!7li)cvSMyQV6Z#V%h%S z-4VkoLgtBjz9h^+Hbi%C&`BvB&>(m(^@cR4`MbkmO1^FysI08Vrk|*RyDtj#39y$9 z8(Q?w(85au(;v*&#JT{7K=y9#qc*zdSMyWRH}pa!PU{QPCoJaCZ&7LBB;n!S)BZsg zLZ|q6_V~=dj*IDIV&t#L+xgf0OJ&5sH%$01BXhkbDB%bU5 zs>FvqO8;h&Mf<)fDlgtc_7;Sh?_%Q;31yh9JwnW;S*#>v*hYdV+wbD@qFI$&l2sH% z#Ih1g>6yjFpom0YP=D7Zzi$WUSLjH@`f?32JfKriSWi`=kG3&ns9TQ8l_TLBv0{|R z=%^(zRY=UH5`USOWMQ5G!F|KXi;EWvjMC^0Jx~syh(yvIltWJ)tB=R)`BoXORv{;| zYrP_9-)<3aDBph@kn0J?%J0htvNKu`WLl)2U{~l+`B{H@gF;tCQSe^#L!F&rB_U&J zO}Ob-B4*03R0>t`uIO|o(;bvSB4p__@f=4of+=(LHXy-^U$nYz!PJg_jn;qYt}yF) z#TjA>S45I8dtpaL@vIX0ay~&TN84uup0QUbZjRbmtXFDPq8!I)A6btpI=LrVRf} znDCC#rGagLA+A94rpz6LI=D@j0|UoA`G$&&I231_VL%f-F(poHTNKKcuc= zWxn2QuTR|Zx?nFMy=-Pa2_7wxo^lyhcSfACKT=hjqo)Z37$KvUTji6V6C>zZnU7g#FJXEGQ| zG|j-n%$ZXOHnBAmzjP0uc$`xFpas%lz*M>W1Cf-e@+yJnS#wghX6I<9IryVA*Q^rt z_Nwu4+A{$&<0dn?l3yS6p>tn0tE+G<1i!+$#Q)weXe>}ns~$E{+X?=C0hnE2i*yxZ zc>Em7^v5G*LbJ7?W?c=yw>MbPJk*U(5j=7YR^s7p+`4TUzpaAmq$dS%vj+~~2l|o4 z1;+xA{mOXW#>e4^?z2Z(@TUvCmNgf9Oz|Ch%A2&z{DsP{srUgvF3{2lWFQrP8tBO} zZ6UT`oK0Kna;H2gu}orji48udCCQ&;@LFwqMh>KWe}yW4s`ZYix@(@Q?wFg5{Nkf5-VgZOy-u!4GhP0`%j-w z#c^Ndrx(O|*B8}$Cp>iq(D5HWX*zDUhK?(#oQ=Nsbm;XUqz_rlHkskxLF9lsWk_NP 
zT9~CMjO-vKB_xyxy~gOjW(3Y#3>lrio=N`{oXC*@?765N7&fSp~R|`NKnf# zZ=PZ-EPQAh+x~03#*=4>GIJ`T>Um@IRw#Ur$dfj0nZkKYV*M8_HqK(bZ7!1-;d6iG z?%ZUTALBBk^~!FRyX@Wceh0YzBxDpAl{)R^7Od#CfqZ{bZgdL)cR}t}PxMn4$=4fc zy=9l4B43Xq$=BWK06ydtsjK@9U9c^?(umgXHVU~DUYkQ)rF;!@R$fBHX;c^42~Stg|KQpq?%=__AS@Hj(ibkj6}3L!{egX0c!`HY+S@2N z&qBQ~Mfyrda~#Km12STR?t`wQ7w>8*8G+!Q!ZQ|gwtOwS9X8d&64PJ!$CuNA{jz~O z*7KGlp{J8lh28O*rA&;0-%&^3Sb@NstsJUHR@$cG6F!8xuVWRT*e41{kMR-pus^a7 zEvXnVy_5dwW1v8?Y@udYN5ObH0Sceq3<(}k;S7&)S}3ltulUS;+FU6q#2mh@XL&v( z?6ffM3vPF&Kf0_DTZlhkV$@uQy0hURXZ3umTl%qXmwKJ_V7rruUq zmLiHEnb~R@XJ|@QFrs@8d!dNqbDK(7~X#2D*4i zMWpv~h>oJJw=g*EL$v1H(ijLHw90oHYB(>zXpjHn`BRA2c!KEQ@nfS7>uMh9-+cHI zDm9WD+JxzArMTd8Yd*!N-kgw%$`7KJp&F_DEBsO!>Z@D2_W&NVp{&67M*6@Jv6ngT zjc%dQ1p`dEg&BGFawk#fyyJWorI|@@BR$~z67$+4zkL^Jcuv8iTfmH;^FsVZ0l}f! z6xL_{onJ=m-#(){0=Hchu(?hst;Qy0ftX$|F7t$2LYIG@xF#>G#8`AVha__h#*>~> z1a>~PkbDlg)HM{9iw+G41bkl+u)s(SRc>_Dp@(?Qd_5?=7`iO$!%QS8=aM7ADb6lp zD>vtCPg%WS)_xwKz?G28C1 zon!q_f%|FBrvB_>n$Ui&d#4oF9Fxz|iwfqo7QnGq<%{Q74RCUMkVD>7N&7<9_A*bl zp=sCUL~k}}Di`kk3u>Cy)ywEp$a^{KS{>au$F5It8~0kBx_rTp z9o>AwsaR*r4*1~5{NEhQ#$$&)ctPartIrdLVN=@wwf+8Q7yjqrH!bmlnAX}kffYx1 zggsx$_#7U^1bRr}i1|158y9#$+66k9$gKvIqshD+*KB5Q867zgL}ABj`AJXyyPObS zuUt)Rni)qI!U1%G&Kfcw!}`tW+xSv}(rZ$#V#P+tMU7Dp(-K6)x6e!)tUg-)gv?e# zNV4`>f?O{VR?Apa<4K(Om$hPCy5-Lm50aQ|zH5>SpR4H>IJZj!FMQ&!-=gzm^yq=3)M!mgbmOPgA-Wp}Z)}Ty-i=O>8$ltY|8+jGfu; zSc|vejuscWV=6m@XEe4(|79cg`MaOzI7CQyF;;c)yrLvlIdUPgygK`7y)QlS%kPUw zdkj4Ozc`{-W0funOV^22yOqY>Vgju;f>-gA-EgzQA8b8Ov0+mX#kbnTYU^#7eDbhT zXKdb#KoKRqN+{4*#hh`19@T-HLFFGQo6{F@B07huoVqsmCMtFQ9Q#sq?rop``rO+n z=h*a7c+u-Qi>UWMfY{+uK+2dQ~WXjb-2YSD*_C)130Z zkI(;1+&^z$T@c;p^TKl8w2^cRak@lTtBlAoqttN=19dMDtiJ;Eos|rjkDDdcu|weu zv8NNhPuMCICH7Bf>&&J(s$klPE64z29Sbjmen6;ziF^w}+ZZw)u{G8sax{!M&?<=q zb79t8(swJ}na_ z#&OCfFxxl-Vvc|9af2PUN z+nu+Zi=heDu1F;Gt30RK9g|N8rgFl*&bA(5TCCF;tZkl1yCK4cN|cX`#IgIA(z^G5 zU~6C68`0S#l@MiNjI{;VG5=|(%ht+z1`Me5oer|mC8e1Yyw8Nn0e(bUyOjI`J7 zzOqZ(GtvF?z4L&Uo07Z7%~c!}>qRPTQF~cIi`VhVy^=;%pLx^YoY%BtvP1=VcQWq8 
z+#GKIx$XYXq)cM!ipLWBa~q)r}$iOURx}bXbV7&T&XnHY48iVczjL z%~ju7?GYkaN@u>9_ZcBWY7iwV`+;p=ti-n=0b~~S15y+L0bJx&B6V~k>$0Rr(~~Zq zPL7*NskFRUi%iO-azZvKvXK^m2D@7AG+7f2WZ$Yab`yae*-u~J@P!};QuxEM4KLip z@Z0RmBr(e;&c3k01Ay%}a>D6jbGS8sUuV768%+h?O%E+Hd)wrW?-FwRZg< zPzjijw>@U|gs49zt4X=!XX|w_+{%xrsOTE#9dKyKv`7CeQ36DaT5w^!VVes)kP#&x zh?WnU@`2z1+GJ6CfI zICnS*4irtrLG!wydV6}YLgXv%t=_8Zt^6lw&-*cqBxa-@%Cw)14A%mk^YZ8XwW zo;k->{n^N~CIdA2;rJUJldjZr<--SNyjXJ@wl@U+7b1(lWL^6s74%tIW->0%=l*cZ zOhh=Gl}pcl$(QdncfjbW1!;yjQR_%qqrarAl#s^q9vF?#d=JITPa}{#BRR;VKLl&M z`I=v@A-rGW_Dk{iDFFIN6u=$>kx!0WuP_95^9zg=u}L{JktQmjW4U7vC(<9g@j}fc zY+l5QlI@mc1drMDLnG{M$jH}GsO&$^z5aOaetA5lCQec))2i8YNYMvhPp==8La>1b zE}DO28l%op?_}=W!o6Bv=k}o(wfS|ox=QINwV2pWbK7o|8HSxON>#eC8f;nmU^WhO0joV zpCFIcg1I>>J=0a)L;KgU;r1{GQsHZBION3O@NzYr5-D9(0~@Wb!X&nE!5XH7C?9Rb zK~)@H>BA-GrjOT!NTzx5tjCkZ%e+sx=K@{hb+0ma0ei;{t3E~@&o@|)wu=JRi*CAe z^)4W9?|~h(T$9T-uiJq1Sp#xcgBl*an#+_*W0aT051M7BZWj?}rs4>#zW<6BzJd{t zdI*M#h_&AJ(PLpk*(;oS1BV{8edo$1DvRAUWfUZ>pacFBv-Mp~4}UUp6_lOEd;7?2n35<$bS-;O~Gw3nBzKu6VMR*d{aqSe5Hw58$XXwtVJsz56l3Lm5P z7)xo)o21q?e7+~$mlqmS#i}FzUKHJC!=ys8*Lgwa%}0lP)C<9-B1Rk8qjXCEiKCMI zuAp*GQqI*fN=i07W(K+ru8SNsj#luUzJGn5zH8jze32Ttsh-w>T)Ft}=2fk(6tq4j z7UK`MgpdXb>F$&+ltfF6+Z-;jD_YKx3p74dli?O zzO2@PfZhQQC)R6ygtTkq>#RXz2>%6#{0}PfKMyW?_(sg1s?WG-jORtaWv{pcx7Ssw zHCq6C_CYjpeSf~PQ!`_HD5A~B)R1M?lq(Q(f`UrfR87}}=H4@JXVE7gq-PQ%I=iUi z@9J6V%Wd~fi-#OHel0DUb=BtHXDQHM8WZ6hgY$#dmJg(ESc)rV+YtNkO@sm8dVDX1>o-@c^`W`@*`K^h_ zbi)?ubZf9ljY$iYx7!jNz5gvVR4u|%w2WiKC9bu;Gzq#C8g?mX9R}wai2mkYEx2Sd zH2zePHxmlcs?(|eTmrbzGT*Hw{}LiVDaaU@Cc-3piB!)v9JuyNVo(lx_z*sdJJ=_; z@td|bza4j_x7!>e@`qgj=N-J~{r?7){(~)jLp_6sj#Xb@pn*xGm|e1J+6i*1Xh&;V z3c?9s7j3-X!F0A9H2p7;hnA6rFn{Yod@$t>h5qqv-E5(;ULnZuhrae!UU)6tB+obY z1HF6->zMd*?(~czs5;I9Junq(fYm}DYv+=VnwghE7izg07!+5I7I#x;M~j*MPMw?40Y;7wfOvzpQo%gr!h7U55jG95lg zaV}dr@(1?egas?E;C3oJ^|_TO`nuB1GW5xkTIjc$#U`SOLiHAxwWiPcQ&TZrK_W$w z3H5^ghH?DZO?0-Nas2rg)B;yQj50SM_5Rd;8!7;$RpCX##pcF?%$+>0>uZxF?AqJ4 
z5^5#+_fepOcw~x?5pdArey1Yq>y_L+Vktl)O%_lsHTnChl5_rR@`w%gNFCvJu_0qg zJ}Y80D0xdx8#0nmxUw(u?$7imcBs<`S=CPx5mx^G&}!3(C6h^p9cxOFV^jnavG?#; zT;6Ln;NN4b7;gP6{cjKrnFR;e_eA#Z{Q3x#?=(K4~jQU-x}1v%cm@Y_Q#c^*VQ$DaAHSWcdZ{4UA9SomX6-TS8y-Vnkr;j#~sI% z469w{W^H4gaH|C1M<=i+!ramnfJhA8At8d~NH;@B2}4K> zEg+3_4c)@f%`kK$Dcu7K2t$g%5K`(L@44r$dyhB%V$E92g7vQbe*4+a{_XvNR^UNZ z(=1B{idAs|(fwsrR6H$^2?;7os_+79tQ=*48k-Ff7k$AgV}0)i%~yJjbO{P{t_tRt zkS3;$JfqbGdAG`~N`t#Z@qcgbIoj{^-<#`3Aey1(u@93HZM6+4@<%lx+MbF0csML6 z`;DZ*%A$xjmXaIw3Es_La-`!rw<>j{?)h*vdMa2*Pde^*B>a9=vtZ(gfhwN?yq*sp~ZfM#FqNfY) z%{&j_UfEUEW6XFbwk#X6mEuPFOs}=77w|@%nygbgz+rZQOBEu(YiX(x9Pz>&M>dwj z+$6HRQ$FbU_KJV3*^FV z7#`LJ<>$@id8AvO?AlE;wDs%g9jXb|C4UdgyP%?idK4`CPr-$Ouow z8lrg?ZFG>Bjd?R$uNO2dN27>&NDpMce5h4=S;oIEJ;VwpD2}4H4?ju&JG>* zQ0*1GX&L1VIj1toCoExedBPgX3~4h#Te{xT@OR5z*X6Y@h!^8D?Z;>za9meCZ3TBq zj`hWs@;}AFO}(OVE8ABuFJ(>i72*?Fd<84Z-C1UgBH1-Z?STu;4fcm_d_I|HJ+FGB z^!X$Dp;pKJVh1JAk>dpNwI*oQqhJ!5@R?5kQNJpR-Ga{p8y@OY@ia|{Ay9t_Mdk-y zHfGOJvz>DeFUIR(3wQ|q;ypor5`Q8VhI}OTx8wD{92@47AQrY6VMB(nuStoP=5tu! zKCPaMy6}Ql?^z6~8QdA2G#3fxiKCQn93BlJuhg!J3p82zEf_Vz72mAGE3J-#aD9@T33sx za!J^dJ_S)n;6&wneRcM=7ez~1vo_mn?tiC`DvcMK4Ek~IvP@Yk#@$?nRk9mXqXU3s zmxhxA7tXY6_=vEKgFGepC~Cn=g2cZif|veEEeX&ZCn6 zpJ$<1h))k_0CBxr%g#BE&P$9Z!y@gq)QpX25j&f=xmyODWgBb+A-4j%bM^Ql%1)U@ylE{U!R zb@83TTIIA-?<^@!zH51L&2^MSRxZ{wuqlNTHW8}Zgs31wBvK1ilU$fcuedWht4)Q| zo7!!gsGeo5xy8F8#-g+Gp@z9WI!?paaHwDPd$k`7o7C(D0-}F&>Gb&SC+YusS$h>& zdWkp@%lvJ~Q)?o-OWpgsg|zT88Q`jl)9PZvXVIr=rtK)J0m_Yivd3Z1ZU7V11BvD? 
z-lI_}`C}1Mn(c}-Bt zV;*vdS4GsH3waRy6zisuRcl#NU?rW}{>gItVg*#6h{clowapkM;HaDIZR|G!VSgIQ zuSSP?(_@by#2UhA#hFS`#OMmy7Xmi}FD0;x8?3dNwz+;nuv$G!p}(@+;&*x77q(R2 zkteBUpO`l%^hG$Ba6dF4*bMjpK&pBVT_LUS+I|^%@hy=ML>+X$V+_U!4Xf9|m%5mr zN!ND)9G1Xvz-y#0fs{!-^+USZQnG5d>Mkl}Dz^bY8o|}8m)!WzC)XwV`K;wE9sb5+ zQN~p4KkjKrgko@py6Q?WrhIrz=|ODq4BOQOe2;0k703k7VO4G{j9B-v8W;AAt!aH4zS)WjW zm=d1BQBl+SGOL@hred%C6+Ff7{TIJDBsm+OQ-;lw-#C z+%FZR!sZW={mQ6#Cb1+pTDoJrvS%~g=u!tF2(#W3`D!(a$Y3PZ9A)6M<|^Mv&WKEK zuTyKxdX@09ezD@K3so+zOazbJQKus@&$J`7%!21T&l^U7C@4@;~RO!XHOq+IQX6=Q4RZJ*< zZpP8SDkc(3pz=ITgF$y0-5-0g1tZekODhXhTeJffJg$UYWWpMgvj-3}2GmFUPQS`6 zIol17io4v&YaZbO^S!f0UQcR%TQGa!l2&K6t#|FXQ?R=1|CMVhbhYO$uW0-jD_nD( zY$R1UCQq-ssG?u3ep;}PCGP>jtKPywTHa9q5r=z0et5~#2~<=ge8S$f-7fjbdlX=G zW4ncTcbUgshoq<8+6C;m+{7x=+ETtuX838znEpWNM{(XkPtN!!&cR!^B(!4#;s$hN z#A0aAyYK0kZSImZbJ4~OKCKXQFHfDv6q3x3`9PYM6D3)tjVd56isJbv7g zzzr(>PY|!9TmI4{JiG&w03&sVX?L5+Rc52#cuSD`evOa>1VE2KzYcvLwL%I)ts%BJ z8WuSM>$ zWDP|&LP~gu+d*mVoZSzDUlX5>r(c(!>UVqOrwQKMPa3JRlYaU$&e{2vSX#~Le7`vC zTM;d-b-myTyGi=lS2q&Znx>TzqWro^?2l_Kd^t^5jU9g87IPBtmy=T5^{-@bisXDzG(=JS;DMB^L z8l=XVfa4xHb!_>CF4$#VTu(N2vXYL^;1>&=O5?Ed>JS~ivZBu>SL*fNB3os*{IO>? z)1M1`L1+SoV>W{W(Nw6RmKZ(xXclKc#&|oqwl?+?JX=O5EM8!_ZYe4O?6q>38e^wq zT1o9__==mK&pWrefw#`ZcSx%w3D{)`;^TWuAt5f3x%+wzs9lZ6M0 zdevfD_YKEAVROA>m2RFUil#o~kVX#>)40y{jlpNfH<}M3W^11!0;P}9IjV1o8m`!A zm#UeJWfx)%4TsP*xtAsI0W-||d5aW(1!77K{V(1>DE>y0 z2-d>fZ#cprf16rqlvHkBZ5}1lfW&K@gxbq#dc2DbO#6j22ln{7bJQoiC4?o;WdzxT z7{<%B^YyUV<`WDL*SF#t)qkFDuS<)OXw^I;F{wWHEqvPev32BIwt2j_QDoP)dw`Z>E#dyc%tLMR|q*bk^y4mTt#EzdjGkx?R-@xT?`>dxcw_#q#4c86Z!*K`Q_!w;;aFK6`{ntC zO7WuyWsnGrTQIfY;Vbk{HCHc6unc5x?VJ{?=KJ2xuOg@kxrXsLGAR!DFi6lhGxraq zq8wICE5~wPc}3?PRUXlwDw-NHKo=H%Yx~j2IL$Yf?Z1>aLZb6D)2v?@Eg-;_!+W)! 
z)`?*@Y8L^-?V;(%*F&q!$Hcq$f3n|KTSe>^9PmCr%gE$V5zgPs_T5nvyIMoX5bHFk zx{=1b=#Uv#L6%oA-|!yQ;L5aGKF{TeFo$bV z4c-$G43AV3Cm+Oo*JR@_ttB={oYQbvC2EMM@^pX-rv zJf^|&=8|~N-Lg~-zK7m9>qr(M0w<&?AV}N&$6De_a|IuR0dWhc_!AAQ+fRRVg^!`v z%D$YUwZ>Y1m7(m+&$WLK(u`n_oqV{y+%hY2M@~f`<_&t?x>i^Cqk6Ji@Zrf zg~q?`rTt<4Imljxr`PTNW4H8lKe08~v`@rLaD7bU3yPmJ<_38ELvJzNpJf z=A_KJ{?Y+*u)28OLwI{9s+p13g-H=383BQ8xqFg%JbzECHhm!0{lBK#5ZDWOf%o;` zF;xI(M5m}PT`1gEafO@#d8rNhmzlUV)Cq^~^;r`TO-Xs#5>&EK%T}){&V^E?m`d#!s^oZmbdKI%5#QmWQgj&sNlP0&KQLVL2l!RiKiks- zX$NV>3BbjUrMA@={^+PJzNig5l3zqA-n#oENs3e$eM}D=Za)<;TU)GRvI$9q$XWQ` z`#k69%lB^>UJ;ypd?3A_4U#%i^IHkaP@MmYK56hix0iwObiT5l6A{xbPk@xZF$H#< zL#ODP`5gTWm&D2#p#%M@*V^jFQOJ%ja00iBjk?af!vn|K`<4KgEI#x$EWyL&9l#H# ze@BWFmMc1*)6tg$fo-0=U6%<;%daeR9?*^$M?2_F^%#JW9L*1o0t{j@Zwp^OfDSyd z*@fSW&! z^jY$a&e7+`v%e`mBV@l~QfI(+W`(N$WW zCO8pRvrP2|gk|tR`!mFoY~1qgkJtiNXJroO(!Rg55ehX1o*VbuOI8; zRW{Jyulz3L*i!VAU7i59LfkB+B8WFJoS8*f!M4Lz1D4zDbJ?w<9S)Kpp7V8?&d1BD}lmMO7zS-yFehPYY?Mt)5DynLrbt zJTl~4jJ8L;dTzPUP?@D&%M<1`0pJuReBeubfUXYIf9I$!d|=w=z!iP)^U=a7fM1GW ze3Tk)6MESxTczbnf96^D+=aG7Tre))eqK)llfJo^*T5Ek)3={FUETP<>H8kG8L}4@ zTWfXkjI(ZjDC=@oHHuk}H6ES4I3~2aN02jLsh8gkk#8154X3?vp?Y}ZI6kKLoFva6 z7wqBsiW$@Yo#ESMR~MxYP+HDLj4!HM4K!>VHO4Q%2)Tvb^F#C{i<*7He!f^MQ>>0) z2*-=~d0MrYsS)#1o^GI4Kb?O(d4!8FhImQ|7)^%Cr2)4ywKm!+Y!qB^H&F_5y%9<# z62TE0aaVuMSD9&}U0|=rL>CGmUU1aCHLaR^Ns66`?P#!Hgc${U>5wD| z@HH#(;QD>n+-fmChSnLCo)cc!F zO5OYg|LFm{;SRABW&r2)QDXy<5MafeWDSraP2gfa#G2(RZrDDM9}{Q@XtJ&*;dO3e z?X1g6pts?$lmpo9llrra8nM6dsKx&o9_`2$_FbMGfL#(7bm8aHjQPn;m_ItyBj0FD zTE33qw!tAuSt?H!WaWxnu-|tmf(pnPK$m58_74-pONtS3uLz0WlrJw9#}+&5&Bs2F zLGMi}#G+s^bsy!Wu=%W1=_)YG$LUSYBi0%Gc`Jj-MwN((kYs(lu%F zQjOF*YNw%L*1Z`R-YyfK^Qe-&(KCG!lRYRESEo{D(n{9$J23^@aGG7bx8`-IPX0D; z4n%ikG|a;}>2hUqtQ=?1NRACXc_K5FK5^gMA%lLb8xo_<-5Kunrf>x(6T@%v(HP)* z0(c1npE*ejYx#t#fK9h(D>UipNQk=^mA+1@;B*u+hv52(HWbbRQPB7z;)*v=ujyn| zqW33Qvx10(Ud?L~KXI_0!emhzH<|2i$+-!+sbfK-+}Py}67fvhKJE$oZ?|vLp@0CLF2YyWJBrXwn|DnSNtac%=Phm3WUUmQ1rIHguOl;}33-~lJJ 
zl~XA{if?>CZEr3K_F|BGm26sspc4k?df4m(laz*Ea!fAbxC<98Bos0u*aVYFmysW^H~jVBcfLocq;CEsJ$_G4GpMi@K#Cjh6kR(%=yJ5NldSkbl+qV-4cTh*=m932Nv*Ft(2b zJvcnj%54=@WR*6BJRJrHC>J;SIl$3sAITb+tVK+}R05rEGkJ))3adPwB)|>k?uU}R z36ZGq2|Y81jM&N5E$IH7`FVwa6kScG>F(I>NZzrxXTbxe7K*or*1A1xxvKvcVaWL4 zYUDq60sIGc2YXp~SebY~%)4az>nSIdH^ z$`N)0RSBKxL*Dab!f|r9DVCS$EhJknMn)Lsp@5fA_XstBB}U($Jc7}8jxnMX>7pao4ytzFz#&gaMP2IIrkAEJ9#_G7f`^9yB?`9$p z7>3UsauY@xU3AGLGf45!*YDu0ngDpZr|3+<~E7b_vj>z>SnP+EUsVg9LH z60{Ywdg6~WsVs$$qQ%Kv7R3FMW|~(T?XAY7c>2Tj*B7_;+52=to|+y41sB2AEbdc@;1)F&S^Yg z0Gq)(bl@}OD`2AJ5BNDfG6=(i5pFVUKI%gaIsGk->!@b)hyT?tG}smseJDa{-_b#& zHt9Q*mnQQFZ4ROYj&BaL(mSn;OAnuirsBf{xT2c%%rQozRH3s9(CXSbw!Sy=5+3sE zNS~Am-$l~rnE>XRd%%vk-~L4m8;G5!5L(xrybIZwnTMN)Xic}}J*GDk%9@MNbrJRC z44k*OvyJjx1Y@9%ik)o6KB3md`LvXD+m&}SiQn@Bq1r6E^+kcB2}0_kY_we|Hn|kK z&T&hLs)_j*c#>D#DF?tlb7~5#da>73PjK6aSPs-Wz7u+A;A2cT&*-zKF#!3qB9oxM zm?3|&;Y;(`;jjf*t1>Bw7@6{BpEseRidMBEUYeihqGYk)3{!*Du-dJ@8kMRT>npxb zymvb^U*l-a0l;_Sy>9!md^)T_|3KaK%{iZ)Lv=PDfXzj;IQK7MsQbkMN`9Ac@{pS! 
zWc)XETV+fV{T~`CDwsmhLB!whrGTFCV>xzE^IYpazsOfR_iUO2N_aIY#5bfeL!lmj zbrgFLeSvN+)d<`mQfI{xF%_V>^bp(Jd>e&XBEbnmZ#m`;dYe@n%sX}PW_eQ0@q0Uj zM)K2l2TJ&Mw^|&e{>(J_5*gJMQVC`fP7u2v{E5pvLm|_XznmYRaF$&s$gE+@g=g)8 zV&8LCo}HcjDxocQpB1Ya*nS*oh=!Fb_nt6he+*9ZPL4_9kxzjz## z#70SYsk2&sIY_cHfYj&ZmP;v2_ED<=j2yi%Ms%1jh<3MxK;bd8SS=Ukm%xU{$56$4 zEbSdQ^z&AzETCPh=*GUK`?*D7C#!uS!J2*^e+Y1LBlSNGl8~i2S)f z|5nqlR&0!|juMT*1eXh(u<=RxN-4{eXCCHnrzw0jZt>gmEYBM=8cU2l#Gt53%fEIB zF`~Ml3Uy-rpPl3XIi&I$Owo&?AT~?qB3bY`Jtj!bj^ zYE*jw6+oFO(g9V}5%`Zi_)=v6&Vrt`0hluNH~Gd`V`Gs$))7q-GJU0=*VJ+>H9t57 zM;lEyAMkYArCmRXf;=;fh6_a2et1IhD9LCHW6-R;ihZ5ZR&0j1S~Hn;>{vJ# znX~c0qc3l&Us+zVj3Uc_Y5t|CUUuT0NM#JXGn@yrzRh_gQs@%cAv%BH;If1Ckgie@q z6uMSwdodEh2K`i_kT+_tekfB+x}VM2DXJTv<+mqE8+#^)q?x-RX}*Yei_M*)q5q38 z?4i!S{WIV5+KRjvMcmaH(hn3Cf5{{ecG7qsa3pU~Dz&$2SB1vzOfLcNsdwcy5#LNF zP+r1|>R`x^3lpPet1~Ifrbf4woOQn^r$lht55}6_bbKUod(z|y1Rl*qx}cv%NBfTvZ)F|jWY-=Wt z_bNIH*RXbLx&h0}AF{g(3arY1zdS4D%Nu7Gj2tU@PNE@Xr(P7h>D9)n&XGb5`K?E5 z9rtwH`B_Yxs>o^?gHV2(JdfRlYD#nDo!W6r6$M3M=5@Sd{Ux6s&HGJC=8QJ1U~Ef z75!_=u#!*50vyUkqs#w~;hTZ**Ng8G{BbN-JMk0JP9+Q2m=ia0Y zaVeco#}}P~Y=K;(q*Yst-in|?rizKpvu0(iDhH!`5aQbU1$&oU$-&YiAtMpQ*he@M zs;K3RpU%dGb_^0h(!6^W=tkU&VH6hCQ}-JmW9X}Lr0~1$mFt+3vjy#|)~DP#fHi{+ zN|6_qn~8b4aU~z3x>w%=@2A;HePn)wLp515CCXJDK($esF0M56%t~MQ%~ZeXn*Xmv z-lGq}UkCO*S=ARBS+`3qDi&>8hN=jpt_(h32b=1wdmaKfIzO@07JMFTYy=&20n9;{*bj{nlGcuYrMZtKVtcF@_){6gWxkG zHfC$#MrU;|kUWr54qo=0>wm)nbw~PaSj6zWN}%khfX8tC^l@*vH8OdY8hSaOTuI`~ zeD)!@minLxvPj%Udh6c=Sx&d5w;}ai<=-vgbvL_(LmbH+g4yh+2&E;k5B9Y?kX975 z`S#|NvgEA>`%%$!W~tcj#A$Y;jZD!gy4HnUE0FogeZ9Hbjsd+V(assKpPqau)NEKI zHX`Oq;>;Y3^Gr)>1hZ@CP>uKbFbnEWajP{c-RdES3cKWZhK=C^dYZ# z#&1cvb%*P;8^iE_vOE0Cl-J!p^u_+?=<2N~Htfhn%R5~%Gh}?Pv7w5;98~gP=f^2N z`!&CacX-ok>PdjfF$fV=5OG7Ki^y|O<55)*)0nk?Syc>{QGr_PY`ShwNVyABO~Vn% z{7yBfFK;8@wPR`LOU*0c5AcTT3_|N%8)svHeAf0|aov5$_f9CTra5-Uw#_5H+>j>& zwQAAiyu9UrEwOGd=#V zB)P8`OrysE$dM~K|I{gZ?tw3moRt3E{;7@BtEqZZ1PZLk9RC6|_S)%a&vl<3?xffF zDqU4}wKo@o%j_2mjVM0fH;%gGimQU@D?C(M 
zc#)6Kwl6w{nbQ@G?I<2CNK`M&rBo;87;o}^0hOY{rF@U3ekoKCX(#y($8Caqu0(vU zcfvjLfLl>dQ06c0x6WDc)sknLm|Nh~v7 z^xo=daG?3PZ`^1q_}JF5N}N5vVZO&!LSKABS<>-Dx(?#;JFd^kk*$&b*k>bBN zFCe!I^72zygG&q8i7yxqRGYku5}ipj;+&jvgNj1-cpkG9UBA&z0YhlA`d5rw+F%h4 zB#LK^jp*9z!Cv%=)6fi@x+c`h$LBg#4lZa>yC^8=B3#p z`dGym?S~*PStw&ub+w$7S}nZi#M?}Cym*9Y(eJ?JwbO|cNg|-7!xq!Fl&Lg_eF+0_7Va1%mhlIJLY@SWd2>>i#l)8 zx7o99;xSMOoWk-kK|o$YTL%r>`7r;=Z+nCoe=~8gVN3eV`OggKw~a71uYt9 zBZjRP0|~k;P0l>QBvD4Kjck(RYGy93S8k+HNUk z(_4#_@7LnM3txnYSL-}r6|WjE3{cZDiAA^cv2HW1@6YV2X$QSi`lz1g0B}c~Y#HNT zebiGVsz1Ox@$WZ=98|({5pv2lH=d^Y-S7&tMz|@&+#i*Ncv?I;tL9we`ff6YmAwwS zXimpE?BJEF6zgVN1v9N^ssT`rWmwCL50;L%unSPl4;4_m@uX?^Rg`#_7=BBpu66-f zNcVdRUSTl&ng17tFDOB!E)4)FOo9R^eeT@!}5paW_}#pqvara?knndrH?6Xh6;rO zNagm}ht&5%V+7SbB8`}&Sth;~54+#!B!Zus7I|Cy9lg$$fgB86nmpcBugHNWfO<>p zKh|!{hgpjjjBaEnr`jD}GHoJ=Cp)-obf^57kD88V)3)0wEM|QcHhjW;Shvt#N|=F~ zC8{8;AOF-Dzz{5f+~qeN+m22@joK`BK+=66p|4IQLQWTDYTh+NJHX3Q*!x$JmxKz>}hEWF;Ev3t9PUn&dKjl9psz5<-P9tkl&X{4P#WWmiAamH;d&ZlCnzR+bcp@;bESN%we#<}CSnPsB|Rk1qG_KVxZ9tU^Y|R)}T0M)9i7XaT>9B`rQ<1xB75h|W?TnSH;u)TjInff zk?!5O&~h&JhcHwTss4rcihf4G>?CK+$8hN)Z#oBS6yO8%5S#qQO)#TL-lJl9&-eT|{wLOaA zFYNh&?*=YopFh8BE_VO_az>2Um=>}RaTlY44{{aAsVERn++2nBN*nViUurD3;f77m zM0pp&bygTpOu0exjpbztkmY)I-868VTwC+mwLgYvMR6D7jeH-|B}IzOmyN$k*mlli z2jC`|$R4F*~OOCN)4EkQlxD8>Ik9nzui zU3-cQh#SHT-155j50@+*_uczQDhS?P9}&R<%75VLLqI--$Z_W+9jog_d}RQ4bv`r| z;n8}O7BW1|-&C@neRfe~nq?U42!901TUcppE*QAZyf}6#IC?ebJsx!>!m{UJ1(lE0 z+J9rKaW=;xC3ysn_FLSxNtpe8?rMDriJNv6t85N>HsurU8pE*pNBCfw?KJ-6v71?Q z&|gt~V|AQG^C(15OIAzvA`$Nz=;q$vq zG9$p;LBtn?3#gag=KD$$XTTIvDDJ_W;8`G!g-Vcnj!f#O4gjC%-Y+M0 z(voh*UT1Idep3shGjMV|^3;4xS*%aE`cVU6_LB`*04GQE8LD-BV}x`aMjWnh;Hmve zEx3DX<~gHeUdmqp#65qtdEivEHHpQG0YqR+#PRS{t=7=l{r6jMTW2nG*=S2dz-t_eZgE|wcWqXZcl86a z6{MZ-uLhXy7CH;=4ANLYEpJJBu5)_mNHM!VPSTsENHZ+GvmBxtV#sB`kFWDb=gql7 z9nW#5REh^E5><}d70vFEY1LW)2SK^bUcpgTMzoC&LKevB4g1~h$=JntI7gPTUV1gB zF>7#-Bh64L3KJYVM$}Phslr{8&5nDw!k7EB?-I%pk+VX}&%BT+C~yJeR*1ju7-uOj 
zP6C1)ces$``7o=~!#N_|IAy(jd+@4e;7DrvcK`^Gw>`6GnuyVWlzu-gsc@;mYiZ4Q|b!=|Aail4}lh$>E$YZvc0p9Kyq7+IQ6 z*^fF{ez*-|zUvi`n|!!IH`M;K>zK*n;$Uf>VjZ0>5mom52z(K+k`?=H=wz|R@6kT9 z-0jLqF#g*6O%}hCFy@CAS08B>yb4aodnmhqU(_u@?p|Cq*9FQt#~f48(pdPuXuX~K z?OfwCL}BcSD|b4o6`88l?dP~P3v7u3<$H{MY!NO0jhTYR>x{B;j-k=8ILkJQ+I@cP z2mXPt^17HUcnTr#{+egMiDZdbpmihk1X5PeJ+u0FZ9Svs4&}CI6*cU{_-;UIU50b* zEKUUPRy?v(epWTo{lBuLX!_JfIvr4UUdHTnBzsG3=}Y{v&8lbd3z+d-v5gf%J&asY z2N$~pZ5K0>aOQdHI{WCYeP4V0!|hi3X@(S7Z``Ll0?Q~>p_bcllJuauQ}+FyA~W^l zpI5_Cfj_@UbLq@)s$DdBq-CKywj11iU{FWs(|!i7NOAHp zXZYcCn;&~tV6oVm6Y z9m6rAyj5vKCu3fX7CV~?EUhA?O06*lqEdyKHhaV{AY4l}mFVYT-@zQgg^G zwGh3kY@=AgK}zgkS!aBS4pb}hG)Z=K1?UZD#>^8`lYg~@BjSVgzCLDq48Ae1f6WB zYE|xzPwpvSJ^wvmKk)0g=TyAE;1XUIH7xhTy#^+CvDl*iJ{TS@=Z;HFiT#D(54dw+ z4+>hdej%Mz?c71}8@bfYA#>a|mB;%5B#lE9)2o+{oHfjBROk2aW z^xn_&1t`D#yTE%C&t{S$sfGk~;91T(vHcxdKx?Be0uUMZja3+cxact_JbEOmy;r^ob!CsKb-TXq8gZ*i!d~h9jJ$_ zEdC_bCbVm_ar`~~54Vohr8f27{2(A^N5HM`{9xMssiyk@>kgC9s817cOlBfOPsG3b z_+EcAkp6h-J)=bb`ZF?y&G2B#ng#=e785G)s4k4(CA@%IqTeR4!`qTUvt!QDCH&Ec zT8^g2KhsVdrFhe(@+YJ|CR@sO`N@{02 zZFX{2#}-`l)%w$Fcv0=-&l?ie&net1f?vPstidlPeY$v@SL}iPl!0=4A!Nix<_pdH zGRUp7f)*%VC6F=@BMJQrZS403c3{8{37Jq)K=5G!{{1xwt~I1 zL2-e<-t$!E_vz8$o8q*%t>-7 zsZTT(RL3Nl4Qh4Iq^c354|Y>~>#Z|0=c%W07quLNzJ6Rj&2Q6qyqWX-=PHlJucz>e zxARq65{^s?NPJ`)@BIM903NO{|-VKy-%AvX&sj12w-_@TsL&p|Nggq=k1-p z*B+!E2Ml_zk{dObfw0cxzExq5+iT6)^@CoTU6D71}uodAKGr)B0JABf)`@E<2PqnZ8XxnZ+Xe!Sgx1J(sR*kbPwrbp8MRGC} zqi34CDSik^H*kpgSQEk3~IeQb?d(`Cj~8kt9P>9O%Kcs%}JDXvoUU7qw!#f5|e?|tV_;yR10SE05EW7q6_M52CKf8Z+ zZT>obSCIXx?-3V~?)69C?&+^)wnoPtUoPHm+6nxbJD+Kg2m)Kr?PzRro+jwXc##Ln z-fbqT=G^H~wn_36j9;uaHYtcVDTyx%dACXbAb8Ut#c01 z&UP1iM)Q`9F(>n?g-u-k`qKz!u9xB6Xt^sq=^4A65N}{eV<@)eNZZxw`r8$9R$V2+ zPV?-8qZ+E>ce*jAN`*0$FM3^*+=u9X5+?@C7gxUZNIiac{BE|#E(&oKN;8C642#=( z4*x({cK#^}P7%d*9c!pYW)g6W)s9*Bqa=BFY9BGqe+$lyuU!UB27#6ZzPgYukahq0 zg^53uz{-I*sQT;J)-K%fL6{Fxfo zt1S?sjEe$?Nd?~D1PbQTg@{56c%yK-D+>j5XR$hVKbH5|2c8$gCn9kEQ&2Y!aoF(4R>faJlc0ajdL1egp 
zfBmKMjrqGABleR*pKyUy<*Sx&_jB*?dtAfM0^HhL2{sy{cJr5Hr1p!Mf2sO@E@u9+ zG7Vb4L7a#@KNHz+I)VxKsreo`S+0UR_6T2}O+coq1kgA+!VuDLsv`blE(CDmv95|BEpc=^G5+&;`Ulv)S19TJ28wQg+zot%pv>Zk^-M^Bz%viKJdu;9Vodq4XMxX^>GuuO@rPYy zi=$ZnR>54q_1n+8$1SSH8Zc z0hMFUDtNIzkpOwSk!;BR&w}%k6NW#3T!(JZ95?U2UQ7lLm$)wXosHors;W|9@iaji zFr|{y)fK0l$)CWJtf_!!GP^5N3Dj==(>UT0WS@Gf$S`|OX)*uyyA<}ii{~;|tYi;* zElZP^BdKE%bwnN1I0$-;Yg}X;6}tLk-kK%WdJ_; zUH?6h^4e3NPq-pIwtBy9{tub={U(Wt&zC&FCu!~Ha(G+UV*JYMkG#U#C7;GIH_ij+rcvUjTXkbVKC zslQARHKE1-JK$krQ(4_Qh33=TNh+LJI0fm(WIRm`>4zTa(2#XTsnb#kwSXmT8Z0u& zjo|c~j`eHJ*0a1EmE;yErsOXEHo$yu9U*rFU-08i5A?iU|8=w;sUq`j6Hv#zLxU}o z;6V1?q*RRR@I?9Gb!e#-ZbV?--OP*D8D`rU-etwcX6;RG_3 zcRsVXRoRrGj$UWB6L2Ep>0-3<+dHzO8WF7KJJQeRTUD7^^(bsqbSW=>rKeElp_aNP z$!S;ZRl-Zd&Q-^5BDF({RAx>rz#I7FcxU3j56g&@9+K{-`)^FWby(By|2-}UGCBpM z5h*DF=@=m(AR#CnA|fK)wU9e4D6V{_VYl9W+n)1uwthAI(#r}KaL9T4I>2;sF{k{` zg<;Aj_k^D~Y@#4hv&(O06vMh&gl7g~VVtAq8n`+EXC841D zfExOQ4fK~=aFduEAN*_h?huR)hQnfmLGo~qypAJcF+BM76QoHz!soP524!rjT8=Kf zse7R}3`_o9X3_`1CqVN$6b+^Mw|?ZM-UGWV7>9+r-`>t={XQ@P1l%<1d z9dX2ZXh7&2o z{yAYbKn>eFNLQu3wAR*Kk~eOQkf@i+t$X3h17x}VxD#}@dHniE(HgpH_&fq`tTspuu7qedy}icc6*s2Jxxje&VJ1Y{*n`N?0ml)HJ!{PIg;4!(_SMo{ zKm3%Wi56N8Gyu1VTDN{Z#kb%h-AzD|J;Ff!m=E6g4AJwMWhV-FlH{?p$AO;}TzGB( zVLLQeQWXz=bI6*xEmxu^1XRV%0&q8p(87zq{^7vVJWD>DrYsuJ^=!HL=9zOX_ts?s z{_~5PMBS=~&(A`c6oJ@vU_BZTl{55zrkQA0t&?9i>Dr}#QcCT$HQBdiJLW5Cabr=+ z&vOE|z&w?Y%&ivsf4B7kZzq6}=~STW9`ZHzRgB>C3Yz!WDkLVJ!SU=1CcE%JdsPm4 zmV;^Auv~vmNDo#%E1-_7L-dy@hI~E*MD0f%qnIDKhcEQXxq1_tgQZH%v$kq?KeLql ztY(OuQZEG!G#cP%)v`5B>7|lMu>UO#Q=Zm$W&DPAj-{DRJ0P6B`td9dQ&(ohwL7oj zSyCXJ`00$#cJLmMqJOwDb-e1YMUetm_40Wof?b)!LQ0Vl?J$zBKX{sl|hnsCYshY&cM_p4?+r?`2 z(7pUbSOgA>=)IeeWn+eY{K9ecYu|k!a_C3Rm%jLQw9)$GOPS8&_=l_VPKT_ED-U)Y z@BfeViLdz6j^6}3RHZpyvHz>$Uo@P zj`2R6cdnug_*MB~r2#Z3*z_vVDtp87u5K0pJ9qXJppr!%Yt1U(xO}aG#g4aLT#a5! 
zK{k@KBG(gv%2+(OG7YLi4=L&U_tI*GXD@E>tp+1+mRH=}5@WwYj_KyrHhY|?8^^hy%bkB82|Y(VxDbT7%5Xm%GusnEYjX7>i7I1 z;Y>d2z^u7Pal(-nRs$L5Enh7>AZy;Mq2!`36XBNHV0CaH2c;Z}h91Y*jDLDq-l6x^ zW;&&walLxQ9y|CIW_PA@{;IFPaGizhSQ+fqzVKcPD>8Gso;xQLm`t(k?;bd0S#lX$ zfI?dQ?_~F0&t8;uS*msD!->jWZ{x=~{|Z6aXmR6?_u?%Ye&!E6^xw8+UFm`rgS=xh8#6KWr~ija=23p(Ixkr9pY-ozWaHOkMrpm z^*utL?eVsodL_6mS>&RR5A(@I*#bK2C|zrkS4rRfKF9xjZkT_GkXi7imgVlsvE`A> zS6Jc=en>OEXk+yo-ENnczPrV9idOs}o;&MWo~4IVof&VRmYN@w@V2L~-QM77XSS3xSaSh3*#^iEOmVbSPih;$J<@~j=loJiiH}Ec7_n@_}J4vOjc1COE4NbuvTkv^nYE99H7EUUT3<{oSoCQ?(Z3ivtmPqkeWG?8$hbCen~7LS zI6}Q?6wWWeJSK$ju-!-RTzO8(i7WGacDQR{DY}jMO(h!L;&F#DFxKdZJ+^?Qip}Or z@F6?LX$E{sAxbO&vIwZ+h}VB^XmHrxCIO1H;kOZM$1E_xk+9C%iE5w9QmL<1Q#rij zn7ioHm05fD4343W+wp_f>6<%Xr>fchK@Zoh{$unp+SW@Oo9%zyrJJC1F`E&D9=b`1^NPd}T}qI};-KEN~=&ef91V_v;6%|8IPOBZ^k4xxk&X;*hfG zN90{cr^ihL*?W8GeOg5_29hJQYck!(neoR(&9ry3XRND=e#00AxtTKO@6yH8Vx3yU+oB)%NRs_`BiPrpwV%1 ze+C+0U`^nvI!A@~RW1|b4dmupynziYvBTmDA9*<&I7>|zJn>fossbSU~(tIsN@BdF4#^HpzDcMRq7zF z*`#B4+#UK@?SL{FJC9-gji(*4(Ue59Ac$N0OUU(3DG9d71fFVYMY~K39op*?yIc3z zOkKj|2lucpGj|oUcCE6LK-9MnkNu-`*PV~wb4fpXwoHRIf$r$q(k)}RWZ+0I?A#f^ z^cuTcwJ5aWPvJXUs2?vA4n6dSF+mPdP|-V{vsp%IQ!7Xy#&7XOz~Fb7#KjQt->^K` z^<-%=Qb7J$C5)ep~fGRO2@k944Ep9cDQo)5Wf0{)3NR=l5hrofvlp6Q$ zb7EA467(Zo!f|k>P8up8_GsfG&%cXbaZ}J>nnr}9stf;;%~zSAJ4`)|u2+eK%=^m? 
zLLlIs8=W+zEn`>9O==aWc+)g%C03>D6bj+DsqTc_LhiLWuSF0jKG;L9p{Iay@863t zUE-U!E{PppyH|cATy3L!c{R91NpDSo59G{JfihM7TzQ0eIIKPvWr1c-SaE zxm%tu;yB+rr{{Kcav>+{?ht3Ocu!Fh!iswY#S9-U z;4v>o3kBJ^z2|$k$%{m5M4Du#X>k;cW*KN?U`Qd%7I|QIH!T&_cGmqS{Pm1i`oF% z4=anHQSUs-ldJnkUC}F>fIb*b1C2tsx_K`gEME-5s~ibSSUvNLa2Bi??6=GYx`%WxC{K5>v(oV`WBk`tes`r^lYLd+r+K zyxf-ZGTuy)2X860{qLXmp`PcjeYvRi0Ax@%TA3Rh662e%X;pn=fmNG2g?U8x-3(uI`jgj>tLy!&%N=Dno_gqC@5}4^7#9)j1cTNt~9Y71(k#3 ztvH5!K|pR+kqLoyOd067PUhz3yM*XD$#n}a>|WQc1dA$&%WKH{RKvmGR zB+MK>%DZw~Bgbh}C=2gOg|Q=9kI+0;v!gr8Nn4$FdWDoVT%Rm?OVcFeNb0-0qKJx8IJZOE^%x3>D|BGXy1aW1~~9>GyhI}E;V z*KCIG_$M|WX0KICw`)PfAp?)9`f%HUiP#Q)W%1iKR_^2CxCP`z&&Qe2)UH=N$dT1pMQ?J<|HgmeR-V%10}$aeVpbU~Q?xveE79xr6Rm%;h{X z9yQH-yw-lFi5ZLc*mx^T^9YJOaUYO@lkbQH4#0juWxCEB#1hdzWpr2xTS93n<8h)G z3>?Uj$AtTM?TKCb=eZt@aeu!U;de41LmdT=7itHhMke%j+>glDm_lrBcTM}-rUqfF zESylZ;`P5oDr(5zupaIxEbwCVzD?{d<|elP2}}HId-B(+eKs}spRy1HGgVLQcf3ms zwXU)2OL$iWFkv7PEPTvZVfK63K34m#=IE}|+wVdSu?!yUu#)QJ-0H4tLk;gZ`Xll( zuSQ@li^4YS;e=Dg>DFl!|74EnTHO!X#nsNYf-5z=CX=+DB<^OKeVzU%(|gR%2CKN& z?tFds>CY{$Cvl(@22Q4EUDE-#A&mqBBaQ;ztb5No&bK`(_D|VFW!R6NO;Z%=t$ctd zfQ993k@B37=&@>0ufAL{v^JMWZy48dRgdvfTz>U#eypgb18=avi!~R>JBGu zBuSq7+3sXRyhoivF=t?|4X&?F@nWXusF#!ywbg!hzFS_kZSCW7GL>$dI$rD;s~v(m zY>SFOHD9m&_^$s-(=_uw2p7kG(>(I%`g~1SRNt+m1vDI{fq5`ph1B&71fNGu2>iOD zJTZN{ajVL)h?AeaMcn)6*b_xu1!m&*{iOvaYaG0iYnD%G}nd33mtIB@+vNuVSG<$>LKiSd)C} zT-BMjU*2%WeSJ7*K3&lDR=Gau#I5Vr@4(z@Wne#=u2)~-AZ5St=FnnY*QokDZ6Y%XKq#6C>G(x#@lyvhXw|K0aBiJVmg3%48jZy0JoKWna!v)84N@pP*u_BFTUPs(fPn@ed5|&$vrTA{+C8opX(_8Oaoy#G*(-V-xfkva&_mIvibj$4} zW%V3L_r#j$I0v;r8j2=as;ju1yp_JIK*J!{f^F$51vgwAB$lo%shu_cGeK?yLs56t zvJLCMcHDVQ_ZGGSTYmg}aetKkTfMoP`KFxKNq@Hc_7(I)Mr_+b-tez;_Y0*TN>t0G z0@8JP;bk&=GQ02AbtB#?d#5-uBFC<7CqYWHrpo(AJ$jiAe~20Dr6YCosm1te-a zF`9e%TThm!n4BsNxg?L>z(rs@-n8)FPxn1~R0>O~*0PBWO+4D{>zAxZ=F0IrPU3-Q z4vcY!D$kq_!7H3+tc7#TK9w!=cTFwJA~=P+spZR_$WpV#V=0Y!-tfpf4yMdh_#C)+ zYLBwQ=Q8?U?F1Gd5l%l)txIlH{Yc?6Jy@8<)bO93s2;h~a@zA>R8CLP5741HZ_62! 
zbtB+kJ06E`B1p*}0>q2G6IYo_Pn;9PBU1X}zpCFZCT`He;DL;NZ`VY~s^E_mZSzv) zkc6>gTXWCbNbX95R%ZABrKcsIYMP^;r*cb2q&e4BZcv%`qxEZV=ZJ|I|I|b_^i*j|MAG_#Zn-ToPU3NP`xtmm;Gx*z9bq| z1MmMt%Oq`7t*me`X&gJ7?2ilv3OQ#GS?D%cJT>;}>=T1rY^?;}$+F(0#Uf4SV%CaGKp zZGR#aFNxz~=@KUTUkLB7@f{&YJRTfyef`ESuTNx}V9 za!~;``%Cuj3&UGklyz^7fMHe&$CWSgt#;;Cu99$1mfV96TO1n+Rs$#H$K4T1wnj9n zV}W=T-9x_Y=R4Y@V`>-fs{5^;iz_eOtnENusKv$V&20*FcJ1_i5gja5wDkUa#OkYkYN@fb-J-1~| zPH*Nn)9)jt_Gbhsbk`}mrZpFFLqVoj@?f&6{kDR#X~B<`zO38w1^7pbPcqTZ<Ut;J;U<}563)khTQxCn9kTXo42An2rz78;yw$@GQTHKmD)_8TLn z*AxFfjSWt1jOUc8RAtxAWPs_xjvLSQ7Nc^qpY?p-4mz_h`fd~CCSPFnn=PL@^L~5P zqrHH;tCms%J+i)}_hhH<#a!cHg}&W6yHQ5LJ?8V2X*n0CZYls<g;f9S5n9!<A`!(2sP;uM|wAyI{F6{vo2$Cu<5`z0o(x5qIr|%x>ZqznII;!j++@gGWa1pf(bZJ)bp_^aG= zxAWG2(yZWe`)z0zyB9jRZ8m3P(_*(Lv97Qo~!D1vD3K*1-Ul`xRiXY(`> z!0EH(^Zt-rzx3kleD{AmPo8+Iarsmd`LpV( zjz$mkGw*hz2vx@zQaxu^qp}?MXNXF3tkROwwYhY-FvTX3f(Fd=Lh9U*7tP25^&PN+ z%WTKMd$n2aCAd*O8wA~<%^99&uKZ!9n*nIADvPGu`qK^7yvMPton^G+#2B;A?(v)8 zhLuIjqNO&hP2xua&w0o5%f+sl4jy}I>!=GYt<>YgV6@I7AJYQ+`c%VmM4M`cFBqhE1t2oJ6a|Hvgr#+XXlQ))U+U^xq%L2M0NsTMTIQ zY1#ezSv-K7j6s|tu6?(Mz9puQ(w>;~D{_~dRH0sHu0tjG-2Ri{K78;rw@dVMbZPv0 zO!pe*Gb(Lb2o<-vPWx*yF65@*&4;=F1j(oa|BwVGdOU=|73;h@ertcZ+!Ve$#z;VyS-doPEo zzp!xCn^>-r+alJ~7~2!i3Cw96mop*Bb{Vhn5WlW{_Y3UZP$a!B^oJMT{Z@Ij=1j2A zjAl9KT==OFXa82;#CLuf8mkEi2ewk2rF4kgS&<6o56WnH92RA&U_y^s7A)tkINs%D zbah>*oKtzWWTq;s_T;(sUV#ocq-2+TzQQB^#v+hA#qwijve(N7$j{W7^Dq+KvauG% z?7kwaP`@@y*2G{?MFqf5MEAy+yt_ulb*|RIJTp~v%usYb-%V6iR+PG#gjGGC_L)s! 
z&|wS8`KfBJQ-=TEuQoTnR||$O>6;dVEQgJb+3eozOBdpSLkw{#Z4Flr7m=phABNHq z^6uI#X&7I(e8IxrqOJqPGA9Z&H1$D!_P(b zl=wB!j25wl@^Z3P8s^wy6;;h>+ZY7P-yITCUW;w&yi+ADD9~YCwRdl9tg%{k=Ia5P8h^Os?=}pZBhT7MQ;DSol1=SigqK?0?DNc%eQ)!l z)Ue8z`b;UD8=)SFaWLdD-*@=JKWR6MC#8d*5An6!)7X<(g>aTtGz_GCMGEfw73Bqv;DM>%>7+FSgaB})DJHa=!NyD?%0Nv~-)I!gRiZvW0P}S`r&5kw7 z^_RBuTH%(#QU($+(x)8Yvm}W>_WecQogI9Ufpz*9s-HMRUdxxq4pvjYGT*|gr;S51 z+?U_QbA6-_FC{b1LuI>b)8sYUcZVNqi>P9BYumM|5hPrPFAdX%Ch#7FjvrN|C|M-$9=XKfcglF$nEZ>ILiENl}~Fx}H}Y*vQC&IHDwkdxcR{3j1Rl5cB2Duax`CMo+$; zR=*jHR%H3sod@zVs%`t0ed41W>Orch#IBP=mE>->V;0exdL18}j5dzaO*|#$Cfg8p zH~XoX6QQ^!4L#pXAAp@zI3~PS-m5Jcd%hGE@{uh0vg1wQD~FPY9w7l`p}R>J4_)`> z8=PZk3~f&EU!Rd9@+RlxqBL;p!50*@14YW_#>1e?tsQ?lBmEp%ZD%oaquoSD`41=^ zM+C-DjvPK-dp_hZ_3^eBZx!r%uAUTd3O9dX^q7R#SZXXCr znf_JG&T^}bF^KRTY=z3>h=Z2>~Q(nymGME;}ero1bpO>ib4;U$ZTRz>7vSavCF04gx zEXo7vk9(v&W4$<-ETIOEKnjzb8$|QuxbIVlCkz_PBW+Dyf~2{L#;_mYOH?(&9?5=H z5n7U}r{x+ahc{>o8stA|U|g)Ypr^&Rr@ym^BkWVu-_NVue60|FX>VWla{eex7=fC! zI+pKsm9^=o;tG%=@#GvWM%xU&;6CSi^jiglT2RmuvF9wXysT{eSYc8^-o47*HK^Pj zuMS+jW98a(rx@Ng-a4?M>z91Mf#6W|&Qnyiajs4Dh=~yBB@tE%`qpnYWyn8sKOd9!x!=d#Vlsb)bA1zsV7|(y5)oOAbj}KLSSobTaX9)3(-5~_$_#e!RkXsnj)c+ol zC5Ts2wE)+AVI*H``w;<$%P>N%9g3?@N83_J%Y|H5>>CnRXjc7_9NN-Z$-9-}^ccD1 z|D}OUSZ|Cl}ApB+A)q9_;Pk4fO&h(HymWUZ1$%tp=U%y3(xXQFD^G ze(+2$Wh&_uScQk0KU14-BYGHl&U2U7HV{NEqJ(ZL$#vZTjt75W$Wg0QTFy zsDS*3u<|ONq1dZUjJ9-dX(6!sY)`yuvxTB_83X>#C4e?92kr4OSp~c{zcsI~tQ{Pr z+_ilY_rUG!%}DUpL(Ydwt-b~c^onIdZv$G`vY!GP& zeSn{SrbOSe^+uwUkQxxfmDlE?Pcik8&#-EE=1z@g&Z8$@m_r%Xrop(H|BNDql@zr) z7aL53{PLj2fuGbSM99C7`DF2h;YDgnN5x7gXT_JMSufpKJ7dQI-tsS2%Xwj!cT{0 zA>k;5ymR`NT~6n8i+OmHOXhj3{uwtsC)>r_tz8(lCZ`1faLjJ_y-!%t+@R_({_+{A zinbEAoKEUaIB#NhdP{Bo24yXIB-;AcF!Q*1#gw){fpH{!-DK;H()wI|>`l}iNGJP~ zihuvv^x00P7f0w37R-9;HLBDr$xyzUZX4JV!j&U6v!0kZ6yE*A&NbSI7Qh-S+Grd(#0FyZolrN-owRJCP_n<m%C)}33Nt;UWCShRY_MN%-Bh$9NLkqXs9?4sC}1QRQ6T{&)ih-x zccOvM!aiO~gk5nX$}-&mc>821mY!=MWV`s;yaq}B@83BDWb7DY;amU79M6nkjM=4Y 
z`*GwNzuv3q5VDnRhLiJhp{m}s*4T!`pc;KtUbg%>vAtb<{pGUKFniL{<{GJ+qsfu* zeslPWKRoV{Gi#>}_14WZ)#>Gu;MA+mx{7fBMbFY&)L2_>;|N1x;qFCJ_aD5==F{zO zh2;2+QdrQuFsLS3z2!gSQvI!q2iqTb&WRE0jdDNO-VH?!6=rmvTy@Vkbfu)4sULBe z>+OkIkyY>xH9or=e0?sbT0PfPj3L}j%_ZNVZvYarjlDtQbgHY@Sfl*CvZY;Lm5u8oI>#RHPJZ#cE1qxnqbFXi z(#!rBSms!vG)Y20CYs=((HjXQ6kYuB#VsU4#=%H>dYygVpG*7Ev0j|JY4-LSSTF5U z(=y2UWUPmpSHSuBAZjz%Y%fw3l}T_0wiz343Wg_ys+lN5U^QC`sGPcyrF)@XTa$Pi zkK4KP>X8J`p4Jp?1f^|M0B_)7-aM|pqGNcbG%skJLEwx1gNvZ@Uro}^p7d{i0tIk* z?xI?%4Kn0?55IN7gJT6NUh;7H+k?3#} zpU9z-^N%l0&N3ZyGpiru+hUNSrHk=>AMJOpP^A`g%ACy3DNB5MSt;-SDZWLnsU!lW zKl_~YBm&JY?9YZRR4N74io@u(!D>tEH;mg};qeQuUFx;X7wYZSNZe8GG&K7O62P}0 zkc;^p7v&BnOx|$laHN*UsD#yg6sFPSUJSKGp&^cWQb|q4VcW$EjIWfvj>@ zKb9Bl-I5(%z7gX(_10u$SJD_U6@1P{(04CFN*Mb(Z?4TTF`q5_LMB+Y;`M1b*CIN& zKS}PcF@+$K>>oh&>5Ulv4uNqqnu$g83t44$oQ=N`1R=9t(JTT*g=h#16b)_iyuWN`RLhz< zJjUXa>5!&P1zZDI%6y|f*vkCdy3GlLZkaE5dYbRE*0LVx@7!J@B`0~U;LoB|s`n>< z){W?)R1IVLJdFS18S2|?C?t2k!m(;Xv357Ik+Jr*`@z8<_1ig12a)}7^lrc*Vd~)? zBw)Lal%Ah2QRnMA?-DK>@FxK$gf}1Fi@I3*xaA~B+UpZ`xD>%e73v{|v-Q#%xTHt; z8TJJ(;y-z;4&{ zX?(r&Cp|UgA(19f8lv8*iVsXawy*};lXIV`1dm^4bUxanlrZ!3hxW2BHT?jEB~$B& zPDLxVZ@Rh**ZZRun~Vg1B|hesq)(x_JBkVvVd0Iw7jLsB9qU0K&i^3Zrin{Yw7)L4 zM@@=#u_x8+FJVCdxp=@h7CcHZwC0o7#h3W`&DSoYfQI&`@VB1}qTnKBIYT&5oJ^^a z#yTb_JBKqG+mQZNaB=OFxQ8Mzz$)`3?u5arSHXX`H2{7f%Qm zGsMII@M{{3J(h;?wf9V2Ssci05hcu(ZvD~8@(gu#LU`K#jE?hc%INQT|G3Y{o2R z*`p|4Imgo8iblEFN^25lPFB7lu`Vk{bf^cRB4_?@nG`NjoZ@OrR74pM z#88H4HSnePR*B``9&Zto30hDylfEqhdi%xI2Fm;EQM-n$;&&oAb48@0gKS~NAHK#B z{$raJZxROW3$g-UI8v zVp3lvHr^7&eX%`>D9^}5f7)m!4M=J3%xMwTpT{6A>e`}2a`4~Ck0P;0%q+L5gsPbP zp{XNPlrsX^(uIbFqY@2ci1@}bH9Dh|AJdDnTOd#jD`QCQfMdlfGh(Pj&Q zSAaMVQsWO1JBH}`?4UfKHSGaCqmR*~#LuOJS3~ge-P6Et*VBzay1G^Zs%2ufltl6z z5{`GH-x_;aN7boTn-n3nL^yKMGgOM*$J*|bAuWXT2`K~7R_;Nlo$~%zn3TVcw@+_$ z{h=U`Og~p4cxgg~-DBZPYGDg^b!SEDdtZ!&-_moz&PT(7b|m?58r@a5`bY(B83@P9MpV3(4=S>~pk?1HL)Iz#0J zkA|D26`W{9dwwKX1P+=zzLa%(qI@XHV2ooYrBMHHj+EQ_WH-3emFX-h9_ffxr&coj 
z$j%m|q8!yHsYy6_wMoKWXloO&Di;Q7{IX2~JInT;Q&U_U?|N%00xP9;UMfX6RfRXi zO*G-K(gaFd;9tQp+g#jc`)vjRkrP17M4vTr_ee%{49GBsMnGf!)adpoy2Aga^_%9o z)<7sK35YYC?h$#Faj$r>j1vI~Z;g}mZtVCLa(9a6`YWZ{oWj68$dVsiSHi^>dvs=_ z$?dbE!DJqU6aRE}PIzs&{CF`iz(D`yOyMMXMEv?wuI?P@D)E4(MUfG(tjY=-Hzg@* zV5$4b->VDqh?5KeXZMer72y6s>F-7p7ko`)xwg8m{HqBk%+2j^Lb1rT%}lQ;fTHQj9yZ;ta- zWL$NEOlG<>#0k>;g@=z54)zs@sb_mGc%&=_;fJJm-5GKGlYe#99r*8eY;xOSvn0Y~ z=G+~sklxZ;?UjnOPmI^U)>W;_X^&_xJ(N_HJx#5BUADbcp59_3VDNo*9;$ahD{C!K zEU@U?+p8eA+?642A9+C1tC&;A6js}g1{xtJelXxLv*Ll%Su?5m|JK7722o06Y%~tJ zp4U4iTziUVfP*NDCO7MnS;RcxK0)67!0zqG0>)2CZf~M4oChCD()Lpg2zP5IdXemf zAS8JSQ!C_O!*4GZY}xEU3{Q%4#Udgn6>j?rBe~s*;-!=Gugq#C*8)L>DQ7tJTxMCE`Rd`uIu!zEym`?M8|AjB#_fcUzBJ)_?J*yM0X;wFwpp$zou1A6JMn@=&+q*ON$!8 z>D-69f^O|Klm92Rl)Vav)o0lV0*x|EN6EMD0Pg!nE&-gF4^)CICbR0;mqEbGqV#0o z=x2~}7l!4NkHvZ7+}O5f)37qG;o^7ITN)1X`jflP(==pFUx3STydjzHamF(Evf~xa zamMphdl4Pwpf9%P5%PqD(k?9| zB^~wd!PmZZ7Ua=np=!R#GE(uF?c)7A8k~DBIq%F@Lmw~@rP+2qncXf-+;y&MTaHZ| z``j+VQuk$%lt$I8M|QQ2{ZE~-G5$(=Lx70oQ64&W-cM;-Q&Jt%B`M)#K6(>+dT};M z%^Pi&G0mVVoBhhz7Bo;NwWkw)#kp(W8a=xoV8qDS`I;Od#tm@n%+D|y*kw4_cPx1| zAdM(PY0{B(;(ISSEF=GMu{m=}``*g^@qXak_xMjyx}3%{=ovTB;=aUuuWvU{CToS} zHgP4Nu1{?o+p*%r!UJ$04gNP&&>NtwKKtr+64=gKXGp;;aHzxdH+Y8fN}mCh?R9 zqQK(njN*5%)H70$E}-+N842d#@E>=0N>Dd`LFAGelIPhy%T%FIdHvKnT~~p z?`1qf&me$%BIz24~(;M@eu2QvdgS|omcySMbpFjU{5$<7*Rbl(pLDCJc7$>@Tv*a?YXg7rW$lk9tX8N_(b8# zL#&v;#$6kT>+l~LT-eJ1Hd_3bD(n=MtwxW1g6F2DSOkJHxj^2e-3~RQE5EXgXR8TW zuk1rT@;1*B@1&Olc+|g^rBIT&#ST`9G1dxr94%+@IscU?r2LN)v6DmxIaTI{E^7Ch z?B~xeL2>uj9@fnd2YcXdX-%Yl1fp_foP>&rB>KCg&@QF#Xd$LSnHJ%?ao(`zZFML^MIKz>kyI_5EjI!tZW1Q#Ya2ow~dIUp7_`t*Rl>`6T zzSMWOYd|efFB_S&1Jy4H{`L=~bwL)21cz@8jrWviH~z zwcOwTlk)VO*J2F@^tG;h&^qVt;jnC)$M6dyvchx= zN;RL7iN|l&{b`{@E0T?Wz3@)d9==xhR(k2TYH*Rp*~KEttl0Q_rH{G26-@$pDGg9s zjPve#u+{WXT+s8m;Hr+=J+sxY-+JdYGI|0;Qvhi8UPYZ-ztJ1GaBVlK1x_5~m!u*H zV~AhR3x#`K^AfFUMBlUF1QK#XFsoXaVy?s?^g8wy-<55y%%DkY83Q8qrM>iHR*t_+ zK5%Pb5oz16rEC86LD+VPQYC5gL&F&d6O!CThe=g^MhM`3`2T1+3%02GuL}!;3?R}V 
z-CfcR0us{QA>9qa&@psNcS(0igVH@H(mB!{L+5**|8>1zfML#@bM|lVwbs3Te;?`| zW)MOsN|nqERWyrsdWJWx`6!YUZe_ho&=^U>($;OH$Pi_w@nyy?{-EsOD5O-|#kFtj zw&#f70(u7X^3g}EcRZXV?^JoIc+l`vR04)>Z!5NnXw0WkL+n{UQ!c$+&707%l)29! zUM1_iH+!9&V9i$-fOfGPT(3iZR?|6!cwOk%#U{M>meKd6N3+t!;kZK?tP9w=iV#gj3Xn zT}IDB{waw=F(|gh&paxQ8**vfsvmOp1)Kd>7#fB6JDW>4IVHa5&0Q$5+xmw6X;Ft| zIqKLc#gb|)avfvR<yP#R08MZ#U>0Eky@P+!_ z%`Rm2&gVUk5CQB{WS}0?EBrzn?+%@k+tR8E3&N?J|OsL-`jdm_5d5 zG*6AUE|Q-I-XOwE*Y0*oY;c9@>L1;r>z8C@y+vc)N9qhlEXVhdZV>+N%Q}{uunw}Z z9!WYAyAPQ7bw8Z=qG|1T9KPo2knohHDkAPalPnh&0R?G)!vY{rPMyc`7RR1*qu*|h z7HPnK6B$QBRRK%`1zM~8d&|zfxj~P}f&)UipH5eqgWpFB&w?Z#kqcbEuOc}dBe-R6 zYKF*QvX6y1!#_nY-dEi>0XwH&QE^ zweSb;8Z~-bZp^MTe$e#gxU(r+OeHH-@?E_Min!s8HlE%25T#a%J~ng_Tsi4yQk79#s09$ny{ZgG7SpSL$ZP3$P_Z52lH$RaNd3lt zGUv2IVSWN5XcwEpm6y}B50@Ad0{VOry=M9Gab7mo3>{V5`K{!#i!BzsD^xy3W}%!L z=d&A-zGujOK6VDy%r)f5fay!&5ZYa2e1NAPO;CHhk+=Jtf6grSSilrY(d z`F*&MaypjP0~xacQS#CK;Tr~f`5?!qI-X^Rrc^_RZu@>|xSHZn-?v+eX6;uP=$2@Q zSs_Ar$eh+~;*vyBtbHgMF~QWveWb*zx3k`%G91ky6O$F3ESN=$ z`Yg-zDFywYJH>^R*Ukg+lZfThZGVE#T55{vn4p3VWdY@<;`L0A6l{aWHxg}DXC4@#*WclmSQ>0F%cyzP$WZci8D^t{I458JCkf~dZ3~RT(tH; znMElg>H%r0_?{hOP7#NAywc`*6LA5(Pm&H(fw$)oNCWkKQIucbY7&?{a%jIrt0}M; z;8A2(``8`i?Q}KoySvB)9by$96->PAEG(C1h{||<5-18eGuE9o%v~fUSeL7@Ruw4! 
z1iWritzLlJy|=Pv}qvia_;WvH}?A z5A@2pZ*Vb6EG>6)H085O)ih!U|9ld^`*X24FnTdk zA3if!=`XXY&KV0kRMxwKXk8T@f;y00S-(q$W=}Fj4t}&x#g-x(p4&PD-p#N4@d!As zBO~6}Cx!Fo&6t!Rtl~w7RoRf;B%c0|zf_oY{}}`ydkoYNXDvRNAI8i+1xGFw-FqD^ zsP!m2PZi0%UeV?i`WH!~KwN5uq#LK{U8;E@wXd+ug2a1lPKCCS z2OzJLP`}ebf*k22_Oy!)wyS;8U7?2RLRZ%86}WBLn$ZoLa|T>32MpZ1m*q@#zx?|5!R$;Ito z3gdpwY8%m+Sgg*w8n@tOh|F|RD=;|bbzO|HkQ-TH$9ICJC76>8#^GY-#jk9}@M665YarjN}7m#C%yu#MAchBXy`r|sBn@C!Xp*|*6Q2$q5!Rj-3 zjf%CzKY3d`9)lB$D94PDj4?Qe`NabZj7?~u>2jKp;38^&H(hsCOP7DM_VV+h=n)n& z-rri8+^KIG8vb|yetFyJ)wV7B@*1BQT?A-t#=c;sCHC4IRca^93SnQrXIbZI~XptUg zg+B4lZU3}SCNvMflB)4i>->5=QP!4P-~kNJj54Ecoc=RXa`ZZUNdNn~RfyA%zc0t= z>welSHr+=P5})o0^!#7SxGdHp;z|Hc7IEiNLJIAV);rlFU(`4y>0v3^q2fd=a_XZxn)!xZ7#oH*Gh0_ zOg*+riv^|>5xgPRy;&c=Cy08QcsJeM37;|oV=ZdZNR{paogKpZ>{zYHM zMVsvf{ABXx-0Vi~qi_buU;?Dvw{uorc#LQHwks1P#6DHW#5F8Hp6m7UI} z&kJ1c6SGx>4oydX9}+e8X|(~%Q{QS|8>Tr+R^}|2!a^ypXN(vy=PR?8qkg`v6x*M= z(FJE8nXCOo=6R_$`k_6$0s!Fc5bYv~yv!v{zlu3KM$SIoY*dT59z|)aj|GPIZbuAN zTdO<_nL2-icj=r23MP^K0|79nRkyg^W%*mzH^w9It5P_-HwMCw$cku6KQ_Hb-mnSk zoIh8m%g)bCRBm@Su4;J+d)e+4CHmIKvgchmOJQZhp7`4F*CqtMKlL})%mN{*w&-;| z2V+})zx;)RWkR_cB~b0%0BZav455RO;%{P&HmyA~DlY-s(|e#Jf)|C4^~|CYSEUF2u&6GIb7hhSoGHVc86i~{!jNb+!-v6UznJTZP{?n{JjNF`@K z7H*tz@8`DGzU|4{65m8%1?vu88-6AqI0#I+AAY0A+AkYBvhrK6^d9`OdSg-lp|7A& zeEPnUpq+B%Rd8%vwK~&4TE+G04nwTPlEdAR0ooL04Bmw!9)&zO+l`5>wu`HMInjh5zSz$BJz{`cLbIrF-6c_I_hm<(?A)j}#!7W)Q z$_4dxRs{2xo+EB#P3JBK&4?hO*KWw>cmEVP=uwuqM~Du@(|{2)H#b-@ah(r?HSU(oV^-_)p>|D;;apBCYacd5>XLJMFF`@#xBb?jS`!L|-^c}Z ztk=l7I_WjBaIdI|rpZzW?>&Gqx3bM3)V<92oXeyooK$pbGcE5nZ$murn_ul<5%^B0 zh+2WiFsh|vlG^;KP)FwsxHp_!@NmYQ$JvILv`;9W;ei;CenwD%4SAk@;rlNmoK{3^ zmVkTXx$VQc9!A%Fmi;7Ro=;)Q8*16R2i6pqrk;LmU zjEH6RVM@>`!q8y;=GHG>o42x~lc6jx8XRL=0v3Bp+9+$*ZIOa<>-$v35ksm>3eb*} zrHG}3=-}0;FO2UtmlmJ)OiAHgkf+9!(^qv$hBJN&B2)c>lH}yI0rMs4$iTH=vtN(`M%Cb%EyU&T{rUWG56WsgjWoLzWya@}%h5{-Ak0FA|)7~57 z#=J-MVIvUd>x8*Fv$_#W&tOWSQjJ1P+6mlnnvpF$5dX zribPR!4lpg>E|!)J6ZMvpV6W7gx|Mvz1C6(d8M)5aUu4xGdynjU;dU2(DVNE;bE+* 
z&dRkHLP_OI;0QTeTbjDDAm2N#FtlbVVIUmj0d$& z=;Zk`?zGF#H!=U$9ye$<9asZ72h19Mg2hR2LUH#C@OLfo{dO`(N5B60>WqevbecW? zy^g<5q*1bZK}t+_x1-mJHE%wSbw4tp!Yf~_@vrb~$lka+G8`Pmnqa54QYJmU_uXsZ z=5e@T7o+RgzcI3HuLwQ+atiJz&@tN@;n=(S;{a-Xbiw&+=m$0r&(%jNr+U6b*L3Vh zGWyYmVe;e^zZs>W@ts!z#8j;3XRE}x&^LL*SQL*s_M4EnE4#~hK1Xa#RWazpSp$W- zMcVK7wgSm=O%8Yd`%URsKKPX=MDWwJ&Cr#6DUj5I?;y)9%&B+8)w9GY4Lh zm6~NY$hJi2mlsDM<8^O%4Xc2-_=RJ{Z?K0MMQ{W1jU&#~IeQ37wCN06!A6AZC)jVM zDQJJBmxMPt^*Z=p@dK!gysrD&j%a`%juyt|jN*8C@1ra5&HQcwSCTaC&-v1H%|!pM zGn4qZ#9gr*pBmx-oYo_setc6N&j8Y|p@20t#PcLc;vKPz4ATW%jEjGwA9SOM4`m|J zr9Hh>r(uk}zhxdljp1&Hl{oe~r^Uc9qEaE4zD*wV6j|T1PXOy}vTjZ{(ZFK&{w+Sn z{H+J9WS`4!B;>1smVk?OR_Y(7KK=%$T40s&5|qu2c6K3Un6X;|?(^(Fk7%u#3pMfk zb@M3zz4+p4r8i%gNYpA8LLS4EdCSA@@F5~jS&!fU#V90m|GY!Ax;}B2kV?$-RSJGQr$1Dg_Jv#}S zhW|{A%2C%33_|QqR-0tq09Ld0D0Kb_9Y^vnQcO&pV7`cDG=w;?`QHC&Qm2U$6u3H+ z6<~QB!)wAO8Pu|08mO>{*!VdhR}_f3rQ<&ZkIFP&Ai+lRYwUVdxD}v=X9(T$XG6{F zsF$ET9jxfkV|ORh91gMCrV}BnU`M!$`VU-2V;yp)=-Ua^2gDMo4qB}ZC~MLY9`c3oxfz>+X|gSw=#)=Jzzzn=qi zSB)AwMx(-yd8l~BOLw+6POHhATeU1J>r^S7Ifv6P2b{SPJu~f|)*$q!eA?F>U8-*o zLq!#uxVFF{t|4#;S_MFUetCY#-_j~9Gi2DR9Ud0TD~VB2#Hw{R-XUJ~HO?h~0S`${ z1tN2J1g*MuyP=%Bk1-4M^h%LcAO59Vm`a+a=!8*OyAi}-y*5iytoe&pkwxJpDNXM@ z^N~2g$0B8A-;hmWRfl$T^M7@3W zgS(Keo##7vCvP}WIK*U z<6Z)53Z8YrAZO!r@~z8V?k8A2L5_1ipM|5MmY1zhw2)#3EnB)RMZm8o9WcVfN@zk{ zB4kiR3w7%9@`~fv&;t}bUe>M5U*WnJR;5e=v{*@;F%?ttMEb)?02NTfCtchJLomG+Z*OaP?=M2u6-?D61NCPSDq`GC}slOerd8dJ!~35 zKfLwI=WfFoSQS#8+xF(*x4AQ&+RMTdzA_so-3JNpak?WMiCbXML%bS8kn?1ih}Oqc zHbU)Z+g@jG6!gcYysCP7aH3|CbZBrgTVEm6D&pmShZ4)>J!W7}4~^v_H&mqf!(nL2 zbaNx+Vz)9QX^^VUCq~6;#$vpoU!&t^@l*f46edOgETS0PqC{#1p_idVVovY%Ha*{c zibmLemM_w?laSAYtQIJt)ba$>XaR8y!+Yrgta54BAJrzR!@*S| z6us<1LMp$1+n)|o=e_)@Z_709ZbLl>i}f&0fh)oCC~a zDysKV2Kyg%QySF`Ny+mGx7C;&e$kasmXB~)J%H-|N;mZfDgl8(0?2wH^3WTS=BAVD zNgv~#gc1FL3J_X0#!%Cg*s>m%&Ef*r4S^$K!$R~vEQzKiYTo1U<3**cDq;HmZX7n` z<=fS#_wkfi-bTPO5>Vl7cjJoq<#d7cfgjl33e$Pw{9>Ga_TLB4jQQcq&=#x<%(4a4 zNqZ(XRb^fY?<22n;}~_mgfrglzj#2&jL>~Gk0axwcP@IV0O~uGHjLbrHr}_?X6wsd 
z@>+|KmVLB7DZ+pZO#`iH_JeVC>q#6wWY}EKnTXTGFM&p2fTBzz_WeK8D{?p(pUDz` zd$!xx%Q3?!QF>eLof!qJ1qs&B!b5aIg>lP?6Y{sHVaa8{nj7+y4Kwa!A3C!$F%@FR z;`kq%gjej|R^s9Lxi78~QHtzj_D2YABS^&jL^w2itdYW{ zkA?bSQ%?*qCkbJY34PyU`A`#t-q$}gqzH$`^>*3;wLRc@ou#c$7t1N29Gkf`#0{E$ zAqY(#e!yN&83zq5Fgatdm3h@|!6GQG_uk0vY!nyESWA9Ig0*0A6I&Do>0;$YWJBS; znQLOsRTQvY(u=S6g0laxrrQRur0ggT*;SHTbLf?@sip^21nBTl`-n&g=M-}UjORvH zV;V>M46&xlxBVeBM}y8Kj&qg?n=Rdq3GSRY83HUh-|LFzwitmWp zjyStgFUNMeA>2O7yci=EA!No+(daZHYL+S1tb`@_0qw9-ou$`*LYmFlfR zVYYL-p1(=GvdS(IJk?VOzAfkYHJpppJZ#lDz@cBOUkKO9sItg$vqxGL4-KwE)i@#@ zwGqc(-ig%c^TWMPvU-?rrCiF;u)@|g`Ad9uP9BY)u39wV*9yL%do@f^wr!^B0<#L2$wj@GyaFJ?N3%UE#=oeoI4=kjA+m z@#9tYxNxSsA7ogL3J?>Q^pSWv($CNOF;SyC9!aVhpMaf7j-Ed_@ug1Jy2lURYTheJ zUT_V1)X51U^mRE3JZs+C{eljKxU7Uc8i%;-psouaFGZX_6bXUfL-P;mMrbiCfnQRb zV>@*nEw9Dn1#%~Qw`kSNwMptGwj+M|bn`N6sJl9K_yoRgx29VdBz7*H+?~o*%Q!b? zNPm=T`LGSC&@dSr3%nTpoV3B}VK+)`xPMirhXixNuBEm^?ZXs4I{ThJWSpu=A{iJq zSD!oH$>ykocl@+3JLi-selpF<#P#Ddd*_i`p*2!)S^^!|fN6grgxx&}Y2Qmuke$92 z)XIhDTKlLIs;C(iBqLimerRZ)l&$jrEC37afJGpq_&&rdyWlqqYTu}Ah)YMPkod*k zNVHgAH#@`A6K#8E5({05Q_4^$D^E%-#wl2p>0RRZ`xL5*P*K?##XrVBs+!T+z@*Bw z&+|sM#5R{?TQnljWUGp&_o#i_KY}mRR%%OMt#o)EZdn!53#>Av5LE}+WAAwn=eiW7 zB5*hfnl(2s$ll6{p5Es#)tRMPVJlNae+(0xqT25cRvQ+f-VRx}t$trjNJg9snd%3V zX*Pl|!&1=uMt`F3c7+uZKLXl=!_&=9wli(F?^WX&5X)9rsKJ47uv#KjURAK#bdD~~ zqay4zIxg*T8KHYa;>D~5c9`P(buO2kp(9P2-LS?tP6eeuzKJ>8_6R>L3ZLFPYqncu-k-1Q{q-~qtycH-n6F%UdFXu^lOFJF z3=a&lP@-R(4NU$m6Oc3hptvZTOa5;M%i$qqt9eG5jg=(k3?DLvOw_w{bSmDFohtm21lF8yWv&*NU$HqqXf`mjl25-5(RrsZ!$pM=OS=2ShBY z{8|NjGF*n^Aa&8S*BkRO3mFCu#>a{qmcw0t!qdS)YT%3<#6c$n#WbXw__R-W37~)d zQez(dbc!<-QcW<)p<5)llha>Ns{3UF&iLcLB6V$(ga-6NcesBg{rV+Q3X|9V_2ZGZ ziEkGLoM0OKGUj*N7_1wI75+-?vPbN)ps8eQV|uS4!T8?+5%)pN6>pDHLr8q#SRjyE z(!n&X#e~~^&)OXzI4TmK&&s+cHJ*L z^$;B!KM%+9z8Gd|#kjCO-IhBt7tSV_ea<_(yPBL|&lnu#|MT}5cs+6tQhKw9z63>x z9bbMUIDcMBv1}4nne^w_f!BEeF??^p3k}u`1$3#(%KQ#_N6H-Q4F!&L%1Jo1L*7NgWDA!UJSSc8LiEoY-L?@s8PfP|1=E+;?jtF64v|cTuz3Zp-Ptx*j36 
zyZ)|Um^|BQ-GRD+-#w%F)&AXJI`)-S%&haRvbIYg`W2+j3jC^=BY*&vDK-%BrGdoB zh{?w1>==&krA`&e&z^nXBL!lXlW_l2y&=nb{k9h>5hnD8n4OjC*Fk3V;XWeOvwzn2FrRvfs%CtK+c zKMN2aB!O&AF*J56TNbaP@kj!a#W2O@JDFwBC0?~ZU5Ci1pjWbi((8RqP&=i{-t+u0 zfQ0^W%kf+B-8B{E*LA`XIc<^p|NO84ZD{M(vmzkqbTDXnVonJ;Cbr_^W zzp;D`=F=ces3P`oq~ZVineuQUA(>p%2NEe1m>=NdR*Cnja-5&ZPG&Ftg4OSD2@)+G z3M5IUa)nW^f&A-2q2CYhzN*BUgq%tYPh|rX?YSWW&hzUza*2(Y>!o9b{gm3&~ z|0#e9W&31&)aLF4kYH_7)UKjp|IIQd?v5cHno%F8d~{tljmwxMr}_|E2*?-*B3Ew~ zG#n=42;6+V8drElztNHKD-*!pHb09}_v4;y%k#X6analSMmScR2`Hk|nYPFZ1TY*( zFHZ|m!S8-KUOb3~cg2@hP??eh7CRkIOhg^ks@r(YC^hlx%1JoGns0~A#^BCFW)~Li zgTA0edYbL=Y`eEAU$%1(*b!r5?Uk*ItB(C~P91*8nRbo-a@${wIO7eP9OA}+s5lAN zN)w2K{SOlCcAzxyk|iIEIki6|>3sa|SLwt|jRAi)p{?py#yb$E#4Zq-B_LF;Mq+Aw zW&u2Ets1S0w!uW!8>lU)!BR?C&%#x*SP*z@P+bz9_3`TIa8Y%UfI_8xI8|xnV3{nb z(Yc7SPEy4pP1kD?^WJM3Sisb8CX?mI7C7(D0x6iMROEa}3I6X%H$_W~J2pel?&q&Y^5_3I^OLdChm{}qv*)3l*GZiVW)4elyqmP| zr}Oad+mT_#GI7djD!jZEUP-Ea>*QiRbB0Zh1S^1(ST%ClLE|24s-N3BQ(v<`n?y@8VE*)#*2{(EpQD;(Q+oZ1giCBA7j75x2Ew}nj; zo}KzRO)o6jtHEu~ourZu1hqzBR?rbWY)#`Ll3cBi8dW!Zh5@7GgNTb@G$1Z#@t-bQDk=%8Fopy z{g(!09h-YGy{Dp*=Wt4K!QvAD?(j*_g<$r;!ehJHCEC`goRY*?#DL`SXS#V{gyPna za5is}Pfwep)F{M%4Y^W$WEVOMdfFClF8rsQb4uLEMP7STppisLN{gzq^fTfX2%T;n zg$>WIdrQq>n2HS&9DXqIS+umYm%?KTt=sOawqnBa9w564fRQ!*iw;R7xDy?+(jXsd z{Vzav%lm|m36(9EK<)|lNvnREWdx~P`J)&` zuG3=+V|DSa$zfzm^c^TdZF}AvJO1pwT@GcJ^aZv*9YVqkUAl3l^%md$0^J2ghkvd+ z{hHYM3dp|j<^1=ifR7!rTiqOO@>cCi^;@`t% z7-3$_VpYB`FYM2qw}0r9bdT_{`uupStp;e6{QVLC<22F;e8#oFFwmhSz*9&r+5%Ht zSN|03?U$qDt^sRz=(~0YB9LVu^rR@oyTw*Z+uD?RpI1JIWKd=nSfA`e0O`!ot6TpvG95@{UuRd z<1un2IL5|cfMkSTYC=UxFQsPx4UUw1VVpze- za=7uq1eb}*iNPcB8<(k=cx?kCvi8c_;sLBn`ZlA%94WWT`J+~zXMbf?t$vD9Q+Qm! 
zQG>;AX@VB3jb6{IS?$kHZTE`jG=t&Ft5S%PSbkWv$!GNKSS)va7_;0q9(SmGI0mo7 zlCWmV*C%A#!cP&9V8dh@oT7&b=)j_`nBMKQY{hdCbVi|3{+2)AC&ONhRUdT45j$73 z*PB41QtJ>&RiEdR-u1;W^gc)9ic|KEGele=e65HN*8yir$~wu`4br#U^obGqEe6sQ zuw?p7Givy0k}NXtkGj&@;=$yB}2IA|pVJRi8>|ALN^`( z5a;@p*2g<&;197OGQu&TU>*V@<*y@2&amERPt@$dE~#-Om}}t}Aa8%8d=$rl=)8!@ zp|^nNl*?lSar+iu8?2BU+5zTwNtp28RNzbB@Qqm=T~ldvs=5P5I%gpkdd!%FZ35VP!UlqD z%jg)nD%0bgoVLr2bmJMGv480OcyeNiWs~^^7MHki>0jdK6|Dmbbsn)*FcH^Do>rxR`)bQQ9N&b`ziCG;RiM>xHrgG-P$>@1<)5}azP02J z3A~G+c8Pw^44EW==pQkBsQzcS{r&q|6*5BGTc!zIE20Fw)q076L~;{2K7}Nh5CnF;(AXxz|F}{t5xO zyT-D<8+Be29ZD^IKcF!wQ~jR}=%Q-x^3feiXW-aUV#0U-9$o$Oic{!S$?sd`V)!|d zI1nrrPxHHdRj40@6|x3cR2D^FnE(xmt{$n+o~a(^6(j9dVRH-;?A)93uaQ|)LF_mD z6k)LPnL?nI`A1D!x#+Ocv%jy!e4V>AC8)w-7c8QEFApawx&8Sl&Z3Rrxztyy|o$&iR~!*a28S!lWWKXX{&0{>pkKc zr_Xlis1PM#PzlfvDGSdIaV7fRc`+uDY1z1&Ew0@JvUaNdM{+t=*Ii(2z5O%;JgH)R zT6`3&N>|wNCO(9k05VqAM&xD%zR>msd7(5!W!2Awz=%fkpV5GKeW80lMrd-fGOK8B z%pXeDZL&8>?@C5;zcMp1V8<6B1$-XGwO@&|^fZd9?;Gq}L501Qw^asNRnQ!gjG5Dr zQ-q51nvzYDYS2_OE+OK1RMQT=`2gi9Lm_YDxE;9+TKWAD_Vw&t-J7^6L&nCGm?oYW z7u2K7KyZvpHRU9J*jNz;(Nz7x#Nsb%4f;U9F1Cyl zpmpwNe-YKlrzExUm}GX8oJWmYYb?=XI;A0PbDcx$!RJ!dZq;2&V{EQ###fIBK)vkRH^NTK-w=)KgijlRvOsC}=XvU6qvBU#s<{1ipLNxleuOZUwh57uD9Tn`+N zEBw$}P0bOTmCem>c{}zzF4og~OtOwKXFa0<5B4)U@GS8!a}A*XB7C{+r~k;aYj;(x zyT>W*j#jsnsJr6uUXvmtJ<$} znj4c+8ZV=qkS1w~V2WtH7;90jQRf>T>dti%eFz0}$?w1eVMTrM*S=Tt0=h*_&sT&y@59KNYy|_U9baCqjB2=|P@F@F@}( zqMJNzKCd$3=(+udCH3`c zD>Z=!*X)lVc&7c@d+LdPL!{*H`^VsduffRP*Wopr07sb}9O;!mg1meZvQ^u8qBte; z^frd&UP9uM=NQ5DCiy!u0@PC5~j3KF81O*k}}?YjtWDtM#V+ zCC%-OWuwEqK$-bP{m|ORIeq7KkRNApq#6@GO14Igj{YoWd34#TlpMI9dulPgci?m%8C^t5-|3kX%zCp8KUlYx-X{vxQCHp>h2!riKI(jNM)P=O<~SdM-HNO5t;`H>)VshYho|nUewD_qmozpMv-LaPy(?z8aT!+??{F&gW3fDTIOoil zCcS~@`POWzZ!X=nQ`nymp1;uS@+2Kdowu8~$7b*D-qHA}imlX1Io#IpSJz9@hIciV z&{(T_ce)as$Qv9I1M$j%ol$rCt`z&cDwwC5JF#0>qK`N1ZsyyeLCB(5AIsI&(V2-B z<|BY0Og9MtH`cH+QNEO)yYnHPAFF@rSv&jGy@SipPky5vvTHmHH?5)u3=Ec){ 
zDKeTz!z#z+=)}S;1iVALC6A!@!|(NRBVDTFbE5rveRC)pnt$RD_SqegwG8g>5rABHH`1jWauGe;Zf34)sLTK&or2>UwTt_GncqWg`wsCBwPVxs zq{(Y0sF?jTw`i9f)|BkW){~OBWV?FU#AX??{T@jcV7y+G8`dwuc_c)P8y&+n@lam= zjQc`Fg(3hHHW6{Fj~R6|Y`60DttlilngeMU{C3vQ@V$tv?}pa(vJ38iPiEF8sS?A&^UE_EbkD4QDp)>kD^}d! z^|;$3rd^Z&YkZn)0PF-9M>p|zoM$B@rAZlp5?%Iu*`ABp@Qk@&!#z5@Yiq%asqBt0 z3_1ei>p|eg*>L_|&NLz)8EqeE-`SsW4r?g#hI+c88!EKp_b|iO{CS-MuZH>kdiANJDu$n&p>P31p!78vS_lm$$2H(b?_&aMV0`ByFG-0s{q z5A9C#yC}Q7>hgY=zAsCF>g@{f2px;vZS^wDqsDhMKoZV+AL-fz?lxZU81^f{1XNNQ zg80K234dun8pneLWzXI`w%*Ke>surAgU;Erc=kun&da*I2@4f}HT6X5#uO-qaCk>v zU_(yZHs1kLDQ9EJQ^kMaom$Fyp;Qo0Ho|VMtkZo0raKZ$!dsenO-lv!9sl&i)-e(H zTVw_dMiELRD@VEbk4D4tq-+My(yG5rF+voA?M~yfkr0*(`@{8!I=`OM+t+ADmaDdc zB7&bW#9F+dw{W2Nt$O)j^Y}Pm8z)ebQk?46&Op~eMcm;sWe$1LeA>}v0Td&HN)hjl zNkB8+UI`=#+h-=#V_PUMkn^9d{93>W2*Houy_ZFtkMVW0RgX^J6NeqxR)$&@x6g^kiZ_ibj`}BVEo!I=^rIYZ5va)f66$0 zp>Y+=LEBuXa&uD1lg&Ig3PkB~U!0*-A$R_&k`iU`dQiFn3%=!?4sf2>g%|5V#VG1Nn@nock1+* zdMHqmmbQ+XrYbXLrzFh;rOY=&1^w@{)g{qG1oK)zQvFZ3)3ZL;dwQI8g;LHu87|9+ zn#e(IasH4OV3kaxFEx2NcE4;2Rk!z!!rtO&n;MFa1=VWB#iGx6O{+lmuTlycWc6hi z&Gl9AE}75Ei)ajoke<{@tYOfg&qlY`I-6P5`|uBMEOk#enHodZXDEF|Q8|^_6jehc zvE-9s?bpTr-1W6l`(^bYC=x77A9IC4!W-Yl;~<3YgN>h}^ht%XBzRNrZ_pq5=g;=+ zct0o~C&Z}omz3czwgLXFl<#vh9}V81Qgpop%km0byc4^=-Sj7>zgcrnC}?`H_JfX~ z)L!LEsurBm{W7KN*!vf})VVl)Yb#49aqIK3xQgs{pvDHfmbU`>!r*C)bDfgDR;g8G z@vc2QXf4^E-IrX=n`kliGdY>)Sc*cVG?AC+>H`(MeNTye=YrcgT%hxTC-1tZN)GGu zk1A8_p2)mhkxg$M(BQ_Vs9UNFg9o+S{B;mQ|(tQ2)8mmTi<3gKER*t(_%jy>#>wSQ7arX zZ^LTac`YHceSz_(iUGh3+5!&#y>}}4gplItSJeU)nS|Bd*VTouM()3I)^N-9FCDhb z8{6yJ#9@WXIIk{MKB=^W%K?p*61WUA?AXlcdqUEXWkf8IMfQ85WTU)(j(K(RGxLmpU?zgNA8urdN`J*t{3a+0;htQ#G!l*yuiylXPMIsz3j_d8K)4 z_+zW1y#w0`2-1!wYv;C#N*^_qn*6%ejm_%}4U^gsVO^$`-vmUUO3JRau2VTuu31>> zj|Kxecsms=gKUfvw~C@Fz22S8X>gv|_$Ic#s;jA^Hj`?Ufa8#}crsyne!FB!6~DG2 zv9*hH!zP5Zh!+~tU#}4(sU;VNheKw{)e^?)sL<=eo44gv>oJ$uB<;0jh!Sdqi=PgwIFN|Jc@i zF%%EC^4!(*?}yBQg`o;*Z01O=t;6IcN}GPGF&B16x=Q(+G|S#o{T>?IB7a3q9YoYy 
zeM?L+zGK(h0r5=bG)xg?Y0t|xyWs_u4}K1YX*@II8auFsC^j6(X?_2@kn0{+g;)-+ zFY_@rw~^SE+LA!29z~fvlwaC+7%;^@fPA2Ht`VpTak*yV<40UyI?!w#8L*3I1zu8z!t z8?%n}GFCSLyH0wBT{nZQ0u%x5T#-EOBZCU#6{Uy!FKmjA!|HDBi{G*oM2CR3o@eNO z?5W4~uXWvNnQIU|ftDlBQnx~gs`-;Qkp|!_;r^c0YxQT9veyEn>c1I`ao0j^Gb3yKafkLMx&(e4Xv%C4JE@`W09G1g ztsh#LW2hua-}25IvM5Zj7sh9ippbcgq}md4M+|JM#_x|Xm68y!JR@bSk+PyMmQ7Ih zvG@?@k`n3FzrcCn%4CVN)Gr!7TaGIyi*CD#+t-0pl_{@!h>0$VC($$mT=ZPgK#;l9 z(A*Iyi+_QVk;yyjc3~ytY=g#-0Ct}RHGpWG%o#Z68h%~e{>tI56jc-4qUIC!0(-#K+{+CK;b>ILow^Cy)Gs!Jw_{nTYsV;%mF^)JeZORlqxzY zCMTo&#d|g+5!suTq8E$zQ)rDf)nKBqK=nr0ska5m3%%GYs%Tga)JNZ|#H@8>cXBFMjf`ik)~zb=Qh_5mf)eZ{G@j}sFi$xz#I@f&2uKJe3i zPPHGsHSpHWXITMV8_hIV*c0}5&mGu$0<1{VtUoM-3G9-(kELIZOfYBqIJcRi;Et)S zNfTncWehOfTQ9-EGOF^Wp$WTdBM%sWg@~RIo!EvII}pRgnC*{{^=QgXTujbdmH3nD z535*N#BFCvmD~=GD@wX|5T67*_AoG5`#2kQRY3OD+zsCBIFQhfLE_#NWtifRAAYgP z=VA4U)!tKK3~axDyQY#gp8LZVL)HGx5%dQ~2f&xtmH9 z;LSr9A?v<6Qb5(b#X^cIu@4?49g8{rldK zkv1sE^RdlQ*2B2Vw3b5vdhJzt3RnIZ|& zfq11FKPTtapGGw*{)rhZ`57{XLscf)jI!r0g$q zauI6N)4NguVz(lGN*|2BQ=19m5>nWCrs8|c8$g!yPu|>HUE=9=m3!YmQ*#!DP)>Ek z+#%E$7r=|Zu+^j@{`tC**K02j9rAlfJH&-5^v>%oG<<1#k8${^{NeItZ0<9IZFj?( zkNO+s7zFU;_43$n;jVy!djJ!P8W-(}b|OM71?aWXjpB@NsPAuFyOY`f`ZkhFGTCA>YxHr9L0yvIJ^|ygB^l&%t!((9Sf9C`jA+Brd12Tj0XiPD&H2xJE za}_gLf*6+3VOzQ}biNHK68ytP*_MSNw5&Ldjr2PgcZ64dsjQPxRnl?zwa+V8Z%Lw^ zQ(Fi}_Gel~Ay*N&*|hWWAMjWxb9|=+aV9W42n_aUM#?C1gKB$kzr`fOa2`9Hh4_%B z6TKL1yz~9P%7dq{Q|Hb1eldWpR-zpP}OkW=)sAh&AS_>a4;4Edz7=12|}xy`%K7CV=@hRY<}8 zN(i>{bZ^6KBYYUq2s1nI`OcE+KH6l7GqBEVG5)6ykzVeQW*ub?kHgtNsY8Fqd#Tt{ zy``1turWw}9cS-Z-$lYXz3*zoj+@VMtyl8NW6^9ln4#kQ~ zg1Z(8rMSDhyBC7ArAToI?hxE%@_qN-HFM|ATJr<4PR@HCfA_QZjploWU%ycaMWiPx zJ-P5y$Qh@D$ztqS9Lc(i<9M<1VFot2+49qvHaV`=Zk0l3ZG>&`wo*;*D5>wtn#x4< zgI0sk$US5dlzQwG_H&0nzI?fXlOO~e;MQc;jmRBBHFN-{_@?h>5$h0EYwFf*rkg#R zB>3~+oRK5V34My*0h4$w8M3UjY5PLkLrtf6`W=XYwLiZTnGq%b?9JQS8END)#NyW0 zCVBJ8MJ8`fDMwzLmB<9;&W6m?foDFRpC)3nIbb-&G*~T!(Ja7tVkAexH_6c&&~v-7 z1NYl6PQ|9$Z!HUK7!gx9A|4&z#;W%=+~P-4u|U&u%{(nM!p_MKu&t8!!icNsSPOlU 
zmhiMdadT&vq4hBqJ%2XeWDR)90*JC zyun*$(yY-+>LsNGA*ZYyN+dD`FOg=9N<<7lWZV>f;Fd)J_DxN1`~(C+9lK$^C*8X_ zOWnN^pNu~l8(&>zxpbELKHd+XEY%wlhI5E}o(O<#2r=unrXgQi1exUyf67gDBZ8u0{>8O6_u*&18VKe|p{*=i*TfURjL8mxUc=D!#Ii|iJSptv~N19|m- zx!wK34h1#1jD^@=>3au=kzerfyj}5*O*I5lWh8xM@FZA|-)f!FavNlDYeA294{}bL zhqxS}?bIBpgTo@jPhWLQ0g&eD)-}y6YMu>g;fFzS&Kx{_q~7Ye&#_0dS>wNjDv!`! zAyA{x)z;WAa7%GrzpRLQiZs9zTt@`a!6Y~NLYzCgX{{(?;oF<_<}@*v z)-;o#UodpDtDXb0vZycq+@-o4s2t##EUc{jB4WI|R~X1)5=F|VqP0xMmnfci^=A=& ziMY)ge<>*ggZ{9_yLh#VlW(v$!}f2hJz~284OU;C;~wjCDM`tU0_T*D*mEBRZhY?o zytY5x8QP9j1)xwU_C555|HPW~XQ&^)cmrC{V}t&OfcyLjYlZ4up9=8#ekE~=sB`<2 zKCl#^dDk_>0GTy5=wS!-Ghdv!ky61ZZfV=J!4L4}8xwwm=Op25IVbH!J#d;+^FQ4H z@oy~TfZkHJGxJzU*K5H*u|)Cla*B^T-C5q@|Ydgvd;1dgA0 zN%kPkVUM3R$W3sEvB0HFK*d=kOu!TI&j%<10HYOGsN?w)Q!dX2rN~0K%Vl_?xzHKV z$m;U1l1TuQ@aM;aEO#sR=ij_%z&=9Yqvjp$F21gLlknY0u#_{cKem@PXg)u( zBi^~C{bMLC?i=I`8vOGTtjpi?^H6UeRYMn#p6Zk~s+><0=5Q8<#^!uRQdw_o3pw?X< z`X85~TXi6O@1#@skt-bbNyLO2)+9N==7rn&8$9P&jYI zpM!lnZx78b6$^Mb$g;l5oJ$jMR0PSSyIyuD6m?unn0gE0e?D`Cb_{J}`H%wu&b`NA zZL9HU7V@U%E7NhcX=lGd6nev_SQq=q>)mWU+Bj}e@v~dlB6nCJzIyz?O(svs1K!;O zS)k3Pn3;i^Pzr6p{JJ@2H5T9SOF|;G)Sh!rnv8%(JrSfn7$5wH-fyH|u)AiBYF*%A zLZhAPq@r>l;ZpUN<}xciIBdL-(D^O-zOVf)QS%4*m{p0b0Gr8p^fgQVI;imi1`@8IMIA_*l_^!I8`82uFkW^~+fOs-t zt|w2|DZ|ZpV*nHGUg~}JV4Z>NPVjYtjv%k;dZZGsx0ZU|ZQ63#Pn5ffEibRYiub_= zcd;(zkr5W?a-0E*w*%`w2yG&pZPxq=G9eiT6MyGtVBmsP%9Rfw%(;ZV`kmwAyLNMx zowy?0pV4}LHJjGGdM4$PtwKwF0t?MN!cOBhgmJx$?p*OBFxU#&GRGJ!!8VeVNi=@u z4;+fL-YA_3EUB&U za!*Dm#+w=aF!s3cl{YL=^T3}y1TyC1(4lE{o%zB#{||a?IK$!H$;o3F3gQ3EtUkr! 
zxSbzm(0cv#|zO*tC%Rg{&7&I)FhBEyA3MmJ~;2oRHMm z<>#8jdDd7-2*XE3OZMnDV9Yx0?(F^{l@zS!~!yrOQe5|_e)BZiCL6R3MkJ}^lE`Pz#B^bB%Sg6Z@1 z(O~jy*_ZCKmV62s3i4o??+W_A^!5w=6zjdTzQS z*CvL$sLq&Eu;Cu0J#IIeabgY;aH$?FOvQ)0+|J;3bP)awlOlT}kaNd3b^raZxzm-; zJCsiN+8;G=-q^<9>^z)Zvk37|$YcELCpcqK$(62ZE&_TeCOta~T;;@%bBGB7pZwwn z8NgtRkU0x9KfZuA^>KOZci%(oU$L{9-IQ_9KY71m^Lk_$OvdQ39zk0IG^&0Jcs6UT z?YYS2>Rcg)fW5@gAm1@_`~pLuzBs^|x=>~4P1g}MR1nj!lZE#AC{Fh>W&-^vx*wmc z?GEj@d{8icH}Qgv@OHo0Ov@P}I^av&bH-3A_EQ~C)F=nFy;-v2lf#)Uws_1tUEbAO zaqInSs&$I2z?@!e$gzy8<0_*fXyXB~3`TKui9SSG)Ds96aD{jIcT}~#F(LT( zIEfV^Vt1PiFJ8Z2Lq?$}z0W9=-I zj#2g>!9$y^=4YMg-`D&x@lKbB6oU_85h6a}9ovs* z6^OUlW6;m$>C^$I(tI`;qg%JQnd@C;Qhe|H{!@}06YW?X3vCQ1tpF<(B;Lr79yh3~ zTn=_S(aWAD#YwIPd+2GlpNoAbB!8n*4iP(u42YDF47^kmzRiY=njcmCY}OEwK6`j_ zw6D??nD*pqqW|~FtXpD+YT%= z8^79(r>F^>7n5))DRtY6jEC#i-tA}h^R|TCk%8s=LudU%hI%uK9Wn!H8HYS3N$mF? zX?X{-|?+!#0Ka?vcoA2Pcc8q#ri~Mqb#EC8q*8qBMqO-uNEZ zcbYD9lI4Wa_(tDg#YUr<{(uQl0-x1G4y;5id~_Fve!Dg+7EZ&L&mBG;F&cZ+%M+(S zSG3VQIsqY@)*MG-)@PmF+iaf3r*yHTY&*%>TnA7OX#o zH@cOa9AZx1{rf{I&fBwb{&pN)I_<1G2>zJ5&6av9DW|dhiZSN%ZW}5|{Kop^UVu2- zcSL;v^O)wM$NV`rDl2j%d67P$3zU}7{{A81Up-&6nHcZ)cZ;#y$TrZ_<1)_=&3 zM>DeiEuKn9_$hi!;jjA6^!Nu3{II*(*51ukw)oF-*i2!RkDzF{(Oq0Q?pE6!g|Odx z2fT%rT^PZRvZej(^E}tPp;$P`?$puOWmIj(v3+q>H%NF9v+>L4Y>50qc=7B;YLQXB zi{Y*nS>5nd&yPv51(t9_sQ!6s+eQkw0LO|v;%pyvJgk<|E1NWlre+5mY-$OfK2$xH zltUDFm@R`W&Q{?5dg=@Ye}Hws0r@@kA2bMlFBF_wl&v6}_}<4cmFEbihlgDs(X->f za)f7&V*dTILN%hU$F&)|UmA4}$flAeEVo)gx3T!@E}_{bN>Eu5di>B!*9?V&q&(f1 z5u;#hygH&k@IXMA9&n&i$R@{I_g4Ip^|_~4CdKwj;Yg)&Epe@;kS#r1Qu7H(rx1tV{nMy&9H)%=35Ome5rKws({(piTSv+3a zNLqGA&7QSeQuLTbo&5~q$W^0u1jrt>4E@~cT)lE~o@ye3(0vvk`*pvh0_M!}-boj9 zm4d|xLKC9trqvOTFENF?Mue?YP?&fnh*weo3o>wf+=Y^N{Z_$Cj#`7Cw&pFfh|DNf zEQZq<2kBrU%mCg0Bo6encV0*Jid(iG3+U4_^@^vB*zAn@(1b*Ul5Rjdi)0HCfnkhioDzw}|QMwXpc(x{>^VeWFP%{#ZD`THcLPmQVuR*TbRdKB^22ef zGw7G?&s$8l8UCEfZ$r#@E+el*^^^nxm*;~lO>IV;2Z376%z3A_7_Sb8XDZd<4JNKvOtMwCWrdJy@+kQF;kvp=zENEu;S{|k7IemSz6TZqiR}IL+RhsXHuzc%%&0c0!@4#p9u^*zb 
z;aTQ)eONfTk6`nc+RZW@-B=kgf5ep*dH&a`XnWTC^6;{p<9jr^BcUa3LmN*&;Ow;) z*K-MqLY{oeecc&R8BPMx|JMv7=7w&a8`M1MW8EkgP5^MzNmNR4*Q0C^;zn-1W1O;W z>BAJGYDOQ?+h6@i-D*6TcB>fgZg@LOK}o)EPVvs^vw_7~xeQbf5`T*ngK_E^A&vtF z@?Y17*qAYR{ADuPez-;+jWG(^zR9t5m0Rm?ASGV!KiN$PKXp@Vn=i^ChCotsT0F)J zlVp)Zns?%xq3Y(XZ`6&?&&ckQC|G#RU?R(YO&99GG1`Bq;b?cHEkW1^9LNm0>O^F< zBGgZD4f>JxaMyO3t3rmQqLR7fi>={AVN2l#ETAZLw&U58cU4w~zyob#CK8$fgV}8W z^0Pi8^x=ZUfESYN#$=S#n|yQKZ;|=to@!km%emb=d@U*z5ny^LOyZAM_@g4q_B{0o#ML3kD-6aI$gM*?7 z&6+EH8io1GcfC1a^?Nox^X1mm%nDaIC7xn2YU6<3Q9tDaFVK-JOyLRg-gJ*)n?rP% zCZ1d_PLqcnw^jr_CX=1$Mb)Cue9%*2a`~a3d;KMuM#TYJv5;raG3Q4nW(D1P9iVId ziAQiNWaTjGkl{S@Tp;((<7!81$LvX9V4IjT3i;v<*p*VafIeW0*a@*h5!!yUPt~I| z_}91XnWt+_*7Na9D!;|DBRh75jUjg;e))>TJ*&0=adKr z?yyiyAtAkyO>`<01G4j165B~SPrE3q4;tf>d#1M=yP@SiL!6)Wk9M2STYDvRAAW5S zrBD!bSW;XLij}>oVzwcReT}@VDPy`t7>ZOBIO_B^BEYVT4VZm9tJ zO3Sz+dRZ^Kl$Imb)Og=g$H%x*o)SJ0bh@ttl8({$Y{Pl7$p;&pF7_DPex4u$Jw!cZ zD7Dsd7KPBQ|J4ZG`&{{9);yPDAo29ekQXyA9wJJM?MATub`#&K<#? zH{$w9#TV6&xYw%uHSoDVYL^b)eIwai6rcb4e{liWARp#DKVMF}sggnXYIxq*WvYAo zKRy_^h5e;J2h6FD>kofRb9v7JDHtS_?_~Uj?MGV~#}Ib5Tl}x_Gw9!^6{ZHF`eAD4 zi@=fDW_7mjFD#z!xf>9XN37n)r2`OMU>&@1LT^Pkcj*o7TuCx|yiM9kB=p}m7-6R10MdA(1^#iKSw7Oi{xZb#d0ZjVh@-?ILs z3?ZZ32*q_%TQUuAZM;^U~JiKv`(nFfS!kJB)Q zuq|Vq4Kh6TF`U(C1oz>y&2whHnP=*%JnH$W71?pb1YEP2s5{v8)w;3q?lz0D&!0vV z8T(LQBPi-J;SbAb;pCMfzxb~b;B6T5+)E38f4`!TZTC(+Wwd3VBtX&eT%zFW*5Rk? 
zMA}EE&%CpW)l$sRquS=#j72q;_}xJ`f(~=M2KDH%jDnUbhK7$j6+RJTHDytptb2{2 z|IdqD- zCfYvs6Nntu4K;_M556u{S4+RoRwWci2vFNaXQK4n{dQ(O&hOimU=z|hZ4cjUwnU#} z3*bS_3%-w=!rSE7F0YjXUe@k1N^{R*rk->S17?lcU{vM&pWM2&$v5@a9xkWVEt@T) z?FlBf&?DyimoH=O4#|2^d0iuQ(Aw5wjr@rNPwyV29#@Z9=1lXtxK!$ z=n{ro>3%h0FIIdfkG6*#-?5>o8AMf6#S~Ku10HZhD!RES;ywMHU{#o+cBrNc5T5HPhzFu5{lUX|CDbeI_NQ56AP&AxQB5uj4CNxZS$TRD4v%=5J zLr!u!;VBcjj!PDi;h^O-D~4A=aGvgY+~re)NH16Mo0cVqK_`iB?Erg(Sm1dXU~Iry zr(K#2NpEPfcLTn#dkVPxl=;hEY&k9Dri$xk#k02;8B=dE`TVY-n3hKBhpfY?k(!ZZ ze%DTX6D*+f_`{snEU$WJpUB2mJmEOAy-xc^^xLNg3|C2JIL*M^${F5rkQ^ zFMYQ!kc7#NeH|}~=1Q%YzQjx1TqZ8|fAd=%l~O%eVS?G;X1+>X7GCyhgrm69vBWdo zCM;L|RaSoL4rSTUxPsZ4cM!+FC_Vj-ySaAa7s^eNU+~^dpR*jS$KveWIZ1)x>T`5! zsk`p$^}`v&BLh}9T7@3aFxKE558R$JH$6O^UwGcK%8u<-5R0FWIFB_B3ZFUFbqZW{ z;#C8=gjZNMgKv5tfj3?5R+tyh*+N(GI7^B>@p=gp9!8C{&Rbz+XHVZ0`A0~zX4U47KUmy*^{%(FfSWg3Md;n9K1y;y>6}?$28dBVjlaqBg&Z^L(8k8x z%|nM@DvV?90<^&v+lSpi6j*hXF|*C#ZM3uq_pWVHkz&cZcJ_T(+F~0FrKQIVyNTu5 zpzhs0hWCe482{W1rV)9B#|n7(+-jVcS8zT5}6xy@IG<>zJT6DC~v4~qc0 z*ZjOsguzQH3kV(wo%B9c|%A zsXLVTiB6_v7nAPl&za_`)R$gOB#`4_zMY{{Zw8S`u178s+AN-4|GJS#`;C*%6A$3% z4y2+9?3S^-6%1o^iO%#tP0zsj;@?i?wB*=&aotA|?iC8f|8=`UZ73emGwt>(J|2X? 
zuUx9$1A^nY}+(b^EOpt&;?C%a`HmK~a_KfmRBqzi53P%m8mIz9p) zW^Qv1JOnzSdwZbPJ;nbjUc)%h?}xcFJpWbPy7$Q*ER?AjXY+GHY((~s7cK>8N`|oP z6e>q3&YZUS1$A^k(#s#MkUi1`D{7t=V!OXuy0t0CoqXV~XHeO-bJS1g)4+UH=ZOyi4c94F-pdH_9qi%Rb4BgGGj-+NK31Rhy20LD16MspT-^1$7m~0QQ!des}r$1J*n-JsNLP*hKrCiO`u{;Vc z5U)N8%XBAyk-G82y~n zpCjv^zlT}WRS(wN6-3Byc+LTZGmvBO=z8Qb&f6*uDOEie9qXJ8_E+_Vv{Ju(Id56W zIy>uaqYIZ$vx7`_8ZN?BBYBtkAs==hTHZOQ>?xs&009;{ZJg1m(<#= zG;QzQ?Pk2rtKz2s9tGfjXdMjhx{TI1fb;fts1DPro-EO*+i%#CpB$*Qj|=_2S+^a?WX-3?>y?Q}u45Or3Bo?V8vq;d75@j|8or!&dj zCSD%AJ=*~RYf97P^LvT!e(Z?z??dKKS7Iy|7?N2Qol`B{T)*tvrZQ*qJ6x7pt<}@G zBNnhdosHJ;&$Azs{H%@N!bT_V|1$4;dGqkJ@!{d(dtDf@0?F%%{)E5_J;#WrZ&m$| z>U&3>cWA7TWlv8E*0vxwV_FE=%DOz?+eyXcxO1u(jdpXFCLAZR+sEDdX+U06wd(0+ zE2uLhkvhdRK=j4Wz^Jly1TpN4O$a2nct;$=ZQcX}2s3iGKAu1OGUN)*XUAv4T((Z% zb5mYeZBwpWr5FyYrQ1dOsycb~!3z@lk*JLBM6ho^g$=!0mgdhupQswP;D?kBccBCU`-sYmb8_te1cR*WnZKlAymb z@AYj>KcAX7oSh0khPsWtR0L?5nPYkkwx8I0{T`%?|X`JNGaL%f5N`q@o6a9WCf zG9;sbo^zFmi z7nR%Usjp&RNKig}PoS5Un`~hG*1a*@CERgj}PP)P4BogcUP=O52ZR-jzN4By}T>$Ytbd<5kU?HwBLb(9Z$XICwMwaiyd-TDb zR_7q_!g`dl5Fl*R_Sp!7Fu3<|8)M<_0R!8Ct=FuhB1`h@@!~}t!>8xS!vCo>}N=vQp<*<>Eg^4_g0-$q8yv_YV7dLk#*jqe3GR-8{{I%7K*| z?sLGwpg5-Kkyh?PDS644(_?YmNhuG@!d<^L>O!nB1X$@)b}4{!BIyom z+Yy_*F#o)D;xF!_Ax{k35sXK}a*}O)JICjb%l-QLvn&f?1@tRUijAXik;Al<094J0 zziDsEQ}+Khn~bv)$6K9=#Udv$R)RDCl@75JON)K#IrgePyJz~>vZmvP0Kre!6p10N z=wI-*Tut?B@=^z6YT_})U>p|BVjfoC4*+}cg7_v3Q{jI#9oI>2 zs)l?H1|jL6AEPCyJK*f?tLYBuMK*(2!%k3 zohGO`Vw}pak_HLHqn#*N&-7MiKNorMwVPt4PW-c>Pl6q+T;_U)8P2==6A_Kzu7~pC zh(^RpQwPJIPdv9Te9S@3%S^o!tG?r`lc>!KaG$x(l}RY=v1hwZFrBTJlx~(F8{>;8xVmT9&8nf(!dsMw(L(CeGy+wnbz4>1PY6;?IJ08;Y<%C4 zdMCrIV3}m&inWE$YU{*sF$X9KId;n z?rBc_sINX)MR|^@C&`xAAz0c89&a=j;tWW-L0|f9sPh0#`2=nU<%L}3EyV!kZ&LVs zGhh+|*;F3wepR1V$8D5H-&oFBpzpn2w@%aE<_gFi(k#xuam)xsy)0U!dqp;r5v+&xH#*I_)rn&KpSWv&~TJG&_ z$w|lIDWGW`fCw-mP(hny;t_;ZD1-!=U^)9J+$!CVI4VMrApg4M=<$Phi!Jon*||-V zVLV>kLiB+GFEl%z7o+t{UIDfS?*nJFU^f$VTvnt%uyvTs7m;5jvNit`2)N#_eRoepIT7wXj)<-8okJ~tWP&j@__Nvtv`JLTA= 
zkCp3fo&F{f!rh^nLo8{AyKZ08o&vl}N{l&t%^0L_nowABw!Exo;ycuB{w&CWIqDaDD8ipCcLQ2gEue%z$*+v{a^Nq(5~C=AUTbL3}It^-8VogK2;%aD!O8|KCf8Ram6N|ZJ}`%!iE;ALP?s z-jCVPeotYFnzuEpaZdep<}$hYkrnuk7H)6l-X8a!|Jd0vm4zrEV#EGZQEO%ryB8}8tArBr9nz~ zI+5}cpsGO({u$+Fye{rVh4D-T?S2N`txXu=ysU@?%spOW1p+)~WemgPlZm3Sq!cOY zA zn18eOnL?xqC)YS*S)uThE>Ce0YT^`lj|#~!#Ndm)mEb8ZO-p_arY1)*-`9tT?- zfonYaS5G!*pr$#{X%dB+J!oXOhml#Kq)?u{!mGdf^384mX>1=i6g9BWpJ43^kSXN z4~hYrzR`*^x&M4vhU@m-SZQG_K=-IV zseUj*=emBuS`u}uXTBgtbcB+T>nrV0m$h8`!M@DAHRE{>vM z8PVP*X7%w9)Of&FP5-KMPb$(qiJeWl(M67B(oCz4f6uNlmgbOst}N$$%w!(aU$C8Y z^?p4HV%c?~v~)GI@b}$R86&4}_M(s28RbqL!Fl=?u;8fjmf);IoAPWKalbd5DD#C+ z@edk4S-23j?IK!COYI^eV}b4NnDII$nJRLLCGl3sPz-MrB)TrgHM$S^S%^tZuhF7q zX%3hQ@o%v|JA4*rUV8=EBr6g??i`4dC*${fAr6;`R5!-~UbVh<2H!?#OMt z9WkGRJ`Aau-$H&_Suoc9Y8dbEtZ7a$wEFjHOBCMNi9iv|O1QkBo^-hfZa+)<-~Uu% zrYg=6QKptB%M$9JL5aRDyvxI{?ZEf0-hCH-U4E5)dO7*6dcH_DPH?UT4;GPeU@|Vq zaA-qjC5G-{d01a#H<)B8lmyCL{P4DV%jBj*wCGOtWYzb?bvoBOq6Xu~20R?i4ox_8zX`WB0|B^l&yobYXNtW4PE`h94bj@f1AyK{*Xf z%HCh>i0WLtDk8803@|lR#@Y|@u9OYEB#4plNv!hxdw1sffDUsqz-|Jt#f93)sSn#% zu&p*n@m2uw7?2ClWC=Ig(l0y5)g=ldL~Az6AVNx`Umhq!H%c%x7&FDpEA6ni9a}y2 zDRSDllSK*{0IwN3FujvslD0Y=?$Y>2#^?c4CTl{LpG?Ob?dv(X%p9=(sl+m zyG3QBWA@2r-OFPpwA-n8a8g_@6z}yvHrvD6#rPd_tHX}hpbIW;#X^;M1kz@EQD}HK z{FL&IfzS!oR`{taLkR8vDBJ&&kN*>x|Le27NmynTC^{G|E;uYD(=84fICS3HV;;a$ zpNf#DJT;wq$ExnB!;@weuDPyend}qFoEGGX>mpt2V`yECT!T4ZHe05CSqt6bp=?_d z;3704h#vI&P~><-d+r1$Zv{!ahOo9<)cdTSN6C|6dU@07KhY zLCO2K-EmppPl8EeZ*UEd7v0F|#ru%-12JzkI~%(Prb3D)vS&d%K2nYYjF$i|pH@Pg zY(jHB{kecP?>;E^E;CsmkKE+j2+3GqB9}|8iyh`QHsg#R5#-gi$CuSy3OW{NHl|`9 z#s{rqp%LbB=>N+3K-x=zADoWGD%=6@V5yYD56<-CP$K+C+)N=`fPmkX;Sk;-p!GAX|-jAr(%ulzShri&)(&v49f@&BwaqD1#dqKXnc?V!ZRPC3A>N9%q~770?)VDDCy7zl zE0v|}m*Ut|cgbw2e@uG)wVM16r%4gn&x_%%$M*eXx}JF=F^AbuDwa7d`yR|x(sJx+ z#b2s4;@f=bEyZ+S{5f4l)c0vYzY7Zwe5tSVF}yoKiF!*Ai61`DZ>ecbDc+>fEH|#W*eF$oRjS9JtK~pT^U?f8wX-^}Ov;7`S)-uKoEB}F1=HsX>YZJ`GT13spHGQ5F zglqY!w~tEoSN^fMwE!(YbEv~RW@)6MF%Jp-B2z=Hq}c#H5n5agRPDBNItrAP^cH1L 
zQEWk^(NJr*(kw<2=|yd)jJr3EmK_9N_~yb@YDwrZQ5hXfFitBn&*-sN4B55pXnxyE zJ#ELl|4>?GkMp_^;p7V#%2ywjK9IB_-U(lNrKD7j-MO3~Q)~>8Z6IazxFQzj-}^=RKb0IV{@T|GZ>|SopXYtP}&8UhA7CT8g z0oi{V{JaPj%*6lOI{%mZt5Ty?>?iOJ1@DJ{tZ%8Co+eI-%$a6e1J$=QO`oUv%ht+G z|IYAQd3{txILlScWy?%kMh#lc3*^C@^obqiM3tAp;oxg;slWgGrk4N%g*F>JIZqt! ze}H4VYaeu3erdVSzn$b1G(|nGIZ)90ERE|IlmZ+)1de(5brh#);Fy>OreGrZV=8)v z5NNg*!?PC&FnZKK2BG05u!LuUn~;xjBuHAFTY;#Ne3z;Hu~3B`4a z-fpTH zQgi&S_E_7^F>%e3bL!*a2z1K)rpT6%{dyBk(7S5nbc;(# zr0MJ3J}P4hJ`-%nepW&a=Nz7j9+j;;T~x1iWPhj8_lBBn44DDBigCMH+ir1Cusm<8 zIWKWm{Hjp)xGeSqJL#Am=o55sR<7`_4fOe7$?c5BdNF-xpP8-jPs`l7^0+&zAX1WD z#g)Xl+6k`{N8P0SmJfxAkubOL!a28B2d zC||cV_*YB)wL@w_hyPfK{OXMIHj%C>Dz`T7=Ay*$!tC`&@40FeSkd$>XQw(uA-?%H za6qsloq-bVT=upPPo97kF*Ew#9RE9U+D9yx4|42kROPe58ft+q)FCr1(;&w}Z%5P~ zWgAD|GN^V@>`X`VzTp#Exd1-1YQifJS&GUThnRwT<{3Lwob#-afS2@AH3 z9Lk724qG=^`^gqm%H-g=-84OY5mrntX&iq>-PObTTOAPY4lYrYx$ws}8xUclE)UWf z(Ikl0zOi(Z+YwaPP+|{`7}(i-nJA8-DZy`dcmJAe`CLr_c!;R`}9Iv`W9^ zz(?@kB;MqNJ%S9I^0r4B~JF@tRy!% z#~WUoNwE=a&|4c{?L7lZ0?w@?0c$9@@O`FiYsbfIH%;=Au#OZR804$h;)1n*FVULP zlxY|CkwMB9x zc6(U;X(pzd^nHB<6$%(K2R;sE4$O4MgGN`EbYv#mcn+|X4!2h`*JcNk1ckEGE)AcK zl~7p7AYaR_o|0D@X!d6b>yOK@BE>QWe<^%DTzuuxQ9awdsW{d0Pnfh+VUCM1GvInv z!!$N9tjTx`iwYgQl9Z#Zh8}uSd0|8p(b8nj_mNI^t-0uHaq;7G?fBHbJOMg>fmK>v+~R10)rz%!Fa4jI7}J8%jp+X)j~7Yj*?kT}a`8a}sdClrwKV1D zfaY6N6{BJumCY4RTEn}H>z|hv-b!?aDP4^H95=Ah%V^-@*luEQsnD4fA5f4;HCL35 z@7Rvy@XV&3vOtWm;D%F-$4AYnLfPK*NN-VoYHo}Q84MZzg%Rn5$RYv$mFtvRv1}}O z|5AnlV?g|x{CUAu1^_W?;@{II)8P9tU7s^L6P!}LXRx?o#XQ~&4LO-iwMrw@|0=ptGi`uV+fQl7TJb8 zEu>yZ8d!`@c+*#{nU=2;C85w!3BI~V@ne4N*g_^%E#A5oRboM3!Q zRcOO}Ie}p*UD>Ri$wD1&)Vo^M4vS2`cg6kcB<9-2D&=I?fA(AiVSfsn|CQHQtIJ=^ z+{iv`m!|ea_Quiu`#9V*{m!~lQRRYf3Hdu89Zhs{;h(7_-9*T7}KDr(fL%VqjRPcB&M* z=&vFV=fkAdLbc-zkK;!Se>}9qSD++HX&C{;izN{4%?QF&1}+!ob>kyojfWv?b!~ytfzyfckE|#>0N&Wu}-k{WH%clS5 zv3@6Bdxw?q_lk02pG5W3o~+?PzKWVnQ=)zM4k%FK6i-XInI94JzUTiOh#n2OYU|}c z(%-{dno2uvWB-A=M~rNOOld`CvaI$_pJ3?iv?6~!uJL#z^SXNC+U;}>=*iFJ{NE*l 
zU!|^i>r%2QsgAE-KU?fSJrHMmi}LvquR>xRTevJsNEp|zD#H&h95yT3wKnYAyKf$X zWk1OH?N&|K7x%~nl(T4}05&K!f+nMbW+g6*tvk81zSbW@d7@)vsPeHj^!f{vS_bU9 z^)gbEBwq{v238&5S^5bRFL6K6lwYmRb*Rz(SqgW)s!HUSHZ1LWTY>t1@T<|te&*cY z*CbfbvWMuve8<0Ed6Mx(>A=yYj_e;F>aMft;~?Ng4TPI3?fn0^xlEsW2CpmEocL89 zpXe7rT7>i@SeIdXe?Ml;e8vQH(?L4s*j8s(Ivs!!WYbo!sV$b>;v^iwQrP+14@SI( zsNhj&b@Y&q*@&z@he zSq!(uN$VgxfN=yY{@s2I(Y)9;z5NQ)D{51rS@4WbB-orOi#`O@ECPZ1#d4V*&Q=$e zN=%oQ9AB!n=wm59?0X|fojET^Uj-uu{920K(Cq&+2dS!}iBu*Qj6{oBQ&#FgISDk$ z<{LCqD|Bkg9p#KasCVZJeW~DVP4fAxk8_lhblsvZYWtr~D52F3^aE!QO@7ib1!SZDc^p!2^WZMcw3pa!!pA0aN~pDBECRCDe@m{*2{cg}utwpC**urd(dD zQMY9bi(wR})H}lZrv6;b%Sg7X;87J6Brt!Nsb3|vD!p$^=3kLP5N(ulM3yC>Czsoa zTCwE$;E95ZJl=u=WdpRJ>Mo{5$Ex9uRLL`EUS7tkpDL;E20(>sFUe7}*Rf(MwF`Am zLE711fPc2o`d`Pi6h{^Bxuidia&$_?n{f`wMH?P5P6LHpcH8wYS%@nYNQqQhyaGZf zXJIq#zy3>mzHI(~`Y$3ZDyiiW5mnlBe=DfYAwZ5F5XxxfM=YCnNPKBg?ke+e?fnt{jdnpTsf(o}7S|Kc0_VFqMhbeAn9s{Cpl$>1{eWOMuU zp1w#%px0V!NqmW{0NZd1Ff`VvZU-ku>oQgnNr6qH8Fd`%0@Y{zhn`3+<#B~=^bRpU3_V{ zWcGuNK9#bnEtou@!qg`JFUGzyEb6yg7X$@qq#H!(knZkoDQSk3Zjh1^X+fmBQ(zdn zr3R&QUfj$@YG3cG4%>zg!t$KN z$+OXIgf;(l1Chs5s{St@H8cKd`13EgI%3r^p3+YoFcXTCQf8f1 zVm=C~ze}@MEd^nv!#@^)lhG=Xke!$*P#kpZFf!NdDN05(4H=6?r=;Za;6&!@TSG<} z^$n-UHO5SMEK}C=5cQi^MKh>EU$&iH5ASg#cVC~-PShsj@n*a4q40H+vE8|M>|$mj zYnFuNsiH~V4a-EMb2Ho*rG&nyP7^!V%LlzK7lfozHy>kz93mPV4BUj9l`~piAph3D zc34E-m14pJ;<_p6lgv2eN#Yp*qiiD}5q++2H3jkoUn$E3l z0jmR}KlRK=Sn#$k6e%HqlA?<^^mjQA%N_3pn66yQbLtrYM^{*-@>HwIB`#5DX7}Em zSJ*O`fhNurjbV;~;qUxt8E+gf{J%8qLqOAB#Ehn1)g7rryt**Er{e`DKF|_A!Dpi| z+hwqst{lCs4>CXlP4LL1#36&2>S}~1inYJ*&ihw&u~G1%3bqzr|DiZa5osB+;;N^j ztLK*q?jbd+AQsI=ONyt6f`qKd(6x#l$-A~;);=jdXO-&|EY*)}qn)5k5iOd7u!;oR2DAOw;3E@_Wb0x%tTo7tp~{@6>Fj4>OEL6bWRaS`^~ZjBf|{e|9119H zpL?qpHh;YEb}^~x&n;!A*NX0(#gzI8FRmCOj}0p~#a%7a6UK376&FIS75f51;aj1+ zkXK58m0z6~lo9VW7P?`n3u0O=Z(5#F_YgJe%AuZ;4;#N0OM6GBn1BL&FwHSD);x02 zIA9KrMYugvL_2)< zwM?ozG^IXu45~<@paYE1Cw;I_B-h_^jkrRrxTm<_q;4u-=?F2fs)KL@qhMDCo|wJ8 z&O0Sy}4OsxWmooZ%lA79FPvH)~5e?X+{e>eu 
zoZEZy)+D}T73<^dv1F%%QYBQv_=`3{)H)dO4*9;?ul{-5Unw|5doP%Ym@<~nyaGoW7p?3? zvp*^`9JRx8Z}`H9z9{2zud>j)mHwrRy+V8>bg1Ct2CWR8aQ^H)tfhK4$@rt#SMhm2 z4TS8TLV}q;q|ZzPQ1) z8#4FA>~Us`Y>j!vk4`i~H8p|t@5BCXZ7lmgHg^BO==jlHKgwllm6XpS%JEK%z%o>F z8pEhcXO$OI@8JcYA@%jQ zhoR1XkT@5=kbh_`J1P=u@jJa3Z_>_w*~Vb^Qx_yJR@YN4X4O-^!UWWb{p5#%4!kHK zuO9OthkKkqqT~(zQF-`KzdKd+RyBelyO9d+&z}5}2fn^4TT!@2Q9BhiWzfo%juYaq zUF|r6Kw3q5{TdT?OfFmq>d+gvcWHfnZLalATi$3c(kK~+*r?X;HbVo@(VSKR3$8jJ zBVf5wst9W1lKZ6vWIG^DV-fZXF(OoZv$#x^HOzg8*rsHM~oYrVnr zGjzM3!;TdelOYbKi|Aup^81zJ`8!)1>_j{+9PX6Kqw5nBvvVDVy+n(|+!`1npXd1y z>oWLHKY}K_PBSLso$_R&UsLj;Jdk7NmcNmEB`I?JRy|4voLRDVOt0*yfj?i7K7&+&u zH)K3@dhbq8;15~7H%+pZ29-{ph&IenS*#q$*2|__D&f-)ZsIHxJye4dsAA6Cc8T_z| zpU1-vR2z!p&!}_ znWl0V*(wVKGV##aOh@2w{rHf$vHMqx2w&4U2R+00h z7^xs$q88YnKB-Fr`FW@o-D2Zv8H~e zo8?5&z*~luwGS%BslC0c`=hEwmj!jL0HE$RJJN;e;w;Eh? zBu!lBbp$YZn~d<)-r0@tpg+qKF<)QJA}-7Sj?;N-qrgrWS#;1?wcL4_ATGHeKO(&O zAl*!=@vU&e%YK`OGu#o(E%63j6&!Ia(7uL!Sd!_oOA45~1TBc&5A_{R=RPh`0me;K zO(T&HQb4u2LL1zF{qK#LIrqyDW*qh4H^J=mxdp&JRZ}F;0>MQA4~q3I0U*l3&)D!; zE2rC6Q)_%JMO4i1`DzhHIO5+dBtr_7KW7QHHkHVG0TDo$7{4Fs5Crkrbv zdOw`=>%F#YH-WL_x!QBwWbRjQ>{tT@*BZ?Cu&R2T!F5w07 zGG`yAI#tDrXO!Vo4%c+VC-rKd0nn>Js(L}397*!Tc8F$4t#G~FvlfI!@)>b1)>fL(@nSOxt?Zp-I-Yh?IUU&Rr4)N3u?NE&rn!;xVwzut#m7lgg2AFoVKE;)TaFA5#1-=4mw79LH8;< zWqh{?IgOp!Roi`0+;A?thb$&lhW~f`j;~#rT-nqQ*vnliild-V6+WF-=8$jd^@QTQR1Ly=fu%xhac2ehYVWy%=xwEm^uIij+odY>K-kYlD}Q z$f~H0Ek^1Ra+ zm;Ei@kO}c2nH49psPi^#H^l>?dSNkk`mu>k#iTuNg4j9c-Ek{s8I1rK4l=6hYqjU{ z(2sdYv6|8`-({-4KzbDdVB-XvGHPD+4RHA511R(vKbgSktY zAElG@vRqC2=2MRSCkZEFAVwIn|cb!aWhkd`_$%IW<$^^z;l0TwnzQ&a~jWV3P* z{t%grkx4fZf8kcd{~^40nv~dy6jBUEq|^tNUM@JZ;f({-yz^?rhE!DE4zH_4fdQEg zMA#+E42hHuW1O$6FS9WjYiz!eIE>cYX<#1)Jy-0Pf636GE>c(L^sGr;mXr=rlo+P* z)p-K_GQy{;z|i;j)!MJx3}p(MPjy@~x>?B@rsn$uSKUN-cyF}hR8>nZRw>?FnmBlz zJ_YHPO|qLLN=GOR7w*WN&@yM%!BV-yA(8a_WuUxvt|uxM(&^k+RjH24us9E~RPJ86 zeD$fk=e26~_B5^7*CpPwkSZQ@3{8cJQI`g5C&hQuS8=%)|paPW*mIznA%aE0RUkEIrmk*(@;Iw0>Pl%6n1*hkz)09h#hwr{@Od{g& 
zC7{Hn?7vQHH~D>~k>)ahyP%AKgAWSUu_yKdyMhQ5tVVb(Rn@)&|1I1O3&b~?fT`)vv6!T5G9P|~SnJEmlb}Xl&=shv#g&fLP?f;}qWa8} zQq)Ze+cNXSvc-5-vTq$ul?Irw`M|YVNb>mN!jJPa&J*>=w@o6wR*={kTVX(>5% zI3o*nlQHLJ3rAVv85NzX?(lBJy#L9g?h|m(sBgRk5RGh_&L>scgtpT99xiHwy?AVX z+AWq4gaOR@U(Wdv#KgHi&4BeqelkNGKPEdk(fEB`|KGGQ1Yoj2eYICv%Mat^5ZO9u z_nH^KTJng49Hcb-;?Fb=y4i$JX-FJU2cA!4+|aUzj{)A>&M+|O)quj1j)s_COv56E z$H2VTN1vuY4T1l-KdcpyrqI%C6p5-C#{k4cBe54PaDrj8i9qP#3-AERGjhNd?94K3 zMW8^76uwPoSFdritEoOG+geW67o`?kTAPNO`SvHn$N&nm*cY`2!~|8rL~QYx?oCNv zTxzK`GkO$yz3yj=FYg#D5;R`Z*g*%2k_Ak3kiuNQlpr~jy4aU;n)Ax%$BNp`#ZTDv z5@x%#<=JCGr9HK$VRfcjCy@souHD++v{)pS=P#QNunw3CakZgJ%(*Fq-A~X7Pl3uz z^^+r{khQfAz;Fu^LAw5wjV+x5ADvb|P8f=9?hgXUqA@gfoYhaoOLls~6!9!^Zf&5q zkb0UJ2hUy^*Y76-!xV%$PzVPiGfn2YifCL-bk-qc&zE^_KgA7r03?LtENUAd(E26W&7{hZ!(zxwr9>~zxY`Z8Gdkt>Gmc3%JEPq_ckRH zaZx+Ray6;Kvqbaf7|rKc3a#a@9<5~Rt1+la=sqvY_5S%G#fso$HF#3_FwH7xzXVWY zl>FpYvB$|JG5b)r_=qs`34Xj=QE35HjR6G3F8DBG?*8&wP9t2k-hAvdKTcxDxpkM} ztynfNae&r>U7Bu)Gur@%m8OyaHRp(c;~uo735nYzKsZXeQ}k2pN))gd!F8i~*inG* zH;ifV`>7GH()exQHv#$VZH~1q1C7S$X4Xk^OQ3INYc@G#G)is zOFU{pl(?EFR>%8rJOJPS_)M?a1qYik;NPQea|ymPJ_IOzwY%>BXdD40hrFalbWye7 zg+;0K-oyaA z;foO^1fTYIkV%sYJxHua`!fkewojGV^IDQ0G9&jHvXbl1>2b@(pPU()AchL#252sD zV!T5cJo{?s3gd>FrzpJftkMh#DGp(#Oz>Mu!>9t{z z41Lk+4SMCYc*AjyrB|v#%>a!3)vWKnTK}*pq<@z0=Uw5I7=aU3yoC^+_I#dd^x|51 z`S!tVx5Ar?tZ_Ua518+3#~vk&3(CLyLB+v zcj=&hWScb%{R%q5*`^V+mmGvFRNy_k{X*xPYh^XWKc?IS5I6kddx*bYu*vM`pT#)r zdKCZLDu0)WSu2Ki=b2Xifwxu|ga@2(f+-!b>-g1wytp`0u zjX-Zh(Wu9pzl#BRe{BIrZCzlA!+DyvK3s|RD#xuK1RCxXfvYG+gqx4-m~)xVw{-)B zr%eks6h8B73Mp3PUazG0@m4nIX}o=gECZ`nZ9W|Z9R)ZqfWCPNEc+JT)wA6Tz%}vD zl0g4xLi#?3CY&n3_(#6!!e3 zBQXkQej2F))pVkAAJS}0ndef3wc|*ma4wmQ zNM6)ZsYSJx2`SFfK+LFuU#7oxlRUw!s%|hrn{KrsKxps1!?X1iWy_OO zr}^yQv#K@UIQvx1S8cfQ*Us_J#APyO1V6XQoag~s8aH2fTmfQ(E}?ivh2nazyeRDX z7;0%w)Azb$JYOOQgN+j6Y8K2t80g&dryFbu!-Zl&{6xDV_RjT_`uOsV{MC$x=@Q;F-bK|YW8}} zu+~PaIbAm9CSS{b*|K%A+7hL893pFlfv+vE z2PJYmTui)XcDRmJ*c(&!KXp|>+A^emxclpRM{(Bg6!5xPHR1&&?Xv_UjP+UXoCeJq 
z??}3?pZfGXB>|@e-Hf!g1a{ue5c?^IP>|1>_)z(*1YR|!y>r|A>RevDtPQR0yk%+X z-^%=U@$-LR=Pam#)uH8|49ZL7j2hotIf1jPX=4`Zf?=VPZ%2ezcf~>EQ;0({h;!|Q zk+`~OpFPG`Vc1LEm&z3&ej+C;uNH9tgVYs*@>A~svY7XR6-El_7hK(5B|msQ%ia#Q zLg*xrb!>M!bdV-7-WlBDm~y?2F91m;n-#Jmk*Ag*)D}aJc5kPscHE}dl}#66qfrf` zvC*nk&K6A``Oou-1QQn^bW zWz92!T9(#vv9D^M534xda?-P=)td@a=teHQ5tkj6rfQ%o7T0TXpC7b7=ZQ~Y9+0-f z5Gqy~-jyh~rF~-_8has3nA$o7OHswjG{a-IqSdQ#Zfl=fwI>6<~9xEAKd!- z><9h1^yxfM7rD^w3LqOJ9(;LZlj&q?%=UQT!s)g6zJpJOWp{IO&Um@r({S*~X?bb( z-k&>>m6O3%l&+4eg+ZsA1@=M#!q|RkLGQeEMQ@WoAK+exAt;wVP0Rk3`e^^c8(Wo&39=-v@qLpGq0JM#&^`dt3f`a3$}MtNXz$I5lh6mOTFu* zE~>seJ!tT@Wun83Nt^>xV3-YFGTzww`0oFbrvGc3gN&@MWFRUi*R%UvGsXMzy9LE@ zYtaTAW_R~YoQNfpw^%XLn>STkb#`=&X~$|;D|OFVQd%S8+olOXR5ebh*=lnaZXQr1 zv9D9DKTr4GP7&$!W5;VpqFj3wVRqW{^8Cka_LWF@Drz|1OF5|JuJ==Ntx_HMbI^Wx zYssj+$kOynbGoJr(~0At54NY;9G@{=P{ygcaf~B8c9D=*QB$-m+Xw2*3d#Lh+pI{+ z-(Z}bmbzH`IwmRguRL~pKR0sJnKwwUW_%YXN!dqv$iyg^NJmb{j``&lv7=ye`SN0IQtlF;xfkewwOF>ZrV%+3lO68`KijurjhH!j)b7VUhu7=D+6^*K+aMZZ2j>|d zasw~D0e3yIDN1Do!C3LKdDsOUxS`%Tj(j$`A1rtPJSQ}!sbfyiXg;84`rqdGbd87| zccT=)f4C5EWz2O~1`b2S2R4kwdH_3arJ)LpB}%xBKTfyJS%CXIJ~UEbasUywSAdap z$!lWtAdlhK&izFCEMAMw4UKKUurYGmPx3fW4L*f}9suu$)3y#3sUFpAVIWdF$gkS$ z9YHg{XUl0qu%`-#A^Qijt5S)Ugy0W4PG4^R2S)t_Sv}y@wCNJ>(~ry;#&))$ z$Z0A5BKnaS<5DL-?64WN3je3Xsr`LK1T`_rIy1;>-+PLD6E#?x-`5iQFfpHs$Phq^OvgihOrdC#)dfC3jFLW+2*BeJMQDD33+$$(g4nj5* zLkqwSxNnQgolE>cZ-Z#1ZI%l6=#M%3ZA*`DsXs|?ia9J}e!g67M5Iw23`VA=H}1wK zeJt2v`)DoQ&TaB+M7TUP8Es~l#|sKJ8EeN0p|Z36kzH@z_co*VrX;XYPLbXd>NRP>O~7PaTO1e)xz(ZEztCevp7gcj#cyl4w86dE+mfwf(&qqy zsq}H5&6g|cH_wD!aaEN?6~cRwk%i#llXAQ^E!(G}V)mH65& zz%n!cysJqREqn8PYRvU0aOKY6qHPfnL7R-Uf;#WuN4HexM&dA$-h(Ii1gGx-|Jwtn zLp`!7gPxlE#ZA9uQDGoM$Jq^V5$ZOFEZCfl(U%@B*yg%9R&}-pob;1e)hxjrYuU#v zALYv1E;AghORpKB!laaQLDO0a!HnidF)%+#lU^l6VNzBm z2CwNYN*5r`OAm$trmvMhl$=SXks-10O_io&ASgiFAaM@dxLKw$FD7D{opMSVp;m>5 zbNk)94nO*4xc)>oq%ew^NBbIsKOxnFz@HCk&l3Q4t_@zcl@A=INq3vZE|wLCRb{i%mTC9*@XR zlklZEVqEK)_}ga^XGYV)7rHw}H8&ZBI4r{uVf5=zI*d9Su^~G(%vS8T_no$m4i-)- 
zMkF65qMYbhkhdo6L8B-mIT14^YhSGvJRylTd zzTIb6a}ri?Ln|O!*u2f7?Z)34GW;yaOp%gyhljR;rxcq!ignzaK z2IEi>mI)~o{v1+(*$Qw;OeoS_UP5w+y?LXU;hHvZ9d*D-sxTpi>Odiv`w0b^e+f?e zY@zt8r_3+;h%>o2jO5$63isQ4&7vs57r>%rNRPFI?A3X`y^b;r_W-PVHk~}$)GSK> zjs@@?S92QY=L{$4QANY}>pgo!IIchwIDG(K#{rfx&J}!h3dt+3eP&BNXjHllbzk8= zD}B`shpolFrPmj@-cEV=N6EP$>*DOJ^hw)oo{S2E`|=nutTc@o(n7& zep8o@3plgHqfq7H7nPuOz{zm2KF1PJOgjr~zw_|p%aQ2Zm@Y3aKkR}_i&9u@w~NaM zfk}EFJ>j{IW3FZn!{yEcv1C}KthXIU!7EO6{fs00D-TCU*V}d9KBAvBBx`t|{n8h+ z4bt+n3E=q0XhjyfjJHY{vv8hU8lx+$!aXUEw3fdaLMHXqjbXfi5C{#!Vs$e)q$EGG38_#(v1r7FMR9?wX4G8Yns%9?~JJ$$lDKI`=1FHjt;sEeR^ zc=4LHSDFlw;jqD5>*UbBLalmqUS%{Zt8D7=h4mLYlB}g|oxIB4PXFxUaJjy&&+|HO zB~v@0d&}CWjLVe#`0cR5lzPqL^4bYLmJCkS!Dw1bc@$``YFXjZ-*>naFz2c{$>&)? zU8R;wMiLb*RB{Np35{_l#oM_Bo9mIEU44~9?=|A$)g-LM)i%l}zJ9Cpy^5{EU%7<+ zIM%g!E8g|MY|&7hGu&9#J&^Wa^E(=~Z-~h54}!up7XTkTJf@G2-4iCFcDuGXoVQ9~ z|8-Gt;?xA+7bUpwo>FslWF{&N(aPhb;-a5}{vO zUNCHYCzJD8rL*Q~Nh^CtL|RZ8sJ$eyXp;^>oaKBlqV7l6hm3&$R2`LT(b&lY3b>(L zjcWbIE>HhZ2l?frXs>)PySAF@A6O)&?ocLUg`Deo<+PCdhRcM>FED9|dDn61GQ9y2 z5y}Z%3H$Z*0!;$$Y}hqak&J>z2EGSYQ%1||8OumdVJ?wYA67w&w69Ot3!x`u%CLpA zI&k{t2pH$ZIXw-Qs!(_dYq`ptoo=mO;BTxG?xKGe{tn&cg8Umma2Mn-6dwJ1NgNw* zkRo#boEH%j)}jA=s>RfG5=Rf`QlNobqV>#mLUQkZf2-K`P>6$}2Y>iEaX3U@+3(q5 z_kb`n+wfktFXgAsTJ%||ZQ(pH67yK3MpOqvjM1BffRP3uWpT7sIbi|4>1X5M2W;gw z(6{uhoZvrxQQOsze{l8g8b)s;7Ok$}Ds6-w*K1L2P7rvFZo;MXb>P*CnRwg7gaWmj zW6e!`{gHF}$~*UHW4HdVtxj(n%v|7JOC~;Wz5nenh@cvkDpg#*jS~Kx4Ykw9t=>C$ zpP7aYqSB_QaW3)NNRNle7_d$234*Y@7<)%K|jH>z!+5g`XYO;o6& z)SHxw>xyblWSEq;fI_Ij7jtys1vz=u_)OY6LR6+wLyi%elPU!7)Px~47|NRa7epwu z3{$k=DaXYxwn)W!=Kk(B*{avAo%LSaMmf@&i-Xq~7XAdvwwoTk%y_tZVQFobx4xB1 z9D3K6n9rMk807z5%W}g5xjH+ekLT&)3!=ofAfEZyGE)O{9KR?6FKXBd6Pih5(dk3^ zV(yXnGgFMRJJt2ic;ko5P@GEVAbdH<cD;~zL%Px$zM3aYp*@jzYd~2gPUsMXqJ-X zKy|HKHtXDtPz_5~C=%Y+k~j1Ddc&pAZHjC~-97J9wlbCc=HYEOAFY>DV3eR|55$Pr zMM8t-PPP1s+nNvCHa67T80CkV}?UCORL(uL^r3-+b&f3|c8c zPeBBsB_bmpYLO-<-7zu5y=HCy8g3|s z=cq&Ooi_*RI3Y%#U5iWFV;WBGRX?i}wnj1XY(>|avl68vOZJ>kANckmk4_dUXsJi_ 
zj_GTxDP3(*L^|EU`9OP}@Z$@2-d4g6`u6PL9l$OrioFYq{7GLc9!^&6-B~UiP{V6W z=NR!mt`1PNttZqHM+f^)Mg!0T4%6aA?~WY8HYfe?t!eqgsAT}#%_%@n`g1cDoC0^u zJ@5_>UPYmCWy~@-NC6`7FqgJLJzXX(5Ah;PqV;Jpr>7&FLTv9EL{II!Jh}lR%fnfN zK(C4~=NXPQUcge+jke{Fj_9+=EC1-t2Fr1WfT$o~t2V6y{?~ATDzKLlR{!SpbYs@7w`c663(3H% zIS=dSC<R5*}Zp7NLEe>60+ z%21eW&3V%Iamq_{kcLDB%G)tcwNCBq8~3! z@JLR?@?dSt`jY?&Qxdh4r0V7MBFBYqK}^B&;dW^}1F=QXc761$ea85ew zLlXyAfW5?w>VFhW9N3|eCtJ}`9#z^>SIk;^Qk?#kkuh@r71{#xXXho%v5jZ+UM~8| zv9@z>*1!t;Y9m=Ah5L<8sk&Ei``(_m_f(ufD{i3Odi^qHAxU)|k8hn^<50aN-iPBT2^KGJy8FilpM##adY})RPd_9`rScXF z6{d?)#d1sa7d+4SUNGTaUzh%&&+8c`Q}*ZfP0WZFS{?)MPmxP_#J}G%CjR{K0#(bC z;pwX$GS+@lqIFR9%JO#8RZ~~Pnp*XuA#=?&85WXe$L^&LB&Fr>He=5J0#=>^9Z`r z^GTeX1p3cR_oN!yJ2GK)=E)z1nj{BxU6b0gqywop-;Fz`ywtfQ9!pKsI86zt#2J~= zM<1%Jx#_GZCpp_or2vvbl7u?uEw6NtU*YhpV2IIVPBGr`F^TCUAa~>QKglZ(&l_TR zkQUv3yI_s{W-l|Fz#U~g->F<4RnZ(z=$M>}y^m4!H`BzEBvsUH#Tx6LQP)mXBQ(xr ze3d&%+dg{D9)Tz5Aww~e6z5_{d04-6^W5KHmp9d6P@^IdJiAzp5cwgi{-IH3<7-e# zn$95g_Pm^S`Isd2a8dS$1d<5>WROTZQbs|2qWW7^5ig@uuAO8};!vf0WD%$PbPBJ! 
zSjQB9#Ur-b!V&J*wGYzn=@R=gb@WT$j68XTtwwwycbm#nBTKRQZDPP4jRs^I%i zsAr71?>0w;&wk1>oLzNw?cj)SBq}a7*!qAM{q8Ogc=abN`XYgR&p~;AHcyGmc`GuS zmOQLJr>2L=2XH0pI(-DN1z&`JH@7H&f$a+cX1RSdmiz#lF?v*&C<7&5klP+%lSSXN zw2vqXw0`1K{giYbG(fvh}YW`fZCjOh76FZ~fIV zM#Gm-cUxY%biQjAcRd~@?qI?h9(o(Wmj)ocZ#>aEbVP!)5`bNbQt;+|)z)m7SZX zvcY~Ii3N*(FnfKDzj@W*x0Ab+CrE_VQK--Op)idRK4jWt<(z0zS)J_n=EHJ|_|IR; zw`2`yRc>=p5U1YbDtynbJ6%z=_^Fx~t10MYP8R*THC1$zp^#38_=HL3o%AkLIYNjf z19Kxu^JZLpQoeJjbZFqFsPP7>{wjefQHWGc2R6dA{q^Re-URaQM`4w}aoJqg-XB|a z;QDgLPOk^uAcy?D2#~Rn` z{rXkDykSj2SNySE?Fak)yliUBtZvZVl1Cu>2r~m=Oew4WA7(?WNQ zlX9Cr%R!6TzP|;p;)8u4)X9v&%N9w7IDv%Crd5Ly3|(6!)%thzI~Sw^hq6ukNecJT zGAH_i2l)}lwmF7JIFGAn^dvthMQl9JT%v)-0##n%CXt^db@E*7lGXO3T?tpD&A$BTm0gGq!GePu)ou?$$GkkPraxLz~eKPg$FPl*P7FM0Ll z`R!|sA;YYc*SKx6)mYV{0adlKmXb^-B&3+Xvxf9EpssZjv`>(PpR{o2c8|D{+p(*x zko%ReD=O%m+rcnJ@sP+0b_=j>dl{zjDkH($Cwj>lC7*=xCqRt4BP{t-+z&>d>Yd;m zMtymv(D%kuzVf(%++2MTn4d;80*5Ck8XDE1Akl^>ro~dVk?AlTk&4rJS2te&oUZ9b z>1Nr9>!2{nHqLOAox8)X6}7a)!;Qe3&0m0(l=|>Hl>Os@g6%x1FoK85MM#UB0K5Ch zz4{KYsbQVeNayZ9S~6XY#Gy*Pt~PF(&E|44dKs1!Gt0XwctZ1VtZ-PzZ* z;r{X}iZd5mJW45cNdnh6qhbw5q_4;GW#GcWKidv>Uv`ZccOq_=Jh~2A@7r36S0b^; zTFN{1#b#@RX9HJ{`v@*-Odh=&x~{~o^30|;)5HT?Gl4)R+%l*@NYtiHGu)`_F?35u~@#7F+yD%!tKk$zN$0U!GAbwmXg#+Mn$)bVf^w_)Q zjxT3+(?9!b;y{dS3WFu`*#vaebJQU0+rwxo+Abd|>AG1pptsE1aO87GI%ul(@O09o zJlS-lLWtyX*ZsN58^{m;o9FX8>_X3N9lpW%H~ln*FVR^&$+6f+{P@ne%Qx^thCwff z=dy~bDWfqmU%o6FPi8E3p_@5Ic~smkd=<0yvcSBs*@#1xKQUIX`)x*4PS|Rw`?xyA z`Ik~N0p<~_)-Sx##>Iqhf2=4D?SeP;=1l@jm#T8GZ5qF3F0$G)7So7))l<$1qN8#G zXc8RC@+zd-B#x6Ba7e1o*fSx9Z~Z&3>f$8)V{nx;BrZBne7(tKJjyA*Rc&h0pVJj< zfbkB$E^oxC5NE=Q(K0b|r%A+RJv!D5;1 zpJa#mQPc%#nq&>BKwhKhw(*MloQZ%$wA3@Nqs6Nn3T|K5`ml69nYS!pQ3FrE%gBNsVrmd6GT;LhXa zw8K?Wg7wNsJbX*!!TI{(zUE~7+?Buema`-v^6L0#lrU$Mm0{ z6R5`%L(5UV&f&S+olyBx{J*mGw|b#GM;3k6QyAqRnL`gcro2sxOx;z03QKcAx47k> zgUU0Y_Hw&kWJalOpWjc`qWQt!vR8js)x;8FoaNoDIe#ch~Dm1PsHOVN?eZy`-x)Pot5djF z%AB6*MSvTB+IMQ03OqExB2OeU-$$qP&{`?x8YGYAzr&n4QQ02)k;N7ReKx-QUHTi< 
zJ!`JR)KJ{xgKaFYLmDP~_#F2fac`e*1|$Lh@39CmpdskA8VtU7+oG==mjGxJOYMFV z+Ax59MdliGioGqNChpo)3lkvg964&th~KPv2N{O zdw($Vx|rd+2#-M6Pjzna-}*RiWA9&^dQSbG^c@qst1{kP8Rl3Kp*BKSpbp&kH$6PM zHJQT<&N-|fHAep%0tP>NJdXN#w{~Xv2gpQOT59oFnk-g1d$&Xtgmz6*qWY^*rEgZ> z)U7mEoOvOT!)ffs2Rt%`%I~tg@ppH=YuWx^m(zdVQM7pIVho`zs+@tZ#{8y3Eq4aV zjp936ADE}2KH7_blw{5_be);>d_3QyaCLhOo%UEM22>3{rktI1{G7Z(-w^>OtP~=L z^jqT6`ap1RX1m&A^`ip_8Oq^nTR5Sk?N6HZH2_o6JY4cK`-yE|2-kNk20xe#VGuTB zs*+J8BL)+xXk@!=iaqA=xEr3B_Fg43kAB%QktubaaFM;}lXh)XO>Lwi*Ri4RQ#2oX z%+nHMz;#)Pxf=Z=I6Nj=$k34LUIu=4gadQ(0KWg3j=-3*B$pko*8DE6X~N6Q%LAG8 z>U`8=KbaZdR+wc(69dX&_+&llnQAQcT16|eF2A^i-C`K9t1)OJ#Fc^!D|se58)#= zzud1@g3V@92-F38OcrJ~#czgBdiqV-LRNNHN&{!cYAS>~vwEasW(^Vt>fr8CJP!h$ z=U>`@n2eXZORi{tnO5PFMos%<;1G_FCO)@UO->c}8S&f$P6S zu|HsU(7+(-|C`u=hC4L$ljJ47;;o>J72QJ-wm;S%!P#R*8mq*~7;ff^FT@K) zX3xjm*9N|jkrNiG(gZ~0-jC19Rv0s}7(+gO5&Y)AV|}NMn;G{f9;udT?`NC;EryPb zOA5e~;euXzQ6zHNq16WFQ6z?4;WAr%rb!q~EHYO@M|<_Ib(fI;iT+~8SLq7+Sz1I< zK7}Y@q>_@1_(Add0}K8n+_8l+l=9v~UobFoXh1b*w%)3}J(2%1krcsStab)#LIV{+ zDcZr`^*Nff<#-I)S7>sEzBaq7%grc+e~p+_$=s6pv#&gr=pr$juNSLHF|8D^k#$D* z;PLKshTH?SFHgKy^KggZ*QjD)QGb8deJl@ApgTYFhaRi%^#&DxC@<>(G4O%ixr3|f zls`HcChhC;GS;M@ULoF{ULnqt>dvd#=}$AFG}m<9dw*WbNZyVvEBQERFZvJFCK`?B z_W;12k!qQ%Gw{wkBU3pFi|oY(ujP-EzbMnEc!}ViN69=pG+!;LC@SwX3IXRVk<+2V zd#0DtNx5;f$*3 zbV30RSUVbOeELChWJ)9E4;I-ZekLV@N0C_L{r zZ215EBtYata1|WvwePf36F9FGQBJ@nur!T3NnDA66w&Q-TF|YLw1XLxjfgAbowI2= z+iUCE{?xgT&I%*>A4(7|=$_j+J1!l(ni@VZmph71bV^IAV3DF6q^B$623QF+8B;uv zqLt<8CNZ_1a_6u7+Plam6FajHgW=rK?b2`zQ(do-`BOZM-3dZ`dThQ77>m}%`Oxh=LJLoupDVwP?%hgrT@jqStcT zx5`G=$w9w1U!w~Xu)dnPBu*Nsk%0A~-`Jb%8$Jw^#_Aks(WT5PE4V|AOQ#}kc`a^@Sv}sOdemY~R+d?&&4*K|4EB$snfx1e# zuru|FMFoUWo-DebA|+%X{vS_U?ny@+Qf=AKk;;+EXHco&TS*OxTd*L=@qH$HA^YjM z{mEMjPO~RH2pW_D`bj@CMUAa>ENC8GHaNL;>(xGbh;n7MUWYzi9 zPYo?B6-lcgTJ9HdqB&APwIRmT3cmpDX*2W>Pk3w%k!c{+_ z zOzrb)(y>E^b%mel=y7~*8Hhh_nlyi?g?Ru=!-^jXulx5Qk-b&R!AnzyNTfxVX z@1hr7&Cz=HQAy+nF6JhYKFI-dD>$D*;!X0_$S|qgnj6 
zoeKeG^9?*A!-Oa$kGaw8FUM`rf7Z{ZauoXHcC`NDM(leIbe+|tTYphndga`?%g_J_ zmb@;*EidtbYets#B_94KbXnAwPyYT&K^L-!d3}Vfl$4W_&v`K|6`y*4rM%2AK^VLz z*gxxKRH9poj&7bX;Mv3T%qwwtwx1AG_J8>L%Ah#AZdn|HLx2Pi?h;%FclQK$2@u>F zBv^2FcSx|H!3IlkcM0z9I>>$Uo^!u@+k{S&B)#Og7bXGZCjtm+aPpG^DC`Zhkr`NPijJJ58$oWx1_Os25F2;u|P1v3$o0_1Th9utM4T32}n~ydnL3bwyfW3s zqvK)@g@1biUK`wh5U_%=_;I0X=}c}6`na>cZthr?4&w<9b}c;eST7)B2;{qY_zE5_5+yDdc8xlq*UoCp#~y z$uwhO=2rCQv?L9ReHBT{r`}5w{*&^!EPFIW=DCRy?uHwL6KS1n(`^ZZy3TVK+(gcT zs#6*nawZ^KkVlIBHRSB%V+b%dLZ)vv{l7NsE@fxtJ7*+N`m}A%4S=4Jr8ezx&M2}| zdKzbxmMz!goZsd~c^`;Qyp7?CpY>N)(RG-x$1SNqj?)N;aZeCmL1QqRpKl=rx~z_( zgA1pQgJ_Gq80A!B`#Q~M-{wj(zEs4e(72 zt5`TJOUPBun~{5GxXT@l3QaK8UUnHV#arS_+nkZrnr)1TCNAp$Zv`|Y(y5|uk}%f~ zydpl`%f|`Km#dV`=n8&Hnza)ff0sH^E+y0@Unc>Pye0zY3p&m zMa$R+3jS-vr1DV3G|EuX#G3?_`UQg_)}mjkl|>LuoK;@o7(F-Cda7doqU-=srm6tU zG%F83SOMdQkHe(@=9IT6w>-PW#8RNd*(a%XSd2B|8)!gSHbIZk~qgyKu2raM{B zJ9%PCp&CT1D9zu_cV>;0mPAckDSRAL{Sr4?#lsBUqtxSKP@rBY%~31aM~Ttc#C4fqth7GEY32KA{2ROJn!4~e%%)W6qotemm?3;;$9luq6 zq=W0VrGkxUr`$s+FR2{(-cumk86j%xsjE*eZ~)r!c3hMn)M8AO16y4ZG2Da`V2hcF z>~r61n8b>y;7I2aE0IO#*u2h$DhdZzz%3Q&h4kB7cWaq_YQbtY6kC)(fFGet1T~Cv zU8-dq;#Jr`4Blm6aF#N3=l{sPI;a-GRA|3duN@RaGR?4$ewygjOoheiJ9U5SljZG_+{SP+j+e15*5jx^Z2L_#6oN}y5lMUVC2q>v<{ zJajUMB-&lB`Z@7g_jQ78E5Ys5{?gBcKK7$jrSjhlza51m{xZP{bj1}iuMZZwt~9T2 zYYuK(tm;mRCr}7%5~OQ`m|-J?Jfge4#7WcJ4oTmME>O#Y_>Xm^x8I?Bdu`ld0q?H= zZk0nTUD9pqC(>EX$P={Zq6)<@@my-0ONn{YDivou;6Q8Yi50Uy@|DTec$`N!Pcrr6N~E z-w|~Cz+dxO{*RaYpC7G}V7*>TLFZPL2blL{h*yu%S)+0BMY zd%Bb7_fmaTki`4Tg`F?n$`k|fAh8!0hxN6EcQd~Dr1yL0+?@MVzOK;Vf_bu1-_Ww&8q8JmnY?n7N4ZaHcU;JW2>N2 zZ?!B{QykOD2z7q!Kd0lzyzAPzT7S2_m%3js>}yViSERn{N!;0Pny+kv2w6jy%(%Dc z%iA4Vtx?q72r8S*^j@{TLSVUwZz;DjS|Pl&b|s|x)gwX{O(sq^=z|{!ygXWWn`{53 zSdz?xfnC|4XMgqW${u@V5yql0dfG|xz== z{lSJEtiGsKJo2CwO@6E!9nePEKg3izvw1Bpq>Luv@(IF*;8qj)hC{U`dToHx6Hc>4 zj`^I>WT-~Ax&dIU6$~T0+Yc)YDKN`kqYkv@h|x*DlkewluC1#GN4F_CcX4xP&3g)f zBX3?_)BXj=KV7bDuJ#5y^anl_%p(d3gAmbnqzuD!1dXe^v-Ng=HyG5<>3`FM2$G<8+Xs!@=0 
zqbRYcN?=1r(TTr}O69>oh2=$VV6UjAOsJXQLQ8!7t`HXh+YM$jxI~tvj^utc$BjUTqS`tEc1^=&W;SmFRMAPqc6=xb zP`&`s4_$$BF%$Du>0(94M7y@mGbwH(-R8GiI1Qfgx7=b%Z?HKRTek8MWS7luql62@8Yb z=&N*qQa@Jpico@+c`i&dtlpWR>j!bx910t($G3)P8qI-X6T}nx>x>S}CF|UC;%l^} z*FcilG!FeDccxsOA4!vxrb@I;{DDbPmeAj~7R*4GEYLS3d5|P7`iS#2n&T?blsAk* zi7Omz%EBG4@5j*+RdKD}XI)e;<=-jl!_{K{_r(hR|G!v!P?WP2L zXAmRi7+fk*y6(`um%2%qdm`H5kK$fwS$#+8?8#4}fwQizAxMq3p*fWd9#^$gXZ70G zOLiC)$qpx#zIdy3!_UNz>dBSMI-&WJ0KJ>x0JfFeJ{>zT4xZgd_^KGPFDQ=XKKNm_ySmV!w7x2^J13tcY65`{rc zH*)9xaUw|(r-g}Vjl9{k~uaw@$!=rqm@$#nG zKKn%pFQsdm>-kt*woX&c)QyV2O~kld9b%KyA1DsrZ=Hre%ntW1x zbz=4Df83 z_3;gjkNto}W->F;?-#IMG zWx8jn!1FsXIzP0nNz@0PfoGCr@~q|%_`t1#B2Wb7FBx_S_W5 z6a_u29`I$voU1N}U!d%qfq%>WNXoipgPf0)2v*>gz^1cM{uoHNCFAkdydeyF4{jtW#3)lt+`lUk zC8aNAw2*RM40$ZWn(RGKrR#dP{du7*QW_52WNbL~lg(o0SZbNT=?mwYw)~J) z>2*x!y$pMSbj!`FS0W+)>sh)eS^8GN7O$NxQz9xzv5@lk%ZG>i6bK=``Fv4xE=hI2 zzV0i+_v~8Y)a+yb$YLz{O}m{G-}vbv#K{$Il5gEajG@d9l$|mF@>LV)Ta>6G?#tJ| zWk9ws!e-t41q?B~zpxJia8uKW`Y*}<;F|u+j{Li5Z*bOFu>QmtUk=n`g1yj!ymQ;W z8L%Loj`qiCd1g080SY~V5!DE--s1uc4YRk)rTXfN{rkX+=Hv8H}y zKXh;KVq;b#6}*TY140eSa^_c21;jC(bZfFKMR8CEFSjh#wZ(}&T4X8Xl8$d~jgGNmh3qxP`zl~KE}h-y2Fx?fEx!bV$PX?W z+kekZp6s5*aXf#Dn=H2{I&I^XATWv2@K7F_n354Z2EsA2RCCY+%#L}^=D_{qrW8V5 z6n>3_a6hnDEYWbM!v96p{g>s#gav<>=%#eL;6bu;)Pqx6?1waZ^xjCUjK;O8sC6uFE;Zz#rE*4?9+M=296CU3^BZ&a34}$S{AkutqC6?~Bf4!j_^nMLnMdlpWHY``o z>}COYZwmzTaDv4*Tj#;Gn1Kc9Tx!!hCS?PotomvTKL7*v*R5j@{kF=63Tff1w_MX$ULWGU#_7>>29BV48mF>F3fyF>xjk+KnX#=ExlQ!R1& zOTYbE-*w{m4*m$K!aRV!O`h6DR9x&US-jrIW|oxqBf93cwU5Lr8Q-B8x4rJ_o z^su=m%#(*4aDz*u`2ct~+P{bS+iPJUROgTX$eqvO02O zR#z@vTxoa+b`DXiE#;fOKgy;ly)K$jy5sO5rV`-+A>~)HkGGjbWx`oM**S>C-&qLr zSYWauBgF1Z(GY#wm%^$t*gF+DuA_hUCuh%LgC~_B=q^^ia2C4w0W@_f?V0}8nw2S3 zw6Fhtt+_^k=%B*|hx#PDuGcHUrnkTnV`*QUyKSMXsn(m6hRSdxE@XB^nY>S>#5I^; zc*C%r#ai#|o$l6~yw5q*-+&C~UA&Dt_&s<*Uf6z7 zPh2*5`aotuB!d&8&3PP9BtkXImjVWgW1bpwIB$00vXet|sHG8QFkz@FoPf1%uB=2Z zM@yKM+8;3^*q1yxRUG+>+6B#q-<@ zq)iUdB|hwU^0sDtAJva7gGNWq-l@^Ml|5N1`YAz;7mwv3e*(e;0y%iN!qu0fWUZXw5*0s9eB$l 
zNJ|fzC&0(jn#B9I^TeOkt)ygtq°jM!emcyfI~H9VMLvv+=HKinxm4=q|`qn>lm zUYPs353)uQk=} zaRGj25u05mvB$+)h2ExQ`Dbr=>-8?@>*?knzrw6g@<-~T=XZo9g!zdFdJJ#)srus) zGm|uSh9>C>!I`S7uIW7GiufE{uL2tr!2@(TEcX>`-gNLz0=Sw zw2!9PE=`giL;~d~d~rEV{!pc>A+i#5GX>x&d6WHpm%WBJzy9kq|G#F3WS#(A8>#wC z&`m~nZj&$o;=Oz%7voaRrnCncFBAu?SlzZHdZu!{g-H+OTH`n*>c6BEGfgG6k+iBc zUq$;mP`#^$x#$o7F2A_so+-MEZPw((Z%pa;}4}up6n5|<3h9(!}agO zIaPU>?Q3l$`Sca!`a~yD%-)&61diiBSH=RWGB@FG6R;={3~=P71nydTBPh+;=*7@E{(C7bFrLW_~_J1*tY$bEp&fMvm|6*6Z( zT0=u>`PDeVYLyqIj_!KFHGtVbDD!((#1=mW3)A6LwL;RXP$Y#dp&JqjIV}GAq@X#R zVtXxve&th?)E@&-Uo(oVJ;_Dwzs0#8i;N=ezbnoG=x$qxf^J_3wSbI6KO2o>32^;7 z4&6~m7&T796>LFlZ8@YNUxh zCnC)exAmQx;`M=!kd8c@bj~z#-ZVGLTQ>Ti_nsx1XbP|8w!ijE@)8y>PjR%zEI&YU z2stT#e@(c(mf+}Ls&HzN9qJqUZFZ0b%1}wQzQEQBjPxr`k{j$wge{X3HxHWC;}Bk? z#>=&)FSANaY||(ur@+{Ti1WGGVE+~+M_WftnzzULdnpRfQdr{ryG!vK)jNk|Suz}7 zu=LI`nv#S!@Y=o~pFSr1V_p*R$;ha5-!vQxpC_AOJ8A%=Pmu`5sY+%JT{{z~nhkjX z1Rw)x>dIik9;)$_q{g2(9$y*2NYz+3zUy71Eu(#{eoXgm@*Cqr!7Y7h@?-^jb z$8??bh~I6aZ4XqPbKE^()O*d>b|AyRL_d6P-Qg4E&`*JZ=ILXomnV9&oce$Zq#_8N zZLaKSbQ4OmRZ?Bwx8JkHXlgAw>d?vWDyk z8f$0X*5z+{p2h~3O<=SM*ySqotv*~7u_yQ*Xqwe4-`bETXc#HKf?-atyxE}7vtEqx z-lL8M>B%aCdDVrbl;I`RcQbLXIRNfi+<9Lw+=^0BotEB$Bh7b@#RtvPl;!1_?#DLD z*5yP(&U8r0Zekra$mvhve)2}$6u`o#e#gFV6a$FRB})cVN}Rw(nKc=}BJ87eeu#b! 
z;5LvA*oT!afvl+co~}6409W14C}P3cEdS^Goz_zb(})k?#`0c6i95NDnD@l~vJ3fz z@p|7r==U3=Zr>MZVhfj{=Q`r0|I4kvW$gehC*XpYn(lp2KEhC%WlF1@HNRxjdoGN^ z+_G2jxiZfi@OBz0&GpNu`?TvOdD42^nAyCYqBorFv64O{=>DIzZeA(Qnmy)949pA$ zPZBUhe>Df%<1E<$HzIQI7i|@zZBwA??Twr30$yPv{4~@IUN_&VS4}jkIEwwusdNl3 zpHPq#lc$g^rrtE2^o-IK`se0>M7N6SGPjZvZqPixRlKieSp<3lNpe4JR2TzU64Z2L z`QzBE^UZQKas8B)3*i5D$Uq=nLIWf>_&I^HuLUz-Z<|UkVC2f4uRr!o2-=iWspPd| zMx$ALsCvy%5Z{zECgE6VK&#El2J7_&q(7m`R~q|z9*ZGC==xaf6=p5PY2k6ay~fAA zeRh;BYkd->*Y*X-)yL(?#nnmp=gCJF8&X}kq*H}7VK7pKITw-#FVj4b=YYT=!QEGl z*oL!3{>;It`S{oEUqtB$y49vLTqjTQH?BpXI>&&~NQLGZBRXC(fK~CZ=03P!aE|@C zO#5h+IrHdvL7sv2@|1r+2Yuo2SavG~6u(Que@*7(`SMgB>vEqe5-NGRxuMU{)6$LH z$1OU`L55OAsDTM!H-mNw_|Li01Ya%#6M`dw$fQ}l=^i=FBfGi&z}R@a*n4Qmo8B}z zNa~|y+x-r)Wih@Ev(k0L+$#GAm3lQSka6Q5=OOi6?YHP}**hNrIgo2US$3wK7B6`2Jd_y^7JgWqm_5*T`nLB&C zJ_cxs6k&O2L3HU%d%4^=yLv5@*yk4qXdoa(jt!a=XQ?hS_q9?)JX4;APb!gl(yKJI z({VETg7O>KwPW4fHK6fC!90!LN>LKbQ=gpVr!EbeSdgtSE@%m7q}Q`%x0iu(=q4$q zJM`^0iwignMwZ=7JfVtmw7G|nC{@{0%8BeBDB4Om4HWBzFgyDk?ru((PADiDH?x9@wiOufnF=Gj!%z?E-iw3HuPp7)->J~P`iKbH&vUIAI8 zy8Y4rrI>AlR!M%q_Mom9JxQ=zBE+#b5wvCo2v>2T_JN|M_}!)HmPDKn&AUv1g1Bil z)g592CvR>jg1nA;khB&d&=V_6{;Tn6*Yn>5+!{-(Lq4ZZK8)}#R}(Vnk*sa( zbdlLrRE|eK`ZAPwmxmv>N<}KsLXp*^|2Wt2@8ty@xMC;ackgC9fSO|Hxl}gD6h7y= zwOv-V4u3(TEtPyH^2j>OyV|zm)tGqpQ{;KVj?+Bz3YKsO$v6BGIPT_+e@r7Mk@LwK zu=0jK`E!o%Rd4=KL2X3_6c2Xo*V=eeME|_8sMu>PadC3^!r-7LrV7~2fC4$a0lGz2 ze`h|V1TgujLL@{$7?_e^Q!RuoglXXM z2Wk6)0ou;g0#&$nhi}(7b>BsysO!My0Uo`D z2_*_{%V9LjWw+Vz)?b<8)w@|KhTb-u!vx9mH_KM!mw**(?UF?VRj5NlYum@Ra-y?k zkCpetb~R$_I19W>g@LKMpZ32|93IW;d605?yE=no>t)c{>Q!w~*K-%lQuNfayn)+r zDmzvMbRN9mxfy-1GyeHY!>sO*zUw)SjqW_Y@a|eyNC!OhsI?l{PWk0yxRGpzKTpa{ z647H!IsiWoz>Z%zGco|~K*(h*IWa__X+DfQMc3KUyP(7Hw}l?2a4ezAYi@Yok=R#8_;4ggp;)j&TsbJj~hb%^CWP zQ~=IGHo53WJ5|Ed?-!pjM6Sjq$_|{opYPwK0j{UKEV`HLaOo%!>(+c?rX$?5WqO=8 z&^9neR{*SrAkI@+YKYT-#LKuup?-dLW4!b~1nL3G8gE3CKz-`8T#kEEyt*=KbM?Ry z2?!iiTd;nun#Bkw*yE=cGRFR-`i$A4C_<2z@oc%P8FWL$c=QmIe zd-CG|E4QZMCbi+;25p9VUtH?=D|$Z@cWsVe 
zcX_EYl+t+M4-=!ME*#pz{Gyb@b0t4PtRHNCt*NTzbSw(?+Eg8qDl|X=v*ipiwDEK|uZ(CX8X@98qYw@&E zZPQFUNU`@+LLAqG-H-HkQomPfdup_j&K8U8*7RTs&WqnUF(9-qd5o>NFIC!fFrh2s zbz&~q9K++cfS;~)b~a;0cvgL%q6JqT`x?KNp-}^Bq=p5r(ro)EpZeBAj|ObWiGXe9 zZjR6B?@tyKZTLWh?AE17&fv(AF?aVP>5Q%Pi?$zw4Pf^s0~b{*Rk-braQo+jl{jp!s&H zN1sIBv8Xneq6PaogKT|2*If_gn5j9>qm7R1*`?uvNEU5g?i0pYRFbgv4K}|VA1$$u z6eRDzRTPqar+e_!8o1`wcR<3*nR;A;#F#fNyK~2i#_AOx!W2V6P4d(n*)NGA>PZSS@nu4t$q^M5w%z_-zw}P12$@$Wyf^oILjuA z6!yk`&}nY`In4EzKH~iG=ZO9Y&R&C>&z^sovHTP9@|GzN~rln(GVVPzkT`Cjk2i#Vei_d)!^2gklM=Mn$sULl0K545Th2~QXKMk<< znOEfG(d%l1=USN=MXskshO3W!;`Ejs!5HLz*&jXQrM~2U2kPUfUxGyoF(S`nJHwo# z#!X4?yB<}pXP7+m?n}qR|TldmN7j9;d6W^wfXDJaW;hFykrY#fQZ zx=c=zckfgaw`;CDh3PLpB9&NQL zD6kC!m}Cag-EuEL(q8emiTgY)-f~@;ye&^F5GK@=;Mr6BVocaC)5mk?Bmk4_qdMW+}|h9uM&s=}WRaMNMnei^8z5t!%~p`la# z)>jEG=jQcRiYd;OT>P-IAHwn>9q}H!vU$gs{?K4BJ)V;IA`jC0@xhh!-R70+x2&qH zoUI0MvY&;2I-Zvt|64fI5YG#=ZNg;3aPFhTzIEKytwow#uO0IAAzvWZ1OEycU4Mn) zTCm$jAtPEX65k`(R`#DO@=E;fY<(^R{${lUTfPnLLB;>sWmFmx$zS?4+fXL2HNshd zl{UhIW;1(0%DyDslH+#uMf7C3BR`D6mBP32qZI?{GR<;X7#WAl@ca4ScL(3umYr4& zP(N(=0l1iG7SBFAGyCcWhCEx;$d+wPP$J z>+-3#v79D0u3~#xWnp^zqKa25sjLz~1zkui)GB}@{}Wk(H!7q)Jt7O${HmCQgI|du zj1_Qb3t$=)YW||H)jwb>pBtC;fLVZx`3kWVdvYqp{V5a|d(wR4o_MnjRGTaP!D7-6 zUi)0q3&Y0PwPR>)pyA?NF?gQ?R;m0{B+2^T+GVI)_N=k3!n?#5!-Jsbd_>FwuS$z3 zwKBrKqed;Q)re9t%Nb5#O}zfM@xBRRPR|f}WmIZ_>fBQa!Twv2Wa|cT#78!|o$F`jB`_#8EKeAK*B=0DOKawY+GlgG!*orEX)DX+Wu_oT7)aSw{pr~ zXNziJV+qK(Cv^CUgntbC_mZxA2?3Vw*n3zZj-ude?z#EG_&S5NIel>Q-wIq_2e$Rk zPKGV(We@rDIK=kW;_`aVDD@#2{jKe!933~?LV;*&V|hu&;9Bnkq}ntzL1ta#{*SLX_isCL7prS89|W8uTy;+%h~|9;#B??hFk22^iIav-q4$<8AUWJ8tJ0 zh6`&Wqs}wGnAK05vF;}yokR0!?M*ljnK?^KmJLv39=&$6`$&%~{p%*F5rS4<*g75t z+k`)7#koiSjyVH}o|6BJ#WvmWn516%cR)vn zK~OulLRM21*SjTBs%2Ies0k8gR{O=kYqzd~|Co8=iiUA8>4!-=zd>>Ez*`V4b%-A~ zdH|+C7E^f;lNboniWu#OAc`ubi2}D|JzQWy)i)VmaxkGqkTkW~&nS+`U@x^dEpWad zQrb;Cu#Lu>48OK``Ij3mi$4_-?a6xbs3~r!KT_n69E8Em! 
z)f7?7g*W`GM_%>`gI*fajBZ*zaKL_7gI!j$J}#9f6M8%g){NGjoT2_VN6u*$8)|Y^*_9>^$83Ex_bx zlDe)1?$G-9vMw>#4V#|$uXSm5jDesC9<^P_Ay`M9nXZ#tB`;2Wq*knuJ<8DUh4cH+ zFpe879$EH6E}bqF{#^k2T-8JEDy{}!`B+RapP=0dlt z?Bg4215 z6B!J_9RP~kDQ&cl;(1uG8u31?JoNN^yq;88hE8+=RkWVvwGnOKb<=@h*lS+D))$9m zWjzv#kN{3je#R`1#EP8%OuzC;q>SSK{R~>WJ5o(NM9o~V%H(EA z(`E<`n~mQj_3fv)dHU1Z`jXSvgN?Ru_*qIXP2~Jn;^b>2<489`!Os;v=QBD+#jOk0 zh0(*O{x8U!*IZLSP2WT6I(;AS&UfUYO`Kf3LPyTA;BAEG*-k45=%|k`-GpPrFVjf2 z9n=BOFrI3x`SsS{9+n-J9q@;EZHp92wP@(ip`hnqiL7wF9l&det_-681bp_N=@zpe zr-Z|t9z-u-IHxoAD5P)YTahP4+a#*9+Qcg_N+f)Zgo8wGS^i?y{m?&u>pdjQbypc)-JT*5}Ihi_+%>zSuPZ^L!8ssRN3;#NW z>qlX*;Zaa6%|3g1(H;h=eOX`>)~H(U+zhk^JEm~LMj_&DJ^|V~g?T}n4$dB1h$9}0 zVXa`xLQQ58BE_Jn8hV#g)1PfRw}ifE*EX~(fL}@3AcP>y6+Ep^^x9jO zQLi%#BQ+ZpWMlef9JaE0+A1mN{o^tWV1vvX8kc{lia9-% zh_=W19}ejav-+GY;x<%x#jG_ULk*00Tx331YJf$i#3X6^gBT*I-VK((8O-fjKvME~ zQ`B1%fKMr(K7!HvNeuG!T&(Uk7Cr@xP=UBOR3ji5py_^jJ#1GW`ia6<#s^I1GF;ksIOkEcDu zuO8e?hab&dZripF3;JF}on^@6j?E88?|R^==bIyL9$m)L-Dc%h+G9)~0M2`BE3HT0 z1=C&7F1zzGKUR^_Ay!G+?EL7D%P0?k!^vG%YK?U*WcW}Y$2!<)qn#FQN;49b zh29^px}3IKLhg4wz(O$HroK8IE_X`pePpLG;wB$k_j`#)KsN@%kkAckf2viVQv;U_ z7WrI9@sy4mG1%)jA}`HM?jn!$ zOt<%okT(D(_?d9x(q}V^e%NiKyJFuqyauW}}DEf+K$h&%sksIYFC9sI6 zS`xrs`(8<|I7cXqZpQh>Cy>JpX!!1+#hw&g9mc5!-sFwRuca9B1rs`j-<-@>Pok^(f~_^D>~Gn z1Vkti;!5GQjM#~Q&At`9(fs6KG0Xqi9%u8LgJ;ZtV{qAp(O8 zMEz_zSsl-T{x#vzT}yqZt8wOa!=mqRA+5uV75<<1#x=z+vg!^rFBps>xAAH;Nw0n7ys#d>LTC?d+FdK zbPf>gIVa{xC0IgtdFd{r%|-qA=Bkq2pGB8zUb`o2X}g;q>9;*(*fxYWbpXIAjo9I5 z*LSp6eT!6nAM>P~?8fr~cLaT=?Z4|8u>=q4paCFF#|<(6FMWRe%^qRwb&SZ$$)rg8 zs1yM2g?8Srb4^RtYkr=?N3^7t<-PBpA3eiB48!5DDs}D*K^$17msb}BXoVh+{OGgzeU+^JD0T9| z;iG7B$XS)|ZjBi^7Lp?O%-B_Z&=b%S9Xc|0nE~GLABp#2Hxy(igR_lCW=*_{Yh5nt zctxJF8$i@Z^U?xy^lT&6k-p=)lnrdEz@y>1CaMu;$BHM_B@kLOUe7_wW0xjOV^%u- zj1N_vW%F;=U393&W}S-{Gp8Wom^TLduD%&$pVM<7H1Q+lBMtc>2gafp5a-+2SO=Q9 zPAp>rOLh#sB&m2#U7M$a8}7S&M228?^Gth^Q)nDyT7!1K^=5{Q&%StpXTdx%9Z0*G zdTt_pCUh9~Ifa;|7`QLAIC|b$^~X^gMK%9%4j<`t4}0PmVzGLeMd!$U-qj#J#Arf$ 
z3VBnT$bIld>OT+9TiBKD_?V=4ae%bo7~k@!T0v@*if-bMutRm_NQSG^{Oy{?iWenj z@JZjSC9ME+&MwzR-oIpce_VQSKtbfpo`WS@`zV#NQ!A80N5=@30|kJqLH7mwF1p@> z=cd&Z62_kGYp5H<5@KMHuq50+e)3++@o-45=(dv@5NMIMjrGy0jI7xg8>qu$(8M(( zR6h|>;MLl`7^D(3Ec77;c1?I7o-Wc$g~KeDB<}w#wqZ9xwj2o)V)(TNjt)q8up>%x z`hdwGkw~YN??oSgx2tGNIw)HV)`BoWew)d{u%i-n$$Br)T~lP93~>zQ|IW$+i4QTv z(alIm#FUs(Px>+sGEV4rj{jtpZj>f5#7yhI!0LLhFTS9FD~`ny$ygY2|7$4CT;`72 za^t6r^ZPQaiGNAq{27ADtvn1qH!a^V%<|Eaw0^VbnHb|6O+T(v5#i?j;~CV2GtWoh zaXG@<)T-R1=)u;FDbvUL$s^t$C}v$4%2T8l06LX)r zb|aNl@Vc88y$@TmQ~A2@EL(w?<5q>UUH7?dX<`Sv*pG%HEavZcSD`c46PumeHTe=# zq?c1mRAGQe=iFyV{;i!^AK7B#lD#daAoG$97zi-S0Fncj_s=HwTEpDp_ZxJKxW8Am z$P-m3D*}gf^9jQ2y^$Z?FsI9eyaaf<+Ww{UG;byq*fM}rs6Y6Aj^_Lk7I(`12Bq}f zBmAC@%M$pt*rNgTj_d2lB#F;J%b8f833}XAz2KE*K=l5v3HaqaBFv3k7HY#&?%FLAPu@ZW?>?o5H;6!2&sAX|Cnxz{2}k_B}Q5@2v$* zxqXQ~&5yLoCC&CxeI+xvnS^?z+#96GR9T-8SqI=Rs$g5se$$}qIjbgI;r*h-VFJC+ z$#u)W$UzALcW{c6so!ei2>-slryyKWuXsa~D>)1TCM0LYOH%oR`AdS? ztrv|BB!r&y16H2K_c^)4alOFvfr#<$d~xy}wrD@th%HyKkN)To)_S<8 zD5vFFiH6d9AwweC5LaiA88NcAYrd5E_?1 zkbH`{{RKbeqR?TBN>>y*y>Q(Oo+!!D=K3DOd(k{)FV{`Epcn z3PebXCW8S~!>pQuEkJiF&7_Ykb?}T#$M}!k)O^Tn!NT373PCr;%OTAh1viS=!r91` z?84C!R!$6J957lAD^S=dwxMzZ6KD;<#)2q_Es2)b4~NXAd^e&w~#X? z`-)_HMJ_y~-M3u*=Z|msFO=)Xy9Wj^?#O~;Wajz`UN*^9T0D$6m2vFrv12^GU3#9q zITmc5(>IIOzpI5~j3T}t9T9nX+&S^7HRW*>g}r}?ZRz9;zGq9dqXLIN!#2iaS^gPe1O!EXz?cgxUNpyupv7@e zNBLqHWLhD&>S9=Pl!@7) zJHi!yCoF?i2bPB6Q5vO}a>rnZ(eDzKZkZYwVk`y3RBm#vxO_RmD?t5s8=fMjB|=(m ziez>e{n10VJ~lk6;b$ z5P((IQjOpdjuACt4K9Rf>4_1{pwPn_!0!SJe#xzA{XcB|Wl&sQ)Gmq!LU4k+1xRp* z;7)+x9vnh&cXv;aCIk=e7Tn!}y9K9l8h2}GIE(lD_PwW0?O&^kqKjhooNJ8vj7R3o zGx@!edEKXg`3T9HNmR8Mz2my}SBl%1+u-30i)Gu|avv>DLfnA@R-34UoQ5UqPVQs_ ze=nug)v&YrBhXqDYsY(Xb;3wBshBCjm1;fgK9YuITXDUU^mJfK;S%P&6x0JGfEK#t zY8iU z&(k5Tf3`@s?g}@lsrE@arqauv50gEpa=DluVKr$y*?vv$O4Wv*+T^=>L4qsj z12mwkb(n?LRF7Uhwj8KBmJ4$o{Rcxz%5+tfq>JSB78!nTTW>-m@e5faE?T>OKH*GExPOYBmL1wxJFL}katFqW+G@)?Up2$|? 
z%{5xI%=Ozi&D4#op{F$?<2SIefIJ@%i1gMSI&MSHvj)*Z6pZmx6oFh$bw1kx&|%!H zEsu}>ZCwmm!r)AAu63vwt!Thm>@0?<^L2> zdF1zv@&^u1XIh$w$&D)SEGXL^`rfG9v>3g|T%0bFPA$bLGAQhwEok4~e|J2jJ|8uk z%s6cv>FlkbPE-7_#F}4ZkbnGLj7CdLa2MQ{eszVdG(70xl+v;FR&2XcN|=)Ir#w1z z)gdf2Mr_a~D)48IG~mg^4@hj*g?|N7)X6+}>wHHv2fgsKlRh2%z$s}k1Iy1mci`#1 zjeH)@H!P-E#z&A~I*BULnzc|@?KhsOulG+XN&&l(1%W(5T6cB)%@HD{17vX(-OFph znF;Z8i$lcL21qy8@J>|x_)3I+61jGk%gopPWgn6bw%0jRC$mdT#@-2{gj2}=Z8PYQ z8F5AxJweXmJDCcvc-BT{8{pNwf``vAL`E{D*FU87Fp(#>)iN@<)~9ml3WVFeC+yER zzgV3sQQ-h?I`KNvZERPB?pm7*)g~EGBqKbb&%O8h%~QbaamGAV2dl~m;0StaLk8d%lEMdzn zXAN}_HvP{3bcZ`lr7Q~LcG*PH5!IYc(L1U>bDppHS1a00anBNE^YgI2$PQok%h?=< zcPSRA=VR>C_3^KNUijD79>+(ux3gXfTONmz!`GC=$wLV0^!VsF}FMVPFmcqnK zcRnb&$&VeIsf$|k1A&zu!)qp6|87RLYGF;LhB+Ppw7(IIBUr^QJOkKSzmgk0RI%GT^4?OGY{x z9E^<$wLbi*OBV871UxR}RxD>2kng_C-@hlcWsAknoNlQr(XI>@br`-E zYrD??pZ7uPW)r+A3(A$}r#O2)M-H7qUxSB#_?S3-on}PweBE8G%tI|XESt-gCM|Uf z)IVH7Yy*N;oyYMvBW|X}-#TO)H?uP;KAhyI#Omu%T8ikz^Fea1&Zz&4{xs*r9g?hk zz*C{f{Wh3T!1AU=*=sAImRbq{Bl1WR+%kn-u9cQfQW!>S_9OqJx;+Wc`}Y|ivXt4Y z(Vt<->ZW*#W}l+dggz&CQ=4=p3HAWjmH^_Iurtok+zu@)2wK=#X_s-tLWO%{jz8}n z%cz(eHhy<7rF6dJL%^d)+i^ZDjB@4R4 z3%79*`1wqSx#@<=p{Y?8!mA9{P#~o9)4tl^7T>Ap(ygVI9Z-e>PVNa;7?20i1iPzg z+T?m|5DFVlG4`H;O{&Y4CT#5mq_N7cj-YO6#_}dfDI;XLoRKw~M3)^Q&kx)j&eO5) zN3nG*{AvDjfrT6yKqTMspw}ticI0iMKP`>A;VF84P(~+{6A?Lm;r#@RjK+e|n7eWS z{iBDHNO2(bGeMe#45$e14cDpfWh$=HASxJY>8OJ|FW4wWG%$>WK5XmIe#}#Qw<%ja zr-eK}kB&&>pj^~+(z0>$JfC{LHE_7WbPc$rnv5#lkWbor?%kD^{n5Yujd38Zr-m%L zrEqzu$RpcJ09)-2k>_g;6)dyJFx#C~<^pcIS^RfDCDG6}Xin>7%9lxz??gh~mABwf z@p_E4>S*+1!RmgGhQ>vYT|pt!R8F(^)AB5d4=l2Y9}zM8AJ>uMn<+XlMU9NTE^~xy z!1IoB7!=;UR-AV}QSkR0k`YU|#x?4kzW%BN|It5N!e5=<3@(#ElaL<_NEskw4}wiY zA!!o|Qi6jT`*{q$mPN2dOhr1N|KU|tg4+NrcFfcd3TMA9P>73F2zaT{PAXTtQqoiJ znpA$b9?7eWdv@hi6v~ZmcJq2LYuz7-U;G#DsVciEys&`dWwIWo*YJmPj8ud6d*`?b z9{QQHR)4$g7KEek3$*%ln9^)t22t?zZm3wgw%kBg)yi_jmNezmDP;XJ{Q4}y_xcE$ zzlO0tV3OX*w);z<5MWqc`=gnuCKRM7?4WROsq;61CmT-$V!kNPWXZb6d0snXq+}~7 
z4A;m`$y;M*I-kv2DJ|z1%>u?_!RpFHx8J|(Y{x+W%?VkaM3QkX)8=cO)#U_gF`{hH?` zOI5`_P5e%U(h|2s=iQ@A+RO?+q0YNe23w>zzc57~yH?x}?GObeRLM~5r6Zklh}1wH z4W0M@7Bsd61q3y9ckT7+vI3r<-*W2UjJ_Zbq+6u95gh-k@dr>Fr=$M>^j$LVSRwSU ztziF70BC6_O$AckT?8p-UPUr6g~k$J2J6_2eN5EyyWNy$t*+$KX3~UgEtlc-m_@6o z62EptVn&()_qE@wEt9z~Y-lWRr3Oq*o)5&}^~l8fk1Lo^vWuZ*m`)8#G(8!}(k;Ha z%wKhCJ?|$ips2y3@Ydpu(bGX55ZFw7%lyq5eHzF>o)!Z9SrO+g=S+?_qCBM8S{A;c zZ&8rNRpNZc54HksRYXTf!z$^3Ju$yXNUk>d^$%0VDzXo(2%)9#TlVD zwCzAmaXGvJsCzA^C!zp7yQfY`WCxFH3!O_K4Y+E~N7tNcuvvR*4!j{WOc3EyY1nF` z|1vA}!Y73jg@+P+uL~acaFJU2EWF(oBT;I%m~AV?FqzpPES3sV z!0t^_MB%xLv8XAeNLDqX0IvGj0E=xv5WC&bZ$p}S!kqYK}guZR^uuBBu9R{Xu(+Dp;1&y5`SaU zP=iUK2&Ma#d8a_ja5*G>ZT3lidQ@O5(lu4H(j}c@I*}#l{WGQ$#7cRYaV8&w!S4gh zbhCH?oR=E;ci8rM;}Y6yo1VWiN|>mhr>?GWtZo=&W<}KgGc%ilXp)%pNqFMdkF5H&!>JxaTV& zWrmp0x~)3+>l7#X)QGk9ACdBOX_%uyLdW)I)M%Ux1%o7iM`D;GOiXF@D?S2S2Oq7+ ztg8clPu#)d<%9!k=O!xG7T}L-4nq13BIg;^cV8?Bb5|KYEI#;wsEM`#?7}RjY^cA_ zZ`QGjFF5Ox*!=Jx} zD$uijI~E8F z`Opd}8(X)WJ^IKMcGuI7;{?Qao`a?~;M758ayE6DB}?7HqI7LDu#2$4YLT!dF!|o` z%y@-cfPJkXMEc2QJcs-+N?;DeOdLNO`* z%lW@P!w#!fTxZ5c0op;*u#>{A@8x)!U{8u1?5!S|19T#wL#94?)BHw(Ys}PfMPMoG zSWw)H8_HDK_L~5qj6kAF{^;fM>+eC>V+I<09^-9g$QTJs#i`}|YY3aCudB?hQ#+$+QAGntT5gq`PLa8jANYHvFvd+Jk zUVGK#Z8W|>9+NR)+42fi$A~G^$kKzgqJ3N-MfWUYbcCg|O;`>Jt*hFKJ|1{J0eXWDqx-19;h$YVQ0HX7U?BV=io$BwLAJmNLBixgBKNJ*0W#6Y z0P?=NzDyKFac=cW0RY=28~O8>2G;>I?w7GKM1ULmD5ALB_!Xz1| zYftM&r;THRJ<0>EbA53a;Kfb{Qu`|LlUtf5M@7cW#{tn_2HQ7XdZs zY81s7r?e>im??PcPL*00WMF#?h+8RbR}VQMGO8S$f23~6+bhW6Dw^RZwTS4 z?g7aSRQHs;hKOh14sElWd0Q>Bc~*RP2=lG6fAxmJ(O~=MFT&pGbdmHR_8dn1f*k9u z+0Ui79GbSi{xKud#B=)mdEAG=KXaHRFM?It3#MmeDAc6+T>U#3pr+H63T$@jhIBL` zKj{k8Z#*)8h0=Cf)f+Xq{_bF)rY4b@=TXbj&V34|_V_hi!Nr6*{*c~YMhxoE zMMmm^8m#8z-U}R7*swOO_qZxb2r{XM;Ov$ZW$|#$g5<*Xk7~zsp-;!g?u{D&(JDcj zl_```@QBDIljSMw_nL7uv4j_+lFs zKn!SNRxyc2W90)sb`x-sTD2g5_dq#)UIy<<3_7X&WMq`yAxnc?{RIJj$zJ~yEWnpB z;lX=y4JyUU1<3~Hu>pp{_$Iv9zzEewI+h}1co3MEYM29L*XlzhD={Zkp8L1fM@jk% zCp>I608ckCb%bJIoTt-|?YgJ|dE(0#WFXTPV~l^#99$H`3r+L_rd|7nGDzq|>!>{| 
zb6(rnowao8`rm+bGd7onjZT*v?dLbUG8ETE6ti#ef&n=Aa-y^APwSfZI4-6KIvGT? zFB_-?=(O`iwtH>Jtb=hUU zqR&D`)W*JT0}(h1FCSOCS*D4Vj__LqISRe+vRTza2E2h=vHR;ML1%y%SKme;cu5T>Q>J@Jo7&hC4hW`BYE#vIx zTKbK6^um8~*FZ|RwZbzSnA+O(`Z0<&;Fs~%dtq8y4I-iVFna`{aF!oHB{4-MmcOXW zM(3VQp}hufj8XLJr8r7Ua+w_oK?ncFW+r?4{LK)Wtj*r)YyNpp0(-B>?RTRNn7fg; zbTQB!*RFs4hR`QEboAXdsqgT3drq@*%>Ul6MTG4z>9Epsj8lQ1?*nWzc-Qo>81v)s z`!JKmj|PM*OjWAbL{rG^E5q`sHwEe3ZvVnz^%HZ9X`Qb-%@NqA@|oij0t(TvdCau= zqg`o~BR?nYap9!Lp_%M7DHLO3{4uG?+SPRH)He$dB5_hBy9agkij}i9FZ8EK8 zQf=-`q4HSg>-_*Xp2rh8-0rmfh8u_xbv37oWgeky6XjlxIPESmPmbg;d%3NVyx|QoJP?_NGbS!6?>=*Aw3qh+SQ90 zD|F#FUQt{NQ1H@>dqHknG!ZWd+BCJdGdGkkYVKAa5)g1_ybA8h<;Y`wk>#8spYdWf zQvK(1Rkgu_rUq3-k`t9JFu-5?f4RebrAb3R{98l0Ss?0VC9i{4>>#H`u*p%EX^l4h zg9>OXCQIe{aqMbP7pe5+i@3aM54Kh<5x{I-;K%? zZ%!HWAcR@biJ5;@UE>@^`wh2fK`jte@kdO{H`VA=CAVkl$J>YOoJHB@?E;74)?wN| zlYfg7T7%{wIoWO(0^*zsolkf~f@BMH{mv|3C-Kn}*&=@3xo9(}+pE3FWToO_pi?e2 z$pQZvCoFR!7LTiyz+0rN%p){=yA0SZ%#ZmgX}--X3Qw4-6N;nF%CQ3e&PKrlXJ+#J z5EN$m-xKoy5H{z_f@F+M<8-NrdAle**Ml@-Z)3LFw`|P@ z1Sf1fD%V_Yh0Sq%Rs_;mLnTH09|cRs;+2Jrc>wCl?|IdBc`d@8YBWFv0g{7NbR00c zoOL4=_)&&LAQz^5LoMnNYy?yAvVKe(A$V?basD&s2P8<8C~P)}M4h`gi3hg5S zbIG{9YMI*G1<8t7Jj#y;;a1l z6aZeWSn-a|pMmPqzY+lUq&OZA+zG280u#Fi*#&TSJXz_Z*rA} zxdER*VNJmP_%a?kc#8<1!xY%8!p5fG{_7}yx-o>Ih@~joj09&vF7@hIs||q>?tR=D zbP#+ro)5zkF=Trs&XXks$MLZIiFALSed3(}9OADKwSIh)&H$Akc&go_0OnLjC-6yo zq-0`>o1R!+{h#!&*532^dArvYQh^zj*Ar%!R8*!2QDrn5AVqOPRE+!+v>DE%-d?3b zF@DK;$TPE>yiuN`3o)vo&vI8-DOxv?BTh_(#B9i)k&drI2mGWd2hna>8zhM{l}II- z1QCVl>d2}~k`vNKH?qVbFs!jfDs3f|!`{@_s>-P3o^^l2RdI9@JD+96GyKUI&Moky zm8HvSX!Okowf~R16V#iEOltQ<^8MBY_Vks02c&XUEpM}EmV8d&dj8h7Z7aT&!?-hB zc=$SASp@D76yUeNlT1DlTRSc^(;@Syd{l@xaJG53pY;!QRO1eHV?so5NkMScbsT|r zicrThr{&g0@<-m_X~&*nxU&Xf564MaWqT&mQMmgBRUk82c5HArz=8~MJ00zBtzCS& z%u-$nLGa|Qs~pPR2J+yHcT)uy#pU(d(^fqY`0Yq@qF5T5ngNB83#%vlw-J^GW?v&d z)N+6h;{3J@o5r5Q=cHPOl|aC+1j~P%e=h|iAW_J6!{=*Ie6oyL=kt^3nA%MciqYkU zb^#Vhd)cnF97X|FCnUi9y5a$b?Z2jG=iAwiA7v=o_DC4Ev7ZgWB*I%>IP;?rJUMpt 
zDp^=rc+Z0i_`82>Y>h4*|vota<-@tECcH8;do$4&o%K=N3PNjm83K8@&ZS*PfoC`v4{y*@Ltk=k&T?9FicA#)$E zfYHr)c-sv9!dXBumre3h2MgBv!A0ace&F`tOgM_i*@25(Ix54?Z;8qxg}mj!^{+&suMfHx=)zdil%)+U)ML=iBc&65 z88V65#2H-UzFzDInfI?EIS7v@o;|CK`(i#L`VCG#FhW}YW6F_@;GGJR$mBNG^ryE- z{Kxdk4c~~eT9`35So4xD#-NFaHzbbcMEHs~-8THTBtuo$dVf!LX^SFq_@st+&df^G zl^Oj=H&YSPhdmE!L(h3B%pAN0`~BZrS&S*9Khx}a`j0#q5XDCV!yd{cW86$bODHH&=vGmpZ~@y zaUYg9`d6@5FO`-NfzSknYy%_SE*RGGA6NC>yzt8LQeQYc$C;!;p5q$ftB#~g9uXrv z3mt6N-Kv-c)Obrb3oe+KyqbTNFi5`I*T|5twO?`aW3GGl{GcOht9%5izMLB$h(g=G z?!3PQ9UT?s>2U4Qkdl|i94g6c3QQ7Zt1usBVo30XzUT|O-wO6*RhfXdb)!_D2>fIv7u@Ekz1Nnzu{z+lxpNvBqViNc#7;0=vBwhG<=A90(>9O&>~ zXKociW3Kv&`ub?M;f>0ocOF&;BsXd)c$?gcu~$LqBB_GLOgADA90$^@XkF@F+*9aFN-Fz`%?lSAK zA6B?xMyXvqoe5Ydt$>m5(%qN#n>+KA+z%LbHS|XJn5Y4t{NFboh@D#TiacIwb&cAJ zkDj@H*>)R@k}_%k!G-JMfsHIerRkpmi1dZEocEWj@wbh9_-Hd*M$U&dx_SJj97`r11ua}BBjUv-|a_P*KDv|bu zAWSj)k(ACO`_+z}_zbhn;^)y1V1l6rksp~U9pS3CXcm141-PDd3R+jUqSa#+BUe2H z*p@UhK?=78QRu+vlj|Z;1DH z{b5CGir`U2i#f^KeU!v^=A{un&%JYtEPwN;GSRVeOgr|c-5c%INgq=;s&s$Neec5x z6Y1rTCDSdnSQQ?!{|6s!x7vW1>d@z5SIFZ9M^;?c0Gyg-Xv-6n)K`o4+AuBWmX{E} z$K}nZw9~Gj+M+ki;~zc&+gHcsHL6YNy;6n>ZMS_Qfbvjun#5ik+BchpoDZWGyV`CG z?k)eA;JZ5(=TPrB2oeB0ojbDv>h}tregY=RWATSE%+^TNXpHw_ z#L<#XMTH;%Wl`C>2I~D+WRp$P)E7MW#T5u|BbEu#qf%XaBs2dEpdFjF4E{GT3QD35 z1naGdiLYwqljKB1x@b`?+JV(h6i_pMiuTLK`6Zhs%D3 zR;9QozMRTO1i;Uh3)V&LWJj!aOI2AAS87Xtn|1s#>$gDrO{hF$p5oXC8B_CL5pgGb zWO~!G7CS$_B-9VIsm#K-7|2BOnSYD;SxWLq%hw-19uJ?N|?{7qBF!ya>|w5 z=Tr3xG0XLW8UMw2t8F9a+io96m z9(CiV$=>QMK;_xp#B4*b#X+vGK5cJ7-@J zFd2lDVsoUlQo&8;(YAczqoHd73dyJtTrxN@IeH6GIb;euoBQ%m(0p_;GGnz#^q70Q z_qJBh&||@=Xm)KNySOeUCM1G?VHkCT7wj6JYTQqJWbgX8!D25%>6g$9=|O9kmI`xh zZY6%h--eSDcLUJDx7`br)A_nHh$cUyTj_m4mWlIPS>BqlX*`;P1BO5`{(Fw-kANvj zmd~X4xa0+Jj+>HXa@E0lVUFnIkv3@a+NydlNc!B(Cyd3j$x-t(dqycY zU!b2|yb0D7*^7ul3yU(%E zFjJ2K4GRnZPCjcY{eP_@G5j6I_If9hvTzeki6rbgex&V#uk{Y?bdBPPN)X6_r+yh_1}$wNed18+X#U zKV==+r(4$jzKG3AjA;06M&}Ey1U&2L&(KWT(C`=AIP0U=^`3ILS~lmWOWwQ1d*1X; zyn5>HbOEkRV`^!;a36@c3pw3_zpoETx 
z`YHNZP4*Yrye2Lh(pZ>BlNTImjazwc%IO7KXyf-jDhXeuF&5=pPh`5j&!>(d)-C;S;BhxxWu zhpdv5)Mk&9b}koX;aHc85|_1uW?y$jtwYlk1RDG-W~QuWI- z(w;;ROV`m2(hUORWEuD%r)A^;?A>{NAA=vOLv$G$wp9s{h=|ITMghGT^+nN`zRSz- zJaI=|)y)y){+vWl(--J3ICF@OG=OTm-V0Qztk*9fnR_-BpMalX& zYZpncd-4bkxJAr-QF=F3Tkc~V`P#fDgrm|Rp3~&Kb8hRaXVoiYHdh;R5flVSLnN+H;i0gCVfD3s?t$aZ7EI$6BlGs}*RBhFJxgH_ zPcji6JD-?JKiHw4-Ak(XRFvVuU41kE!AE{4q(7mq3!aRA_k^={$T=Qt(sf9%Gg>!7F`d7ZTWb3U{Lbi ztslk8`FoA9Y-D?qxy-0T2V*?EE@f5PY{*W@2IzSb&;8Ht$h!tJ+*OElMb2RUTWO^< zXPursC@+>9_CG9n_thsbpZAqF_LYrl399D4=*{^nOkO>?B4*&m`t`@n5-m6aAeEcd zL2iiuUglLkT^P+~d{7n4EJciG^oFoJN$ds8qrBg)ShWS5Z`F? zmu8;htnsZf9d8WR`1eZj?_j5BGElV7tOYWRr4_Js^rrwdn#Huh`+L3QDk^SQ(9grb+)9~yiopJkq zYP-C91E5x49wAY(gn z?10QUExG5yeNE-egzDPQcKh^UAv}ZI;%-&0YD<3<+GkXOiT5Z8gUg&t+3y(+|55s7 zv&Do(k!v}+Vm~_@YoQ=`dLpk^B?U4YOZS7_sWVoif6oxY*>kIPY%=2yLf1K*8%$H# zvh+!E#Z5J6e!lsU1wtYXuT`PPW36sgri!XC}Q>d!`Zya zce`3gJXWlV?o1)2eNKb1kJoX5w}VE&ZFplditWUk?udPlVoo2b;as^@YKPhM&j`zi z@NAoojq;@F66DyolkCx6Hs4>IzKmQ%u6%BfU0Kpc+30!BdH^WLY8n`1I{g_8c^xmb zlo){foZbAL|EY_-7hY;!EI)1A)3pP=TyOtsuxG-9Mu(PNI|ekP7ffxdvIRSmXQ|gX z&*+Xdzw0<_XqN5^r#R#F209GZvlo(5ufx{VKXqc@HR0a{#@CnkRld@=P;f>+>kcp> z^cgkju{$4hZkzGJLCo|GP=7QY?I(30OENOP-_(V|PW>tEe~2!0OG95{3bCWud1HbC zY1qq<&%X3$$8&=4&f7f~+|CFh4u0Q>`zpR=iK0Ew#+ixlsr+F9GSt}exqsU|o@C27 zS8H&0#i)Edy!^--iwfT|ts8$Z#H0zP^^dN6walnTWoPYW2tfhaC3y=Gf;#c%;))+f za?TiH6~5R{i;JG;1v`i9?R-iJ7otb}f)L{T3;H}-ZuvZww_5_K;)=q$o+%R^*H9p+ z#h)C&v`uoEA=8lA%8x;e$=vgWtLqNDgBL}Is$|u*i;|vMv=kzwOZUGl!*{LIn?z(eZ->x3GJB<)8r5nOW%_(E$R>&=OCNUQeNEjq=p^-@=OoR2!6O zy5a|~XIFVfUVeCB;n)9rk!aI=b#OTgmsL_G2c9>Gud1A`R2?D8r455z?W&ED>HSI* z@6y!GVm?gpO^2&lQP9p!d+!vmjWisWtzFbEs8#Z;h~Oc3etbvl)p{T>gio zD5<$X9c$Yx!#G1Q@ZC`^3NVzqYhClx6XYMWK}JzIfo^>?g;UeOerGb6=5i`{A9^@?jqb;v+G>yO1!7f z#7N1VSOPOuxfhMtXEyXX;s*J(lvf|>-3I~m==sX+C@Iw$f7|t{(G|;xR4~N37drp+ zxHPSa7;C&Cw`AqJi@Nnbz3z9)+Krs5@bkmOg-hLVid>~{X@IC$qw6{7tQ#aPBMnAY zZi4Q8r&=f7$g6(Wfh|IExULym1&FutPL*g004rvTyAzKNNxWfW{zF{PqD2^Nb81e63{IvC+YteHe4WNFws*LiXMnLtak~;VwFl+YKzsX_sn^}O 
z_vea&_VD;?mj*+Yx~FrBG6aU3Q)tt!GsKBMRA~re*fH0l?1*2xQzY-hx% zouTx|@zQ*Clt@eGWI+9$m4`v~4&LW&K{^OIslj;w_cz}=LYm=)ZE5p^;cQS;Jk`5* zo*sVpu4WO)A~U((N|>>_UDyN25$*RO3Qi8j9FWSVndYl zZgf|=$(}LbP!Ej$aMXTlTgSJQkDS`6yw>0*=AItILd5gkec*l-oLGo=Uk z>>${6aq4j|3ld!Ca=!5N7$#RxP4*c|Mg9OCVtf2{)(3b5^YOrG_`y7Z)(W#e+<|PH zo{8OJnu1JMtbA{39otBcw&B02^g=k%4meSaet800Mi=3 zB^;$&ABOo^#*{|p+)UPNKFe}`hcQ%_fAnM2Y{Oh-`em(|%UrfrrawQqozfm^(8{oL zff&bnNRIcxFEd-w2P>nryywum%5ue6I`$@A$Eem8cSbbczpWOViBeICKKoXbg1SNR zaz*Ho;zZr*NdA@~vixxb*#a3=R&KKvHD0-e28@i`vKvLd_{nFib}O&wSjfy8f@9Wp zI3UAXI%($Wn0rC5s{2sC=3f`nyMs#bhSNOZWs7M@X`;}Q1NCh&v?k15D&Ddpg8 zq+%6E8QXoazsU1HNYLbbZKgICKYx%=L|!LbDMHh=w=_H5?b4Op3oVWj;gYL&%xGJ> zQkp4p`MQ9ZcYu9m+qN>Iq_(`|i`-1tvo9WrFid!X1Gvz+CB*Y>A&-852VOVH5G@zc zV=HAe(dO-~|X$!?WZ#iFb1PQWO5C zG~fabVf;W&Uom-`B7FNrLb<5fZs;GOV?VVFH7|^!jvqaQJkkDgL-*UR3|rCuH6Ijm zg?0*u>h*ydXCPXNyr9|WcG1%SMM+@6OTdRWJjxFgzefoz=uAQ;XfKnTBB%H^9fH%d za@{{kmcmaCD^hUjQ{Z1*K*V{&J=wpE=q8)c=>JiNuFH1eo*5)_>N!<`SJ*)Z*(RRt z#O3My{>F=-WkT^seb4uXo^-v|;$8=O*W$E`Fy&+k8l=wjgQ?zM&R@})Zolsi)koKF zsN-$N7a1%JQ3rPWN&k!?&D4U zXq2;W={lym4Pzr8c0;7XziYac7Bd-h+8|3BZtB{rPT$m>RmBNfU8PrcV|Yo&pIB<+UFCbE5Fg&H){ zG7D%h5O?0YHJTLFa&GOW)YvuT9W#ioa>~@f_8UIJo$GtqNomP@U8iChE?bo4TdLlp zSb167ov}$pR%9a1({;Zhc;aR(9tyxBLONGm9Jo?9mYXbiuAqN4j9IQ&Q9zJAz}P}U*d9I5w9KdtMWc-28712Ao&_p0djd}g@c)fVswMSbwo%~K+>n(;MXrFo(y zLUr^)Mn6{P{N%8;x{69j{^YFiZ1oNKNl=r5;?;*OfpO_0%S%%%uy44%oy$1cyMyw! 
zv9#J9S04LMrVSux6&~pkXrq5tz1>)1jnZX&*q0ybsR9gzpKq=lLZDe$j5RIX#EQez z<)fp`c~iualwWjb9;BOkHXe)Ly%g#i9K(qJX>$Iz*ZH3Z0o+P436|V zzqD3pn+jd8VVIvn0G)-ys>O{zt5AD4MZEObk>tQRp&+<4qdK4FAMFSbzV=E>72}Hx zF!fGx*H z=MCP090KBh zCj5O4A0RV1&^1R2A~C{t?qc<&k&2Gm5!_efa_{Ok{XP53*xYCo7Dbk&OB7j(4exUr z1|<04=)>nEWhl?cZaSYQpP9B6$>lK^sJm~ysnh-cU~%?KbYN!&o=r^s*PYl1w~_o` z7O61emA%Z_7eodw-Nggrfk{1*=xT1Sw~whzu``^+MMWZnl152VI#y|lF!Ml*A)b%d zig-^|PE~K@tvm$mk-5u-t|2m&uWkmI0xwe38WulIB{fVm$PUyU8z*J({7uE??YJj2 z3d#fdE1@AAV7Y~StK?$xkU=jl`7)wK?>C3SK_AWx>AaVrb$1=q_PH^`D|snj9O|lJ&jxm#-1| z^s^VthC%8S?!)=f#HvempXswC{cQExO?O`%k7#kseyd1F4hT^DZHr$ZP6S3KWKSn2|L zwq>m>czpDFhp%jM{h)_e%^Lrd_+>t>DLI&3XGmt+Wh3k`gyg!SFK|Gu3MjJ@#zglB z;0)X@pX1y9x^;7*|smbyvcf1C{I&mX|vvj57kPFyeEk5V31TM+`cVe;!FssWe zP>MQc!@NdASdLLA18>1$o~&(7L)CWKGpzC-t1y+J!4Dxka*oH_U~etoi!R)aH2ebNsHc|W4P+1F_q!&8ERj9aFe16rA@GtNuzkeHY^B^9}V{1|p2f7V8 zZGk$J0opj~kX(j%wSn;OM5a4dlqt?!>0o>%blvf<=A4^dF5|7Qf+PEf;&Gzk9Z|{U zvSnkMDdT1=z4Lp&3;b@LO^_9|4-*uLloQyw(!+;+9uYG8r}}k)gC2>Aw%&V~-`d1k zr1po7u?JLc%@THA-I0jq5OhPVQXOV=dkzF&gJX_6)f~+%h+epuKO@i90#!eBRyc zxOQ{S)^1?&I4OVWr@q6}($dOh^Jis7e7mDb_>w(t+{ zcU_{`Nfw=-!V{om<-XrpYUkV0L{B^k3X5}WB{gY{l=svK;Sm^P1DuO6^S?>8)F|k5 z&k7elYt<35PEk^MKJ%soBcTcI3~u3UK$_J47!0VCk_*YCw&tmbLbojege|Fdn^RSW zvY_r-UI*W*)2ViSpy79+nxH4T-D{!nB@Nc-RLrqB4lPEOSGtLAY6m4DY*CUL0`Cma z%Cm@HpO(_6mDgw-yU>uGA{S-g)$(G1ksT!ZuU#So9YQA<9z~k}FAWSaf~OC)iM7Te zQQ}ZMHHxR8b0e>_K!5!rWJW>|=PS;OUR7B=&+o|2 zNIeSuQqkA+6RS#W&k^n?kz&Vd_!w>ls~K}O{1fu_@<6K;wd3;thp?}Xit63_MMPQ< zX(yICq!Gm9jSeemwG;AYX?A)i(T4o(r8D`^A4t_U87fd8J4pM%Jj86H)aOIjiV=jiEA)&?k1r@HtME^d&Y zW(_CPUPeS&3x~4YBVxMpGqx;e`M|+2PGwcW-nk=wYPURb8NJbrHM&dFTE;;AB%{ zPejK+rtaO08<@E2)X9HM;(t5gN7KCcF#JL^v0!k=8h)Q5Xy;9Q?Pa|Cs6(v5lr>R` zk>RUUn(;WkgfTQt&KZ29D=&DK+aKyYVFSE@oQ4yV+KMKH7|cC}k;kGqxB?2;aEDSz zFFSP5kY;!J>2qyG4oaR4`27sE?#>pr{H3ehh^UZ7r0Vwgm3ZvgCZy{;qAxx-C7X&v z@Lfw{mz!@Dj;_YAj;<8?$=w-XmVbz3Z@(B9L2_Q`8ykpOs9dO9B={=X?-f1KVRvcF zBk(UU&?&!y?559>%> zcV|0;X8V1ZGw4>t?_Q;cItGh8S;L6Q1Gn-Pg)eOWzkIe&9%t9RI1#?*A>ol8B#b;5 
zo6hJrnk*kk=4U`^MmJIz#3UuJ(PrPQ+tA6{&JFeQ7-|e27Fk4%X((pfbe%F=k&@RV zYN6Fd;s^BP)6#}?Y^6+zi%=FiSFr?!PEY9JE^ZC#*Qfa~kmwyE>#t!l$D$vqt*6t> zwrW(~GI48}=FYG1B=TFtRaY@qxSk|_8C1J`<UqJKl5W6>-yxGgVkT zf2OnmOY36F$fbs4i zAhOvI5=xEvjEiU# zz!@r!#8UYMl^aM>epXbfTfDUIRbRc%ZY+)adUU23 zL*o2SwX4u+t)RKLgoMFF*)l5MDc_V$K4+DI#?Eonu4fuU3_Y(zz{@6p!R6vLr7FB6eY*xRw+-MI5$R32= zd2Lsgn&m@tzu$-CS(xTv(E%r^gr#P8^+=;5o}XIO%VzFoC)BiUFKR?cEB<-Nmjdm0 zxFdolQ+UP&!}#lQ@NRa3nQd6v+AAS#;A*rl%7|`waMzFcR5`8TX8cd}+dXwCZeg+* zZa8fvpR(iIV)vu$76qA7p^FzgbX&jS6$#o>W8R3G)IS6J-JH3yu?kau%8x^Nzt}P^ z;p@G~V50qdl6^=*5dD`O?foPCaYx8F`C%=7_4)*p*F5rPc2=G6n|LAUCd3wRDK<7b zT%a!~yg8rPqA)>;Uq~Td%D`$pK3|xXsZ-5VIgYNemS6s4PO}lrfxm6b{De=JZ42pg zPss-M{H^G85*X$+N)Q$V-YmRFWHP?eQ1)Up+EM=?uhiSF)Jrfi%h+&qH_9(bxY(5KHu{=*XeQ5y{YWSH}sJsyIMp}_zbhunbZL|2*=kPZ% zqwsK&R>=(3k34E6;j{n<%8^BgmpC)aW?iL3Xhj)-{X2%aha2rgC-BStZBn-l^M5`r5R_s$wtZ(>M;PRinGe#Vax<2!#9hw%iGph_fz^k1JY`FX8ymH5&mXYHyPXhr$X+BZZyVK_E^k6$Q= z#yN>=;-eMNZ+OF~*ZzY}|MSpZlHz#u1lNh4d?a{PN_tYnLfX;-y_3msjh;?ntV|kk znSS_c0#6(hF!ePdEIL;SbjhO$4gpsfb64?9#KXZwkl@FuwnP?>!YJ1xa_=SXp$3C= zY;9$xywu=&vV2XL7%A9Y5-g{@EyVZKFg>aOYq%Hqi8d?5M@eZ%io=EBGLvzNU#Gx6TI_@wq&-lWee zM$%Mst0tWks&kY}BhS}zZ=!w59#chUWBhJYaW!a8J|yL-?!A)$&*S?o1E9-I>A=M- z6#!u4i!*Tk{h;%bIwJqe2mP4&y`$F2-H4WnfD|J}O#7fAbrNFo#UmeAtqINNWd;32 zY092nT6nWBenWH}BGSKQvEF}_6`4C&8%Fg!?RPH9L0`;Wvx%Cb<+J$=t^!XM-V zjVezQzTrcn+VkIzj!P?_AeET4GHjv=#09s5i68Uc?!BnFkSe-=rwPHj&Hq`_#xM() zZcOkV=RC_0{AXXGxYtcbq)re4C&2)oK_Ia(N&yn+?wt#(XW}bBj(0;R58d*9+YrEKs z?Oh1{gJsHZ+;)1J<=CfmVKjl}|EuJi=$psg)-*=e`}N5Y&!9WQ1Nx=_UVBnJ zQeYrfY4Ke}2KC;t=$le(3K^rlhVqA|U>sr8IB7F@4ta71jJ#twWJY8up!O!MAmBsf zr5+EJ;kwPZAJ3Eq)t>*BeIuF4fV!pHF{Ex26iluG+%Z3&+6R|ckG?gVT5u;C^1uip z1p1zlGhU|jgkJ8q$;`X%ORWH!5yGtu*TFYtfBx$<$%NfZIntLdBD~x)_i&jOBmqv? 
zfgNixq0P3zU-EW#<9E_CT-`IXELpNzZHG223-f^4a`eZCOf@&;82i*Bel_AKLyhi^ z@hQDyIhHR$iSKMkzcF?#n3D@xBNp&Lh3N_tZ$$7-T%C}WM{EWKH=UySP%*_|nNarF zhWpiBq*{Spfh0TAY^RFo(fBi28T^yA_(#-NYb0B8&LV;XQzO)Jqj`R35CK>0(KtnC zZKB`HMhR2hRX4I&`(w#t?;<#JV{CQRzgyT|2?y@q)1yO6TRlT8N49&u6vOT9NGa6P z^(Pj~5-+U)3mdj1&Y5rh>^_6o))qzLNEkkupy@kb8+$aSO%o~ioXGN<1D$Z&3LF&J zVYorj1^*S_>1S}juz~>)#;OEC%Hs?26)MJL#XAAci}*``L=&+UD<#a+c12jKezWHo z8+_h&d%eO9v}>TY6#fgGroa?1KM-d$F&QhOGFlpeicxz;)d&&HyHrq)_aklL?P=UX z29cgl%CJ`n)oeg)VXP)|dM5BGU3kRJ=jvjxnCau};xfsVk%=&eB0a3*Xqt(nM61*e zYd;gCD?*c)tv$QN?QWPlk;8u5jZso~j^}qxZ`CQ)_*Q}h-P=Nn;TIzxP~i^>-IW+P z?SZlKU9!KL7;p$cdI^9=1K4#-Gd_TgQM z+#RJu1eMHoa(qrY^2=8|Vk@D3ETkEDJZRL^ZG8>^oXC(=HS|d!LPI*zrp+8a&fg6q zeI}7BIK`f@CgN*$621KG7#c!tP;dPQ;96ZoFY@Bq$~E?X z{jU@IeHL?e9T(Oe$4>`mAqY7-h!@c-Xvre-1Ux+Fvb`8t`691tSaN;mZj)NMq`if} zG!?Q&((qSJ!Gn>Z9Z}|=MB;VG-|*haJga${VWZ2l)hvHuD_hq36|kcn_lNLuX$>MX zSYe}rG~ey?L;QQhU51|4_ni@DDgqYrB&Bn*51o}Byh<2;5;mbx0DV528lAr4{;H7A z`qJf5NlEzmq)y*T@|aM7z~}Pb5rdoAkjdN^q0i$RwG@jIDSZ_01ddP?JNF7gg?A>b zY$dr@i1UOE)nH>YqR1e$z(=a@V3?L|19Gg4!ku{Yt>(3sD~IX1z{7_E4QZkpGU4_< z5tg_gCV18_UW*DN#ArIAd{7zg>i>-X-OemNw|7bK_q~^7jcIOnVYkG79tWf=fN)og zr)j>@Y($=V_Xy}XH|%h&o3B*fkGKf>38*ZoeBE}zmK{r&Ns$g|pz;Jc`2Q}bxv^Ld zue9qPqfU#mBqeD&3~3%stm8>tCr(Y{W{nwC6;uf)(gM{$p81dB*Jd7>E4;6OBme@} zTs2PnyWfT&YFos2%CdR0l|VAHiHMKoSloiXot$%WsmQrXvo)F@`_KE*B;MWW8E~BZ z8Y2;sz(dGTPNUh~FYy-rhQJ@WEJpDfRiNVb6%e^6ZeFo@Q-aTf+~&i->0{@t8K&?w+4!f0>omXCTu2VQu7wZ>on~Pkj zPqYvt!cm~MQ(fx9MthK=>Lq2Kk>c7&SG7Mgj*1*@LM}CN%kTcNH)5Rhzqmt8*zd%) zGjpAJDV@4+wdcK zjg-!k>NrMYA42h{(WC3ADwUUBx$F0oSZnCS0=Hr?G@_+JmY6&O-F zvKgNLf0V6|#>1AQa~rE-l-hzyZTYd7OftSxjmBNi{Ndd$!kHKo_gxt|0YiDE^+el3 zi}`|Dej}51M5%q0?OpmWW>2N+Px|$Yr!EPDZeNoi!Zv?#PZU_KW7a-gQ)G8>$gqU$ z;J6~V1$eN;qf8j;W?XCYcKh`u|Ii85^!U!P4SeYT9)Y;-0Im%clS1dA2*TPUgRRD| zTC&QmuNtl_U#bj5J7mgxVo<%9Ne9c$bx40=ZV+b6<;5=XgM5|~`geCc)&GJHsQA{z zkL#kfFm9fywA$BMFOqWyl8*OBZ35PncKYSUJ|xzp8A*BE)9m3n*&NxP#_!3NzL;RG zxg=j9cyde6kJAlip$B=iEr;;&Xk7hLl%|(HpBYMWAwP~Z^rdAyukT6RoX|C9y*e%T 
z(q|B*cV5qsaRyv4nKC6o?Z%`Ro|XCX;(Y3(~S z@DnopXz&&#3@yH`W!*eunFyV-hW?lt3BU`HqxkV|9BH{4glJpZ`LQU2s!fNFfD4S>f( zIkelb-lU{+!0C|du35ngb8_GHY@v@y163xI)0eK+5G*5h@oC3OGE0cQio!#EUb}NT!jr#r8r34r9D!>*JGSz%m6GBU8 zTJE>7`$%NRebF=Kz2Eh&X~aOivfo+N!JkiUO?G$p=9X^MJi6Zv zam+Kt>~op|b`#p!H!=qSq`?d4)4A1cE2rh8e|?>tL9+Mvq5GEzy2XRg3iKM2X%+B3 z#0DP^$;i+HR@G36KlQmE>9nVvI-(IGYPSlsq3~?me=)!zb9C)^(ZkPlad=t0=t~wLexwd>)p_p|L9`Wn!TmG z)j9sfG7-zHCUrV~aN`m2QzceaWR9o#_If`S2)Yrn*XT3;v_M(bcvR%So4XT+o!q^P zBct|H^f*coA+dNEGx^o;Ac!gSUNH}c&$H$OL`Bb^rl~6+eme^NDBwQf0$?|!Gr5S+ z3nr!aahjIGaGID(t^_;%dV)7)zJ%@;p_)1jOr#F(=~9J~_*hkhU*EPK+^*UYs^vAt zt%fl+{b{tDwt_)Bv~-PrxMx1z4#4|EYASZYy%G<*dcAf|?K@@c2fbL3k~V1r{Ds=+ z(d1T&^4zV^kX3qmzRNmr2N2(+I#T#QQCyY?EJxE5Lq3)w`=d{P-W^~KxPx@-&?JQMh_b1LID_kvWbWjP1 zEW;h)mQ8w=EO6C_Uo^*g*W;yyoCuFp71?maN9n()?Fw!{TR`GYqaTeEbjh_knccT{Ru8Kfvs=auX3Zd z>(@-lATkJBFyDg;mR=%eR>Qy8vihr&9l`V&6f9Ee@vO-)cx$rV%{As{JvbP6kQAU|PCNrL+H1T|F|^Sv=pf#P?&2$A=)JkHh`m4OcpEVa zEpIs^Ub-Iq^cHBu0g8QBl=^tIQYxM_Be{x$fi1={e;2b`&NL``+&`=E!G;1iy$)&-ZY z83_v&RFi3$Hi8p3jwlQfTlpQQZxnENK}U#8AHdjdLmDZsaOvzHv|eZK1D=jJAUJN9 zdKa=~{3%)NZ5Z)!5K{)V`+{Y1l%+=zxfCf4c;j!s@$8Sur~sf4zXf2?OuGZ*PzC+rL~Q?c;01hTG=(0r@Z;#VpUJx|l@P zL(7DGpH>_NCPwc5!eA8Y%%>VCj08jtEp()SF>l>)VCJ=vRr5LoK$M$Q(zfZZJu($p3SA|gQ$^n<2iZ~ z5Ei-WK2CYo@!Kz)FOj71z#oHh=;>e+?_siM>HsOs1pV6M4^#QIo}KoEyqMu?om5_- zi2=t;Ueh%}(w%qXPNsRl#Z!-!4+mBn*Hj}_{*_-nkq^{sL8(}DS9VMHyT3fN*F+g| zz=Me3c})dov?F-Qcs|NH9~wyrvO#$p-5!cPCqbiy!RIj=SYA4>O^4@~?E!o%mr;D< z$bEBcojb*=V{KDLuBwIUT*t>SQ-&l1_nFoXAR-(O;VL|n zH&5IXw?S>>p+Or9PdAwW6b-j>_pG!U5PG$3=9-e-@e~| zMn#w;z#`E-JT7(glUUxl^u_ai`~wI}4FQU9o2Ufh=~hH--p9!^W?rxOI|Q40jL08u zA5GY~t%MPNHie9I*?Qr(MfDUp)=V5Xorro}A90uQz*cqf*2l~nrD{1?V|bRBm$kibL* ziZ_8Oe6gC#Q)R7$PWMz#6igPB>mA@zyhJPoo%rajj;i!(UYAz592NPbYMhdHkc(^1 zrJx8p)d2?LB@&y1JEYX+h)wD^TI3!f{cj42S7hJrdjVRlidtKuH!WXSpg|D^5zOXK z-6d+WnL9t0Y&jPa+-dTfv(G&lu12nV zZZ*-{GEyh%&JeMzaVXHPjM!Zp*(mqxpzDKskcGi}MLvV#KpW6aca{t{BkI`R8y6oG zfRT(U@CY-J%B=pHE!Y6!G|00kMgHtn>_hO%mZY|tR_x%=Qc=xoox>g9tNocnynEvA 
zGoD)q!07r?rz^Bkn)eEJdogm5TE9szDt+T$*BoMAK{u=4p(tg$^39=y98Y-hc8&K| z_J@bL0Sw7^|JD1mMQ@nX!IM*qg~Pj_gGg^)9zp~cO(X69jm zx(R$-cRK4-k16_|jAH4GfKk>%Y1DL^_!0TxhG-7 zLU!#hPb6{{m^-7{rMz98qOl`#3$wCkXd9F9T3Xvphcz66& zOrY70bh%SzhBf)BhL%LxH1TMJX&`fisrc&od_o&8VQK~JheY68)lEv?ltF~Kele5Y_4yt`< z&*hR^Nh7Lg1%d9AS~`qUJ++duTQk>k524ikOt+hyD12p&WtTWN-2G9|SEZd_rg5C4BHEsfv zqp!(HLLyKrlk>)@5DV$U-qC%D!*I0U?Rm>v&v-P;=dmHts)Y9D4gc#7+QT=l5>Ben z+smz_UE<50n`4=^&?~rYnLEqXip+JPM`C;C;nO=z|B#`7>5(WIY_CW;&%J)s6W8rh zLe!gy0?9qC9I2ye%{>Yp2Ak*Gb2}x(FtSJX?0R2o6RWhQCe72M57huaVVQt# zM3CM+@c7VOWD?wKMNP=TK6|4kATSYbv;Yso1v$vR0_9iirg&^u&#*CKnLQvL&D*=F zb_ZCD&)sFXf&3-XHpN2$Y=wyKgte~~KJo;O!Y^j+`xTqHmq>0J2~22r1&bIZLwQAQ zuB*uIU>9If5o;h?D3uvhKCxEZWV36Y}5V!>r2X<-B>g zIS6R1j`W^qYotn^q}+SurX)BCvkoiGi8J!9E_NJrw0=1quJ6zLzzf5r8ls-7@hG7C zB1qgJc!_C=EGFl+;El`O7p-I_%NtBAp+7|(g6|^MVr8D#SMAkGjdbEpv&ytQ^|`WO z>T9)1B{+EIU|(SV{keFQ^5 zky@jdX+NG^0Ncvbd77oe3_8(P`kvTh4qHPl02!;ITLHSHgUt5o52s(mNd2ilI7)Uj zO*4JClv*Y{vB0 z>D+PMTrv4>f_%)w?lot>Q3|lY4dINfsAuilg%{C;*>tLru*D)jRS3&Y+Ufh4XE=9`@7DnTz2vK@;5_v zQP3TD)=}cY;HTEAYQs%ci9a;b0P2y90$T2Q?HjtN@`<}0f*mVvyo_a-3-8tcTfhK- zzCV8f=sLHH{F#Lny`!r-TYeS=hAoSKEU(r+(G}RyIF#|AHessDdP}mWk0d^1Sqk!6 z*0u`++uD;M$!t|{QS7m6G?reHoBC!1ii-<$%MZ6t2CK7$NaNkR&UAn9_9}RQ9Lv~C~aR@il5wepD_;sQA`YF(I7+D z7cF|J?&_rkm778HLltx@s_E$d5Q_!pW(feqJUnwk6~Z-%0d(Qjg@co1YRmhLL}kO6 z8DIxT;E|NY+`nCCm(ie)21AErZUZa2(82l@Pl| za&%q)eHS%bu%(?XPLs0+du`O;H$E>92EyAn<;UYTh)m0`}=PAly=WE#m{O%o3bvHm<;TN~G-Z_1M%f zMPag2l5+C!$!|>Kwsu#YdBo4@XbI1aPKP5UI)7)A+DzK$Cd`tt_q!z(1Gsg!;cTD7 zwUvP`{_HzNI{K4b;#pAoWDn9(nzu+>A=FEGrvvfg$I;1J8^ag=nL`^Ge%L2V)rMkw z1fYcpa1(!vA9buC>fAXt-}Jju*<_B zpxZSE`SBRhXB87fChBQUCof{M89z)%ALPbjJkXu&(jzJ6YiPBDs==F&HgzDM-H%UW z-2FOsP4zIFDR7xJ+8TD~;o>=TZL^-C?^%<5JrF6?C!~J455$yJ0O#iSqDWYAw3Cz) zmi)}XT$!9V$43_ydKoGMzZR7KnGt8YW2?OAo}FoN>H)O=072AI2+w#p7zx@rKfVFC zs9_eWrPuleJE~yDEqaSt3fW>q68rNNK(War3ex_cWrseXR{=|e%|kFSfx+;v_3Dj? 
z$ipET<#@N{AtTR>q+U^}(*_z$B@gm#=>QTXq1X(*Z&?97;F-~!_K6b2cHiL4g%h-5 zPZ#7jCInRv@r8B|8MfX$^(bdi*gNXBU<`8D-TT@2PgU;Y2kydw{#;_)%5*1_YD)y!v(Km_6ZSSfOuwk@O~wRp#?QSp zrk>WPFFY+zCg3AZ4*>-qTSL&#SwLwy#B@D?HBF5pBjzD?dPttT)a<(OX-e6X@;7&Td-c=wHo3G2X;YznsQ3uv61M~ui^=Gg|n;0?7cc*^- zo`fTZrah{dtKl$ZPp{$}ciSBXJb<{gB`tR8q7 zNX}mA9DY8Y_gJG_qLKC;9}yy7l)YK?kh~laSbe9oJtJpNkFK)`=ga)|=YLB&r=hVT$?q;ZNEh&B1Y7N{ z{LzEX|9fZ>!3K*+dt4&iQzA7OJoEeGno4C2W6pMl3SBs}tK5-b3TJmO?hY#)+&OEm zu365Y+WT{5fKp&VI33?f-qjVwWpR&RJNX6qWnn4mUWt#^@iqEIS4@pbIs4Ju5qj9s zTM7ZOT4~1>7OZSn_v@KcIevXIVqPwr%`v!q==TS-CUtqkV^&V<<~TtS3#w0dIo?9Y z<9a^Ozr%7HS>$zHAe5ZiIyI{Nu1xn_lHNYmkFpm7E*{UoQTc z*EK~GL3SOf;`cv6X~zd?2JU7_>&jqPK1)l=^{UMWzi7`98#g^&{;M-)n=?;&LsSIW z$y`zbVjGsQRSX;jFIHR&Jzj`+Q2itK;UoT9DIqYrSR{9>rEp!*UWzx{sR$(N+uJceD`qn$FWzL<$1TtSs~t+mlkc4PIv z7eI@Vbn^)-L5ERPt0Kc0?Dndt0yvbDTuXO0ZCS1+=N!0~)_l*6KZR^b!o9vV=)Q*` zIP8OS$8%%Extcd?$_J!#%1eztE!3>klzXarZ0Cf%t!YsMHtOP)Jv>JJ+4K~VPCa^h zH^}K4*)A z5B|8JNI*n;9dC_LzIdnoBbT=H?ashsX+k3+h?ywHrh7KCE+H}}ag@X`#ww%x`Os&rIcdY;r0R_V_i@Dw z->WKV9v&-g!HYf!?i`Eo>utedH)!=koc&jRUL3$U;76Pet`!@I2Jo)3 zYl$T(_{ki!&bR}}*fad4XMB2G@!O@3^2!b17=Vz=-BHpgsGe{PW!qMk>6A~&!FNR| zF2=Gwvtjbj86 zAHDm$GaP+4*0{sAxO}pnGbVSaZWeX10az&kG7$ajg08RDyCpd*29E)vKJ9pm>S6v% z&5H^$CJzFEbgvQr13*xb#%|8Z$<)M)2r#5{*JqmENv@jl@V@LoPA>h*Kzy(IcA8I& z9I?ZgxNoMiBB^Ez`f7TF-_SZ*qB3K+u)Xeal%Jv~v%L;1T31zhbA{~s+MjRkE}%H#*@zjoX2 z2q@1y;nqpdEBPVDgnDClhau-L!)uy+H@M1RHp%V5Qmtf_y~U+igywWok~~A$OR@+QU0%)qH?Ye|RE7(`KRNnfuh!dB^be6K zhndXz{C?QN8reFHa_3r+V^oi>>(yTo3hd&y6@q>3@&^;pRa2yl0jO3M`^K4%A@e7% zMWd!nJ{jwK?XXk%0_1$`szjwJldh3-mp{vQv9q~PFsHK_D=nVw+S@b7mA0E*wC4Ge zsbr1^pJ!pplaDE&;M~^>QCAzhbrf{j9UM>qie)H^oIXl%9=P~<_dM+WYV3m>+Nlbg z{s~}&3WT;Jxx@a_AgY#UX6i1q8!{!y zr+1Hb)1*g^2^RDYbq{>$cX8dZu?T-xc@#Ax-I;m@2T$|%FB{DPo6XKcifuyZQ8Mjr3V!O9E;`N`d z<+&J`$B0yBm4s^XhIV!oQngP)xYX_-PwNEbx_>H&`HZU>n#D3r>aGiUq0NVrU)Wf! 
zR&7_t*OxM9rt8EZ3M8Sf;NLol(Er;?9Y@ zie(*68XX){_*V!Z(_>Le6=c6u5FK#_gym6V3Zhxq(!hTk@8M-XT*lbD&fVtMb3<^A zj_A&Mc>>h}KG2c6&_Sl?`@OnlOKP8l9R|_lG*l3&p99iWWUf9}^rVl4GQ}#&06K#X zho*gvJo^aaiubZ;fMw!@w_vtpNckc`;zK7iXFxnr^J*^!5HYxM@cJCK-AXi{e3Xba#wIF}m+O1}Q#PoHCemFp>{e4_h1@KzbLyB-MRa-L?3G3?zA*miIetF( z?Yh-4)ssDKvYgf7bI>~)ya1~QOFx2=r)bm0Wu+k3Snr`FB@K4XWvLrtV&AFq2ryZ1 zg1SS8o*-67#BiY$IX4<+5TuT;Ie9Y;zg8R%azkS~t)-)w&{|*tXfU)&K-#( zkVdb!@e%$wZubC0a@v3WG2J#SS4to+&3d30N%=S9%@_(YO zpI=RUXZ>Hh)B#%GE%DwAd%Kw-z#Dbw$dtz{I?VQmmP;}EOaTGti|~F6pwq6!6~XA8 zr|OK}t-shb4ekQMvgJZlA(E`#K%z{sa&(W8Xbi($MSvh$2@&#^K~#t!PJ2E3+t$(- zr{7V>eDYg7&eBWr>Y~)^K3BT^0YHgQTLl56b4xj&1SHqCDJ0QpFhr!AJemo9Z*LuQ;T&@ z!|ze$j$)Hj{~cSAQ9CTK0F!gzF7PySgdj}wRORWDtF-h+dYv}k z3x^N)Ze6}^Pe5?p+sF$|&+}|Ex0;ttna%E0x$KBSL+xTz)PKXYF4%IDJ@ ztPKyi?7jBHe65|?7W6?D&D{IA4Y%mN-}cR5;Fm676)zZLrjFM>K3_NR7uQrIOy{le ztVH!5tmnr0Fw-mM3UUh?yc2~;`}}43d_O#(fk!*}7tnQnIb0XcT6UnDmi(LTk5rXF zx0+ujhjFiZckoMJ&J2a>x27 z^lam==<4bUWrsa^=PrnJjRtZOJ}^?AbyhQa4kDGJm<0BR-y>_&PHk(0O>dW))+BlZ z_Ebnq#`fxN9rZZ|hn!KIrUd&wTN0d;+kk#X$si25?v#(KStVJW;ihhuxuR+W4b*!IH1^Nf>q7{&06Lkr!7+V#ak9H*PEP>5QdwNVn z4_?LS0nhR1Qb~%#mpI4{3aHPxC;m~rBntqsCgtrbf&ZMS%lIlh*k_@54oXhjVB+Gf zQX)*?yG$g~E-KpYxXPI}m6hdwXssfxHvC63CZIMDNIGYt%p`xAcPrTtZ3UM#+i#mLOXSNj1?UGxEvC&%uyy!^`cU`1)?Q}gvtr<)7v zabal~6)XvQ-n67Ox2}-AfS&ig?uOevuMg4=ZSj8I`-zHF^w|Usi3f`A@Snx zM3~aLMR9t!laY<4UpXBbD||~15*2r&%^ZU*j$qfnM=Msfis61gG%y!KP~i-!r9+?d zg-_I{r45^DD^;*dBYp2ZH>B4}T{o&YQ6S}S4zpR+fH0q17=xF!Pcr6~d!yWEBjKQV zOQtQM?bD#x%7EjbjI*DePoRN_7QiilLM&pW3*4_0!b5)nPa>!TsQEDL^B7e!C1H|W z|8k^A;_>iG>u}l+idVZJsSqf2KFdw-wQXkk?CSY4*b!<62yq0J8Pvql2xn6c5Oua0 z@PhvW#4%UTfx&+0J<_R<&zH=730hY_n>hdyxWvPQ)i6V5*_Bc8v3A!-pE1VcxEon0?~YJylTqcv^^fenpSl2Kh3C&*($TlVdv~A%z@e`$MHq zn*99QIxIiQ@e|BFc^$vRxU{C(;ds;{?|taaX0w<#ul;{GeM?b99wl`sQ^#*6Q!=f2p}&4m$kgOq+h$QLsV|sG#-; zoG{D!o51R0P>(?s7jg+VIz}kQ$^3DS<#zkvbS0jZx53{(yw>}Xkzm0NkjUNvN(aID zGRM9vL_HxaBr+N1NvqeZ9zz}u@5fwMLZ}NT?#YZFBkC^-)8iV@84hg12xlK*-|TFV 
ztgFNFXC~Tpdyk$vhrmAoR38k2qQ;1$uNSClqd)<>KgriT{F)q`_N&KYRsxTQ^y&iJ z4iM-(-;x0m$!MSM9e7=<#e6q0*X{4oJ_L|!txwd^EV_85ap<)|zK=SHBlQCmgE#sw zd;T&LU;0ey>bnma{7rsz(KpA0{UCFIt$zg9W5RZ{KZs`een4PxYh?ioL~J3id4(TYY^*_bCd&PuQy{)N6uz z-lzWc;9pq;lMPeKr;4R+>=M@PSkv9LovUHpl_#OIJnd`$cIMebK8~Y{DapFVH9{9_ zNU=-P`**w0;_Hy(OlJN3KWx1PQ(RpWwu=M_8iED4;O;PJAV>(V!4rINcMT4~-FdGGq4_TM=O}#9dw;h40dclhYz)h4r+z2HSLAZW`KE1Wa1UbT0C5PcPn{ptAhQ9ws5OTTt}q!cIJ{E{0R6 zc>&5-`Ze%h;0{*ZkPIwD|6{aw10?6{;u^us2Y@GuS#CvRLX!7h1a5(cl=C_K&gfLN zPZp5kA|rU*P3|6e+eq=WkJ*KW;duBC^`bua2eD>G?lo6$K%e%68Z0<*2T!J-7vAaF ztT;7ge$cZhuj{%U7h(-R!t}P)>v;TYYQ9dgvj(srfi{E1bvhhTKOf~wyo&tb!)7od zUq#k}QAY0N2x zv6z}H#w)cQ(#1_F{3EzYhRoyDm9bk&47;@9!g|A|s<(5yK1Eo1M2C9+bUe)gK2bR}11hVEs?- z0$SlqQp4Z(K!SOX<1vK}#ARZ)s;ch0p*|m0ug6>h zA5S0Un0u29Y!>qOI+Qlgyv99%(i*tiY-MeIgat397a@->En6f7vWRE6A|TS>$h_t2 z;vHZ=J@0Y-QH5g~dzjqzzsZb${WFLK##6^8FwTeec+zaM<*`iwto$MhR`9%xgRO-7 zJYb2DDC-u%Cw)+b+G0yen7y+#YehWHIS?1=!s` z)$klgqdv5V5U;gA-!8L0ZIQj2$*AmK*cXQbt8RnbA&pAdPoXw%uZS z$*%k3GlwIlul!Jq)@H?(u$XT%%x#ob|3hWD{#%7|&o_~@{vA6>Ukzk>_etEnS++5u z`kAr%FLeM(RCwhsv07@{h_~ZBR} zSB6BlvjPDQRq(g!{PA@CAM`I?v4iR@yn-eO%++zu)r3`f<=AbqO%+bXK`(bl}-T6fNhT8lt^Z( z!unA>rqNM3G7AfU$>C>=7xs3OZubXOKHEnT_oRxQSEa9sv=zUmU0-oeqX0j_-bjZw zPb*cW8%ml@06ZdD9xwm`pcuXq0|+tRR{FB0A%@;Z|BD{B%r|Yfs~+L#f6n>}ZIDP7 zwpSdd<-+qySlf@Q=|zl%_FJr8Tw_0+P3j4>VY_WeF%zGLouL6D_;9yBrtktDk1`K& zV4I{T?cLHv=y5@!7Q@raZF`iEj#3+|CreoGTljyTkiR{;A77%^&o&|jPLW@K5mnT1 zpUa;EvvI8d+@c#BfW2Vsbp!Je#7wS1w%YJ=EXVWq- zF!RPT+reGx0edepYF3I~-&`zJ*U!!gTb(ytJTqx2kX0bj zeupW>L&U)1N!HOf?sFzB3ns} zG2l<^_Qted=jCKdn&}*z33k;xZx$&_zznm8<$?_vcgNFGqLpw)X-JG^`Y=GR5qF&@ z?Lkg33uYU_w}ilT7ZAxtt$STqYfE4LB{eCF%ISF&m~-rw=r_(;q=Xl$w0el%t#r~t z-}#IXLAHavF?OinDWB5tB} z4mfhH4H2&!E><`gg9;){KQfXRka88)JkXGhasr+5_TnoYRDP0WUv&8U6SMG|wg?Vv z2TG?}xs5gCZ^c)vfuF@)4Lqgz`kr4szC4w^pexbsbSEAWZNNp=|D@03FZimTvYok^8g-$*>2f`#{WMMbe9_LrY~r9gq(a1$$d5^cy+bS7eoAdi1tWP zL=yu7Cc5&EO3ZKR;{{x>iLUV#C&eT6Gm+J0nU{_-q!iMS>Ap8THx3Bdau4W+*HSn< 
z^>a4}*$NebZeB{z2XZzrs^F&-U#0ykvuR>WeiBXvCTh{QweD#FNy1JRu@H2^IL?@Y z^mz9nXw-XpM+`2uq9de?7EBH{?U?F^^_YX~hbRoWnfgz9#`YChum))k*>c6#)4jjz zg^eI%jZ=t(ND{3$9nfgsRE2&r&;yjgFjIc1E6_SyT_1$ZnNU&qo=U};p+>W|wCVQq z7ag4Ciok9jp%9-+9Uk6__|3B@!c>&NC}x^oil2#>1`(kBB)#7fPci-NUGR2PEssdf zvvnl}{y>Ws`DfJR|Hz;=axJ-yQvXm|-smlG|G&_{3wOQz{`tob8*eU&NlfR}rr)*n zJowYQr95LfO^9t8kLL5v(UH^9_9%=hBK@k`Kj>%Z1JRkkfAgAp*xM%mu91v?CfEqK zAdH727$hdDTYYEx*>~J_wv#+M6xe&d7UjKBpzoFWHV&C+Ikzmno*>7WQX)g};1>>C z;g>}(6|7qS`UswYRLj6jz+T2`#r^|8&0s`vF3DZgQ~u>ac;gsYMfqWd9&-f^Ed%9% zo{@VRfH-TErEWOx+0g8398#&|M+I$O=5{I)nU09RUo=wzEjj3_1b-`6zlXF?<(hiP z?MzgZPbFE!Dl3$@?>IOgiUKRD>wlUm=_2NRpOo(TL}Db2si%AMwbvzp6(>r-b^XSX z%l*=tDPJ1pUs9}i2PDP+=+X6*dgFBD=VY%JbN|Lx(8_V1#CK0@L~P4e_k?SAg<}3c zt>@pc+q-w`5hxzepB%?ShB5;)7J^Ra6qPvc7`xf&d56;-oUQ0KQ>A2{j{7(hDu}(= zBG+G*pBIN$N!T4n*_Ng3mSQi(S^r{Vy!9*AfptEFBv?-^-|+)b#x|?3J2c)H+UbqO zxGiCOCcH0%s)8l!p96%@nb>+|prwfMAVIC__npEVYxkY?!DHykk~rU zNa{lhJz>T7N72&^+#A4>g>U@F9Q8@8!p*J0-PaDJFhjh{zfLNP>; zv}C=sm*YStepFcqBHT(cd`zgqQ$7q*04Z11@jS@je4PYZ_t|yHn*`)9Udnnf4 zU=x_v;{GmedNd1nZC{bM#%OO&F#aGxG(-^kEqy-}b2b1?-x^QJp2ja0WH&Tc4LxSK zVB)kIc-k5er6Za`d57dKP8g7lfv_Z|s*PF4$&7|KBh z;lN=w!S3#`g&_>xc^4^IFJ}LiKyUhJK)l78R1IEEi)XgX_{-4eWgL88ws&XmW;NtA zW|{IJYV(#BzfP>CLQcT3h3c|(q{8w^PI~j;DZys6I@qQW!SfvJx_k_yx(`L~h=R!1 zznQFFG{#o`VWi>$9ePs;bdgBv*YylN*h%qOlI9#Ry(8I>6DtKR);pNhJmE_giwJUtQ^MyajBV0TCKHG@1UDSRw7#`~^SDEwRBUOV*S$+Z!M8 zt0$@oIdoj*Tv`8%y|dQCvIv&%f33lYlvLXx^tIXvP&4a#88>3 zc2}@NgCtSb2e8k6C(Ki7QJY$S;f1G(uR|$$Tm3V_Y?uKb5tSUB{+?Mu*+ggp)_d{C z@?(j>XuTJ)hd9V1kOO>-u5$T6e<17Sj-9yJ8*MJJGLW~kK`)XdFVP_i6KO1hNvi*0 zxB_Dhr|I?sxoLn)9A{U5KGhK3)65s?3OlJkHkse75m7%&xpMvzo1xGm|BsVhhH!-x zkqZ*eV&RP9!u;DGeQc;ss?Xf=NT(b=JXM@HPOKbf;1uRA%zDr^;>@z=Bv+cF7QFN( zf;Mu+;BZSb5-e2(Bb7omL?G%Zbs&X$ebu}edphmNteRt}>YrnlE*Jrpy}XEX?mJ5x zVl_?IrIV`38BRGEBFa{iG}^+MdXF$vx-`khf0QETvnx*jC}mNtlf3k2t}JF@4J8Rx zSr&z#k=LuA+(N9nnmKE6yyRlH+AJ7eFHq zE1EE%sjJ&=E6f?eOHIcva%n|_%^zkNYemiCpC5-f}~ 
zUM6sc?YY^nx%N$e69V~hS;;s`C8gN7@=|(`6RbZ(r6(fKI(o<-~|j}u)UBZb7yJV{3xz!f#l1@c~jUZE%HY# zu1mF+#JtN~w2RD7jbx(3kW#5W3Hj>T5w4cV1ekuNP z8Txdd`7Y^czNGoXQOcaj=0Q%(NZX$f_+VGg7gtFszH;1YNVTYA0Pn2rXX9Li|2i_? zM16wR`_a5Z06l0lPh$5XF8JCJg>WaXGD2mgWsO>{v>>QLJG_BpU$s?TW!n(Ndz;D; z7u9we6?sI#)>avz_pw0HTkad(|iTIPV&cdmyB%!R8>Dt`KD z6beoe^Y`wvqovw@g<|h2piS(XPBNfCr?{n4I^29dD&lxnnh1)#{B5jE`%&93FRZYsjo1$#mF6&7v1C>>t>1Fwzn0xxj z^-MtofxR2YiU{AWp|MYL&hW|U6Qh!R-jtqvFAWyj<(AtMS4Z6_p+>ruw)UM#Mr2-(D&nEMgt;WQf}hxQf;Q2URjOeNGm6>r$j!*UXY4hsv}JtAg{CrZ zPCIF3HMA-kIHt6g6v#0*yU<$E zyFNo-YA+q%cOW=B$(KRfnxVWR!SjV!Wj#d-WrE?TC9lt-zg~3GEZBW+&_q=47TS~& zjG0pMb^WhOR|-~NC$#$nab5wVU+o^Nxy%hzH+cQzuv_X4V<8^+3#;n@6nHO)aLG_t zQYDxp7d}7d7n`$ckv^8RF%B9_4EdzlK_gS*9Ku;SP!ZdNH;JP?vb(TGC`lCKmhWqn zuG85ZJ1?HZ9Q2u%lArnbe&c890(Zr>Ll~W^Ertc?Qp+LZ_I{~t#4d-u2wfQt%*08} zIxGu4&*xPdIu)nhUDS2%R_G+^0t;SBbUa81HgYkP5Y$d}#Pt^}3iz|H;1kn5D8!I# zuy8f0Q*UF?3W2)nS`FL4|GRCRI7%`9ecNL3)}>H?AGK7RZYd$2b0R>c2fvc8BX66^ zcq(cAOp+7(H5S}s4pJMjfOCbp*C{TpXcACOFjrA38Mo%3USY*1n~pSt^^wfRtTPc+ z5)tS)p3t3hbI#D6pa)Cnp4oF*31(FC;1$c3@~2;zU9uR;SiK_*l$@YPhkFV7SqT$R zgH;Y=S4U`?q2);uC6D?$So&=(rCZ2+aYfQa6=dt9f)*<^Eq8So{a0g%j2Jb4q9AHM z;?24DB(G;?2K2nGCI6UrygIA8sZvrDO>_SaA_M>&}}+LKe;nw-B& z+(#}nHds>qcO4;wkwvoqbs1}YO<}$D&L%9hbK8{2Jggz zrCVNi5OPDP+F9EIM;{Hew1eDL>!k7S#a1S-ztBb+>pRCeu4ynPGBR~2%@0h3*mI?r zzsScH(uXyjxzu5&b)T7gryvgh+K>(96oJhTrZ%eUx?=Hnl0;2Im4v&4Sk_%E6k(rL zcvE%MH&LvJP6PkroGD>uBj)qOx^KApgzqz$QIL|^?sB?w>fqG6=%^q&%-QH+T61?L zpna?F`;=9x6xpe(2pDyIUbR7>andUOc(1CC1Xz9R6i~z-{Zt!2S6TD8yREs}+{*mQ ztlQAJUENUGd`UdYF8A&^nnxr=5niC{0+IcGh4#HHj{^Omf)X#N>qj86oaw)S+C&kG zBJtk=wF8d%-oSqxAI6*9j@pGe7u<%o8$MGmVHo!^kDvI(W|M11Vl(;S5S}cj<{P<9 z{G>=$pFM3V>~Soq{ATj*WXPH5t$>WGm%g)FN<>UYwRL)JMZ(nk{kp9AM6-nZI`TBrudyYT?j8lp-f`+GnfZUe z8JE-^J%!9<^XnG)#lUr7lCO?y8+hTD!}V74#~5X-E7x1TWhL3bHGiX3z?bz|FzrWW zhg7P5@Q#+_t252a0?|Q($+NC)r#X^f)|G_txEeJ=^eRNHU#0S5G6yZSCPQgJCj_u zFdKfrUvOVSRBse1orPAS8nOxJNzY6x?)2#f+EIl*CCJ?oD~6h?a5R^a19DO?{Y^P* 
zjH21p9AAFW(_5>_tY~3k3%3_xZidKZp|4$}!Hj)p0F~W=I+fV(2-^RUuW3~JvXeJW z5VkwJyB|w4gE-+vXjbw;B8nK-&t4UgUUZrm!l~zF@%wfOu2#0_Rd|%OMm}hs8HIc0 z6j+ekOUSL+Dx0;odkfCGGQ=AkRkZEloLygrae_aJ27MWNo%h0+BBs&HLrCp_o5Wgu1Gbc2TXjKDlIQFsO!GH&Cx(J%Q5}JNZ~US*Yb_Uv z>F1^*>_bW9!kvE48tslOSYo%$<^kj*>m!!E9cYjmbnn6ur6rSW{~h{(U1~((Z*YxtT7}=G4<@nX#rtYg{>7A0E<&ZG|BfkI|6

QdZ#HWjEKgc*yhVPL>W+}+u>+~a^#u>5F(0tIh4g1(+ZR8Ws2>ky%()}G8`4>R7{RG7p{p=_!jV`Ds8d343QF>R?o`+{y$$=jx57iy_u z^G+ncawe}u`#q<>0r_8=30*GbB;0=;CoNH*Fl04!uk&@J@D?0D<$16dKR1QFK52=%?G9O zg36*6O{=L*71tP!1)Uu8iuIU(o&0ytr{|nwFSQs8b&nh}cerI7>LCuyC8fB~1hbfq z7E)(v&rGKY00fLu~x^{9TqJ@Ek8dRZyIWS_X7$vsw$rcs)S>_d|qMnhb{I<zvO4+N{;&dxC$2&P^S zmn#-bsx5MhNC*)2JE#3&RAq-SSHsY9NiHDy&;*!#Lf#t&cU7MfHj84L5vtK*4(kdR z#GJPzQ$~RZF@s>yJD@@}EfTc&sqw`Sr$$ecv13>?DkI3qB|3NH8chFWf8OMTbf7J| znr+G3Y4O~IiM!~84(%+p+Rw%5c+}!je{kuNtS#9$zG|0LO6-5|!;?mr{~Y^XAuZTa zmRLpMvsRge0>SJZ>X;3o0rJ}jEjV3v-GQVyWhzK2bAZK1-Ql6}qf9UhAp)OySiC3* z+;Jp$5Bf56TAe2Cr6XjVS|BHjC=u3Q(#+S@c^POQ&`c;#!3=9dy3e#KvKeWMp(C3% z^zZYh+KrVE`rn_w0)#uwE(Q9z{zv0;SSedFo@z`DrnuFi_)+}O3%9VDX?st#=jz=I z88_z$`Wd=I(&i3FhGLR5t7L?$0gIe;1Y)oVHR}bF%Wtk3ugx%J=Nf;PtQ9kz!`%qZ z49>`IRpCy62*}j0%C!DVBYjFy0$Lf;_W(AeryR63A`i&MrK(V+GCIX6u7~p&uayHO z^Ux7kMr^~5n~fwcGVI49iHPor8xP~K?l4DV1eCy0VVk)o62%{ySo|t>^32mL?p|3f zR#(=jOp{*F%FnNq3=gRN6KnGhMaDzsbF93sm5?!^K3amNTGH7QDYeuYhX47O= z232S`wJl*I`4E2VSRh8X`xhRwG&BA#XbmCwc+;6dU}05FZ0Nb_Mq-mzx#4NR)g~8GaWo;hRVs)m$#3TSDVb4KA5M z*-jO>LnBs-s<^6-0T=;f7K_RrYzc7=YP~`UuF=9vT*LJBVwn&~31wO#wVC=aoj>(m z^JA=e7=B!ko(BD)OeOdXF;qg@_@DCL+g^0J_bqa&bGm_A$B4?lHXQ2%{+?g69laQW zC6njri7Hi{6A_RGawDz3m^q#sp;z<#wkG3aR}RaW{E>(}YVt2Ftj7v{_%D^^Gb%9L zN=6{&CTf18y?m&OH>QYgpznl-kT%#SYYT6=BVS#c^r1GT zzfS`?s|htICm@WVuj6A+AIpbR6CpG7NDMZ5v8&OlyvLG*p|ezC5``RT-5)aq-oKSb2wiP@7wVW9$4ZDPbu~m^8We;_AYNZ)b@hT^@JAU8%m9!nr6Isez zq&#@OGEI9T~AGC}$Hk7Xs$@UwDksgo}*f;AM{}+t8NtM$6I~ZT$tp}s( z`t#+(c&FM@yIi|*>61oW4rr^+Ss~ml28`n|Jhm|5b7y(w*}boO>)5IYw1*Ax!&0Zr zs|CD=9(rnsr%f6}znZ{2_B7=Xh-K0!ECzCz$2P#bG|2K2^>3l=I{T=Uc*AT`aVuPY z6#6PY9{Y}^baK!^#p>lC==u)qN!#F+?a_3bo>UtN$tmfpLCbs~U*0o2ntZEQ6_}Lz zF;>&ad=fX%0Qc}aGu{kA5wY4$;Etk9rlL$92l_>P$AL*F>3do}dF%(jXLC1ZO}k84 zyp*6ryh*XA^8PBR_yBt>MRABk3rPST2W%4(d4$Q2h7=GmJj_8yJ2Hz>R!RK%KvD^^ zDM`FxFZriq`->sM@ZOIb48K1dr{%eq&LIL_<%^pIi~oC&Jd{dV|NS8600C=zy&v6s z#+HnULB!q6yZ#7TC43+~m}fTH zmRG?-H4dU^+^+16)8O4)UWQA5YpIdMALc&el<5SrEolz7-mlI=YK?Ou(=~r{E?&n& 
zPO=t#CYwSK1(84*pi6L*8nsQ0s+CWeV#|?_k<1Hp4Y8=oSwMbMm7~=qZ7M?z(vTUR zVA#)CGmMAbo^+g&z6F;VA}pY?!^+1pWlh*2*9y^rDBhG9*&9}*BYgk*;r;p^NquVO zLc6(%uRbQqQ3IPX=NBg;ZvCx%`Xd~C&^YG&UO)|RSuXdqo4FLR%BDD&fOLj&SYrjT zZXRb-Oo&o{SUW!eBC}{*9^VI6@eMZKuA`4eimm`h#_EQf5ol2Aqt1NJK*9{`I0j6E*sU1;6+0^EQmQms*~QG~;rdTqS7&Q$hj&0fJq2IS zwXOKNz}{hmy^#OvxAE{iU@UI299B37U!~@brJ! zQOpn{CZfR}1|gKsqF4FJ$8>>wwbY9x#`PG|Tf$CSuS_<3sc_Dke!+zFh8i8+dx2JjbwM4|a}eZA%xlyWI&Nx` zYDWV-FwII;5Ps?T>+|Zh3k*?liM&2J&1Jm+C(cJ?-+g ze;F2nFQFh z@@%E$P3CfHYwjLDJ6+)&$XMA*|1j0%77HyvU1xgVxXBtHQx z?QDSkOgDO$YO)V7U)Ug`YfXQT84GxeJt9K-65P0V+Wb|7$}^>k7|50<2$(ve@S0eA z*byS!AUzby~QtTjOsjbL! zhApYjoZqtZ_`6KgtazYP!@y#e6$OzOv(?viF9!f&ni|g1ROHw?uyD@|aGL~D{4sQs^j9zxez7X6{F15RHUCz_C@8zzSFuW+zL&QgNpr@e@$NlKNdFl2?<#v-?5rs zstS%7w_rLK&4I2YbAM3WTm$D{Ub{k`;!FonlzblA1mdJy79Ioqyg@dcman?#9=F2Y z*kgCVY7mnIqZ#9Y;DLAQ<@s3?3MNFcT!pyqy}Srh6K>I+=gt)3Q=(zx6dYGN&xcEx zF}Ms+So4Du-B;+$K#hzv&a7`pz&OoMg)cw9FI=H0X_2al3UL@yezA(hL8*2DVP3~y z;tFO5g3vr^;heK}Kh4*MN+SsyMZUvmfsvbb%TkA+W#SZ(tGv@`^T1rhV(}%}@cl*Q z5M&z0U%;gB7t8ttmsQThFLD<-3oyfsqO!KlP%;8b;`wU)j*A$u@fs!2dt}h7Ishl0 zO;DIhsO>r|Qu4)Cf6c-nPEM}WAj?@Vo&!bOFv`=pKjuguk&Vs=%14a1=q-Qkhm&wM zdm8|1YFd(>J@irUE&JbgA4B4e*BG{8RMx+hC9UpQTWjtDEBALJ(+X*$Jj=CuSSMrc zr%gwx!i2-*N1KF(zuA8iU) zjF~pn>*9_bT*(202!Ja!7JDEnrRv9PUOl1MGE*5=5A1$Zq#+fVA3PbxOG zp54A?8XlE5SkJPoYek+{Z+$C$uFrlwvDr)chc0${%8l|zELWPvxqBGU3G%<|#n;ar(20RPj;oUUGiKiV6I15lh$k|;123y}R$Nb6x_BS;nQ$iA8f)P$? 
zY~t-G5#c3Ejdx(Ua6{|How>igYSFNbcXyXv;jGD{JS(;5jeYfogun+?F$-age@~|- znn|Wx==Sm}Yg%5Ebx;xh)0@tjGZie-mOE)!@+^50>er!47Fj4iN$-}SN|P3{6bLNq zXR24&aRiB`^&LkVJ(^znEt}wkO+mb`3fM}&Zqw=xUqZ`{whS9nm^!eSr$X~av5d7; z3;id;niRBJSI$1~7W?3Uxpb%bd;R>twoW=JHGg@ljE@fSQ>S<%McU01w5_BV;6ABB zX2k^ZVXQ(Gk!qd(>QvSzi|A;{CquLnTs}Ra9|Tc=M=Mp8D(Lnh25q$n@y~IzNu{X^ zA_>^lPRL2>bV+ZyE7NY$&WEQ^7C*r$=F9udJI23NHxgwza08>3Y=<&*)Zl;rkx6go zeSI@IVpAtKyw3rnOJzn3%|EF9#eeB~d9Kwqdc;l<^C#LqgOKp4Xep;#{)FR~NSdVqR2)O(Zzh(o zTmyKd^>)SLX30Szd_JkZWzSI{gBeq5r%1^ql{!hQq{N~)ZYqzQ_@<;3t&FcEJCTZ* zk}q<_i1=)nK&rCXnV$0arMzLq-2LX*SU7G=8psS3pff6(TnG#ohZdD7DW=Z-l22c| zq73Z@XMEFa8W+oIr(hl}`#->*AN%ZOxEve2=(V~JxgB$A31-Y^`P`&v+V$evuMyG6 ztQ-_(<%rQ7X?^lT-H#H!l-`Iu&k+w!6*;c9P}jcl+9$(I!O!$rWr@}D$f&d8f~|L2 zahgxfiyXl_H^Mb!0h$om+<30{2^u3K?J0|(E|KRe{Y&qOON6NM$-K6vC#z(`|HA@! zm<|}Tpnp(7ICnFisE(r0%*+y_)1Nmbb#m~XwI6WGTg+Ea5aW{H`*b_(#y4cHc<3Uc z3Sp4uUO6i{{W-=fJxd3XW6GA|n((Ht5oPmZzU3Lk>S;jfyxbAT4# z*rQazquILW=fWT7zygAT9W;nIjlRz@%8EzWPQ@igIQ-e@LIjb-sQ>7%bqcW<(J8ka z9IA~Nq}I$Hxv|umF~ceslV+N!hw1OdknCDTL^R>lqTne`{i^h{#)7sZYkRsxxv#?J zQmZBQQyUD!b1@X`ox-ssEWzq{Gyv~-CdSvFpj-C~Z8^t&38zT_6opYWqPj&m`-52^ zA%!k^s)&u?i9O9=AK68qYdY);LM!9nob)$tX+X6Jo=N73LjW~VJ$c(96TAGiQ=^ec zo-$6-> zlgC`MGXsF$s4>CjM{1n(z32A48#TG0P8`71ox{Q~{Wum)lkU8fHM;ilpn+!rv2q)q zwQPasJg%J{+no`4rayr_y>EZH*73kWI&B~oa!+pEXt=ZrSi6vvJH*$e zvP&~M)6}l#@$3X80>!Q)C#~(>1PR?NOcMicU2x5ZO8A|DZ~>!@@SxV4rDfu@7LATU zv_Jc~sH1Flvcc=Ew<5oN`pGZ5HpDSdS>7PeKC0qjcrs6dF4wQ;*Vx(<_ue?(-4|w! z)Gu2b_WiQkC{i@7>c!)9S#?Ts3d&;*c{3R@K<4)F8OT#K>R^aBT)km`N1Fyh90Gy? 
z70Oh@b%d*Z%zv2`J9y^x9F{mIL^4wgOu|u{I(M#lna`(JhSI4<;3#|)EjA55N^hq6(vhl7z-7qCx zmxtLRBxtPNvZv(Cho`6ZC<3i~tFSg8YTo$L?C3yn-+OV^564$==d6-puc0CzTA|!h zzXUh*a&z#83O>Yzn%A8|5YW91vnPI8PgRx-zs<^^QD#<6(2DNU+ou`uR}G)Py7XqBL3E24LJi-Ms!7OUEXf=* zo$-CuB|sc)jUZV)s;!)aWP{q0RC8$sj${Q(*z-e=* z=~8VF)#l&vY}}_Clj%ztlwbqEuW3@GZnc}oYc0JvZB#(&yUYB3g<)yGpRA#ojbgj` ztgUXNO`H0+q;bH$E_f$_dH(g~R-{HTYn9vFQMTIW3C=k>%j1+E{X~}a?dVH~KV~XW zLluji7AaAUPJLyz+KuBJf;A@Du>DKo;>i=Gq4UEHx)DsKKET3ocPmMi$A(k4JP8Kb z!w|;^oYltN2Olq7|9B*EW-H8ab`QJhujAzFnjYIR`b|X~`H|15a4zzEFVklXfS&27 zBmKg6u3Te|+JO$Jdk*x9e!~a@A<+Y-R$Vnc@)8j@`u8ff#-~xv7qOmA~ zcb%Se*JAPfIBVmHESZ;j?i}@81xLZx|vh z+H2mlu^sopEcYe|ku(y3EODOi;Oo{qpSv zt})#w$?|W!i&z!o$h1)^Y3Vox&F_Kyf#HAo0|Jmgcy~we%9w3i;@?H^>evLK5hyz_ z{T?n?$PzYzq?p9kIIl&&D_NT_i|ZHF1eA$#H(lp`ZpINo=m?@Io)5XHL4z~?1*`W3 zYR!IbcbntBYupWq?*< z9USL~Oxw*+dasTlM(&X+iJbO0l3f5#j}?w6@Bnzn^&Q4nT+(PWU8l%%5jtFwA-F9g zqYZxz)b$oy(`$`l#PUx0nFs+=z1zp?PVMUHYet3Phj3etn}eEY!SGey1tIM>t`#?c zh!#1!Js21M4HfLVN@Xufx9P8sHIBn#(xEw3`sMCfaH3^B#b(t_d9L0$K-|0C+sn$# z<~1dOA&0~D#piLwWw+I3O>JS$xRHujS@?e2kf^G_>HSe9dOwFZ>N;BxC#jNQ*t*w7 zL+MlJN2gs(zLccs5Db?!hsuPv^$7UM?T*`T&++}70=Du(JK!<@+Bhc|ihFh}9;I2e zHCnY}MV=$z=}b6g8RJ32j(wSlK6TF*mk)gqV4_TwxO&``Pz2p`>Wx4bJ1qbf z^1kboO=kN9E~$A!+sLFK2qfe8{m~YJ?-`xr=0xB)C$+k;Ma^c)*KT(lJ#I*_^YhWY zs`p{J>UlGKJakOKi+h0nE@j&$vd!ypuz8x-BzK`#xO>5?U9Vs$UOC}Ka+h?M{nX>h z+ne=(%ixu{{_oUZd*~>SmXumSEOLozP)3V)SW{h7*CfNV{5F^d)wWg~1lB4i0B&)o z?Qum`HIW<5#I1;1v-F{}hXwq^!AU0alFfHP3x_a-gOO`dDbRTc{rR3CI zB9&>ag!wSGtisQwgon`y;Lz&bd54+GJa7uTnZx&w3WctH>-Lwt>8(dainuFkx06*m z!*EM4+tl(z%VctwJb+y*%nUD1WJBe1V34ZZ9Tp*pXw&ONf#7+-9u?he2aV&ic}0C! 
zerpWkkeMRH)Yx^YM8s*p*o7aaOh#}h6>^b(&o}g4MuqKPtEtwq{(z7{0f9pTO1$w> zHewC}x@$Tq+$L%LaJs!%ZGG9FcAJh~G6`RREjOvm4GWaaM`-B{d^IkBXYvb)Pk#50 z>+^2RG;Hb?^AuhEyAJ>8Ddec-*2gj&LlLd5?!DqdG)~^II8rjp{xEpURPf(!lYt+> zDa+KJEI(G=_PC=2AHKI%R*G-`FnNj?ssrB5)2B@zR+eE z;prMphSh{!{2-AJZ_j+xfbX{>SOAp6QI_UYb9bf%DxsPW*S{_90We5mc(y3EHLM`g=F)IsNECJd156RoCetMakzR zJDGz2>*nn@9*CUADK`5$gNd00toCXJtaM8`b~k0cuj@2M z2Wc}b`yxlX_~XW|fD|o>vp%U-f^W^X{vHUXRv7%-6JdL2Q6ewjGd(ZA)T9Y&x5d1h zfcZ5%$#EkPiXliw;>twsYv{f|NUISLi#UqJ_iapgj~G69H+>&|uWVmLQ+U;o_O$Kt z>4rqjHcasPO2uRe45_0WkKOC;#WxKndUC${^D`);+4E)Ht(-(68h(ZQJF$kQF|LK7 zP~>Usk|#T+e(%9@aB8{HLbF?Ud&{8k6KA80*qz zQ0U##3EHY8thabpe6MUkvk~pxYBg00^6xt^X)zMX1sbZvT}P|u3j)3tyU5^~DyH2> zUX*jDp2kBnGK}1b$SdHDQwWJ|)%ZL!*12esoRQo_UQTb;RWmx~HdQ*n+OHU@Y zkv#M6t}#bqbm;9A)QD8qB?Wc;8zOa$*30ix$-l{z|x$ zWWMdjFu9ZK9*zCVYJA-=UYYMT)87mWJ6;*V^EbMe=j&eF-rb~qWjVFf>HZ%5E>$}8 z8?o!y;@*M;)2xgvd(yxojyE*7&N;B- z5kj{M-QF^tP|t&c#A;_@fZH@uR`WbJ=PySa0tIxezaB_OtW`bA_D?-kbDcoPWaZ?n ze_TX?9e9=gwbz07!Ni7+f9?A7+hfX-ATnxK2NUAK10I_Oo7rP{rD02#EaxK7331HS zX(PQCXtxh!_IX6EJ2>s-OAjVf`l8H>u;Ar>-Y8&1HrwM3A{~z{-EnaR{#_}W+g_K8 zdzlU6In9zQV0r#)98P|>V5o5eWW<`1`g_2)v0;CW>2JIcl0~?5^nG|}`dgAleT1eX zYkRRra1qE&td=EoIw$~k|DB7QY3zvADO`>e6{xwWlqb)I6qpWEYjx7(!Jr?ZiikG# zi*{n;f?4}n7yOG`=lRN9A0xjWm)MMb{8J{1B0+h&SU(d}wBajCOTCCxd~v-2GE!3? 
zFwo5CR*sVP#sfJ(uQN8J02xwbUKp0IwigIbd(AeBQu{LmXXvs3cj;rEM=+uyq9UM{ zMVO`tCgvFGF9=IT}wAe zcXuq^@jk!*%=?iK3^UAfIOmS*CO+x-jz_;93nve8s$1MDuoj7l0SA(>?Bc##%pQN` zeQ4pQCceFj>PIM9xjLF*qT+h<6is+^H#LTS; zXU1-8=oYi(Cf2%^+zp!_tE9qXyb_pOOsA7#a^0k@$@@Cl+zb7z^y^lOZKl1?!dW&^ zC-C-QMu9mfx6*sDop?2o7}C|Ei{IlIhXH>nB_97(?~>E)i6;JMQAFD_vU8V6?+k$I z_za7~H>VIOV)WBa%VNnA6*$@lxIU>03CzFE&B~EbAO!7&+GzEju*8_jKtTSbTezq7 zvy#XT`CgSMk&F)<&n>F4De``p%RWC#aJMxvmkABYaX(*}#^@OWSH8WBqO#_PO5H$z z&nuDiJ=bBux{`0=7kf)ZPL^~s%o~h+tNzZcrJPNJ$Zna2ULCjFlNzcuAfxKe>LHjD z=*F1*n!V_!>xl3|x_1w`^=(HOO}uL;S%o=>VK>V0NG!~9Ka^1%HiL`a z70v1AK99KX^09fO`GP_x?1A%!!@w_5JLRTsIWx9)BgU2-;lxf2J&gZW}xC78X|64!314zUnn?IFF73`m$C5ZCArW5hRBF@hZt1 z8A87*;j(d3>|o%8+JPNFeSWQA6o{JSeG#?iDmM#$_}OzW={ zX~39U&!XSpaG^%@xl9bM+@i-p$#!-qo*A!lO#C1A`@^QJpJ2Z0yDLN1M?=-LPuuu` zH=*Prha_N@?Cbf1V*BM!2nztWQrmF$x5y56*R}oWKHT+EppNy0E7&^|KDVq9jX`P@ zO%z6wYn@GVhje@FP`=JdbN&QyehSNf{j$)O-2tulF@9a)+C-5X%=KG^00z`yTj0%{ zM=2*=mxF(MBAdj|;dcukj%&btkFu(LK1!r{#SPnZgEKf}heFF5R5v=Yo20Qh*FAuw zJNx# zF5p4%6wU7(0yeJIe_NX`RmArOnO?JFM{>74R3?U{kz1s8G+&%?>{aPDn$*Vbu#$qJ zl2%f@w}(jyD`1(}yDU`MgG|@~eG|JRkxDV(V=qfv!Vzy}aA$4%6KAA4O!(@xt7-QN zGmJ8hgEX$YboKtD#~#lcY&B}NAC#7gZO4e21-an%_1hWG9C56+4KNTwI6`4xq$)op zZChF74uG$qBz}LXbNJ5dWIkS|h0S8d(6bJEb`fsuSr#(tA>}n&Fv|3DNa)PydIU@? 
zRT^Tw`PBSy#xVrYherlf2w7OS!bBe=RHzW|2KcK`(iOKWdV6QBg#JWa$F99wHp7eW z_7XSX8qJ?1d^&V}_2_pzXSszaPS_IfCyl2PxDT3zlv4USSzFhvSl2UtQf{|HY(#b4xLm*@ zrE^uiN$XR3?e9nikNBQJU+g}`C^WHVQ`$9(mY{Y&G;3+;EAI3Y!{aP8ns1m8MsxVp zla-xccwQY^=j5*@@>{&*Y9F7f{pO5JvGW$U^zp7^4qmDPT}m(IM=1D$veT4KCE|tceerr< zlzks4Q!4iRTOz+f<*bw;F5O5Z@Pt~DMl>*2N@_bpd4TBzi>^NP!YxQlz>pmWxK%J{ z2L^th2SyR(;)xlXf7mVaKB311*934h9SpSBJD2r2d>bMhGlDrC&Tce}nqPEs8Vn`$kTi@KEvBWR8z&%c!?V<&>>f{c0>!rj+lY)U`w|(`OpIFdRvfCJ3 zc=}gwNaguvfsbtB`cW~=$-lb&dL>Z1hS+hCtFE%iMv0uwMC7r0!Yt*fK~uAuk!r;B z8x{-WcH;f6Qj`*Jsnc6VyC!@<@|vZ7_Txin3D`!FYC5y0!=U3^TnFGu)Q|no_G=BdYP3=O=gNz+X`(d## z!#pRVFLgG$l2$v0vf8x3&o)`IjF%H#OgcKRj9OX_0-Oipq@Q2ny4V4CGZK6!=?}~)~On~RDpsGa15&MY!BqI*B$fsPh!{je(H~O|Ef)g%`)N3RWa`>VN zKS2_5#*lsl1J$lvyDxV&CKl}E-Yl3v>X{iveGirTV~?^`9z{|=y5(ukHs_5c$$CI- zMwa0?l+9URTMz0Wu|_BIX#`H%F>?yU1r1;BIWy)V`<5Cx*M zCT$@njEUDN&rko}o7SI?s9U5%b-1xp$sE5=5VU2vF&tOiJ9uD-QAuLXD2sZ8^0dKU z=3Bk1bs%fIpFPzR9Q|FkTlHd|1aG0n{N3NDM+rSr@x!XoR%>d|U<6F6uN$vc=FN(QGzf%2l29oM< z^tZd%K^xyhm%mOMxDr%We%_Vj?~LM~73Hax7_9jydj219T`NkXL?pWt_Px9!4RlzL zMT0#*CR34jK^uvZ8TcejS%KON^<42?u^7(+-lr~CKaupYVUK15KH7%fzYnj(GrJ?) 
zZccvUdV~^3-0>)<*c@L`^*1(-M$GUX>Jn-QQ*@U9y|} zytnKMeDg12(bW^x!PC}d3O9VdN9#g5&R3_>uknTP$yjOwq+E}dZ zC^cC3!~p`LTGKdeiCMau^NYROT=6_JN?UH*O`O7xqis!)*NmLYSSKj>Z^4-tJJNJz z7{9Qi6f?mg%RLCZ5j8Q~?S*ejj0I>@-dj3k-)~NP5pRA>U+jq?Ho^B}gfOQ)9lN!z z?BrjeWNoP5Qw0=B(*#ji4GUrq^zwci%zwYijk2ghg3$Qzj!yOp{yfGVgLrCsrsOI> zDCjGYqKWvv=f6RGg69wKWZKS|#+w`K(Jb#AjG5b)szKyuUf`V8yzYHbjTCL#I!rQ# z>-k-jtK&ADM6#K~T>Ff$6R5a6PL3x%+N1s@t@@yWj0Nlt^3{LfYV2JWj2w8HMiQXV z(34AX&%8)aTzBnzCDD(is`qvH?WH*;4WcBu*emsN1rZKGr&Kij__%x!$)m5bm0SWu zSZXALG$vwa#y%?R>8aK&tu`Ms%T^Vsy^?I~*;zA)J{&ma8)l6j*1gqZ^M8Lco5!V$ z@p46xihB_2>bY?g*$!$I3>1KYGc=2#iQ9Ae7QgU_keRCKuOQt8zc?CEdDFr4f`cGt zaCCXSzS4J(>A27kqxjvI-YY<0v6Lx)-k)ik*0gUG zqgq?AZ}XoTQG&j0mGS7>Kpl~sb8jg0BUl2amE&W=RfflI_XBpFXSZ1A)VrzAF@HYz z&T)mro{Jndh+9&EuaLk;%^JWJYpXMi%Hp{BoZF0R()X$yVFvGgkP4la&l42dD~6qD zZ$){Eh*em1;+sB%_z|T0!-PMYwm#k2ZqM763VJTN7vL6RS&|=zZzb!CZv_*V)`7yS zHPB^`Fj@G;xxbvE!t(+jPJ6G4RSs1a4dE^>!Khx&#|S>9CbgmB$m(K7KfqfMDp0J~ zhyUPH?HTk#UTvOux9O+j*N(m^msBp>AS&eJw*TjALTlY29WVfjP#94@0Mt_&efOHF zlIAgnuc8nTd-X*okQ+N-dT`qA`?|4}>5Jff7m11r`vUrSLJJed1&4>8(>{C2|6*$P zs%1<^6ZL%tD1HOZq%-}nMd9I*bIN#z+XayJBO#ew2q_p=vlRd#}F#p zw+89GH)52cUWTEJf^L1@Ab0?a2~=>5P{lIX1KOE3w97s^;2_*5{qr^dY)X*#plb@D z?s^pev-C&J2oC|t%$|w|W2~$g*Kz%qWQKkfk4L7DKOJct@WeI=NGC|>4=N(bMVguD z>zpUCq)|7#k+U5p4}Qgn3xJk4fQzxBIf*$PrM=Y{UvL$*NDn@S0_xfPHw+7MF#H+-9WSV!Ou0Z!d508a!shl@ zuc_B++j2t%2AJ(cywAwC*8)X3)mdrEb0!115Xv$A>)`gSGx0jukT#N8z-jl6ivb)~ z7)_?@WfJ;_*((s0`YN=lHS5r528o3}mlCP(x|K5*ta6+Nj9qteXX?B3{~kJBZCqq%Av=EW_g z-I`FpGZU5k*bfBXV)g;XRbW5Eh}86Sef^I1(TYc{zG`DED63-ZyGZVFFKr+b_Nj^h z{=hol5V~xoh>>(3BOJA7WrTkZp~zACS*EY)s*!vL(|G7#+ta>Mg@gyxl+T%FubB{X zvoZxcL2NDeoC~D+#aF?c(pK8@&Q<3#POkK?5E)@i45ZuddTs>0!(`o%p~NiNsyFxh zXbo*n4}{W(j;tF#iJU!7fsqZhBk?=`ymua>r;1^It8e>qI;HCJDK z%WnjW=y2Qz=%uzW@hcr)J8X|E(~)5OKu^Du4vaL>{%9Kh=^?RegFXM34fQdZDd>Tw zvd5{sro~S@1HLHR?>Z-(5vF_Zqx`DAGfp@!u>zj^V?g z_H<6pr2UwO61RKy{0v-nq5pfmYvOrnMeJuG_yKjlU_`M*lR8=p8Z-%G(xZKxVu$uFdZRmOOso 
zvnhRfKPdexhF<-560Uj8=7OvnlmpytH=&cw0fJXB9;gc&>m&U19G5!w!XP*=MzqCt zvqLAGJ0KtZWX~ixH&D+s)^|<5n|*5ME^9dwjx81OjNiLDZrP!!YC7CJGdXV9Nv`V1 zlJ68sDD{j%nW=L$p4c7RC1zInkU?U_SPeq*I&>3J8lh%dm5G0@pv?I&qigwAcav(x za0u9lNJ&mRHD60V7rR~zHT!uCs4%awm8bADo;Ekg znQ)XoZ*qS$#26#`v4g?|n#DxxPdG9iCOECrd93&EMq(hW|6mKX^jjtDq)mx+Y)Xz9 z3D%J*<^x<10j8m`4~*$JwE1K=K<5G&|I4>wp*Fv>Zh<+aGY*}smi4DChR)~~NauNE z?~m>ND9rSAh?67b#TQK#t}?*@#nO7;m~j2u=4suGe`)!}DklVi*<0nQIoA=5j!*G$ z@{qk2dLfB5fuNlU>O&&yQ;|RsH*+lUu)BjD2>`K|&e|$hY?e2D^>-4ozBOVY~sL_24$u)qCAsQ@iHV z_uJ;qFq`(<6`e8Oqv}c-qo>$s#dMZPMSom3C~*PxS{Hry7m8yw{9)8HIAOpYx#c{= zJTw4l(;ss@2o>=T(2OIg*MvldzQ<|dZFY=*4Vcg^yKHADd9!6_P>qFQcYR!ye<_f4 zA31x8JR&R0GzQM$@M=M!3SB^yhj#zNI|P$DwOjZEzh=4K|X=8GMz~jXII2a%%hfkB=`YXMCx-nFu`Y>LLAW#CIJN!--}=`mQ64 zR@uwgEYL!vwU`D*(T+00&^|XCHkg}3b4Jr~1u9cRXjXtnq;^6=V>zMkcNW`OC^(t) z+>)buuO3$P z!5`Uk30M6e8+Nklu9@!L0X1o!;O< zWlkLofNHqJPTE6-&QO1U`EaVg#UqbIea#>}&r;PDRlnikdeZUGWDx;^BNRNL0KZ7C z`E}JH2TrCcD_GtWsziv8dE7+A;^gZg{d)nxwa8md9M6o5Mmhmm_j1{k0K zqce6>AR{mseOTrU#=CSe5t+)itx<6uad!P0`TXdzYfgF5@a!E*uH5e>1xygpj)JaR zkDP?neRqmcY`4`?&Hb!Gc}99I0NtOITQv;Pt-STzqClL62NCj!Pi*_x3-hO*{?1mURo zO@{@m$k2TeMGx~O9O98zXX@miexH?|DndZ7TtpkSrpa08Mc|#C1Qi-{C>e8vco?iB zQwzu@H=CVU^wo^7O$1Ma@q!H9LNUsSarALSsHiZphn!ZPFs`XR7yC1laE#i+D$gYY zyPRhaBh<2I41Dds#Tw`Xe_cs29Vy1n=JWXoRz)m@o|QG&Iq6z4{URHleT%D0j(7`) zxO_Z5+l@umV;$*bzMq?)s`RYQpI)|tgRQMKCt$a7h#q(6qM}kMkE`7iIy2EDgD+;~ z0W7!w)0`g!Znk)m@|H(BQh&5tn$De_$L?VY9xt07-DdSA&X8~XAYNQebOJmcOhl`% z=bbt^C)rK_&8AF#_6w*IX?Cg=n8{cW<-zpyTfQYLx1y$)W!vdQ#-Oo+0WvB{%OI_X zkj}2!i+yKk=Nb$j4vpk)mK^y*)sw4Cd4wr}Xg)vUh6te)sPw(aGbQ|p5ck&+802dD z@HJt<6N;$lJ-&L_t_~S!=1?J{R{v6^{I0^XfjwEEi0sbqY0lE)nm&B?=ni^#!bp-q ziBDOU2;F-GQd56P9n`+5I9~ylS6D$CVVBjq^%GNve)Wo11&g77}5yZ zVb6=KfI^G=VpNf!qq__IO;1nvnuGL9o8LO=SM`Tarm03J2d<-!cg@C+S8Jk>K8toy zA{Vlqcw0lM-gEO@PWeGpS(vc4w1KHM$FfqfSbV@Ql}sZY5-E&VR2D5hSH)H+y|qrx z7?@$-s}4zpIYjZ_(#!^92Th$)N)~wUW7Y+Zr_2&^V=t+Qc>hUwn$w6dw}8mN?x<;um`!a8^{Cv*_Dx-P8Z!~^ 
zNO>XB{y%cnCIZALc(tRcnsWs65pP4+HCtAr!6gf0T{C9Q2p;GD8(*I~`II79a(bz4SYvMJu#>Xx=q^3KeV7TzI| z9w?)QyxKlx6XlgdEqdirtAv_aK=Dn1u2wmWcPz>9>VD9FmtK|P@f``bT;grsI! zqJc=DQ@bRX?6moBRQA|#I#6C9;+1BgVG`_#BDeSWKzgY5SE<9qtl~6y{YHH9xVq;; z{3_LS_;SX0N2mGV;hg6)84_xA#@!wRS7DgYXfh^hJ>+dZ=!GdDqq-8!;=U;>c(7RV zTtRg)R<=F(yhfJ$mF|t1B@~>-lHt`HZ6oWG=BC$B_rEALMnl~VjkRy4LG}R$Pn#Kn z>rh~3mGk(m2;#ilPEIknIoKgVFh8RQ#V7F+XIFrF2qFLHU=#KZnJecbMbtSOlO-#} zSw%F={k4k-cQ3Ap!4|79_vc2s@^gWYeQ29l;}jtij52Zq0{cB>^z3d(^z#hWL{rlO ztJUUxMI}Q%uo#jraXz3{d0Wzj2)d7|1r9YKyreI=R_Er=?m&rxPM?AqqpvLg-s-1W z64Uc4xSHiytt18mSOKJG8eQ}#5TgK2t#G?GeEV7l~?VzN#+T^m2 zQW24~gz|WAN$a>UPgvT?CX)qt-eb)->)7;DoDRS;V}jb>vb+mzvz=9-nU<1Fs6t`# z8%uQ%FN&-7#{cd#`G(K>7a&qAc+OiF6e#}};@pm!sB%%1=VN5zY+kN8oX~w*KOf~t zw{5>SRbA$@<_at0`PD+T=48+rjEi{`e|5>uet$iGyOUwrnQBB3k`gqn@8MLE0M_-yV4s)VrmN2tj5<2r8Jl-*l0gKCJxsJ?j11kdZgY$$& zw#|f@q?WZP1TcT8G)iwION$s9F)m><$kC^;;tY@Ziqh{m-be6pDDN1=Xth;Xa>Q#m z(oVex_)e;|he=C+GA>q-64mSf%31FF*|c(&SsQcxOMR=|KMoYOc zKmJY&HMF}l_7?g~#*vZUhzsSS2{x8Udv*g8h|s-7hJ z4+D_>mDR&DFMqpVMs$@LcuYSZ1#|l43H|ldfkA5)bA#D$V@uUTO~3RmR_@D0|7~xz z#Jn8MxZrAP>jzSgt)piAJxmB_n-B@2$65P&BpVMk_f3nKNv^%BUXm%_lL-NP)`@4u zEqf6&p0d>X>lak-Vlk?Qg^GsEg$snOX%W8xA%fIySA-?qDc6t$o60MT(2_S-`~-mp z`lxLvxUf`qz!yWkR*&EH>FRcd26iI0xtsEoyS*~<~jQXS<^;NIpzRd-l@vKMF1IU-?UV_y;qPq z)R>b-?9S7;`$bq>Dsw|?hHZN_6z?ynbK&dzEO5!3@%CvQ`e;QWFH2PfXT4M&5N%IV zyNJLz$M=7h&mE(4dv-#A(7P$9UX9g=o|&QrS?+I~4*-p1a;|L1WCC-lw~nBW{y){`>*I$#uTsE=qdsa z93)x(PHPrr|Fp=wtcmy-HYLg2U#UoM$luYZ@b^~QJ34esR5)|igVjZJEb-X;&t8NP z^tA|$iYM(nSz0#XQW#E(iUqcTUd;| z+-er%!Zgh3NG-%@R+s$lb(uR2ugfRB3(pJO*KgIt=U3AI#dY8jLGN1CM;y9zQ_Uqx zg@B`IDXngWmto3&^E=qCuajiWyt=cWQIq6R9*OP_cusHWlb)aaN}=J^;DC zH#>q9O+jc)$b(28D?{`<-_D;M&36_bh-`pyQGCUs85ihA=N){V^)EVbx)~knP31Tb zg5Zzkk58vqlWQ-rrbN69>oC!11six+4SFFD3=ohR$q^>R%B1i1lgB5apNv$a9EXXB@m~dk=ywrnJD9=6S#Mf1 zPV72vkewuOsLCrr9^#jCcI4_d#|;Q0{>}^j{EIO-a{6r~x^5!2#o=)mqEiKo;2cf2 zGr^@wMa@$_@}mJ?VO0e+d$vy#GdFWtu9s%khG7bbuw#rYPLK2@R+zmY6uz4CY)fqV 
zVC4pan;1)u5pom0L>i+V5nPOs3);aRNuCZ`F*>yCX;_kre9(a)mR}qbIP0yjt28mB z{#UyM(gVB4xF&uZ!|&L0zo&D6;qUGr5%$L8WK_RT{llw5BIoU}aGREl{g2%BU-=+? z4%{@MgxUq@rFU{6XAChR zN-vFk!l+E%n!hCNY?LSV#r;UJ`b>x#){;ej%Ec_TcmPTApI^yzCzD(6?uwWM8c9=5QGAzH$`ULG z*^{4rDJiJcW$6ZW$1@4J>3f6=NR#E>uDZsa?uj_IiK*wBen{veRHy`zHywqoxFz7~ zK4(4qB~6a10_`Ky?YIiG&s6t{U1_v|FCU_l@M<~x7Hl0|>t*+XOUG~`boTzuRl_IlM#q!{tg_K<+X>a3#(m#pJP4^ zc}7|dAJgR|pg7Hqdr?9>jN~Ebsk;;Ttsx;T_fJu`00p6eKxXOMt~lACx5ZGWZGQ$g z{;x5pfSM7DE%_hPrGY726hd}ebVaPGS0aX)o$LD2DUYI2?LMti0**D0n#y1SxP9P3 zQldcz7LN`GrFxQS?LU<1zN9}FnRHyEtHtk48PO-#JqHJ0EZDr$ z*3%gMqN+b^MJCnO0R8i6*r(zZQqo;^*a;Bz8p#Z%u3V!vgA9~w41nom_^LPVaIrKW zY;R96F@--%UsfdGgYPi)Xq=veXXGA{C8YnVq~73Fl0L-t`)IRx?<+jt55LPL7LPE` zriPMFZ=IZC?K~_A@2iAT=Q!bQNr|a6h>}yp7|Ii`q$TD`=TvFrn$ZvxJTjbBl#@=n zK!1&%kM4+1PsL9W`S^n1gjWwGbu4-NTN#Y_FHYdrLRQ047CB!@6+M*;l2Ft1fFn#@ zubMJ}p)A&w4FlgOMUJvjJIs-119OJ&EPcRA5)mXf*G6`|5Ev+2bZ!;PSV-H2a#A7PeV zrn7Hgwq3X0m&l+*ZwkXN9aYB3*Iq@`ng(0?S1CZ%dRp#*UI5{%56><@Ras@u9y@GE zj?B>N{b1U@T>CGP&z|iEE@+*fu`tSzEsdVF(u+4cO5F}&Uu9^nS7%u=-vTK#ZN=U3tI_pU=8R&OmY60G2>S4g;oX$Q3W_YTEM~`i$DH2Cb|MR3rDp(Qh zL>+Cfu`K8|_)vI?!vF>{*a0 zV!xV!EF$3?5ArBT8~MPv@mwJ*GG+;}-4UT`{O-Uf zh!m$|l(_N|M(Flh{DJwL#ThMtJI-DY75En=XM8`1Feaq)!Om<*4a8(Dqh52Ex#X-B zaoeJjqq(ZO+h~oe{EdwVq?Mzt|H+Z|O9$JEm18cofazue{{(|lCT-Tr*-p?R&#yEjdw#Qg^Qiz68)!A(Z%1l6By8wv_T ztLKN^EQ_h&W8KeblujMvuYu1{WBv~^&~0vD5pnd zN+tF$Yc)e8RH+T8G?a~=52=28&}$jK`Hd0BR>Q8r;;Z?XOm9UnX@Q@E6%0!D=dw-G z#V;H!vesZjc&;FP;s)|~&B<)~Pi}Q%thq#P|9l z-U%+PXI%WjVf178zm^_M?Ys6s+NgLsr={9Ia@_g2gte+8Fusy0A%G$?cx{g+ucj| zR}H|cNg(@Pe-JD5Jk(j-1atLpr}?GuuM6NQI(Yy*I|GB?8(}^^J>Cx-3NFeDC%56WF3OfuQ~S3Ca@EjejTAfA|>6QgnD; z8~>i6FR38Z^g2g;f@0JFI{7UWO+_5a-3xPU;U}g4v4#`I|2@c*qTI^r2hcuf^R&Wv zY*1W|xo|}u9q_*%q?!RA*UNNQ#h(r2dj*DwN^=3SH4W(z<_^q#7Y}36VO{j^7A9oD z>Dvm^$l-4$H;E_K_lDTv)NF`e+JLu=kf^s9{V+#dP^QIrmjdQ8I++vXtyQKP4Wy@i z9H;%UbvKurQ*Zz$8qaVw%JBsRboU~t^R&^nEP>$6^3{9M@*#9G5qJmRItdmKF0ZOVAIv+0qtC+nbPMj2aj*piUw~mwvgVIE7A?@7d#To!wy*epe=I<$h 
zF8$K_OOH+fRpgY_b=|doz^#q=XQ+jhuHuIIi+|fC`J{F63T)d4pFUAwWrQGOiW{YL zOuRK!e@h8zFoDngR7tYIwl1nj5HA(C{n#j9h2V?*Ax{_1Cf^6K%0`#&DRD%j%#YGS zm)5mVG?11ijD7cfc2cTkE_Rj5<~@+lRidrcx)Dl`)F=o*PLdl|*Jrps+mjM0XJ7Uo zyr(gm!QIl=D^pCCaBd1`^b6YhA!=<0KRW+}PQ12P+o)>(y<1{fcUJi_+z`qG$GvZ zi(S?K&Vg!S=P$JfDIzy);za&;Wq}HqaN1$Om$$1WBH!7R_RS2={IWLE@Tr+!kuiW~rm`kC9f8Um94t zLXADF6hlS=j}L07sSFS5#>frQTJjL;~4(P|;^NAYJW z`rSNc@mHsu^xme^9$ooqTqc~Y!AkjWYX3>|xc@Dw9_scMBMMm3y>jPF@prO4X@h*{ zEhA}30a@*$)gWhXH4Nk+Ef&l>F2_3Y9j(Klr1xA!AWl^8feG_f;Eb6ntIjQ5ko#H;?gB$&1Z@L zvJ5zE%mJx`aHv054&(y?-2lotB>>ZcIaTk_mLM-qqCm@@S{{MS$;r=Ms#));I4JS$${MoupOykcu67ZCt#6 z=)Qz^KD#E0>H)$=K|lt%n{X6>4*zik$O@kCb%1DrlA~2PJ=)75X?LDdi`ebA)SpJY3TcTEKkuxK|9cs@^klP!Tot(&L zqsAklg&X$yv$B9orSlM3z4piTJAAiyu2;H&ajbH4D=#|+LOuYNUn`&&KEY15QjACZ zm=VL5$Pynx5Ku04&T|sXNs)YSsUl{%_iF&R5vv$2J)Y479 z@LN>t-*k+>8(j=@Ir`U%?A$Gjyxqt8r4&QacvQAc^}S{!;6X)`zqDh_;Gk0~hB{ zpI@bjL^UZU_}_7w9XCBA>%Rx%%O{2dk4KJ@^Vjf_(Tz;9?;j@qP_LnyS>6&7#rvy= zONM4f@=h5fw~=pVlDo|2sPM$vb2mB3riQ=)fUm{)K=UsxBSFVEZ<2p3pisG6^~V+T z_Kfe}&TqEHRr97=Qt*8y zED4dIln9%~wWasIeQA=>DtXXOfn+ZRESOA7lM}#&6?Y?i*}N^|u3tX14&pZ_d_hNM z=|)Rhv!sLOr5ivZLHIj zJ!bFJ+E1_&$X1j)RA!T`A9iAA5fT?ok6u4AJ3mf%{DG)!*gSY-A2TfJv8wSrefz+% zJhxXk8JGME3TrI>l0M?T+uUi8en#sAqnmlptrJqqmm9@{?RQDakyrbR?c>%7TrAH#*g&zKc5Y(@+UM zM^ygv4ro~j@U&bIsawBfK_6vDuLSNPO>f9jmbPnF0iKMYKNA($gittzg4PGChH9-X z!Bv^3{%up1(1IKBIgWVqHj)Ptoc@C)+_{&AF^;WN;J$yP?-xwGXBvLP!)~G{qmJ*= zrRSy#xp|XfU?Vi^B%{yb7>Dv5VBN@MiZeD(k9eQVgjhI1ZK+SCXgrqmGIcph%X7s> zwI+No4+#y_rLAWqSAek> zf~=oIsT08?{S(zG-vN;+Hu3j6PN-}An!!cJCYwflhvUK08KuZk^~CQ{hA4?FrM@z{ z5q?es#$rbBQd#{OJL&M_f3pe!pCpT3Ev;0(`=|0@d z(ThzY<@4U_9p|QX7WEotNn1Fl7b7t1PQQHxz)RGBAHGr(DbqniNdMZH&2o4FxxYXl z&e8<)TuIZTfC3Oep#!t<=bBwq_0k9TjsuNtnA5vBCIO#Onp%%7xxwPR-G4w{-8$w& zaC5*TY3+G`Eu*qOJGfKZfES$Le@Lu4-}dIjuk*RJa`np6SEX6r>^cr5ewz?^>xNk6 zgL{i&X0VK^cz@;U+3ZHlAoZkUN|P~an=`RtE$xwLo_F*zAk_O;LYSkr z`9cdX9yUe(Z>w;%zqi$un^X0iW%`7ifjb=Rg&_kLd|yhpNKX#4VAaX9dcS7WSF)`1 za5s}!ZAM7Uv{*Q9!?mY6{@GYni_W0R<4T#RCcHc>ET#R&2L=xO$I;t< 
zHd3uS%GVX@=%g+XE)Rdmyzqic{!SHfWA0uvwYn%5WAtFx&jz><5KqNxAo zxYGJw?3&Qfb`s$COp3^eyh=@w`ab;hm_Yp!o=~Tup-n4nlc;NvX0DNlz`Ukjm|b(v z^BWsNmB_0>V75V|nYc5*$q85l9qJWt3G~?((TIACe|g7+4E~dB)x%BQM;46Z^IP-N@NWQwEt0!+)~)JLs@KEmEb`66fIWSFbVD^dypBs|tlc+@D z>|$c%Py5RNw2Z@`(2tvK969o)x(eb3|eAid~F_rtzodbgKxdiVDLIOhOH@U*Ia% zHVz#8l84!%?)3Q*1$xD;0{Evvdl!Id(C|vjpzw=$J~QF+c*(dcxR^BvthG>J$*olE zMd%1{6Rt=BrcTp>d!3m%^V9m;>qH>!^k?iS!X;4RT2%N4#IIitfQDYv)WzLJx0j5s zq3NV3K-l`G)UKTvh&avY^_U9uQ3&f}+(m?|Jco_Fci9p@>(wl=7`%W9{J$a2;jI zA0^53_sIL{d+a@1a=#ji|KPa#iGYc9y^;N4B^!XiLZf1KS z_;?wErYK05SzV?#|FI$l>wmn`=M23xQKdTSaC9 z|6)rHnU7`-_Y@!`43~r$hQ1B{w@v#zyJF~lyY)(j37+t3jR39gJrCa8eMiKZ{}y89 zrHd^3Q~m}8M#Y}Cu|FF`(_nWbHp4G~P&DUjDa|!f zeMDd*pT;G*(AE@|vx%!9(@w9^<3owxa-KuntfyLE#jIxDF~ueF(q!7ye#M@H9)$L7 zhT?^pdGR~@^68vo1B|h1Jiv_~W00n3sGPCTZ6c6wwckRt&DdHtQrS?&yXPtQsbg}8QtG^MA#W6Gq$voEXXqs(JH2R@~-=4^3HNzucCBpsL^~}8K_tfm?WP)xU+yx+%I4t&wK<1LQ%E zcbBTlrA=3QZ7#yENJwItx~~@eRi}t5Yn(Oy6<(Ctazi-+}F^ z9re1YxkO%{UTRDV+?l{JptC>K z0l%5PUnOdm4ClQkTHAdm5JRm1b;U6!UMt5h!GtiRV>Lc*QB98N?%%c2ifp7;6a#H4 zaqF)l{_zvvs9comB_?Wjb%=@y#MQO<&jMg%oZ%|jheK` ziK!x zF%7(#ijmoXleK_Lz5jHc^;7*~a!%HZ$lOJFL!7wS*0+3nVmS8IO~#Ti8{Yk$a_*(>m!hSnN_+OjS>6fs4iN2O6thrzlgE>Lui<)M-(6%XnS{_Hqz|nEqh3pyt zpduT7!9@QpK*eJ*pIZ)*kP@Arf7Hc)$DI>W657j4xI0?pMcf?4kc|SknK-z&zZy~F z#DF@JRcOlV6KS-)`VE-7ZCNK7eoy^Z(oL;{=9qPB1!;}`6-aTjN-aArBhSVIXZVRO z`~0S!k~TDwu_y!lLd@I|;SU@ZI1gCN!lrG0(y z^ED-f>2)zGKIrWux9DxxMn5mc)XDAC>BF^4hAF4$v{h6wO_qky>YWknh<@+Y8m)lW z`K0$WM-%Zu zH){)QAxyhq4(ga&+i&E)R-~gK|8(WEUiPv@go^YB60Lk)wNSVm?L8CSCRJ-`6%L-w ze2siq_`*I5n6Av`PEkRov}}oQqby8M%XqK00@IucETq&=lS>`prC|d&gL}9>_Zx=Y94($D8k!A2|5}_Z9v4^(q|@!Yszx0i}Z~@m3b%aiMRtqFjX`B zpbH?wCxpkbfQ~Quu6rJ@1({Y9Zp2{Ww;-Y%1(nTEe5QAj3N`?$`k^c4tL@!2Y#$oy zpQ0F2-7u{*qBIco2eM#bL`aH<(*8Ob-Dy|Y+C#4g^A4z9=<7Rcab@y&@NU;HdTuVD zZ@5N2?cChm5RFfau!(L=D0*aJL7gA}VT)xv1R&JCF6X0ar#bGJ8Bemw z{>5?z2or6zmA{5E^|`1Iby8~s@q7bSV@eIvm;hIJk!BQS;U<1s4QXX?AX#(LcH z=dQQ6zAs{W!&%wM|1_U{{8Q-Nkc(si(R#{E8l(a}&!Gu%z7xP{?LEwI)(izGd~vG3 
z(mmlkASj??EvElY-%&|j>0sqmVb?^5{+{&p!yVylp(JFJ6 z{Shnzuf2q${g^wH>o*I2QD?4Pdm#a#YDN&)t-G$aFFK@VM3Ts&TBmJ^s7g3*`>(o_ zzUVhfnaTl1Bl8EckgI}Y`(i4G zvt}LL0-^qM>SfQO*hlemk+ANk<4?y6;+DZO0!hDG)SPo5Zn8J}+a%U+U1Jnk9=oj~y?&1O!pR(?DomhUm+UKEf z*p^Z+2@IPhlg$m%Iw4ip8x`#|?<#{iowGL=Ef`K^6)G<0+vQhTxa#cdMg}wdUEF%8 zT+cjH-#PN!I<7IYU$dlzaExOQT}Au96=xsasO<=OPOgiVy1O^BN5f8+Ju$l#=Ck^8 zAhQP$ik*3Wy$v?D9`R+I61N&Q-+4Dh%^r|7Z)&|Z`VhNE<9!x1dU|O^qi5v6=TYaY zCy~BmjJ#g>YCP_!y7bp?w|-)FvG9lE6~XL%T06yo zWJG}U^&nVOm3yT4kPqt_Bi1DziUkcH8OORiK(iq?{8>X>r1z3Y2Rzy%?Vce2*#r4F zwFuVqtM-UJq|UTYTDqyf@ye9@axknQsP9qIU!D~$GEHJc*&;(2{giLEJnU5zwVh6% z3wyeaz61F=fz?5#R2z}NEX2rBDcoU4CVm~Y62cmMJiF-qG1WJ%E$sY#o_OZ%wYV17 zo~#EY6o+2JDNQ&!Am{H@o1W!ViPCZO-1W1%xA6&p4yK^>i@6rk%maPVZ`R zDv9=+?Jv_F$@wtv12=NWhurKtnr-(!L0(a9Y9U}R-o$D|SsB~~{VtTSOtPh8!gs*5 zDU+OH$tIKLpZo%AWe*ffi+B%~qK8DkM zK6sgJW*_SH#h&cDo>r)??~ddN82TNJa~p32=l})zRogzw3hJ(Ii)bhp$h1%o?dSRZ zo;UU3yax2G?tXiwN6sDioHlwezeE3~8X_GQ-VmTyzHo+swqj=XYGp+H&##%ciQ%E$ zUzyI%PyQ+F`%S*M zw>s_6@D&Bpix{Bu$X$lBF6@2Ea!OpT(cmYDa}caWQV_=<%BZ%^b_uI^tK`lWsNSLf zP9rI_X5nA-^tkKz!=*5`VCG~Zj`ux3Kd{mr4R5?kEc`ZLZ*^@9^vXrPOoibg?^%Sg z^G&qr2Z?78;a05wK8?@uxz(HjDA4n8&&>K^#)Na@6cDu7PxS#nf)s79Rp+(lBX zb8nqI2DZYjkL|yyFm$YoxLe5z48}5PoJXCRFnP7ACmrLjbdYROX{}@F{2j(;;&{K} zHgk!>-88iEZgbH z=pxgXHi-QU%>*)+dNRxyH(ZhZbMy+pr%b3`3L7M1ZUohCIstBQV22*Eq;jDDH@Ztg z82q9G^)%?c)~!Wh9-{T2$}D#K!9=}KW=z>KKMEvGxTQ)CJre|0i8}G88yK>;JifXW zfdwM+F>?+7I7rnSA1_${9nkX7wXB#FEE`h9m$X~|hs$Y++Da{r?9Hv;7upBE_Tvla zLnk>GbKn_uFI1TwdOBS@GI3z!2bt&{nXlUavDHp#w3qG#lamY zkVeJM)7dU@LU!jNL~$lSzZ~Rh=XTQ@z%$3xH&v(foUq}XPDFTuXEfYR6bO>CyiL8g z9#&5GL_`ZIJ8O5W5=6Tb5|0zSd)YkRR@c^f@hJUl{dB)^LhKcJv~RY1oyVK47B}4M z=lOJNrRIXDJs3d-3barvY)KVfNi@FkJi!|n>dSUMntN;EsUSUWKLBJllSVr6P9u$Ie zEK0Xyz%S{ZxB-OZ_vp}vFoj55tv4u@;q(yOB2>&A+ZBoTaO+V)1d04f5=1XDgyE`2 zA9ra-w-%-wB0h&VO$t%LJqMQcgP1Hca2|7F0r$a zLn;@NGxbXFppBvsdUA;E(Dxo7M07crIxA-Fehu{k(sCh48S&^ge8>icR8R`fUoeO(v`MAQDKYj_WL3V=OszZkK6G#3GaTK}!JT--0Ft3w1A 
z2Ij}fTp|0Js8sySV@#c+xAS;nH$6_FQQ==H#6>oZKO`wRjRtEf7g?=9V$rT5u&lk; zf&QMDZ=e>88;PIOuz*{0wF}s$z?+?B|436_c2`xzEsP)?^*AsX!$wn{U*l!Sk7lP7 zRH=mQEKimfS9jgLZUzXfDE-?}n&ktKNVE$Id7m6$cCdq3)>#$sfU%M4@@3)E`t6u( zVFpZqMMIh$`$BM~b`-+3B)q_L{f6-3-3QnlSA&GbP@7;oZ^0Jt5-Ce!9eNB*k6WX`DN;+x3oT{42B*@d2#X5mgYT89F5K@38(wM0z8BtPXqi@d7k6&XQsfHV;w>FLtbEh zpjD~f^vUOB=!K#?k8uvrD_3p5I}sIZ`gH!2?2p5xynK_~0^Fxg#Pa#+MB`R8W^Twb zRx}Q8&+Aszj%e#9C(w%bAk5;wNL=2fqZfQ-AWfYl8=i1X;Yj_o|03iObBbGT1C zL$a6fCzBEo?+2f*p)jZmRNn$4*uVQK{iq{Tx4$!*fA78Q7!XW8=8*1ld<6(6)0VS| zt2BjgSj~(j!SqZlBMzm#ZtW7Xt=DxzzP@mF8WKnkrSsZRl6b=-7W9QR0)h0H0n-Wwn1tJ3Ljzh<8CgTpXb7s16 zztnXNMG}{yquW?TWbVmCf#-ueE+|J}Zh{0%sxJctF2xM+gkt&z@i#e&Qs30Cr#FXH zLcYp^1O|75&8;I;8!^T09$&p`O1Xy(H8jq}sFr-_R9)gPXtSl@KFn8%pZ{A3^8&3@ zHr2P0R_?2^h9OPk7mU*z;^r`~&VT?T6-Doq5@ow49mYn*I`-PiaN+m?E zH{#p8WIh*DUr^KfZ}O|j`MLzB#;f@{p>6zUbF?dlz85>)!=yir6CE6CM+uDvFAyu{ z>f^#Cj79|0y>*TV>QF!j*{VJ?+<@Db(_K$K*<>$BZxYiut+CuLM*) z7A?@4PrL3>h|K3n2$6v_n%TA;orhin*Vu54Ut3G9BW&ggfyXsdx0!tR`XsJ@ z7&XVvHT=0#oE_GJ zJ^>Dm$f60o@MoJoWggftX_u@vKY^HekG=o8bU?Rf98WT#2{33C*4u%__f>tw`G_IFzBh9`r;2L@e7qwHVy`x(7FDl3+a zowq`@jP5{2^S$R%_)n&!a4>jN5^Y4;Y~}9LC8F>7BO2aRDL0qCODjOpXzP_uQ&BaK zpS$+h@Y8!OZ2?jIxYd@JuVqXZE_!zv(pCJ>R?#4Pv07E99+R{K(lx!Uo^#huh|bHi zTD{?H`ZM0{DSSy}NDxQzor21|9!wgTV&ZmxOp&^lG; zDKql7!xAUzO5u*#3Xr?2yU*p?ylJoHI;FDWShDOtcmUO0tGKFgCE3;o;v12$9&vhK zw4@8w_c$KHqt}Wve%BkPcUQ2liwZl^xS|6lbXZG%i^X#(gV7@Y?ohAwJTceqXj(fUG|*9YhcyMCfM$H`myI+-+(zmimK=p zFNp||eNZuN;wF|jt>0yknQGVK$6(()An!}>#W)*|zT-`;oSGt7W{N!fA%;O`H00C@ z6v+$S95Ff(>C%IoD89YZcM})W{Z+!JuUCqnSzL5NR~G`V+c(;`xUU1AT)Snso@#y& zd}`z!G-2ivq+;rR6b1EzRYG2D;E8#v6K*NbwrLP%3qJvZqb={P-bWSfrH24bsFAI( z-tJpL+z?F6k;d4$qF8cfnZ#vM#PPSN_^ zWQrL(dP?>zTymkBlt=WW248`V{}CEa{)(AjO?ha5n!to30wT3BDm8gw>@o4F;4SOS zUxuB%ek?h86E30333i_1+#M zu`~!dv+nprTLa7&X;S%XgjiXDOpHFf5WJ$ zYfXP#cfi1dzK`5PV8sLQ?xcsj?swlNGjpqjEp(fq+EJJro!{>v?%@&!*x0!&2U&)a zH!aPsI7-Jci8q;_aBy-cV%e)sxYGW4u+X`WtfLl7YPveew5#S!Z5aC#TyK8m^~K9Q 
zVZ-Ot&+)gxr*q~4l4@B8*rBuBsStRc2_28^9D$ZSFUn>o_PxvfsMm0T-2vbSaqSxS z730$Df(1(2*Q1*(=1LWL24HV`ous36!VA7CCFJ+&R(X|QZc$n>v!CaYD}0du0?UxN{PKr&wyTJFPelf*GH0XqZ_t;H zKQl`TPKvQ;e_bb1^NO7=g|FoWPyaX@9Nv>HT`X4R$~}9I>^pi%bS&ihfRajMaHy_D zSKmuq={8&L!8z)gJvU9m=SIAERdiY2Fm1SKpvyO{_~iNRqI~6?)`6r1Gg{nEh11>^ zOHEyUTRFIuzHi*S!Jr|^hr5wSYIpuT`#0u}n-Vb0x=Hn2%>)oP() zj`*D$VkWKHk0kya?}9>dh~K1cNZn=o_@2(xCxSR?e&S-fL+yWUSX?m7Y$xS!`{6%2 zKhzB2a@?P^$HTiy;`F~7e6oH2z2Y~>{xWn&w+R4?<0R%d06N&7ZV1k+Np;)$r8lQf-HN^0^6&meoHOHKEeuX~Nd;F@~ z>o}S_Tiw1000mm3nCTZg<^GI&IyVz$?h_<+W(tBw;}^+w=9qH|n7NMWI0AkFld7Lb zt4BBNP6%DQf7z|$Qr@g|ls>F2D!6aYV*mZo*LwS>LojTHapbM}bZ38?T z#Z7w0p9=a%&nCp4f93d2D}s3uOb7cOqtg%TT)Xer2A&im5bMWI{QqQa6btm?`I-hi zHaZ4)eZR6-)Ze+s?CbXVq#iG>^gzvcE!-{I+Wc~-CR$>;noL^^|HZMSBDp+gw%7d9 z#q<_~BhsO`C`|Yr*i&*3r&aCDDMwwrvdc|J6Tr0Ud)9uM8RK_N9w87t9#Oa2%e{^2 zsQ7ZaEvlefifSt$Rsle^HdMK+Ym3%^I(I*8*sqM{QO&&-pt)5oQFL=RxRDyjt8lCo zXy|dBlsUae7TDo;9QAs20PO9gxsR4pTo=*1Z4MlSI!-Wz5#K5L?@%BX47R&*hNDz7 zgNN^U4`Fx`2SQL2)P!74H^NMk(cyNE^fZV{3O-$FF*Zd5eKmFd--^a#6mHvC+EjnX z*S{7DW{SNvWgQ5hq==z*a-cKy)6cwxrY|a?4R(aq9?s#85{79CA8MbM45xw%#+Ab~ zlgdjnK3ZRqTbq11XXMG{V||Gj!7W~?WN+uRwc0(_{f1&aFGe!M_nTs?!U?x#ElE!4T1%LdIQbK`1MUt>xfKPM zQ}+ZMH|wC)3c!-dUQ2L8*kCOa)2PC^P~^ar%-Rxjs{kUtG}_6yQC?`lcbC)OiH`9( zdqV8rqBVr5>r{lRqpVtY$^yGZ9*;_3a>pzFIPmN{Q@fCqg86pW7rXE4SWMLC8|Z@pRXBJ58Gm*kE`^g_!Z2Q-$S-+ zpYcdIyvGfEEOF89rgUra`VU*T^1D1yFQ=bQ1nb>$Bd0%U162H>9*)I(hKz}^-8%KZ zxRW24pTr0x;~aYm8wn7yzWefRWM-b4ajree@%Cud zOK6lj)DBUXLa+atrEa0fG7a2c!S(}I#4jhMxl5dWpn`G_wEKEqdl<85sq&?EL; z7(Br*3XeB0uk_4bJ=tG3Re8g|7s?TD1w~En;d7`P4o>`)4%Cy#7`8QX3r#tn`NZ$N z*l{L^Y*b3sp->9<))7P|4Wv7?WAUjDlFbW=ncQ`eQtAw=L4R9b54mF>Bagrd#BIo~ z>-x!u6i8VNiezdX|Krv$vVS%_LY%AnEnoN>2KAEAUgG-*1jObsIy}wfpysuDwK#lz zR2G!Jn$PK<$+G}LB}mn~tO{+MwO0`&CvOD4voQI?kke$B2wp$?L$`g#vG2@kZQ=_2 zr-PA(8sV0uBEy4ZZJnA1O9mNid;S2K`9fEUj=9gsl3yqZ-6?k1lDLxqkx9Qr$QkgV zx}ipIv&#m?H=l;g^`_iqKeR5rgOSXF#`7HApQp@Z=os(`BG6@!8IW|40nH4`=AUUJ z=Wkc}0u4J0gSnkM3x)kYgngq;MZNI@R~~a~EBm%s@p*ymhT58}4P2Mcw@}?cte4IM 
zP2W_Dy1oU34QuGLG=paw<3M15+E!4zE^F*Td(?MifX2l@*;Pr_7~7^RCt-$|tpgX)Q#HvNaKWV>Qz=fF78LNzDM;(8N*KP*Zkfn0y0frKPyfm8mLDr zB`Jszkf!Tok{+3y4Q#7_gfbi8X-K1Z(J;-c-Lqo^^nOXOfzXCi-d%UCg z?Sou%r@aX^+y8tBf}mW$&dA*YU2q77`cFZcrEIj$T-zdLcB*z9S-nXACd3 ze(Vp%Q&Ko~BfnuOw8n~R35`UDwxN`ocbQ)uSGbb>GnxrYq=n&o?4ZfXII!KuM@U$7 z&C5Eu?wD-pkHYher>f{@O7ugEoP@b*O0K2NQ&nN)q;XaNhqUG^qG?kRWY*bBTAXe&E!W^y!5ebH4l9KqslYS0 zj4i_q8fJ%KL3{9MReglUGU_Mr6_2*P;zs<6V-_FsV4I^Wc* z5($QD>?ZXG$I>vYgk2hvUabA>$AplBB#{N8CBG3E8qHtXUvFpZIY(l`sKmOdDrTxC zT#=*#e*`*%S^^@=8Ge(-Nn2kL?Lzm(z_~(Ps@elGpgdnGiOjIEX z?x(A|<$%I|I)?t)=hCsMnjQJpyUFnhfm- zvuZQ39yK{^?`;wA<*f$|^IC-vfRkvV-e{?t78j{TSTD!ABwtbPR(1g%R&}2?Gxg?7 zDTuaoBtCwJ;Q!Z0i~jfhydpFOJf2_R4SOB(c(FR;9zFaSTd1sY(_`@63MF%2z-y}NPemHKjF@sFo;CYc&f5--jI)e^Rz+LpJxlc z=ZT5>gK5|n&;RL`tOd}zWt#H1NycMt2v*8F>}L@w@IBH2{WX~NQX{zz6)kvZjxiva5VWWC<4a+sMUu^>^*4*q+E-q>D`<9CRlOw$ zKMfeVDptmq$OYl|xGdb>11SWY`O=t&4b;#EmO6~;h7uwtnGENRMBn1>+t;Qop+Z00 z^fhJY(UHhE*>Tty!(W0_RZ&emembUL&rB%ymg@){wi6d>s7}{$U#XG{3btdpI3(-I z30Gp>+NzYu_oh*yc#kqJOKhx0TzDVrdZCk22hI~=_T^j52sK!n+)sn<0#&{?s^)+p zvMs<4m_WE1b@=OXel&X@41sb^G+06<Wd{OQKh1E*g4 zan)h}Np+Z3h?M8lp7$D)pI$;A^J2=ox6x5%?EZ;dS+ zPJ6P?N`kn<#(wJEG1X3s6-^{gp{{;l>90Q#GPJglN%D6)@G7W_Z35kQ@XyMxAE7(z zlC!`vrH3+@OZ~E3MOAQPjqzf+!AJHv7h)5L9Ayvu2Zy&qiv3-;BQS!ZYN>Q{NdO4u zes@nLS8uP0h?x*Xk&%1XRKoIXBx`7!>$cK6aYx`b>B43A={G$! zwY4Y-uRd#^cz(UbLEB+Q;uKaZKh{Xu#Ei=y#N|fZX2vQqayj&m!YNl}5b`#DMq!SS zYEYSL#BPE?osd!UUkD5xNsVw+Jw#gFXpBDAs7P-!x?=9X-cJTWg~r}!BA|~3^oMI6 zl|;rd#S?UI_p@EwBAGLX=is0N=do*oVP#eDMT~)41OQq?SAXuIDG8 z_u$=OM`~+%q5g4#85Pk+r#nDIyIu2QTBc*bPtDOPAIxsV1#w?Hmq$ru? 
z`>Y%%mq9=kq0g*trO1gGNa3tOz#-dK457Vk$cI=h<{)XI;e&~jAWXySb72bta^DC> z*;l4Y-BrM)8(jKP*KR-w`axYQw|@3JU&NI!GI~W*ehigR3LhVa{aUEI(_RG+_L?Xc z!IlUaRTUj-t>On|F^H>aPfDWQecj%81Lp!-P#~Xtn5m*69=Ssq+UXrD#K}arNqUZ2 zQy!NZx|u12CI14REOVoO60Hf$XN!ZkMdnAhqt1{kZ) z1yL-0a-5a1S!fm>jI*4NqaZF>3p%h3=T=w=Ia)6}$HNU;JFIDZKT2Qk(2(51 zMEK?)JwH7oZHGH#D-hcE0#$^Hrea(|Bt`Ng4n3n3j@klu!q;}>CgE1IS87#LedrKT z?Qv;(T0zes(qd?tuJ_qdRIGY#zwXhj-Va;nvf#-ONpH!AGFb`BDrn8@rp}o-1WRmsyVlfw&g`_3d3?ayqDf5qy*B>X>@?%&Ti26I}4$$0-hDe{&k>x`yJSSb@nvb6d%ciM=pbS_J2S0D_3 z3$++jrlm&RQljQoy~bxGII4*Q&-TI4UQtO=m zyP2@IY0K_0bG74M!)Y)ThBH20uQkc??y<9}YNS}}Xou|{qm%(+A*L}24HiW&L$x7) z!2rT$RJ~kt0j@On@-?+uaUg00>xW#0`fhjD@(K3!4xU?u`t)f^5TDwwj`Yv5g2*8I zFE~E!HD9`EOWwGy`V;DZKYN3ayw<~~2-Po96Oa*0QWCKLtlEf^srO5hqd37tLHD4T zO(_n&)2`4Ms(+H9u;eo%$YLZs&z&Ys<#4fC12$TCgwzx9=MWxjX zVJRD!AeH{tFW5_c6!?G65jfU-WrEFqOn1T`($=(&5}zE{UQ}Nrm*jTE;4LCYSOnQk zn;dc5+l#7~Jn|L%(l~srZOyuASPg9xg%?Z|O*;RvFX~9epRBKf3dxN|S0OlTlz?!x z!YAm%-<&0=G{b}U>_3RKcH^VAb5mX5homId`{nIYcRpoe(saMXE>Rzs5wa2k#x58=R|>s{6s81|~o^c_vkvmHhi!p?IX!p$PH{ zDntyg`cRVjUbg~WUcvlk^VPum>m!-G^g7$oN=}%`7`c(v=@dJROyBh+z(8$xZh86H5W&o8KuXS=A z{Y)2%V0h2gI~k*DmQt|`cZooESkb%A)`oHf41dcyeNxqO!5M^TT zO?KC(chn1Gks$m%Q1#bQ-79aGLKmqA#ue0>xl_>evYmoN zrvqk3F~6K3YIucKIRF{^+s9Ito#MfAClc{dx&%Z+ibWycSrjw-&&*8nr~y&-9!+X9 zg!DCRt&Ts6Wd zk0^5XNW0FY`)9dv$?GO-pxBi$u_yHlDV(0jUsj5)8k|x8e=Pu4KhIml8R=Wn&Rzk|z?8NyZZ^2_SeCeKHkvwQiX=vF|9#U7tSeTD|xO>o9(nGCE) z6*=5-5rf6g$DJ?D;X(`LPL(EL|B*_c;n3sPXEKJ5vttl)(u!m~BOSo7Ntr+J?GCuY`_(P2aLwuz3 zHi4HiJ+R>5EX7>fR7^qfcqD!Kx zeT-*j%lXE>)XVhVF^MOIdu?hS+!QJjAK{%VHo8K9Xo?Y$v)56cPiBHh^&_XQuz-kR zrDS2@PmdBpK^oQdp_QyB{Hk!Pa*p)HQkh?EGwIytK(~mOB4rABrOJlCeG3V4WkNO)*7sEn2?HM6?H?B6+?)+@_l5HN#tXS=5d)PH z44Nch^Qy=>Yc&9nr**cL#QTRX*y*#>)RA`RUk&sHj7x1ioo|IJKF=t$ZGJ%pwmMzi zN@p2Pxv903-t?u}BI;^>lwh??YKo&`k(RPjPCrdtHR@4ar~8mtjmOFH-M=b5ibAn?o~ynNZy;=ZqrRmj!jSjZwAe2%!0K**=W{=^gej zCAqjy9J2{J%dgn`hK8fg!s#oev5hl_WIU-W3ftuWML3!uQFn^}t?m7vV3!#pan&n5 zUyuqD8l@9CL|F1>7!%8$c4vi^vbX(enh(1WF*<@dQ~!7a`(!xIeU)>Z>zFx0&LCAT 
z-!SJ+MJNbq!u3*+yB}Ub3rG2RDvQuBLiEvF``h@^q^1Rcm6mETa)>X85p&58FsOqd&Oox?>7BgSWI($w)B@rWNfZ zJpt~yO*fy=ix0Suez*{P;l!o5$TQ@mnM(3gi_hXj#Kj&|2JSHLPVC<_f~BY-F-xf>GIVu!|%oz6YEiZSyg+Xpx`Bd zv$pak@%)h_WuxrIJ5to(&_k#Gm8CS=+j|)jXScbjcs_6W-S&Jr3zsX|yt znH;k8N-Fm*>uA(k#d{$Q!b1Lt7NGtWAKECBTKrX)X?yoN8LNC42`8(bx6r>Wk!++4>ST?s) zj;G~^1+V6WA~Oe7x}%4XQP@G-9Om%t+ky+#8njHBa<13gqF{)GW8q3*+WU_6Cpw(F&a5Kx^K-nlcdh9}4LR2_pPW zB78A|0%frVy71NI&pD1m+&h z9QMw`M!q{Ss(HE%Cxj07S-@;wkVlAB#8$G*Kk>BlwS6Ea-Mf}GCNPcA(Ef}6@0LpU z3^_9Xzr9I>gciZ1xMk%taO+K5WZ%x(t(0C;Ofo&j z4!l>W#s(hc8l9BUHWC}scO%Ci1qj}~*WJjMAk~NjS=j}+_LBEnSHd^sZ|uFAK`J6% zI^TY6i1*^k9Oy-%r8>W4BMZU=rnBlV3IAx2b4T;QHtFtUGK5lG6+B8+59Hd%TuXQD z<@8LyU8dNX%2%rTW&GXct$~bY4e{w;jm{d$TofMO9sKcj%*>YlsUZvCPye}{R&mQi-iyRvS#7CLppijLlY|CV{R+FXv zNYVzPG~P;tNxka19cr}vR$4huA@K{*Ge9y7<>;c{xv*d~mF+=33UIa@L>VS0_f zm^JkqYL*p5=QfP7a<9;DB<9i-I}hps4ZL24m%Fk( zsq;(GCKE|;1(=e@BsWeTx9cmZGPeolT^qT=7%FgDuV^G~`;PxoVrrwMUd~R8vCkH(JyTQF$}GD_ ziG%2dNj?k5?!lKmd=YO?)?k}(?yKE|(6Tr&K|rK)i9&Rfb%&)29gmJ!wleVFYwhD0 zc=;b+s~&w13mfRc&PYtNcLpb6&Q|d9jxFMiG+7}xe}OwnoyIWl!dd}#q2C9)@9MGq z(x63bUaJ>5G_M^Pod9xmxB*UVJ>*4gxUY)W<32eJDf~&t_nCs+q=d62RS$Nl zotXYZJ;qw7`sHL?jyClNLa%TFx)y{vLWu5qqW5@l0oGb$Wf41N*rF??TV<1De$lVC zz&K>eBM7;-k#&|gFuA_vmaNqzm9_SPzcyM?e?NzT(Oy5P;V5WMSBnD+iJ$_Tl;msy zSRlEtm7jv+*!$`a1`MO={#DG}1n*-0Q^l-75p?__{4)>d!rl*AIODs=U1WEAYp-0j zd)(AR+9x5!f`rWv?M-V--lpg^MYJX*ehP9XWM`8al`&iHlGjt9ct&$;N<;$#+D;^j zpn|OKW>Np8VnqC6?MK8@CM>7MOlI#pp_3*92%C7w3q?<469n{1?bC9q4gOs3wReHe|1 zLuoY4f%jBaMgS{Jm_+g{BZNdvFGj#)2BArrdQLqKEwgN1)MS>?x_FbWFo+w%di@Tw zHvvsPw*zt5m%;cU#vfK7R4L%`_TOMOkYr9Y^xt5X_@Z{>KONCzD!LV|k~VF8f%?&n zOsKl@uth(&pcUQx2$Ahv_g@DGn-v`6@F|=%NCQ@w!EA0lGG#0)bdzq`RuB{^`(UpQ z>?piT1ff)kRWR-=hhOh}aZT|0`;e#|_!b=Qj17W|p&0rYDkE1?!{`Jsdz99$I=2jm zJCTL_^UOH}cMOR(EjN5?IYz=vRCdOXx{jsM?t7YP3J(vkG?yrjDigiyP0AiPM^-Bv zb_u~s6k}NaW14gDC*BteRuD^@vRG}w;(2Zp-LbZU;lzA)q);1)3YNyBc!Z`}@8w3p zg?=p6n9y(twvn_{YZ?S0^8&aw<2zAj95l7_4F5H=Q<1@D{7?1TznPsZ+YX17GI?I^ 
zu4p9NG^`8alQv>e3jIOduTj{?0Oyov9Cah-)+oDA;HW)mQm5t?#tAj%noSU6vZPIH z#zZP$N2t|YPb@Fc8Jv$45O`ox+L7G|Hm{i}aF(9}G(_X8VLZ1&xFd9O1{b8d ztP8blWg(d4G3LS@=lDbjyenlfpIZ*QmgBQ%^C|qR5inBr6Ee2qw2>JPunyd?Zs=0~ zLPpcjNeaJO*sFPm;GBR%mpC|aR87TzsuGboD6gLJ#xCpgl6U#$=}(eV-tXEoPN^IG zCL!OAJMM6Gs(+;47MbDDr71D?L{8%H-lW(~MqACIc$(@h^NmWW_}?qZPL#F0Y9rG- z=2?j5{lR-a2J@Rt6R|QY##-_)m8+T7j8-=JgqKpAOJVm9(H~5StJz+hD>UDTv-10}!2u7~ zAe;b7j{Md&n|z!XN1!~VUd@kdlgi(QmCDiPCIlPqCb(NVG0bbuVHYTcaR%O$i9jjE zFQ!-rYcT6lBWa^eDp>pVlO7=GDjTkABA3s|I+3U^)@SB`6}gbg_!VATMs}Wv6g3kJ zc@N>!^^h9Rj|l%3UBoo$|f4&#L2Gm{J03KiG&!V_3+5dBzyvx{A z%DMc78(b;9B<5F;tFAiChIjrimCAjRo`s~5SDk$L8VfzC;Feiq0qp`rl5oqt0`F*S z9%923$V)_1M0a-smQ!am_{^lgqFc_MNXxQyiV5j=6BGcy(CM#HCnG>#ZD?3tY^qM{ zI4AeP)DqiZK^lZZv*H$2PXygc$vFg6f;+Twnjw~j{gNU0LD({G27je)(HjeJMSNNU z(Wj*W@Wf=4Gn^@{9UpPLqKjg7wOBOV>U*7U&{_dXdkDbbRpfLXI~=g~#)!;`R}wqE zCn6z>V;?a%#dab@Vn)V^(45n@wF^{&zoZw4a8HpgftEG1*|G{4V~1XJaMK_504wSi z69QAT>2&l{gvDCL1;)uN!YwSWjv6CC33HXB{?~Cyj-$}~6M>yJb@BVz&g+x*lPLBo zXGXc018)gSyiVL843_LkRiVRTe`CP*Aed6r+imP+qiSp&!wo=v z^iAjShxa2)7^v8nfM^OBR?*2{o+yuOND&0kL=B(bB|Ln1*m!>0?*edspS7ku!0 z8k^yh1&%!x^=)jW*`tp_zxA%q&#c7SR6{z zA4XI4&qIvD)=jB9zU0GDtipkIW^2it>m}GVEI%k%ex7JtT`5_toV_1{eb-e0ZNL~Q zgXtIthjJ^J1(@K<#G@s|wBm^Iec(4%%Sj_s&6(GM&e3%II(3aDRB$_%iTq)pM1abZ zv97hv;O|Ztw292*ntVHbfrAfs9{3Umf=|~pf3Os5XH0Zhnp^!Q+n2G<2|%XmpV0a;b+mZq`;T&et^}k(2@r=0C_`blM_8pkf;ct>?5Z5;z?(oo1bUhIoh(cuX zufZmNF_q@Sce=)X;^tSt1iXHvhNhOtJzyLPh@oy%_R2geLik%$&2Vtl3sxV#C0Gl# z5Cx~n_>0#zJHl0$r#Z-d*89vYrO@2V0AGoS6jJm6cx|_=OXXy zV&kfS{o4M!L#+Mn)Z9Q%C+KO@4M4J7JX+-kKU!2j%2E?p3!>^6duW4pZAw~?`zXYT z7PQoUIG5iaIFadB$e?CKb;=N_tRI4JsQC{X0L=bu@{>S$g$h6`Jne{tdlm|u{8wA5 zKMgKmp=Zi~r5!DWu~5?0`CL?Q0Fi_5kJe@QhkgHbSA8lU26IS<{_%9$182|d)HT_- z3OZrz_w9PXQ|9DOKnPJphqvWn8qdu(9}Bwm`qaN=R2|e{PNEPKK0my2 zw>F>bnj{Hb_!t@N482cnvTYk{WQETCBbQ2 zpuJ_a?Io9IJJwvN+Vy`E5Ie!t(MPVW-l(XF*j}3H^Z!>-9cb&!Apy?OZMw7(E*~ys zK#g;V7E*}(Ds&LGc8pT~G5Cg=7!7WPlT6W650_A#00gu8OM)S+44U&GzTH=j 
zqjZE%onNq|SUS(=8AZ76^F$r_1SG|#VN|2*Od&Cz9%NwjOK(DsABW=2VZ_a*e#ha< zy{w5x`0GC!=X*VPZ4o!}GQmox2LF8Ln10M1K|#DcGm|8<{1vJ&ES`6EMm z=;+5{$t-FWWoo9gF%BNtO}m(wvN>CWJaVg8J@xZ3?#oec?UC7~dvvvbR-JXWbA6^7 zafchewHXuC@MM9|w#l60v0H^{Sw!+z4N2{@k2io>i?3?j+ZQQ=f-OHsdiiNlBs1i_ zYc>W?ZyOp#aLhdv$U8+oovdqfp)oy|P}PFJv&`Q8syZJN8HYlc7sok1HA=UUub=!4 zq#BA)7ju_Oj5@S^=1Ju}`C>ph$ZO+!Vm-r*jhZ)$ApGhI-<@Vx#}q%A`|pb%9MWGh z$M8g$92ljvDoaZa$lvHearyW+WeXh~)r!|<%4|v9E#kJ~!z0f{a<=5xahbZ4bJH+% zKlOeFoWfO6N5fpuZd`rWL7X^5$7#$>zxX{J<_Uz`)n3VGsIcpUqZdnpNN>IcYbzj4<6G6dwzwoMfB5MG!bT=ck?D7{HkJKZdT zY_TU+B*QcC!5`U*%cmz^*)JuNM@;aT1_Pgl8LcsA?&G(v0=F&adyR2aROdUue(-OJ z$fWn?@u9^U=Gv0`L7sdZv-~bJ5=YT=re`@w`yO0JA?Rw+$EowbsRE2v{p@47n&KGG z5Mxs+E9d7$M6%%AqBv7a-wQxJzjXttSbPt$eRxLX)FMW>U&!MSEwwICG zp_MvzKPU<(Z~LVq)iqBoB?w3}!5>5!q` zqFOM{(L{Vajvh-?FaC4k(SjT5;rVS7EWE)9|M-OYb10Hcp-Hh_Xu)QLZ`}aaZW&VG zyYb1x9jt6P)TwAcEF^HyP=Px{8BI;y!))IW-1g^f<&V;msH0}f)trmJ0d8K(VOvj# zev5vS0Gtr$xa8|q;Oh(==VrK1`GRdZ2M@QQ;O=%I)d&%+VY%Z5ti;)>_wBPFeVk+- zV3HiW*qMK=Q$g)M*5x={*);JP8Tf!K%Ji*jg#%{Pqm&EIrvWTp&GUcGbG(>yygnnl zzi}18Xgw$Nd`gQJ0h|H_CF6a^o0`s$QqC$YwfwJux=JR`2IHvotA~O&b)={}qZo0m zh#Ih3SWy462h8ufBl7FhtLiHR4?eV1VWvAkzViH`N6ti?zkme{;pi^(yFzG#(pg+m z245q7i@2}ut=226vObEQe%G&PtD&nM&Rnh!Ipcl{ADL-%$Ym$e6mW8BLA&Qnk7Q?$Egx5LdF~I@ldmsxBKPzj$ zE{hn!O?TkRj<`7)<`P~TYR>)?f{B`n;+W;qm#ppXG!2jOO;BWZ>D+8bF1gVJT$+{K z!0^EI1ga0febOfUaEm>GO0^Cs+!86k2Tku^ubV4%;ifhWja{*dmxS^*NJ@dH7gq0qV(~d@AWss$vL>dITvl=3VlBXQOqIqAaTu{u>e{oG=< zphnnd0tH#Hl!Qa1yG%^q8$*-r7F{+D0~vIY)}?Z5f+q!i;LWLcJL9H5IlLs;oX5CA z7+Cd==9QADU&S+OD_T8axR-@?>Z-b8+~Zduw(r?7LjKDI|FDW>tK7iS^=;~HoQT2! 
zQ1@id8ZujO;14Nr)nvSRx#rPNL;xWG)Fn{=T51^ zkU&T{mDh@-5S`jRZsC!$;uLtZFhy-x7jU_Xe)x+a)}4RRS(=TD4M{7!+p~%m-fp??Jy@^qN4ocD=Ij3uSq;6&FtjaY(pM2A#E7K!`9&dc)A_y& zjj8VhkSVrKt`|jqhkh;XhjKvswU z;The3WEK74J)X15ZG{}R4Fhnyj@Fi~t8l-fWF1$4E@`@CVdRZz2B1Dw{<{3#S)bK# zh3B$ty$yXa=>aoMov&&>1mA}PSD4U(6S^9j-`UM+uD*)5aNy{KecEf_TWki?IVYEIyA#K@!|@phuT(x>c5T(tl{uGuTT!Q_MV8MuR?-& z;Kx)#+A)zWYE8}6@(N*xb;Fzi%^`}+>F;?Xx%Ty(0Ur$nU=#Gy%>}^V$d*Sm@4|k~ z-G$g@L-1?&exx=_cjU5H=z>c>)g(fahj6vU$<%9Hc4y$8DJ|FQUzCmL$4*hCprZA| zCO`CecPqztq_Sh)mbW;P%CqG`m^l%xoV8>K%VVuNdO?bWxF8?5=%uk3>F>(*Mu+J;v84miu-j zTHvMdRs3SCX~2~wS{KyxNpW@FBlVxqhJv0*<5!7%(ja zJa^DoB+RtGWzLF1os|9l%R${9r{fTSC+&|GJ8njXlbAY34pVkISz**3R2^;!+e5P{ z#QePShe1aPa%eYP>&<@_-A1*oX_Eh2E9Z$k1@?0WJ7CVq!jycR?&aqkk>5Q4l$j!! z%3lMfSOuA`npHX3dP7m%WH;`*RAb-b?MW%NAJySNvDc0gJVu;nMPt5BEU`qxnFY|xGG?S%Wan1pFWivS>k=`$vCC41TI{&7W%{c zhLSJa3y~jJ|ZeH@*MQ)4+L;BmGXL!!i%?o0`od8@Twyt4O zL|IT+4>;i$g9GG%uPeDqc)uoe0R+99M4xKFcVRScN|jOnsw#Zo9%=Cm12cjt62}v{ z=;p+HT(r;?fj=6lsObaX#AbFgfKO;PsdC?Jz*aKJb84?6N#xD4n&z4`HnsPp(-6}G-K~N=2)-b}=gL~0ooSM9oLtjM6 zsb^1(nV6t}yY>ACjTR|F7x?*%N37V1Le&q& zZ#dN*7d}F<08Aj?&^Z{*ouAioUm_%1K|$BpqiDe#3D-a8;=J7wZ*JMy_#HyueVgrn zp`TD8S~2iO*9ux_=+GLz;8K!(tMumRuS|tUQ0ku);6rgZ{6*o62DIqnnC$^m^0ziU z!;MM(sblD&jSOjf`F|8}&nwHF;U{3xg--Dpo6G&v(Zxsd>`l1wL%>}~{|DN455PnY z2K6d7FBE6&u5}Re!-3rUGy}J&#`N3%50^zL217qYM`lkF24)W{ct%|xCHz%1vu(V) z4p2gxJ9GK38>xnzFfq3OH6WzG(ie!4_$V)ajftJ(6Soc91-i<0u&4#@W!`IJ;7l5d zy3;Q3TG-1|%-6>7y^)4ld`8MT+DNMccnd|!f|PJ~W05zWWZqi9>puB<&!=hlk3AX1 z#d!B3p1Aw*LVkq3f!9}KDsrObxlE&1KgXsm%`CI#Qj#uEM(p0b|G4|O>GC4jKrx=` z+l!{0eC=&))jmV}9#1^7ys5A4a{QPaa2`x&R+3=Pr8fza~& z`Jap&&QWb;8rQ3edWHK<4i!DCk7M7HgXtHG5ASFVzh;05rF?U5*dc{6Oi{DKjP@MT z2@(wbGp7!m-%-9;r!@w~!095jc!3k>4gdJlFz}oID45fWJd>|z0Ls@C4Cq5Jx<%$j zy5{AK!5$)9v0$pE>#2^46U3n|8e%`$hFYh3*-fIOJ)@4i3+1VB?TcZ0p~yoWr!U#hXEhaR08ma&q8=V#eMCdO3e zG+KR!GLM#sFX`SXpFS%r>~JTP^$)88te5YB_mkDO5tS-+j}c|*ROs8I%-y~{$nWOm z{T}p`TwiBZG+p=xs@ 
zoV+J`C_Zg*MUTz34*C;>q9Z1Lyq?IrY})oDI8rM=m10C3Ap#ncL@&M{esuhEw`xPSLZxVO_K{ak1`taR`3Zk+?U5FW|l|%Wi`{C~fQt76+at7|b6$szVbdb|d zJpmF_CX9XNHahTooey|nEykA9KL4{{pQ&X%M5u-B8R+Fhvo7vI5krtd< zns+Z4Ioy$g=`%;-4$(&Z<`w{!z;AcrJXm!`z<6*x4vRwn-8#qejoL*v3}-$v{JjgT zpru`(t9`IeerI_Z-`o(E%^vV9BZd{8g@mo>#o=;$sraR?UbiD8~s3 zAIsn{j*q*6LCXzm8A@I5(Y7E9z;8Q+$GAoD&s#GzZsr0h~h062p)t3 zY~*ws-KGfurcj~hr`UwY+|Ff{%~hx1!SaOhkKBg@%~(u!-v>HFt2N&si_u31qmwVb z;ly#BCXwN1eyOi$XQ|MNbycC(`B$)Kp4_zlfW>ZS7)@wUPV|z*^t&f=;9^eUjTz*2 zc@WFRaTIRYVdc{%YnhEvLPh8bGX-S_=0Djgd3N(S-EaV4Q0cxX9rX$=20qt2R*NsS zRMVqPeRgC)gTGT1>Mp)Oi-g{aX*SiEI(LO@QY@-{N#I#Hh(`k&!F`(#SiJIqnyi*-8A=B{U~R@(GiioiYeZh;sL{=1Kpbr zUN-n$Pe66NjEULrWKGk{4tqvq3lK)*L#9LGRQo%{QPf*9eA&P4?fcmb0(sQ4hUWZISo6L*G+rkdQko_L`4~4 z>#6k^>M8}ifUx1={MCLgsji<4)7dXRO~?pZC~~VQm8E!tF(99QR`;`680$??xjr8d zo^;^xb1#0VvMI0LE+BZdgT=7sZq4w8b7Q&c1Ye?Z@Lp^@BhI00G>TI`i|-qnWakP^ zFRDbyiM=ppgD1r{maVcl7->ly#Rud2{BL1)7~55oL4*IZ(nIzZC5Pyo(0Wq1zydGB zH9d{2P~R9@mUL4U9s0XB!$c03iA^XDJyA!|)h+ZQPrkf77kPXs1MQ}MxetG=ILijk zPzK&V0Q!`xzw`CLi6kX*ozEpKrn+sHt+|&lbdt1&&~rw=tei2w2GdlerN5~`f!a=L z0w7o2X9^<7qc)*;4#bLlBIPP~S8aM!qrHMU>G(+(8TQaIGY>vO+x$ucL_1Q9|Mbl? zafrguA0{hOJD;QcNF!*#oz{4Yp}h$Y9;?g6@gwb;S!~G{Y23VB@a^Y;I>v8Zr^Yo3 zr;c>RnytBNpixX`7r&)Ucj;qbaFGahvKGcQ=iG1_Up(_MW$08H#x!R7}46nEX2Sw|foBc+=s)4)Nv7c&YiBlErTP{SekuO|3hAu`NLO3@J!B65g+h^)sF! 
z_dLpU$|W|#yO_*P*LW|?dz*>r`p??6aCCYpFnBt(D^|aX+H}kInY-sf!37!Qn&kJ#xgN;vc>zu;Z+SAai^xl=@FMcJ|B# zVSd3^Th+C8#ZMqX`)zJ@*A(VmP20m9hBqM+JU8Dv{#S|;2e*~5YJam=6gSR~5c^e_ z)wWWKr6SbhfdsRsB#INQT3PPvE~w9hWJyowYZSN65JmWKSH^C5N=c0R(PTLY`zcdd zFycmWYT@Uw!1&thl#imH>#8K!u}eIkP-jUHyU>3w^)wljy)mdHNrn}~?fP7O$Sjw; z4r8a372MZoEZE5=ItZ2Cpea%$N|M~iu;eO0Vp$PiznGqkoR>+bRZmaEd8MP1Uie)l z@kz7sj+lG%HlB=c(JB4-&G1lKSiw|Po7z?9#xE{eFn*)j!pG~+?Y=EB-$i{;*~Y`@ z@djs`NSuZJ@S*^d*o%2r>W?3&mBZLYA@w56-5m6_ON5X8pAk!9G@&>Z8t7jXizipd zSzVwr9*v%8>p=Inbw_{U5rMT90*0I+d*Y6fc{||>P3E~Ur}5TJK0z;lHz~-NCgq;V zn6Z^*SM`zC{2?G6wfTUgd<+QQevJfIwBQlw6n^#~PpqvW2q7#pR3UP`C)Uf8V-zIZ9P=zZ-dbfL3`EBCVg_cIz}$CprtF4p9R3c zXRMMP6Cu+5VHUVu-)Nfyq$A%Snjog`T%T(jegNosb+qq@4jE4Gh9ESI$2`;KplutMP&lJnOgcuy6&JC#;6 zeTQ6Lc7XQ8*!ZvWj1H)xvzK`6KYeR45Z7=IXiH`&#U+YVL!>;zDo(^s|LlUgF0|d> zKb^mszV#X}s?+AR;3HVlTGs6)Ecn9Q4LEK^niJaAB{S4a2D(%BQ)>PqpJKn+{@wC0 z@`k-^J zM%bdNoJ$&@CPf|g5|zudC+7mgLBHb?IOvPd&XTtcoqVt35&SGMPiW+3%RT88U*xy%#WP zCLH&lk!6+*h1B2|lyWJGVRqS^^)$cD>5YO3zEy@w2s3rZy9eB4gS3uv0`CQz6By+) z6{REbJkST4RvGQZ+egKw>oZ@&C>P3ds;GfRZMCv#o}0H8bEmR-X$THrflEzDfVd8e z<`JR2;)2J8qSJB)*2mRZ^H?{EA-;7+U!BSW62qDKN{6`=O2Z8EJ^cx^t=z5VFspWg zfV=Y^$|hsQVmI6&l0f$#4np*xH!eO5L zUoF?e(}6@Q-bQ@lh(Q53`8lyj#XzMBOQb0?SlOYeGlA5H@}c(ziC@w?aryZ zBB4nV1>*BZU`@GnAIJ@HX32KfG;sPN$s&FgYi-jCEe)SNxVpv(u~ zkx|TV>%pZn*ybN-&N5}h$h>g)n&PY!9HgAYl5t z&vG68pR=VA<7lv7PYzAc5{$zG=#AJ5g)dpn(S03;FPK^nbIj^X4^4(2?U@VIE0n6g z?EV{Av@nY@rVKVx4FOCZlD*2WK^;%elp}@=W}?k^B$Pcb=h2`qDfwEPb|x)DbkR`u zI%?Ym58oIlvD%R3GZLa@<)OSGw5$L{Y^jE13sOB1!a)P^)jFZIS z(6?f?4zs7Kwmd9#UVAs=k%x;+;dO4RU@$vdAKP&q&>5c3tB7>!3CHWDOSDVp$MCaW z2%2Z<{{7|5a2hSQR9|ud2)faT4%d;&%O+gyRAEV6^4U}2_ljc5z+%yS|mtvu2N3KMS+}c1-Sz-S~ z;C?iB6w(h?Ffc!#4q2Gi!Vf59q)?!O?>0dQSFhW)9;^_;E9 ztr$jA^AK>DV(2*dJukb%Dn0Z)mj6MW{4&L4gRQCT+tI~mY@RPmBBHyVNkdbR5vLEp zmT>$pT?y(D#+S5t8L!_2@VctaxBWWo$k)EWQD_lGvLW=Efi~;9qZox;E-=s};EJjF z-e-^O+jW^&?)i7u1Np1Vwb z;+~e&$nd9x>}kGF3eHIe(|Zb8p^BZB1Dvy$X3iC%&0qD&&QrRpoW}>9_&&c_{HNso z(>Uk}l-)f$#FVf`wY@0If5;*G1jiNb{#igni)HCP7- 
zivxuP-p^S%j?0qRusZT9odBCXS64W5YQ0d8BOkNBLpQKBa+x$loHgEqxe2O>@S99$ z-aY>wZh5w?;rN$#<`Zv`Krsl|5G9!hrk*J}F;i$h>zVox2J1#UG@;=gIzJH3J_f|p z@aAQ(_ZA2AS-bTx0D1xb-N>b@7<9%Ou{x}Ik()pDhi5#hAg7LFxfFdfZ!5x8VZ_S- zkchBT39!Td_-$84U@5ob!oY6Y_Fq-Y$p`O9x2vgdKu~R^t)q*K5Op+J-TVuF>oHnE zF^HN9l#iealtbcQed{{Rg>Zx%Tr_a~@3A0{Gb7K&5I-4U0O+uY_>0f6@-P@KqZ#^O z?KS{lbtde6Q_onPS#ymEH06CURC`s)ASY9g4Q)I~hOmJ>{bE({8>pYcQ<(LccwXQG z+vGj{g7;ST9VYGF&FDdKjt^VzI_@23C;s|15~JG9>!Ni_3wrS}`J-8ymYV1^FdE_8 zsj}^r`yTf_a0`ws`zP@LrhUaRdA`ckvCTK{#o(~?y2BJ2kZ=|-bN9idt2@N_qI?iU zf>4QN`p=#4p5|k$+$4u}r(3UwIn(^|SXt?N_a>nMo{ zR(DRCSIA$tp;H1}o9Qk^4WWN0F4|KtD}xN`m(f1G!vTMRN6=sAeb}UtFD$ecO+~Z$ ztkJrD;!fu~6s^7oQOK;p4bGESe^pt}JtLje(ZI<#dCj~c*o71Bp~=C5KOdY=tQtnK z{Enb1IM#2HcFZ=)Ion7w;S;BzNlUyel!%zW|1@C+yc}QMvFV&h@%!+?K1IfB>Cja) z1+?tTrBdvFwr~FO)&Iu=SdDZ9mOkUQpbOLcf53X<6idJI0|VizP?f=5_*uU344p9h zBxYp=uSRd*_4Ij%|ILSjKzFw5qfq=s*I}mqp%N*xrbSmJ1TN4{={eO+CYSGRoB?xW4@mnf?)1< zTh=O1_m%Lh1qKE5Hg&W2%>OdNjHhOKWA+MF0<@k-OSP+pnWw%7xR;OluZ~;Uo@HbU zzF%byo0NFau2I|cVs)1>qr{J6z^E_hp;bjw`y%#en6_go6UqQ;;4w+I7f z4AsdtdK3cKvG*eU9)L~!X@;Efe=c(CCr_`dzHV0Tts5A3D0K^yXB6Nb*!#}dj0(Np z_?ZMsh=_QJ6%S9SGc+t|LuZYY8hT+*i5OCnIz3|3p*Ii}y*ba>IU4{$r(=^xp*o4uW*wU=*Ns);e| zBY3fkfkkDrCi(i#aEhhfe-tC{y_zRDui9(Qjm7N1c`SRsnJL5W2=gWDhZNOeqTyS$ zfTkA04fN1z%Zt3Vh6>@9+C#0gY4OSG5l_e3C zquWs%Zxs)=Y30Wq2%`){Mt~1-y+c%=ObZI5PUf@6`&az9H_a@Y3$eJ}d(IHZA zwWBz?avy3MBs>tRHv2P#Fcbt1xSNI@0va(l)4;Qiv z&6jw;$zLz@r(caIAmL|ENqEfDrjcmI)^D?VP;fve3VO>kJP}r6(erg8v7KxzocbZQ z@)kg~)XzbW$jG)WEB($_O78+dxiY_Wn2XISU_!VFmQ#n>beyl_Pb$o6S2TGl3C9k{LTxF0ejIpH@AT!Y509M3;{m5H%cWx74y zF)+R@PvzgR-~l_S9sgh795X&4$I`t@gTU-}nPY5(9Lo;u3O9+t&puNLkC6QA zkMO^6*{gH%<ZMpJsaRR~hREoCPx2u~xBeunEe1(~ql))yR%LI(-Uh zEy4E?6O89Ja|VXCm7Bve$wma3L$5eYuq(y!2A`I0tV;^xl7|K{yo9^Z?;PZk6MRef z9bqkHGCE}qO%`jEAHQT1#pX!3)!8HtJpJhT(k>lioA^ngh{UNo*x`#+BQZ{7iV^*O zhHGg_vBig`Vm2iA&v*CS&Wn za{{JjV#E3lr5;}%ule6~V{^F!(?hee1n*r6MRPWVz$smG*%L# z!Z$bT&^E|StVq{Ti*LDpRSW+Ay#ZVuq=;83@WsZV8Z)()VAn;#;ak^(YlDPER$WuK 
zAJVRgXs~R6(ANKh^j%0n(mWBmJurrIAGbbeoN<5D9L|gNF8VI}J01i36Yc*F1MEF* zk2|0Rhvch?ul;E#ktNZe^}oN`Ivjxng6T9S)R5Kg$R?ewy|r1>*Lw2gjI;RR@JVj z=Hrz2_EyMzbco=|oAvv?da54@o<~O1=>LKxfnPWT(?xd2aK}Ee((jQ>FE&^n_Ui1^ zw5x?pOsXwtR1xF6S*<0?67I&twy9htX)NC;;W%rYq3L=mJAM)MGch;IQ0Pmfvtby* z0?9Fv#rn<&s5bcYKNeh4-Rm}7V8+!?g8{u?1lbn_kT;4l& zj##uzHI4s}OUn1hq5WLPrd^+KwRzFCUij0)i8QKBQ1l!yXoauJ-@Z;>^gC5Kl$fjh zUI*+uz-wv(@207Iw&@P9_o|fkQoPR_VT)&z$kTsvjNLR|5;5DxKW|kpiBn8Reo*j_ zcrG0I#4~~jGAlaq1kcn3551N@QgyRw&wP4iLLbX#w?|i`te86Y)NXO9W08kU1 zHDG6AG~<)DANN@|_wAOKT%=$g$o;P|o!8Sx0EjNa8G)w(6N)USa3im-tHUHM)zY}^ zz$I^b;dHYpmGOQR{$-=uLg=<|gNGF#!F{liaB8ZZwMn{S0E=n-veGNK9HJ%SUQsYz z_TjJ=cL$&$vLI?re@vIjTrRJpyvcG74ng#rKKRrMuU@Wc`3|puqqN@X#qIYwdK_Xz z-X4IKJiK%Tuv9t71V%-25F@df84<+wt`+z}mwV};#;>kz^m?vdc_rKyt;YDXQ zo-d4{JSRN8!>|D1XKm7qJ1ET!FMdAyqJiQF9A^Iu01(+dEwf_bq7;2UTbo^MPeX1C z5OWj^QBc~Sz8{@^E!~c5m5EK&v!?z|*|;I=BFP3~@|y?)&j7~0^y$s>K`@<#k?hYi ziCG(YZ|X*|6MI9c5;KcV)UeQL37edYjJh8w8z+rVCCs0rb{yi3{W^%2{eiKe5-ZC& z+H^atyq!Ru5UDH^(F+;~K0y5|%?;)#fHlQ)(dFqrxw42E3Nl=AXeatqr_@5LMxKx? 
z#UAgzbBV$D29i}q&w(kSK1+PZG;x&hb7Z1StU@wxDITyHlM4R)o>MqcH>BfWIO*&h zNB*j^*>&EIJT31%ftU{AYCfU$vwA@I5=?9<8Y5B8)QvKGItpEhC1vueZoeqIfzR93 zXDB`90fD-sSc>=rxV^?YPyV{>SN%RTN&(``COCk^6<4A=^yso}hFG!P%}l5Jj~#$w zP^gV4r3g3)q&icQ6nK#-tl(S|-L^ut&R}_E%#WS($PZdT4a{CAp) zsj`fnAsH`W|IxB|Y$ae+@=D=sg9_62`;}n}&xi=SM}&E{uD)P847d%9W=>~6BB!*} zz#PBD%C{%UKA97(PO6Ew`<^!rQLTWMTp}6Ck!7xek8Dqt9KQ+RNm?fs`d`y4t6nxi z9Oc{sU5%iC51o`fec9&oua_tWL}KDzTg{LU>AXEf2iX7l) zETnn?|K`c;Y%Ssnq+|$b1FM8FG;u^Y=J-0a{EKE^G_ZRZVJVL9ZNJ_vU(AgW=mwe7 zR0(K$hM0OxYp2t#{PNqkkED4CVaS5)5s*04d3HE8jLW%_52D$a+5`UqFOSX>_KLVZ z(>-lAukBA86Cj)sKqs)VvRFg~`@|VX^o0-jMY;@>ha9j?;!xpDyO!wP|2-h+Pp@O- zss4r(&!=wMR9LQftQr$&KJr)Z(Gi1 z3>WWjv^&;5((GVU?7!--I#w6d_j~~Kot~v^?iL_X%;iK?u{l7Id{GLWv&!V%;0OiP z|D&pWqx7burXT54lC-1qFfFTz`==+G)k#B zd4@u`E6|ZSC_7+JPg#e}1y)#6Ye$)Fpk0kd{Dp&-4`?p*)u_Mg`|K2zC#+b1f_@V{ z_g4w!SJq|f4(`te!Lu(euJ@{2(MXhI+G#|6k__E`oE)E*#=p%RKuiONF*7;>{~>b0 zIrPJAX|Eza{@tCK4t$sk7l|NLLqj9Y#*qK~3Qazat9?rIUI4WB6e@iwI$Sfi-H;`ZlS#K_U zGY(RrwWN9(ev!m7F{EZ^SXx_U zWKCsuBh&JpES753`=CMfG7SS3B;R54!uq$2Kqmx{_)rmgfN7(END-FSObhup*q&Y- zbpr*5qy6`D9F0>GFMS^eqeHmoXlyZ>;ZiI(vrqc75rFAnN0pP&`>10QFdzgo=K%69 z!NUeEHQu_@+nY?fUfi2DhIoh&K@4e}vt;*E2#Ll~%xNOiYJTEkT&{QD&Y`{c13xz5 zy~1rhZIo-meic;F^KBr9Fg%EN$?jXWj{u);Dp1_5#$pm*KhFWkQ^k3w|#El z-VR`MsKfZMk0*2eOZFRMYa{NhLt#vxyg#4^aCvNOGv#A8js2p2-$9bo2ZE{55Jsj- zOMgWSV%nNE(!?L;?v7(2KmP&YZ6glsigzR?UUbQ;UYpSS^Xi0cASomi-WK}2_}nM0 zN;Rx`7+JwuEadW+&&zoeaDcc1adfz{_t$P+Xe2*bo=60H_l|s?t#4yS9OXEIcl15H zNHJhJfwyZkCVazh>RZ|`=7$ez)>KPz)79xI_qK?=wMB z|86p#TclNe2rJBl$^UTmzfraFalfZy7qKU1Ycc6KJ%kYB6R&8$6u`R$%pwYzD;Yj> zmbxvafxJL`m&jUkaZU(gL0i|<*hNLgH|uTf4K)O^mFqhKkv0OxC=lVZv7W_V*AEz2 zRrOx9IQT0yN7n8D00>CrTW`KfI7=p0SjqL8P`qzW9kiW~tm?1nkH7Y7d}i+;e1RX0 zj{8`wxGQ_g3)nmV$a1(4)D%}xFm+!=JA5Trmjw+5WNFp6j@byBPoDy7_O=^|s=;IU zrF3|0AJ*3cy z4EndmBHZ)5YrLow{-9>~WD#CZgi>aK8F6FbGG{@4K9H)w*JGVXVb|#a`Y=Nj{b7s{Kbb4D};Fo8SR=iIb*KaLqsd;(uyKXe$@|CpI*@7YBGfx 
z9}x{cnQg6#yj*%`PAW(+K8cc}CFMVm!dGK8evzbYnyQpB^_ndIHG2-5$(d2vO5|x1tqSP8;{OvUyzHkfL7#tl&YzH$ZT(r1`j)L-u?p8^UC=WQ$~pK` zz4fH5d@;kWO1r50?{O4M&VY)TcP<7%mjYt zwu6saYLDik(N=C^|_$3s11j zore7Vpt1Kxa>b17x=9iz8$u9@xZh3G+)jOY|6c7O&Y|_UdM-}Mn~DF; z-5P=KK1OwDhE;W&c{jMR(PuvR%bZjWEJo~uXMT-!L8<3pRlb$)t~6XrF4{9gzC9AF z2L{*bqqCv%if}A#G;jY!b--|-iYl<+?LVI!L}qE`YbWiWsV*#nixOdd?!di2f*WcV z`h?*9P~x+(VgCUr0qOvTC0RTcz{r!UoDw=QsP=BCwk$l*%K72`B(B!+sv-aLtYE2T zBbnX!FZ7}qNi*MuDJQ$p%Da zu}JLat@Rm0hmC+FWZh=+H_nb(K!9@X&0LBnJn8J`vu*tEZyZMdkHGy+h%O-spMC~j zK`$+)n8h?*7pM@(zBD@QLZ@+`R9%4amH&d?o+upxixLofMG$r|QAJ=JC>sA)O({AF z`~`w1;HWFoB6WG+AZu{hZ4~Z^KeswNUXZxh`RfIy7^lHRWxM^?maBY^<$I2 zrr9!$3bN~}A7zGo9p_BKh-`yEtG9VRKAx9l@7Q~q!2NgL4t;$2>YDo7FC#yaeKJX4 z7;h#Onp&kR_W1^+XK+wg39R-K{XfRuDypt-+t$T`yM^HH5Fog_26uH!Gk@eUEjiR^H(;Am4k7H7@t2S|Q~r*gbfPhtw5_VGLRtXK8SqQszm2 z84(u{6g{6!bp*qr&#eM8cm3n6AdKs9r@A0vU?uUlDs9a!I$U9db)q{ji1WDuced7H z(UScW`@GfgA;NCP#i;DE%*@3GaDaVC3b2y?l6@`uSVf^Ao#$7DU|1t6(_DLoN{3ik z>*$ni8?rcy`5Hy^nQV*Xy%?e;U#+AcF*|5K_|+~8J(oo`nOQh}LWylyVZ3G~S~Glk zhxDME)9V`IFim!u6RKAZtgXwfF&S4M(?yfYNW=@Zu|3sZvmv}mW}M7U;n?9MlL880 z2Mz>rRZiltiZSKAK8v>|LUZXW$4)V=Y zk;3Obk@`x)a=W)++pXUs0;)ALKKF%fyII#GZUR$nYMwvJi7vWlr0)ig*+|lV1$zwW zV4_7N(!>poRYZepI#?^5n}~(Mxy;jUKh}ZjuI@%AH*7)O@(~ET3k-i<1Xn9~2GAoict`^TC6)U8r*db~X=(*lO#Pn4!#s;O_2 zblvBtqfoI8d9|K@oyi-7JOIfqi2>lEPsp;9=i~Yi$@j zfRm%4ZWVcX`~m{xiMQ#^SJd_QmwOwm9goP3hc3gKhsRc#r&rg%*j>zDt~FbDY}6AL zdglvL9pXqc?R?j6w~4kqyzq(9MC|6+v}`A}o-<~M4F)@DyKfe3mBVh>HtP z+#mjy!DICrD2=wo3;EYlf)4tCzUQx#xt|P5$Jj3gYD3TpFenpwGCP)(3w5Ny2%SgB zGr74`SH2JCjK&<>Cz4s)=z8b-7tyZT^7*>)VL1?ic#V6-1Lx&4+O5<(<`W{ao9Bm& z%B$FV_-33;vlQD=K8|Qygogf1r>`&G(1oE;u!aE_xzR%V=zO;^N`?a3`u1+1D=vt~ z3vsEE%L5T{fn#sBJ@>o^)y?0?_xq=mWdE>_2m_!hI(|ahKPkl@xHp$y=XxF~Hd0hx zrO14&x2yAo&N${Zn4L)AIFdf7Z$d~?9yvOq4NdCYlG3*WWYLYvsc0y z16X)Def*e%aW<*)o4fUDDbw=h*5Y*6rRE0|+WC&ADtIApu&QuW5O3p7yzD-7S1h<0v$Nr^4?e<@|#+V3T8Q4RDilWd;ySwA8G0Py4@^#`X6kkG4UXbgjv~hxNtY7}HhqW%ciG@+W0GFaJ zm9398-sW!grfEHO 
z4!Q@0ah$d^0wcd+hughPilDJg)8eEl!2b836a9}Ku{;{;Bw#M~bQbQ|eG{*NE`-HX z@xn*6-*3FYnjQ4X?t?ow z0l&uNi_B#~14NX)+Rf1678tNrh`(_w<9ddlZijP7V`J@-Aa2rhdlN!av&ppI>wy)n zfgzGJ(=h8x*;mkP$N7*5Q`BB2;7j~ksXlOywY3}>pcK5ZUMOYZDBY!84B zoD0)jO0-QtmuL{<6XnaIhL6+$aVD?jqN3%=29{tf$@m$_8~L zqG`VX<65@adOEfm3qs|S4$*=;?2KtJ_@HZCe0_6}H$jkS-@25+Ew+IPCe8kPbZfy8 z|8bhL^KCG7f8CQNA*ztxfU5Z0p3NU?T0z0Qvjjq)_YM1^Kf@u`&gz)dS7ZwcoHU>l z5&CKiY}`wUq(Iy#5#OmuW|tR))1K~qNU|#??1==i^1nDZO*p5>mM&S)bM$JCp$@u_v5DH>6dW6V`!f|sc7(o7pHSWWlTK?(c|k1au0~4P z$uA*4ie=2>JZEI8+80G#sfJX1HU{>b8p~+I`ckyzKjRjFDqWBq5sH9~vyK+V2^gbX z2?8wvDT_+9;C&G=`MjGtTbI3-*d+O5)*q#4VWOpDS|#xE_2LN$Rb!3dMpN4`WJWd> zGtg2QXwEL!9XpO_Gh3r&Fb3^g-8UaEM!x`LE~z&;0>@3c{`pY$vAi9xraRU1lt7(- zIY%V3s1SEkrR|j8on*irJ83M@qwejYXdDd2>$QFEXG@?@%5TfJmQ3EJkeJA(j;s0( zcF5s3U(QdA-%+tH49mOA@mi2tI0SCk1CphSL0r`3de2khUHlXjg2eQu$i8CMQ`Z_n z38-2paPQ%DE8*F^Lo_7xZ5FoYQI<>{LF5!Rip}Lx6JN637i2DzD*~mt1Lby z{}RE02X@;;q3YBW8wySHo#xu!6jQA;q%1y|axWzcGe`p8Fs@$(!eoEjoRtGhq*W-e z>Y%CF=iX&GH=?ju!wpG)K0xJEQ1T@``nV|Akv^>}Th@Xp`A*_YCRgF%>|}-)I^jrx z6EKkMRn_8rnp&jGzLA`H_mYUxF?m)!oyzoy}xvRl`phX`Q}HM^Wtn|HTb+d-2kdktxEpp z&V@d&e=a@0AzH(E&`Ayt*pl4sA2{9}BQ2vaXLKW@pyk$)kO!97XO2P=J@^ zTPcO@2-Yj7wV}2>%=`&C?z8@7JSZ>*Slk&#oVE8T61@Bzk5P5iRgIGA0Y7cd-JJ}U zk+RzN={gg*2FWkhhNkM_B-4@Ns=CAA%kk;!FO%7;CDiPTV8_qVK?Uh`Z6cV(dYtvcEd2aPJ$Kd2z<>;0V5_>5|GZV2)sSBi$T{Y# zWQ~X9QoV76)5gge{Y@7^N>1jZ6lKMoZlR~5KgkE#TF=O zx9$VM;oR~kpx{WK$GJ3;^`Vt$v3(#i;B@{wI#D1%_RUOW%PU(835E9hRaH~$D;oHu@3EJ#URkXJ2y zE^V=`XyZmJdIt*r(6m}v8zpe?r*?U|BV|D(p-YnYDvP%mP!EtgJsh=EJ^;d`I>z&V zhia(2g}FyZB2tr<=VRE+?rtH^qaYfJm>cH~Tfnqm=AQ9Fr+S|tn0~dq21cI&H}KDL zNu`pau7(mH7=8`Na31BRM|PzLKqi|XfI$NO77{`?##wNlR2by8ic1#BS`H@d>&C{g%qGE$gp$slqW9$Nr{I|tH-QskMC6i4`NL&2ekumVsZ7iJ}AtymPa zim7HI%0!S9QB5S?3Dmj`iCwrZR6x$*IN<_js?iA<;ZhU08a2eL>*JTTwW^>2XPESr%ICJ6_M|~A!@S620T4~z#T2jXsMEs~+hNeL- zzk+47fK_47;$y9lJpK!@(d4(6`YTgjksZwtTM}?}E@g=YwVu2@o%p{NT!xd%z~1%^ zaa!6WRtg`Ge)Hw?5L2B@lZyEH97zjVvjdKhW|~BuC6=~791iWPqdTVMkeb6dW4NHtss3Vj_lBR6eD{iK~gC1r6 
zR3~U&uLWhNqv!Kx4iJzNWXw1ZWD#>0&t4H`K*hSOmC@C;68TUD{un$v->PG_c;INY zkV`(`iouaaCvn5AP~ERj^Z7JCsO&DvL$Q;FrnV6Gx+#h1VSFYK!lIn1k$1%&D>h82 z#`WBDGYhV=ehV(EnXeo&`qd> zBt*k%hC=49kC6KBWo;;by{+Je42#2*EMD{qv-tOEwYlrB;=G7Np&xfUnc9?tBTXK? zT{!vIbJ`p*k{JOdcIP*{i`Nx0^5HFe+&{zA|0Ih4dsi8MLOhL<(HhgLJlN!__q$BT zDIG4gsx#BJF7Z48656Zf!BcE4J`OLcmvU964rfWnNQA-X3^?tzP@z3I{G5dUsQO`io&lr_fjV`xe zoOXi=A(sfs`_4IB(Gw&I<*KANtgG6h=clKjoQKKfDdd|yu}Sf>JQordqCppjN@Ikw zjZ*tl3_-qVE)Q@}y8UJFb0>g?(M2)eRkhBX=6^y0xuRK7+)Oj+vr=$Ye@?MM7Qmeg z1)mP3MYpncX256nV~H&7#lq!JTe=zO*W^_#k0*LXG`C_C{mbGTQGczYhz zppels6He#&x9k<0jd*2eJ>k4yFaIFIQ|CAY`5569L$wfDxc86BWwA9*|3~ zRp^hCOu%r^yMyUrXLc>ls!;I#{kXibBI`yG$>U$@H?ng1gMVCV$~2bS56N}X^YXyO z)e%V(Am>Uq&NZiJRJ?ESsrWiVAhbzLD1%5uV;PTJa;57d735I98(U>YLStT(8*GQ8 zIPC8NEYaXDHS|Q6X$7A?;CdS`iyg}dD$jcI>9wr9F(dVUMIQXGB`OpKbsV*Z9>$_q z;W=0Bz~Hu^y{04&z@wgej7dV4!&0o%w`~;O*~lvC#;XzWcL#r$$}RCMFT_}mx|dBQ zfga8Hp*~jd6xEgJwNE}JxNol^&Zb(x5VrJN#pzq0&6VDr)GYEU&Zt|ws1|(1pAheo ze2m7=stk}{=$Ra9`#J~~d)QU3GP_VxpcGlJheBy29VbTFaOHCTBiVAHEe1sa{NF?e z_%uetT$%jgAI&gj=_Hn*t#JobbAMeykVC4L9hA^b1TM%?5{YH~#x)c+bs=E@FpKZ3EbK~<$X;yacV*@_*Do~8D-R7Yg#K&g%vd*~+%yzMT( z5zy?&9uVT8Jy<7nuwKW%fu<0@S&-hulgV9NUjQSE(01by#M+a-<_CCgQv#j*xBva6 zf$^c2*2h7Dc8*$OUZf!y-aL|!LE8xKQ{Ad6@041l&s#;dB%W&f^HJFrGYlt|Lr!w@ zZ55Cnef|5|oq})-P8@>OxZQ`A=LD3nhdB?hp>j33n)7&$E70Q8pvW4^@h%LBSBxY7WVNAv#$~wArL@NnG1A zqo9ef?*2hi#$MSfm4Pw#MBuHU{}`TB9@nt1PLUGxVXLO@ZRksxH<%7--` z;xVA&nkqTDr%a+X*oHqL;vSakO&0FMhGq0QZU86V9FE4jPMf*JP>pagOq#s+KvkVA zM_0n$u1>ejH9V~+_{&J`2PO%_pO@B`H=EY3-J&Ij%tScr_^~>U$gdw5LjeUm)_?uL zu%NwnsHW@NiN3awGTYf+)$iM3==Fv*XbYx(=8-qt(hE}(xF0}n?o=cN?|&Xrna4Qb zcHL!|T3=ibv)dJz)RG7&4Rp2|ahPQ^X~EBTzx5)Jat&5!gstol)q>z(2|C3=C#tVn z@FGSEp{JKJp^P>Jl&y$uihWFn|Gt((HUe36{H(l_maakZkshkt(J>=;jEKfwe7b?E zyQ-ds_vc3^Z?gtQPt&kRu0lNlbp9FmSVv-*z2F3cnhLstfneZN3c^}AmN=G7WMvQ4 ztuf;&1vy&!)W{QlPAvoyQPP>=Vva@@bbM1Gd_JgC=P{-nx{}6#F3do=VSBzn((M1L z9HYoOai23Pf|Xh~#2liSYOSb6GjB+D$UQPyT>I4WcjO%jHaIU$kbZF=v!28*rOZ6! 
zJ6ruIx-o{tL5fck|KWf(dFTAB_>gQi?CP+*^{v+gY*f?fOwL;SDI70tH?&%^@*kvf zBTWi=362@lA^ds;qB=r}EH)Kfm|xRz$_v)IVYif{wiHGRtJ$3??Xl9M=cpM2F?xIl zS+k-1OgC2%fAVF|8%`$qtjpcZ1k5mFXGO{DU_J-R2{C}j1zS)Di%R2D?ru&HAsl;* zhVr{w$jVCy%HG@)u{NX)^a-)Fz!FIO@pI8@PG6N_=LhZ)FaNzsbQbeMsMr2Nz-M0Z zo(V5;)vwvBP<(`jmVS>q^H>#br#<|>jDV;-ElcwMwC7X7v_@t-B4&FJc*+Ffx(rL; z10ip0QR^M8}23Nxg>0m&xWzCbKTsNP2HD~Evtk5%FOBiyg_1knRj5Kt+cq|9_ z^WC@eW6=O6a!G+He<1N01(tj*DMu=7I$0OBkw#W46)I$79H$7;U>@DYKqHwNf{$es zNDIdzh764xM}wIJVcAb-^n^C&8%1UwZui|x6VI`fNeuazxYST-KwZ*UCvmo!9!|bn zM_tFSUwO zy!7MsIukue*(Da6a(o)E%9~j34>0a;$Y+^#KSbw7n$^Z+jbgtQibWjfaM~P#Jna80 zFh%2y%;EU9wMtYbl870Arki>A3zwwk!(w3hho%*Ua9pgl1gsIve0!lfWKUY*b?PI@ zvZ|kN-4aTq!<$a6tQOxM7tNq?tr08mGf*Nzzl*E32M$HjWAWuT=HO(%zE|JAp=!(C?67_LRSDx0dH zqL`G4R}sJ!(hw4)w6%#xr3#%eg=>OY6TK*#V%LV(exnU@WiNZBBGK~?8-qf3Kv{qA zkg$7=UIA*VO00AhPpMs79D&V_!c{8@438aZ+7Hhh5iEb+PrCV=2NaBv+73Y5@+IoYnZt@Z!Iadpia|pChSZ=BsKB4d-y;UkL z0lY+bodcjb0cR)LWN^1x1C4rZ1;y^}+pOFpUNl8HB+Rc=nF0CHQvKtq)?zCtAB0_r z>?af1_Mt7$2n83YRo*_x9pXBHsoc@!n-irn1~6S(5*fxMh8nW%rSv;41bS*HZ5g<| zczDwTwRlmd>+LrM0s@}@>KV1v;y@e97A)ef*(c3fl!INf4YOos)%DJyzrr-L8kOIx zmT{NViUHG602e{sFAH0$R*XUdi8s~ zPVj$)5=j1gV)#F*{9Rf&kHVnk8TH17Q|NaQVAwdsKUOThSY*FxN>L-TRYqBXfp!LP z@#qt3uD6;e7&dl#$;QCMQAf#r`PSwG1<(Pdc>dNkcaNMKH;z|FLkbPaSw}+SqE^sr zn4k+>j}dpds;IF1 z`iCSq`i#gHx5<_h@e)`!Tf^iBYdKx<0Xl*Tj8Qs%#5Y+2 zqi%U<-fxuam>C}ros1uLpreIaUV$Tkd791L(z%u&?JX1M}pd`}5fbRh^N zZbgMTHTStT#rQM>jM(d*u;W!oWH{@dCQ^pcues?$@VI2<)~ZS0bQ@L7~n4F}8OXCqi~?jl%PhZxap11sjLTtUjN7C6U`SynlFykkRwz>RQq|*PdeNK4`?VFTqonR+1 z29CFfL>GENIr7~7mN@j8QnX+_8*S?{d#f#i4hk+@+nKhHL3uwIUTrbX zZ9(!gW)+kT<_{Y^mQV47VZX`%yBF`YuKqv(!34C$gsd6{iG5v${b%(C?Du#iOneM@?U#t(9XdMFVhhLK2+)vJMK6#trvlKHhxCqs&T-sXbl}oaUr*`*TruphC`(MI1ol}$VqJCZV77=7K=@xl2~Rl5T9FqEoQ8# z0UAi+^=3@;6lkgCuiPg`j-custYWD%7-OUh)M!K*%!0U#95jSlC9z@P?H4mO�>R z_449dX@0QjH=8bxI^tp>XmgnCX_cn#T~uvcK|Fx}#YUe3%ttAg#Jka9#sT3|*Q@a9 zb(2nsBKY{0l5K=@s_AY!b?oL8NDTl3Y6DkO$F||CSE+{OFH?AtT?~=OabH08-i8vu 
zy8uiFv-GiUuPUwF5r{nkh#pqFk0%x0yW!A&+?{>audf9hPD`(9s0sjmaeP=i=Kgx& zT8d8d+YmDljeD*WfL!e#cSo`U!5U}MU0U;&0QxsR)wZI!wM*OB|7gYQV#IEv$VLp# z0|X2DaE^Rrl6&G)l|HLabkEZGs-PpTP^NbrO1a-ot+Yu{oDVsU6V%rw8mRv+xVhz| zf|5kZy`G4c#NjGnz8u>?q3nx;7D6GV_ZH@ts?b9Nx>cInLN&VKdmU(E*05;PT?MSXY?=hAET&IA8H*{{TBvbQUon6>w<|F}ab>X@hv0Q? z2~3AFq6C>aKjRNlPGL3-?xo8VJbWnAwC&rb9k_tUaU&5G9mCUxrG*W-%A2Lh)LpK% zZDS=6We}vTcm5&giNlpq-^sQc#VT5U5U1ZUOpI1$)JS988`|(ApIDW!z6sKL%)&Ip z-0ZOURWOSJm)mC|Km7DY9;oJWv&UOM1N$WM_W^DUnDSqU{b;9hw8>2pQU?x&8IhY2)7-lAcD z1e9PrMKEIEKf=-4QSi#cdzVJDNWiHKxKtO5S1JJ0b7R~~JB_V1sV63DqNN1+iGy@o z^=IRhLNXTEN|cj`7&UF(OxL)AzR9>#&6yn87-iw>X3 zEZvI)DBc(9u(r-w(HMjXNy1Nadhh`?gkvt(gp!0!y(F)DdKAIk=deO@+C6?$!(pDo zV@VH3y;5LWb8Z~X8}LnZnA~a3G^|DFW?{HLGME+HCz1vH?Ewgw(YHhu!rFD*l1z{x z^_<>#v!nt9+E|17wvuind8@}9L`}X^zoi4@5ve+)gm+s>nZO$pJ_wcPX#Mae{1i`H zo>Z`_Cm8slcbwii<;}IRp)oYdXu*Rm3~&M~@8l}pTX+xEzdy%mmZM9bZo8W$cnLty zOOm5}q^9k*ksiXFd$Y;!IxOL6PhplFb+ns#Pn(MxZAv8=>L4-GP?!C^;WBqCW{=;V z%3ceOx8>W|d5p8P9EBNDIn=&h+Gl!R+?J|Ek6U6Fs$wONFI+!uy0NY~rt6AGg`9C=kZkko2GqM(oCsS&SyD z@WWh55m?d|2MIdbRziluND0iV&B;X{i)o$G;0!U&thL$s)Cx&_w^e@Cl*S~_PO%*6 zzOPqMlo|`>H6&DjKdU;0t})D2Y0sHy6<;_dOxRP1_)TD>$6E-IEv0N1up>bzHOPzS zutrS-YcRR@$=?dob|b0eDTcfnVV$Wrm|hNVV`u+EGbl(2(n8;Ey%+@rZIf(m9~U~N9A=r{&95a<(2J|UI? 
zYxNi~mR%wl)@87*(`9~-?9bgXX- zy5!V@7Kdm&xXRmA3e`F#<)BrsLlEwD)l;Pd) zxP=(z33TJckNWPj@s{P4)~xPV4e`6!l|HFL;BZaZB}t;tle}1h?1@l~G5F5$5SHJR^~y8SK^(+QOSkTO`d~`?KBf>HS^%1(FioPLir;z z;8_Yu>m;gb)sN~VqFkx%NA!EY;TOtMCG)V@X(QpcNysZ-8pNsE(FwZge3}IB2Ue(& z$-kZdinz-sj`LN{ss20bk@+ro+s2px`%&mC0(P>FysG zS)!28I&xlGqzO>Xm1(glJUR%wIPrfOW~sjYt0+(h&|?}W^?m?nvf;HomQJRy?~=et zds5UEke2G!as;;3i~e{bu@*|?;L0S&aU4eG?_`zc2X4`c3W&<*hCv|lsagbl63f&$ z%700Hb}8;ikJM(Y0adtDf2In5qE21QNkeK6h&6Fm0_p_*Wth+Ztdg}WD2vFUDeysW z<)9p;qSEn4SM{_Dj)Z%ZNySYJSDa>C?u7Q)KH1j8Tby-W+4}gU74pAxIcMuHlr&SvONSLDc5&XyPCSMo;i;s!O$qbzYP{a~sjaXp85g`FhrV00E+RL)|t| zBMjIRYP)I#x)(jme@l8?^M6Yjr2=}L^!_Rmp|z%+O#kO*lCaraGk_`4@;jDb*^rdK z`Q-V*i?d+Pa|d(ap%iFlv#HLsRCKACEIA%z*)OpR~}`HUQ}U8>XqdppFB za`ii+`3U%j=Hecn>Cr-6MOZY29^&O&(F=QInQBukPPGQc6L<*WImJ*S)&e#*9FpdF z7X1$x1_*|LRM;jF36xKx)x!i{gYi8M2>E3l~G|kcaAs+@lNR(HnAPigzvYy(irPncMzZ zeBJJ#vNTad8dZ?eMK-^=ROFRrogv1&%{PLt17BrwB`U)ZNZ$y{)6jN@Oa8Ox(scvM zdP`8}^8*iFK^w!bUx;HF_Nj=DJN1C>bN+z*Gk-Lo+5wUF>{3vw;6ek378wYL-MY^E z7<^$|4zRb3M@ZIXgQ;wyBt3j&JiIF+hg8p^Lfd<={<<+OhqlgMjLMxyIi(|Z9M&kz zL^&-ND3LC6eB`ts(34J@&K?~v8qSeAs#ySKr}eC>=*lFaE>5zd(t(fN;dnQ6nL6Pm zy_paX;Y8bUB6l7ePJ4HrMmEzCyn`w|>{!E^EuO9ILHz=cRwfs+ zw3J>Rq@spp5(HT=KSqR{vcq+%0Ac|pYRZ32#U2XG5`lcZj=Pbv;~zZIEw6f-^!+Bs z)%Mq9TQ?vMFZ*FLUYUOj^N##iBC+`gj>2OKb?RuOb#@K4y%toCv)Ds->qF zG?bc9s>i6&DT}AStRY|~RVw@vAZdl;&YR}$;gO{4dMA^PUgT0PLQ5AUfz3DD9{~NO zWp8tp=;a>LvAN1NxT+3pGiGY5Kf|4RNzNmm)BJ^SeA-z%0!0*KZ25aALSnbwgnEuD zH}!%#^v}F6``&Jpwv1sQ3AyS|NYwVMe^;+KkP1_ou2_U87T`df0|K}{j`60(0e`St1(Up83dXpibtmR(qLgJCV<9LFer&@}DP{`JAi;Bc{ zyLZjqh)xdU0X{YkC4P>!7C)or;RWlMK>Zla_0@$dVdeB9f z)4%gbcdXCq?%dccbG)+61Rmb|%k{l)KmEGsGR!h{4&w zngjtJ>igcm)bUCw3!mPO1OW)FsK=>HWU`rd00q}#7A-W(!uA5=K-rw!`!zKdcr%5^ zfRD%xV(^8luNl{w)MH%Cp|rd~e)a4J{Aoz)Z^yQ~f|lp|gC!tcL3eAXVbK8;`98K4 zrBykTf$c9N5*~85(hR8np6U3*7*?>*gsXp`U*l z3FU)N>Mlkd{Q1gF@An?^ubXUy9hP`s-5U?}tI1|RfP`LW&;vhv7AFvbs zpAKjoVg#)_zcwGe$C#d*Og@+`buse>0#46anc5d!(z{!1be-C6r?6yh_w8yz!-UTA 
zQa%2fAK$EaJKi)toD|yN^~IKXWLd?@#o6uyhUVRhrpI&S7C_%V#R8toF$xU};ZCp} ziIpMQieZ~}&R%{^D?CC^tglXO)ql73>eNJGtqRar!Tz$7=3Vh{#%mwORZPk)%uI(rwF1+alL z1XIKj-wuVaZ5niw`H?Bdp5V9R=npw!&T_OHkFUSH5`NNsXLXNVK45sUy$}d5i39|? zzlQSy-g}99@KFC7_okd@7L?~^Y; z0#zk9=zZ&LPAYITNL@#^DEJX!#I26E0!-NG=4aULb2B1tyI+f*h3On4XQ>{C&iz0A zao!+c6x4OP-2z^H*2mOe^WpRruTdfZ1n2(OiuZ|7<2IqK$A#2eLyd|;kjEok{7G+b zoa`*5HIw!+0ld70;qMwP^sJ)?`O^TTsa-Goi@aKa@;=>mxqX@5RXz52w*jCPQumo( z|G{C9Jv$i!>G7O(5885t3+Kc016hpGPL*`bsn`15+a?3gVB zq@)9T5a3vRbVT;E^#`&$zIr4pf$6wZ#8zmUWcn9#p z`g13omx0)@WQ#-~mCn!Wp2Tbs_>6IQTzX5-z5Rn9G_W&CSRz@$zgn&u^ryD<2Uk~a z(SDzdBQuq)U9Li&dGziVtTNl4R^e=NQQ;3PTaFssS`KScAASfnv9td!w~Iw=+xwlm z1ORW;Z`Va<1mmSTfJ{<9(3QXUM9kdNO^0z4kz>_Ht`{A%VUIV)U(%w z6yA&QM8oF9>TqT2Uosz2vRglUM*sJkiN>2C3-o5A=lSxQA;y|#I)F7AE>z*Y>UUAz zBav>E<{bKPEb!=?F~DW$8Y{It(zx<>`O}kK%gF3AMIp-j)`5`^PBF&nyJWUjMt7`P zc`~_?ZK#Yl)|cUQDRU%DFMb3Z=HL8(q1wOe1FimboUL~8Z67vt?z32FeCZ6Hl$`^d zD}5}jyOc(6h`Cqo)a6E%-~01qZX_By@R4DJes?+rEtFP9xylTIOcEXiDpgc{@oG*! zQGM`13pr^X>^}O$>6QDS$CUNf6o%d|+!!iSws_Pn=yUf6=nMktP8vsyFxuunlZ2e& zD7YFE3ir4Uoo;}-Z8+-b4moEQxL~#Hn4d1lhL%xqHz9& zk>8>`KaWGErLPx|J^X7$hqcD2aIgS zKue8Mf7JRh`j1yGdIAj-2Vga_$5s^ZD-h^j^#=Q-Q=n!AOAV7}03JYFjqE5I%JB`v z%WX+s2e#K~R*H3(IWZHD|EUANewD<*m1^!(YTUSE>qO|WR5SbNc~=TdE=g1AhM^G{S`7Bmd9XY*oOwr1xRN9kjA2?sq=6_LZ!)$A3I zK&>6Vt~nM6vJBFuek;)cY_ZX+^R)*Ra-Wd7Wf#_^(^%)6-P@^uX&ZT3bmTtn=0+t_ zpXM&)v8`&#^n(HQ$yV#V}+U# zfQ#C3ykNVGM3-Sc!nh9@3v2Wpm))4muQXzofUI)cNm~CoPrAk=YN6Ps5hk6a(u$fI zSTwvPX5pi{sZH-@ixI8}a{zf(zGF1j%m?m94q8UzSyB1Y?$B|>eKWt4DK|;y|AW%9 z>_OlJT)GV+uw9D@!f@eP@i4P43NgpuX}eiakNZ_vAjiPp1sbI77Vuu4glJsjp5u&t@6Uk8^$T?|AVIaa_i@J=qK_1uT<>aW6fS!D}K$K3(>$XTM!H818!? zvqykv+oRJ{MWZe^=LMSwulR{LxZgVBZ#u%~0?~+1MIH}e-eD(uWPJ*{f($TkOHCKa-?IbSRy`m z?gZ*K8SF3DC&>3*J@B=ode0S4Ql!Fyz)Oq23&QfDH(vFB5otV^XOdGp7I+DmarHQr zza;F!RgZNPcD?x1(Rlg<23R{!QI>W6C6^i_NINk8bQ$D>O$SDW>D@tkcNTFHJD!ES`wdiL^R4cY-c? 
zy6x(kV1mxJ`kZ8amk-HnJp|uf+sOCFYCXnIyG$=5d#sEPJ@34U@m*@wqtx}M)!kyN zjH^OTQQ-EAtc5CycgfIe(87UZ9(wG$ox=sH3j_$dgqR`#z|mD)Q$iM5id(d1SW)%389T ziysFMCWwiltqI*11&qCMygyPHRS*^YEer2s4&rR?c?#>Zm02(b>sHRM78bAXt}p{6 zLs{J5fDufYJ*A?sO{vAmSYh~SbsR7fAa@m_K7TdQj)*k2adfYwA@&DXg7-^+lqE;m z9n!(HJ`0|>HeD+mex6mIc!ARZ*hzO2*U9Z5=Z%s$yr$;36$3Sv>P4uQuQ3Fuc!!<8 zD~58mKJan4BF$HmEZC!nG_JVVf`gjAjj_9wT>{|iL?AGud8hO@{&^5DKGRW7o*z(h zx`k~XF6ELiU`t4ZmhFqneBO}V?x$JL2fCnhb1u1QThCUDWUm}&U6xUi zq2-UbEs3zJ=l&oa2ae7HYwsc)3-;B;pAT&2dNe()tc)#z;{7_t6g*B4y$6t{eGQyW zZt4)gwv=vsgOR@U<)lrFS)8EbW~BvP#-}EDcJ~!Q2|TM~aC?u;0P96gp;VQlTI2_8 zrKNmDA{Ag#)$4WuE0=Lz2fLiK^}-tdJ>7j_FtUX*9AI+GKHid8-y#$;08Eo#6nk@x zC$0rjZg|gc>Dw5^ZDV=6SgqS&NxaHBGX3xP6p;_y@;4^hKcA&{VLrWF{f#Ukr5z7< zI&`JR=V$M>m5yaMfskRZSM|BU6{gO8HUG1af5LGn9`dx&^~q*AAo{KE)i=8=leeqS(I{#dd zxk^#*sk*I5;m;)(U(ctx!rd*W>2UqiCP~8=xlMiY635tY*E&PN9hq00M^^q@u{);# z7TzhMM}_or+=hFpc5CZg>P4f^J7B;^D^Pnt9an@4Tb@yi9I(6z2hF43o69ZX$xQ zZJK3STnpZA;(bi%(8n0e^6D|K4e7D&+eP;6Ei;c8OrN-0?0qyqmj zYi6)N^oCBopWe2t12I`?9@?(0W4!68w&XD>MK7VPzH0|B%Z5~E?Pznt22IBUuR>7l0OW{-F6I~|IFM!q7J(Gc2J-kyh0 zgA4$I7~a9jz*VP)aFLNitX~0Q^YxAj+tZpEue5OKP0j>!x|=aoY0}v**}EfyR`!%j zjV$1sKHghb;cE%;1}fiA$;|Nm1^-)LzX6EXc}KjOvnqeJD-8vO9i(AG`l(alV#dxJ zO1mO$9J$2miq@4^hr>QSe0p@76`OeYFi+j|G?%WsI701A1Hsk>bjPf&pS~5h^~V#Z zp@GgEN9j&~S}?nwGWZ;jv|avd_`F~IMv(_Gkgf&4S^j-g?XQzE-{p|CV9uE?P**Pf zPVL)>-6J@JgZdjSoem;Y_8BRiQhz{tp!9HEzLJGQ3rDioXf!1#lVn#YUZe@)EDzRXVTySZo@} zm9Das?ORNbDSOp+YEj2FwCC%wm7jNoYyzIj&CxY4C66(d^A0arihZz(@{N8=KZKM~ zX?Y8~E#;10J()HmTX=);d<(2iZ@m^Sbb(DNde_OWNCBkN<5fz2`xec)A|X1-o~|IN$h9;73en1$izD9e&M8m zdk|~a2>y#R`z95NMy|52GLj^26PijFI#NFn@iK_yguQ?kopYR;i~ zkdsL)Zrnw59>!W*MVA?cI-gcU1a~=@838!6YT|3>Yg4hK`&3B5ZeJ5lsI^tnSxqt} zQ;m8m#$+uwKr~Z@We*VNT|CIGE;jQHuNmIY9{2g}iv{>XNV@k*>nCUbQR2FyZw(Q; z=$fU=Y5>4q&tEeiw{R|h?YOSMQtE-ZteaWlIGhb+l?_E-P+O(;E`O2u)S&SU zqQ@{F_S+RyGd2SArM}$@XU-uze6?Y*3Jhw)QS)qQC&R-FpT)rYwe~#E?JUS^Mtj 
z=F@rXb#dj;Z9M&8cQQq((9?6WJYjwVeeVV>wvc4qPrdJa;wF;O?#O@6z)-XYt+hh6c^pRUHKCQ3$l;CT`Wm^x&$~!+IkAViPFuf9ri)9N4cs(S}iKpO9N$5YAY2RQ%Uev5ViY7WgPMK(w{ zVfS-7w$p;l>(4HE?Q39#WngBxUt_Aa70tj3MXi5tUmYj2dW6Pw_krIJ_mtzs_oF3b z5?g~|L6aoH0|^MF60qmFS?6ON7}{heP{FZzPG)>Z$2Kp-@S(!{HyAtXoC0GxIn698 z@M1W|_NC6VN~VKw%Z9LByVG-ZDW8V~1iwN{4-?4h-tYJdS-!;NC&|sI+Bu`rc&t>k zxeB)|LN4_=$SiN1S9C$2YQJPf<-9VoT<5AedQg}*E zzXJWGGV#Fcqzk6QC}d6Qm`Jr!(ueFlJF@ls^V~X$SK9TLfqoVFIv0oGyC?0*K)dQ(kt?iMMeP~7r+%_g&iw5UKz;S0THIxPcKDO ze*c(vPE#>AH@4UoxEhHjsG!%4X*VS#px|CXwi7>q6&TFEH+}?JpFiY-KBc)fpOI>= zMmoJlk#5|lx{{7~n>z{q_qUp;d&sTgFe1nZHa+u%1t;5uZ#)KY7rDupcCALmbB_Dz z$v2Yeg%o-}(s_LSYE|-S!N-K*23u`GkAbx;<7RXw0^iQcTTdtIoS6Jvr1zUP?M>7n z&8u^!(Z}DIYp5`zw+hvlP(w}cFd<|qN@CfQbtS1-t^t*1Se(LXXv_2~=z$0I3bm8+ z`1u_Jmtk!e$(*R|&idl^b~yrQ{32Uf(6hR*H*MG`XDp~Yg8q`4;J&QGa$6I}{5bii zr(~rn%-u2;7B-;u^$c&(nU@U8>In<^%(m;k#3%M=2NmTH*n5JbJ z_*^*CJpv>LN?WOzUBzTQ;-#+^@#__nKaJ*ICCYK!COO@=p)1KnMHDRTkvntf9E z9?@Kb#bxwEH@i+LTiRvqo-~9#38;ByIkN10{n-{CgcW7WRO(tB>Unb(K0yB*omx_+YwSaE3OR<3Dv+hx3O?TiN~)$Mc)ZokFeFMHKOZs`sOhYDsz$yBa?MMq^p88_UsM7paE#?@x8|V7Z~;`s|;TOGdu!_5NFSYuJ19Ug^zhzyf3l| z#%|r)`pTK~!pYg;B$!+rg@83#%Z(vm2QYu%%~hQWEEU#vSSmdF7=wV7C``A3>0saW zQIhohR!Q-S{lt+5{VAh^6m*#6{s_0b3X0K^S25oEyk5~88 z?pOAz2=9B7H2$DTIrE7#+1GBc;I6@MU2-bn0w{hf!11acjegsNIH_J@Pj7r ziLyc99j`A~$F-3>M6p5s0O{HJfwt@exu(|-kD%-<7J2vZb0Y(H7$$x`7Li}Zfu5eF z2QYrr=y4r$PAzkMZclKRy602m9oGA=9ILJ%>kLT))!TS#o9!6duOy;A{4flQX+~C4 zP)P|ehTAAHk4({H1_Q*Wkm!dW+EN;8(N0z;WrS)i3agS`a-I8CmkibEp3|`|*|@rg zvA!dv!^ICb8J#-7y%`68LPY%LA)d-jco7t1Zc>DT9(o_T+UF`Xilzyh7T|MM7v1#U zMUv#rOuTlX(%%Vit*vu-Nbc_>4Eop+q{mCg^fhf@siRZ#IIbo!!O6Gd!hO`M={98=VaqoQ`2KxGhX-fNh_?cDKWd(YJdBTNvketN z(g9vO-omL|T>@RQpMZ$REB2JQh;;_E<{xz)!Ak-czhFqM`rK^k(|4i(YlR#j(vVPaG9tOf#xG zef(9K!QgXC{fFMw%$RiR>Cp$M2sXI~WN=TvKboB}M|J)J9HWe~_d@Y@GV9g@7(7>E ze^iRUPnMKG>6I*jy07W)tt)ehNVGC;O6uv;T{HF}_Q>taFd+vEZki{)PI$7#X@}q4 zzB>cka_o~0WqEH(PQS#WIuua__G&@HrFTGh7)c!QFt;4|W7Ku2b;R^dF~ZtdmgwDX 
zn_nrD;?Hk6)b`z`^q^X8S9_~?kop^L!3TW2Sy2(Klsd5s1?RgRgJQRymZi22)a)Ro zuOvhoN}`iJ5R^&~6A~_$hD?{CdcAwp8)EvrkRfwFD$<$Sy7`L!73BOZm^8}BeIa+R z@m^N5lL*n;Q+r1a=&+p9`#(dxlpGMHC$5-hwSuWlT#Xjg|7fSCD7JE?COFTrc8PqE z2RTa4hM954vB_O+TeXrd6sOfrCW5+l!gA3v(KA zb>nIj8Q0c%#MkUkO!!WvI)qU(FIkl!du{H{zz=v(j?@MkK37bL%u+b2ZS8eq>L&dN z@;Jw1Zc1a{0a-Nz7p7!+;or@=D$?VJ=2POvUtVs&k6ffYU+vsKzKiXoNV%`{1Gdc+ zK30k^*gVR>f`{}u;4TUC^nS}CR#f5__^wpbYhQti9oysReOtz+Qqp*m`g%J%lc@=k zHP`9uyl_03_*`virN2+@*uUqZ#x-7^xvf8T2r;eifw{kGd>H)OciE3s@)i}bBOUCe zd&}EHdNJJk1sQbm{Gel-ZP+;BvB4SQ{4pvTdXP0L*o=F}ZR+d8pVcj+lH|-hfBp2G z0_VCGg}>q%Zwgl{E8VsqE84Em!W6e(u?!>(R*&tBa_Y@d_s+fLT8Q_dgt3Kw`w>Tt zV%w+<0x*pc9cIjbgIS_CoR=@ted5w`q0FDlpVH9n?~5H0_dj3Ip%K4MM~lXr6Uy6_ z#ID|0z|5tVNp!`}Q?kpm&Yz=uK^uR+_=WW0TJ;xGj7MLC_HFV4$Fnh1Mt6el$&H

J@d@ou>QR^XAFp#5td7t6awBYbNq*@&T>qTasGDGdrf zeRIjPV1s^rhp&8bdbGt!-lV}iQUl^BO=b}vSL&ZX!Vxesl`Gt{d)cf_qRjAa5eA@p zP^3NSlae3`^BBx{B!>un8@PUMe3SM1NA^GQZzJ(ApICB%`ONkWaoTS#cT5E%KxBvA zs=8JbvX{lJEo1~y&xRzbp2>Ew00OkB&O>-X+)fPDeOHe+dxa7xrybEDG=~v<^BJM0 zH(Nv-V8AlzgU^3DB|v${S80LB8rCwr1;UBOr`S6r+{tBoC8&vcYq+dyS({QEtd+>O z+VF^#_*Bdys%_ncwbb)qYHvg6KghyFt@GmGK{|SuUJI;`_IN7hn)ND3XBEMO9~n)@ z7`-+yMfo~x$X^Sl$%M4#@MQXwR;dH`lq6qG`BE`D$~y$|tg;*LcA7#g-6%w z{te=7_=aOV6l&+kQzlmB?`)k~uqCl=mA*Db>8Jd&I1wcXDheA0!sV$IvjX~Sw6p1c zHDYKk*?aB$-+cXUv?hhhN5Fg7U%=!eh^XEm1&%(3!w>@MQRVQSA@v-33~0R-IH){H zaZ&S;n9OpG4jNnVo3nSha19Eyk;~a-XHEf>TUZ_$=kyB-_*smIBz!20XHhxE_hezp z*FA?+Hit?a#mp#d>3X0l9`Yly4;W@Z_wNNge_~MPp5OH4xDow#hm*NcFszbDlk3NA z>+QA44&O$MUs#@dP&+19E=S9sK)msCdKuxaFmRhO?JF=eN-lLd?=s`Ld*=Jhd~Y#E zzpLH%P>iC4_THRFK9SW<96IpK#_;r=PU58;v+B%N204uzTZLLdVH` z4f(raMNNGL4)n4ua}JG9T8i$R)7PS7`TD4c&DGXp(OrYU*P{O*nM#wP2%4=hH*Z^5 ze63oT9qD#t_pR=ydr`Z1^sc_4>e)lR8o2c-;8}82O0SdnM5&qF(jy*`uZNUAokv%o zt4&np6Ft}I-xVQWGbB?HICT(p@eejs_rqIT7Xx~GV*R9kn0TBYvmI9KuvJ7{0HL8? zgh?A3oc6lMks_Ok`4cJJp#A1?vI&RaDt&r*aBKF%3P$MFa%d7&hJzWoJ?l1@Q_rP~G{9|6AU8rJ!#;+ylMap_NF`rc~rod0|Z z^?jfyM6%FVYS)uED)F7B!xNt==NEA+Prkjbc#4RNklL`n%Vb!`K3(`Ha91xz zan5Bc)Y?rq`QrI@1Zbk9c}`zO+5l5U;y8Va{a7Kj!;-_3KIgV~X`3I907^nhIQZ(^i(Jx`P_? 
zO))U`D8$|~!`Qig(2<)GgrUig15;QyqGRI6PDYi?r|tV_UF&t&dsPpOkjiXy+~Hoh zG89ECwUHO~{NS16-Xb$!c%{2?4QphU5%>HN(C!Yu8(XR+`J3646Wor_w|X*kykI;u zgX7V513F*H5^6O}&4(e^RptpnJ$yO+rFAS+CC0lkz(?pl1t@8nmVLdrbM$QQbeS_T z5pd()sqPbCCJ`N?S!>l>`MNppe1dBMW@(8MN_AaiR_{Jh>FEIfP~r5rRr-ILTyMqJ ze1E}pnO(yu!eG`HD7LLkHlW#du%w4vSf=^HXHrh--4!qSgoookvts<6CIwWWsB$}U zE0*{IiA$yMK(kQ=JD04fjjh7`22C=v5Ux$QJC7M;_M{VFKrIYS|Za>M9 zrc0^4T@~!DrjWwNW*PkiCc-n;$%5+yLwJxUz*Cy(bMS3myerGE^`LVaT#$w76(8!#FrNiDuNzZmSd1by!M z`R;{m1MZ;T1^rFi_~R#|Um&}t#ejb{f31}u*o1A6|MFmMMfy+Jv*oi;A$<)x%RJ<} z2#$b-4zJVwc92cx&4YG#?-|D$f)%lQL+%72QLY%n8$4uxb_CWo>waq{cI`hQ4th)L z--;nwn!9ywboo(pcp=+9orSQb-?-ev=&-fMf?l!lw~tamy8Y7KCf%^+Kk2%^gz^5g zT8YE~-t4x=UssL2cT{3k(+H!6!nNT+hwN{Qj37Y~EYyG20P`L);$>j6PipP}SYX?f zG_)^*$SU0zo|TfzzBDo@Fi=16b3**$dro}6K(olW|J!WBH!Sdv#CBGjxz`Z{DY8s1 zImqN@Tt&Y);bga01*O5R5ZU{DGfc}GVJu-m`U}71w_>jw50(ld@rR#I-tK$V!#BCQ z+XIVXfSEMj!D+I5xqEfzfzHSV5FK%H|Mc{zFweJ(NAEf2@E%L`SYfG_CjfxWg9$ zN~Vp+v6F2=6h__eJPnL=zUn0iryI8Qj7dLDOrV_{4C1#8pXCt?9o2{262i!HPSQg7zO`xOnP}sqio_HWa5AA)(g}DjMS*KAw~(hCBKXJSx<)~ahT-I z)`tnZP8qlx@sq9r$7CV@f95=$DGQSRhES@&MA~P!yky=^Nx~qjK(lV><|A>&JtX>) zz-*;D?t@#9iOY7iK#?i0eHkgT8YcUew^4(@o2F5pakw?Uw+s;AQ=SkJY!}_Gb zKNJ@LF_075|DqBZL=c=4%$(nkvsF4fT~P=MHLqo{=}31EZ%)_cdxK$`wZ#?-*Bj>m z$9LbIf&Dl6-$;g{|E>po$hW1(K)34xaW850bhS%^WpgRMwm51=AwDE|kArVcTU(ch zQY}rw-))1s+piVXRK4GaxCJdYbeHUjubnxRso=tbU7oJbn)uDEx{X2u5{bUgf)On` z3t%-)#U3z%N^UU-Zvl?w@6G5kwQ9^BUiQ-+x?5wq+7Acb`SxRq=FZ(Xg)|V==i%=) z+d$%IHb}Z_zfQh+`n{~Z-KVq|9pE9i!@D?%g!yomur%88*PpC*LglkxNs(U$2^m)~ z`}eXxaZi*I|NH-00O)U%ih3zPSejDsU63s9(0F+^R`fLHFk5atcDX^`!=2*Dv^H$o zvDi#*M208UqpT|{(9Yhoo`4EWhlz~S=mZY|^*Pf9N{|x4X}LMN&>cZzbMNaH^(`eA zIk@l5*{V}iT{-T)fam*lMM%@eJy}M_$DyLKMu!T)#~u5g`;$WVBYnPgZ|V7WC)vW0IwI$|1Qyc!7$QM`Tkc~Hze4Cr#}o|#Cy9$>T&lxEU@ zS9wnf;wNb4E_^{~3P&!{IF5kcs#Pc zCHQ5|<3H53HfS0P8%ILC5YW~k5g@O%v=dA zG{X_HllC1UGk5wIX1QpwV%(bTU&4^h3TR+SM$R#MxlQDcnYE_Ikr-rMc>) zf~7G+FL9;19dZn_NQ^~y9Xj`I^PH~|X$m&D08duZNy5&{>E 
zqY0+W`?pEKa+cgW8>is(bRb@wANK;u{UTQUw#mh}Zkl6D1PcW3d?OYj5wPfcNVh38 zEYKwhgXh2Yok_!nDDRBFg4P**eexpCR$-oXr~b5MU{n)0RTkx_TUZ6jtq+T#k+^2} z{S?$ln*<8sNDdFW{Y2bqHu`);4%)X3T=bU1ie5(IUZ~NE{#6ov6s*`Cq4d=3xB4W* zZp26}0`@QTh>itKQe3@8Lve7HYgxeN8k9ppUp)DRILZ&_bdVfz%WHYM0C!neG>|Hx z>{psW5W9f0TUDk%U5_!z<>cHn?%p&{fJ@p_bew{27YS4w1^$2?Mok?q zv5HK~XIuS(3+{t{{Kh6_5iWnC6Ex1Aat@U-3VD>-k*ECjI?uG^3;?`k7-kes22p9le+GY_<+B6zm5e5Q@M~47T&d;WSm9C=k z)=M4kU$@^y8y9FX<;*%OyYmY0?}wPoW&2dkSp54fJ$LMdW@}jpq}7h^0UNO8EsA|J z`Eu~iZZJQ(Z~U!TI`ql6)5ZvL1}V3ZPuq(2Cs>>U9IcSo26xA%hEq>6D;j^$pNb<~SV=d4j*_iIwuAf;09uFJ?vznF-d z{e%7kp%7k`M|e&`nXXHO)jV-&mZ_WfDrr~mn|xbi`e?o_$J^ZcC6CaohYs`lnZB_{ zhSm@$^d|K7?Afc8V7k>o$f!@n&~BXD^6cYAu?1H-=Z&_|m4ajQuevX6wXmC#Tbn`$ zu@}U5;g;ieVzdmaZk)~<8gu63he zhp*pO5igk}P>18ss*%)ZN5aEw=!?k&@mGn5y49?7rXphhtaFf28W=Jv!yG^Cv}1JZ33=4V&>Q9O?4#l&f(m4^&FX^#6=u9K({AhLaW$HpoyUb&uh5 zpE}%oV`#iJr&-r$vtJ8{y~k|xs}IHIze^*F+#Z=;%EZPXJWQ7>)n!zruW?$*CN}J? ztQ4uU;Qu`Cy@(4cA$+rL=_IJ25T!_LRy%>VS3ejrg3=yx^Wk_t!h8Se1Y?J$Vp6oa*1GsISIw(^onkRzMtk9|%T z{NIv)VBpGh-s0}9cZQ!O>fAinGlIwA8w72H2#<|9`du2d8bG#PVp*@)on)OqYs=-} z6ZnXIO7^67Qi9;jY8?TE2@MiG-}_hND}lN;{5Gx+cM%r308)IMx-!@jXb;$FNvHKH z_l2g8G_I^YPO9VEz&TpSc&)7gaOS#SompK8lcn?)Y~SenCF5GUGaPoDN~d*p(ob?* zW1ZC?L&OAK{{HLs;(a#kQ~X7kN`HUEO1UMc%A}rm@r3E1u|KO|{J-yfwa6f!%|wY)@9sV|7LZMYM9^H{HLfpfKaxq@wLV}(POjfSmt^YN7WkjyO^wWzLoH>3Y&j?=#8 z+iyEtC6pGwa9RBErQlX50C*0YRPGMImh{0#PWVr z`={akf4I0N@{?$fIF_v*-i9_t7{)_J2#2 z)8U{$920YBSRb;ASpaN^EM#HEwb?~Qz-$&=SBLv&FMo=@eJRw6Q)A}mBa@JMJDfjm zrEd^Qe_Z$r+k-#W&xYj8-y+rCqRIu9r1e`2*@1><{J?ZUbwrvoBdTmaQu!c;+CmjYjd)yI?k$>PrHpw0KN4;{_roFKh zbES>>GxV74CP$~wMovLu5|ekkO(lW$;mk*jm<$w?1W6h`{ZR2xUV|M*}a6B}}dU2peUJr1|*)n7Ft}@j%Lmo#aZ+#>idb<6) z!+oi1Oljv}d&@l=>k&-04N|f`8rgkR%SwlUUESyN6@;?VG4H;5%G&bZ0M$*$;W!YA z(!AaE_cwqCQMJCDhy;GKoiU7+?ugMT33$7<-IL9p`0QPvN(>E6w0isFm~JqwWXP=A z`F9$P$mSxAdL2|Ps~B0hp%Z*19> zfC(y_K7Kc*l8N1$_i?KJsjn7P**nUyaea#BH$oR}%o;i6;>!Eg{Q}^fStX#;+xS)M z$K*KH_u|HM&9C4Zg0=Hx^p>|V=;!_X>vBH}3wp)ZGtw3W+ivrb+|qtmkm9(tbMruM 
zZCynorMjSUD{EKo-Bgz#IXSF1A4i&N#R@y&Fxg#6Dx;t7L1eE*(LOF>(vc4jZ!?Fb zRS{R)j=&{uF>dz_Eb;CB=IVL^hv|)b;+ca%%@o+ z5Dd__=-1qU3xoS_BNBRZsxp4>V!W%~7qTGT5LLQ8&p(R{p-?(H!TiuCPgt5>wvm5i zwfW+j;hgqi)X5Fv$n~sLizeh%%ud33$FSsGd9wM6rV@)h)nqs6!uXq;fj&J&{e;^E zM>g{oQ~O^jED7>M3@qA@G<3$k^UHtnc*3p0@LDsEXQ6E5Nxsd(rE)QC8+HVy@?dnq6)|KV zFrPDl;E52{{hv6Co}?5p#X#Z*LuOBaDk1DCOpPO=zdWPVOBCy*t{Z#JYx#f2B?3lg z<%(9x4)%vqha}>5yChH2)Q%n63Iqu^B&;={)M+~}gNe4`L3Ty^*`09}qGgRd@&*po ziNw2aQ-I-$DRj8G28(b@Re`pFjV-3C)8lJby!16oc**G&VL|Z>b+g~hgwZ+Zb^ zg^Y1xQA-yM-x?fHvP#j!?1r08-F-V*cZs$Yr|ew!7TbEi6EODKMl*^D%xJ*DaIqIy zQ0?+gpKpYjT^HDaehwmh`D{j0M;_AnWZg4fR&8Dl9#n}|#=LAiX}}^YAD~~I1=eky zAI&1V$l<_p6m8T+j*kAx14X%Q9F7bbgs62tRf_gvYKwjFQ;t+>LIDm_BQ-VlJGba{ z^gpBx58MQX@5w(hyu+AI{{q`v(@rD|Qj>=~m>U8g&f1l76!sE>6hwfs9ZTqdQ?xIp zlgeCdZ8qiN6#*miQcaQ={mm*PrMHoHnGORX(}D34MUh$!J9TF+HheipyPPfnOHkHJ zE13g;H|W{E&^E%$3PCx+1=q4hsWERu6_bT|v*CsDLV=;0qnSJGYw!%C4D1CPzX_1|EF@UOY?`}If z!@n&tD-it)$mPfRi?IYOVlRkz z$>zc+o?YTxAXm?BG#Yi&1bZX6;=|>rgLa<>&73x=o`h5ph6z6pifq?GqN#vf4v0L@rD#Gby%N7rB|B(B+ z+N=9=`aUO_Q~&8fmdpDj?Y8C}$ekalG*7 z@fZij_29)nWhx5Jd#o0qv-Cx;=9luxwK|6-d!H78o{KN4{I0uk9Mq9DM~>HT$hPY;L%ThIiZ* z4Ch9#zPRAiiZWL86PDX3*Ah3mUSJ(+te>zQ6xG`3=vt;0h`aefs^5#f1y+_2uQxUX z+_Rf}OFbzS?hScxwuIQ|NAfL#$DQhoG*bE7pxVH)XSoL(pxT$6&Pq(c%Hc<|c+dMF zKhGJeK$Qq907=!)M*AfUYNrUR0=r?>8>$17*IZrW!@s4@05DtPic(?mgILza<)hTX zQZ=B+_apF32=(*DzX6>1Y7dm~=>Gi#oPCqq44>*p#W6t2vjn#^6S+0yRI>f*M|$P7 zQO$Jrxyu7RPk_Ua99pMdu^}r6B!h89+*#-Ando4RU?NlwHhtJXiC%Z->wEp%1i(l) zbbh@{Ts%`YrZJ(`g$g$!*Uhv0TR9;2R_%G`BMP3g<2NE+N5983GJtfjR)EG98?Y>> z&G!p7ikue*Y4Ee)N;(8oC4=spuG4&u1I|SVz_xYO`J^}S;7es#nX1jgu^;kVY2DJn zikK1|rtf6+E4oi@4`||+9IvLPy*s}H3N<5L|7OcGo8GwjE3L1j=&-7wf9^%WT#&GN zN^UZ|5%~W7BAK5`Qa1U8Cru`~_cGR&xm8ceqjA?@bez*?Ao09!1HDbcy<1hA zE00#$xP9wyt6fnMRW&qz&D8r@G!>pbz$qKT+IFojL<4u-eXr+6HZGuGL6K&FHS}=3*O!w; z=xdc@E2aIVf&~OcW$XbCwM${W0;1-w5@jwOn9zR5EX=ETNJ$|2#rHz{ntugH()ghZ zwp;E)ln0GpG+`rm+=K9!-Pt-04`f8FP791bDxJkJA2ytyDZ?8D*c(4afS8M%6d^bi 
zxMUdQcyd7_c4Kqy{o!Vo(jdw>jBAVROePMU1lu#caZ-cqX!CyRE*}9L=-RdIv_n!w znvr;dXN!@rE7NNLE%WH+q%TxaJ&N&6>>ebCNM@uF zcNvbOdLx!dg?OpU3LI4_PYV#RDuN~)aHxD%mEAP5czIL}jlKYa2hOV_1hP>kZpSZ% zlD?}-pDkXSi$fIB*iKo3r=9ziwlZL-eTP$*Sn3*8@mc-`ju5iecS8;)gU4XOoh1<4 zRmq>yno{Ow~f~0T1&JSa` zwwH#WyQy>;Hzk2;fW`NS5sQCo?6=uze$6=LM{6k;jJGMYbLroFnSm=h{$}Ev=;QzO zoVmDdNwxVTg;Zu*+Wg0}i(|RPH<$Y7!$Nw-!bx6?cqQTRk}v-lwa2BHNV38cz$_aZ z3MGeG7x>{yWmi8oNv3ujA+1j9Q!t8bnuI9Bm7?c&#w359;~D6Q|2}U>RBZr@eo48j zso1jKr5^o7G1RUR1h_Kox5OeWN{lDJiU@PP-Ix2;LG-4rJ6bm{C#C4)7!l7eMLtWA zIc0*=)j;7Vbwe{;h(nTR-$YziPp&RcoKycxAw$wPE)Dq%9?UKch#>=7V3dPRoGB7u zr6_81=E_y$TIKp4;wlj@cDSg$FmIVPI`dYRoF{@0u;ah^&yK$VIvsaPMrzgfu)N^h z0e~m*^8g}cC_hrTotpG9*_$%ebp^LBAK z6-vh(=jp)8yY%%4P9a#u!nE^#lfUpfRP2eIIMuU9Co>`My72+{ ziXPh(1JUxzfON=7M@cP!C)Qzz^wZ2EcmQC5N;oKBc+$)$LT%`^w4v9B2I^a;M<$qx&7aKeF4FCCB4GjEiz<4;Hc)zuwN7a%KzI<- z`(W$^0@FY9I8&`az=Gbjtj%J%;G1gDkYT?Nvxm^pqZeg>39(Li!{!Gi9cF`=p-&J< zs`n~68yDpQd!K;#{?B-4oc0G}6^4tJ9S^`ZU@Qc%n}p7bDVzZu!bwk`L?C^~G!X5S zKrxS-qBOfCI(L3Tck6`fZ*MMFj4Ns&Yf~<#3{oZ|_h(*swFOhH$$n><*gWXJeRhsy zmhydZ`i(x{%tEKIW$j6#%QM>a#G*HKpDPi2aCGemA!PVz0QIW-ijQezW0>*lP4WKdm&*z4 zHX|KzKiW*O${2!5{74uZq>y011iqRe3sz(l#f_OuIVHU$sG7>~o=E>oER8Vs0HWJI zRa8}i%Qab}Sp@5iEz@v zKhd+gl<~XYNbA_dEdKHKI&gcDWXWY1iXP;LeGRm3W-O(;in@mn`G@y3;F(}3gO_qZ z@|E)RwFIz>)<6HGbVk(g4%}gHmAO`CRY@G0Hjjg!FQ&GgW0_IMZtG#OJEmVqm^^`$ zzkWlD_2moCHv6$&j>D}uEQ zx>Blu+wFe5OfOhR>n*#|z|U=&+pEL#kqs2%3&kOjI{kT(4}hm;S7LDn{m?X$M>BYx zVa(S6gkZr2E8T6{rgzXpifuuD{52WmWml`Bb6S(fA%XbKUBMDJv8+NbQMVM&UmL^+ zsj_axh)J^5hvv+QJ=n+hAct>835Nu%ibsil7?+a#xQ^PwP?A2x^Q>9*dk{!(d|Y9y zs{8g}f$i32sx~w{^Tndbk;HI~O^VO~f#GW=2rP+^gy}wDi83DRRJSh@^*0ik6)eQ( zj))O(DR}0Qt%5{&Vt`E?d9(1Ue0KKp~WW9 z!asaw8-5fajC&w5wplvpuOEeF{@Ydo;~RDVJMJ)&5YJ1U{J0>mAm8-G!TTSpJ@G7u&qHK{4XKZ zZi|f4OY{LYEC9Nm_lGo&N?3GA7o;+re+dT;(q+sx>_Z#`6o^5jRR ziz(fl^vpZ(K$3v{ugN^sbzRi8T+RmU)c4Ya63GY)h}paI0Q$9rl9OY2Is-ntX}&&V zL&4$6dLGrD=J<}Pz|&TIjzY~BsrMR19q=Dh78z?Wr_gx52FOK7uW(|taNE}%o%bs6~69e^&-djiGj0+=gMD9U8FUTLV?7&6{D3so!$ 
z?1zzBz4rLF_-Q63unfs2d3M{|MO(QsrsfosBMc+mZRy_WWj$D=2nxOO4wJhqYbPD1 zBUqF^>rnHQj9HDn2Ma*LmcG?n-)n(iA3u;jQu<@V;`>|nKQ+}s z4M$TQ%lna14TH`+yj=P4Ep9I#=}C%eKN(-$z(XWgG1r+mF z$K|vGThb^hep9#XOzPLPc-M*_G513*YvbSB&*AT)m_PgS2_`=>4U;K3c2@_Ku3WEgy zA6su3R9CpPZQ_yu8x6tTgS$HfcX!Cf9X1YuAe-P8+?`;--6goYli==7GArkscjm2` z^NXU2;zzIb^y;U(@9P#dTl|b=Ci^g>Fgj|%F^OUY$flb+w?ckL;&;CXbU{DKa@snz z^}u+Z{{8@Duhxm}ixZ*WT5O)j9Hg$vY}#veUYqN=TTBxRHHg0azuXbx=;&qJar1 z=mH*yDaXgRAASVB47Ttl0u5ixC{khC#|@#)#7s{|Ak$axzDHln`8ZnraYz~Q7`ZaBKYwKAVyD~hG29&$QXoYa&<_dJ3~Ugwh=!0 z#f6A=9TpRnX{P|N|5ogQBg#ox3yJ1)V+vNXZUzyTUyG;{mm87*|I9bXf2{$o&3a$) zvC;+j9zV2RwG0y4jVOesw0cPQWMWM`e^@EqeI?jtE#W~Le#;3wC+Ze}jRzjDJTl(v zRv>AH<~YB&oE7zcHBoU_KFImwuHntUeQ*M%K$Fyb>lyMJ1u5?QEB(k{osmr)x@_k! zqO67p*K$KI*AsswYrF69oq>WUnsYxz=7GUtEoaC^~m* zl)IFey&9u}5>r$<65BmWK;m<M!#VNFc-5~cYDg=lILr{E0qfTo|tTt%0WM4 zY)BspN6>2|x>O|TSHyXP(-({8=hUlG-(B=UH?QmiMZ@ip(-~)VHNGL`a$K?!3Al@m zo9Y)EP`-u8^2R#;Fr1>XqI8fbSI?rgXC-77EC(>ib5V}*(R+`MJKqUM6)DU~8HVo` zlFJqq^(_k&7ZizhTLF?rDIb?lX=^t&$u@;4W%VM~!EwxmC9I$H#FW85J>UFZriMi6 zh@_!_kYcud zty~?nvei{>=+ns&F&(I}UNZ9b0_M%@ZlA$b{2$-~zBAV4&o#PR<9qxfYN-12r}7G` z$lqT6s2V{z9FOR2p%GR3jo-WCE<=|Qoju}By>A}Z4RsW(<}vR3HU30C-$c;0+ZQB6VEH50 zn6A+d()D`hX|<#;eR3jet@Zi^o^47ujCgzLYq*h^KB%!qdpkGvmx0D7(BLvHsaSQ_ zpV&kznz7DeW#^DpI}AHQkWIVG@OS*;WA|Fj-f;cJOJIv@9|k7>_Hmdq;7J>B2y5j$6IZJ3^q`;ba1uWbO^ zTvPiIoO>l#=CL$uix(0&lx_zuu=pX9gUV;xr6`gWMXX(!sfxmoaRL-s22V!#Ys|2R z00ePkU@qNWKS;9arDhj7&O31BN_Fpma=jLp>Ecb-gXQHFP zTuyD{+SNI}UVv37gWsCLCkYB6iD>_O;ETQoBk+I^OqzvyUI^a&%A~;c z_Brc-k>{cG7YY>BU#5-cYrtvaYSpj6Rw@gs-tmrFNzGW{Tf&x2dS};R7*79@yH(H4 z9YBUrHke{K8{_PvnWy5VRxpMY)Mz&|`=?gP2enS3aPQcaI zx35ttXT=Hh!T}yHggua^9qa~tSU31GT|QOfq-QecTqljA+}B#SpDn?L8Nen?c5g#B z0N~=ax47r&r29Z25#QA%QOBcGdTrIxb=LGZKo75r>P5CH%GdTc$+p#g%yQbk@8hO! 
z+I9k(XNX2odET@cvS0=l81`7(GOL7fqUkUI@i+ z0_U|223{9_^#LPGn^F<3R_Qs}=?lT$*P~#nmwp_T+^;*&Z&~PB@kSy+XRQdUO|hGW z&G*W}<6Koa&EsMN_p`@Be_u8eqIuQ=*WC^ekjWA_dk3&sMofykQn1)zg(Z#rCWEfJ zR{JZd-T*t@Jl=V>CUlFFY$n+k-`(c=kO+Gs-zt32j^x^7s{e~~`WU~ky1=mq86m77 zOHiXL_Q!&qpnsYW(zuE{!V7d2Ew0^mTbi0i@cK|q(6Vqk>y4gG77oBRvbG6XuJ}%5 zn3MpyCv2AOP+F5+je&Swv>8upLyrjex{rK#gfjd4X!1|wqZVn9yn<_byOB>1YQ1D4 zAI;JRRVn&s!!l$14g|DGN0}*MRN3js_tFyfL-vB}M(4r}7;5#3e*_7I8%bpg?Z}m7 zDkvTExlwv@OqV>y5u{pZ@bjlKNP^2NKfga^H?QV@!-YobJFe+T-#>fR`OV2o#;eB} z&_KbY4xJexAOTBC+jmGH(gdYmHQ84d0*_%Dy|lFRVfZ@aT|d>=A82iIElfl{z+Nc{ zP2ISNfd>-BX~;}IPgx}NoJuBY?6f)mLsD|6dzgra996yBSsr94?qVxy-RpOBZC0^1 zy0T_S;D98(g4ai4*WM+!bO&Lhfa7uA^~krQ) zIq490;^+0Gs3^atM{Ilq@pjyAv=xBzyhNhJ_8X1!(;_M9R_Du%!Z2*D-2sgpNMt82 zEXH|h)jP!~p&&+}b-NYH;*mi?&3MuzQOVaktqk-|m$-*9*F1>xEZ&{Om>NLACrbhv z6F+D|Gn=!vP=2noU-Z7M`!RFEs`0u-CKTfNXO}fV&5MQS_*)V9{n1_EHh~q!_<{vW zpXDUV&lsonolsxjA*`xhX`tWg=_!}$^$HjIr)ukc9I4ybG&c7yw*7~|i303|2P@Il z3Jg*{f0rcr14OR5VCE@iY)Aj`hJ~cxTE%W)K8pn-E0UBZvOYj{ONH&%>^x)*eYGH{ zZQArHzY)X|0Ec`eM~gNFL{GOh$JbMmpHH9iSD_~Wz*4@d<4*q*r^HPh5%_1>s@8}1 zTla`H-6lh4D$+g3jTgTb%%HCVE&3ks3`U5z)%Qu3v5aZB1Wx`+=8J?--cAK96KqfQ z+(H1DcC$6%%y7l|15Pq{ugB-tWzBGPz->8;k;#wXk1Vm#{=~~sm|Dnf&XVr?;aJ!< zg?FxRC)|vcJVxG4JJC>1vtXwaQun>d2A;R^djbZ*3U<+aJ)*9pY5be7{UqD;eZwn5 zSR$Hd)lc;C+3q23r`u1RiXIFG`i3$1&BhZgO|1ORr>+xfVY86W-V|H!zIM)NjWjSd zuJ2sPsbYNg9=p2b9R}b+L_%RbcNPnJT~x<5_5!i$I`+R)3jqw$#&@LA@W46%9oOR1 zZrPE~1csR6-{(UX^b}5`kOAXFK+x&dI#uo&GK=N_RIiE3+3nP7sA9Uo_(lN4^Y@ya zPn)RmXZR+;ocnjeycN*92|}M@DYT{ej)w>iV~G{7KJ=OjPD0^9;8kDP-1Ih>_}rx* zP(YF}+~W9hOKx8i`~)=5oN6Q6qu%G!W&3cX1w0XCq1+n#I!M&srQ3ySu1-)TQ1r#c z<07>D^o)~~5p2X5oy+S;y+cIc^F6RzezT?fwEe-&%q?61y~o14wc_~5Pc%dc#F|4# z9xz2ey?v_lzNdRsdaiQa!a7o){#a-iUf?#@2gMe1k77FaP^jLX-=t3bYcyx5z_pgZ zY`32%9u9?|5T#{_R0?Ec!Ky{|=c@=-*)fbSMHz-~%t-s+k}fM(*NEliuxNFP;$0ML zv32Tj0q;;wMga=FaGj0T#C(1phxui^3&}l6AvMT+l48Ksl~t{sI8@mat%!)xpk|hx zOv_#In;m{P1%*<)6mi)72m(S@Mm4C7Ys|VJnf)8MO+3b!n{1otV4#^5xx&(W6 
zXvmhhP4JgwdVA&Zb)*cP#xVnB0SoaG6o8wPkgBgr(f>|V7N|KhYg;f2_)3!;cd=iB zn3b|LA2e0OR}RXnxpdA6f!27)l1TLa3gY+J`klAWk9~%f7iy5_QKhvmB5_OR@nF^i z3A`@3Phe|Z>iKiUgi~uPIVnWNFWIXTX04Ap{TaYNwU8J*uCp3Hi{|*#?jMW%CN1Q+ zX>91b_Uicz%&rp16s*rUd_Ed8Zm;nQoVN@q4~hH6hDZ#woS`Jzo7{A_l5+Yaxqaka z*^ZssAQ}qRAW|peIcxsyf$HfU7^3t??`#M`irMQrnm3{~6TjJe%#3Nx>8rg0kxj zC7J2u6-{U((QohAMb_$^&--1F_<(aIg|=d1-rc43|2N0?2X(b!<(|=Yrce=21b5q+caTD zpMMl!wHdi2eR0H*)e9ls{?RhVF-k2-vv$3PEsTKSauXkNeD?5%P5OBwdOUhYbkn~B*kl?4h=^r*H#|}GYRJlK~ zpZ$^yDHrjLLu~Q4ml6+4GB&b)qelVjL59{oD*OUSU0|{IyuAm%!6TGUx78rGpJL6= z!3Qa)q$V~+-x6k3L?zFvn{~D~epON`{*4hliQ^8cYrTApyt_1Cez_h`8J0+!RTkua z9AIs7e=41ow{{OH>XN5?b4k$$3_Y0DBuG)X_r0z^9=L?u?>`9|25^QNw+C_Laf60i0w+*Ca+1kU|O97?w`=+Js z(N#2&uoK+VvmgEh&-y82A_S6CU6E($>q{jjCqT!<$0qm zmxT7UiNeR7P$h*N{3&kJpM1psV6+Tig9YKY0&~ zZnd>H+uMQ@q+xFROsI5!<`PwC0fPziERD(thm+JkqZ}OxP`89StOqKXP9>w z=yrW`=Z*eqIUj)D|H}R`r>@X~KfB>~&D?}>!%puUat+R{i4|sKZJRqsY0~Z4a}|Bb z6V(4yLCifpatXg;DcFV6uwJ!uDS=tVYiJj49%NS<^+Wp|rs2C}qe0H_M65-^1*-!5 zxDoriFf<^IboSf=;wcr#@$Ed(ZzkK>O_P1swwh+!Q@%c7-sxS+dIrqxGsOp|CKw-(>U*-4?ScA73|u#ptaJYwG7pVnj4|^<_Cu{eP64hq(J;)8HzJrh$UxZWhkj158=D!O+6RWi3JcSkd zMot$OE3U4r2QdLe)t$=P)!I=l9^`QoN|q5g3GAA*TnzGSiVHlWt@fl!@m#UqBZ~5M ziWHW3>7VqfTUz7i*%c-6A{^M%^1d-LN>LHDXx4Vr?J{}@N|qE&9l%MuhjuKzCGiu zPjJDoSb$WCmelygn#iI2vR3T|m7pXni{w@bOUf z>iB9Whh>hV5U+Zz1h_IL7ZRXXsNal zk%0b2Y)IjSj_ibOzSeQ9yegLP)s!RULvY#$dQB;NYrBblWyPreW>|mSLAJ%Yq(5K zC^H4x(+Iqon0?=I3bJcN!CWZs_cPRt;VKH#DKor&+?TDZ1t@bG-zR_Qt$$LxR~2*! 
zo9{Lkv68qU6d2J;SuSjZUDc9H`>tOU?L&c3@u&)7o=mQco?vX+LBTHt0$jJpen%?} zG?Z4GaDiX_b!8N=f@DzKfwsr1sNO`%rq8j%QP>yEQ@)J%R_`V`jz8$}Su+07ktkqk z*}+zVx>~)a$^hXWr-}nb|49vz*{t`bs*#Z*2ZDXTiE?44%t>NNQk>Ts7k`n9Eaji& zBllY3&-ZEcmivhB1TLfG%Z04ygQ~~7hqm*MjEdS?zTPsB@B&5bIA;-axooGBgD}&1 zSnXLW4=AAEY{`s!X7Nt)v1$Rd9M#SUSaLR0?Xkyd&cbA}ql*Jxbuhh}1~i6(+%cU$ zag;yD@KNt@ef~Smj8-Z{@ms(yDXiNpE3Se<#Z!#QPUKpj^jZq>B3N}#lMV9aM)KO7 zB)p+Q8~V;J^TR%&iZ6MLlaA>Ai!%2zW<;5fCDocWZA=;?O467b$<`0qskE>a`oz#1 zrmK-X(Wycrf=9(7hM3g7HTFAo)0R@+kq}AXI#d9bz8!rqsw8WS-sq{N9iQ!hVvOo< z?zNSaG=8f}ViN4-U&GBmKskSNRO8r00c`J`2J-+90}8Ik#j*|&GjR_2{c^?>21>c6 z({bR+RK%cr6tJtF->nPd3}(jx@`$EHV9bU1Rm!SGtcdzy)P;Olf%^Z6{x!-HROpUE zbs6SSle$n+aBjPgJR|Igr$=K?c9dXy^BZTcxT7o|$#yG~gJb8{>_($+l29{2DIOUT zLHpz~{MpVZ7|RxWL|pHg-Qt*?-mQ%7crPrTahd3FsbTO80aUMYBo3x zVVZgY@M-O>4z0y&v4(I{=^Ar1*Lr!UsyLNS{h!syVq-RQJ;5F$NyN$^bXO7{f#L(a z-&W6P#c}zB;o~kLBbhpEIng^Z z9Ykl!Cp8Xo*ZhPBKYsGebJ#_;f(06tCzF9_DmDE})!30)L1OM9O-`i$>y@r(+0!4s zV5%OQ`?p%~X=f;2uO*R#$iCT(<7O;x7?3Y$EL8$FP#gs8=2EqrozJwunAbbc826to z`+9Jo2w)H_b50sn@Gt-8&SGu#5ep^RNa^eBLxjhzvRz-dkcAA2jR$b|9GaF3f5j4V z)23-i6#OnK@!aqh)Wfq13AVrfz=?j?9C0Lh%;@0+KE2SB`E0M_(9-loyy`#)m+3Ob zB6pn%wGXU<5fk$w?3qT%mvL1V7yVc>y4qKae9B+OJI*h}rdipO2lYxqU(&3WehUZo ziPq0z2_BI#)!o;#3^sBM4|{@q$Eu$##+vhngCiYUxHgneO16vI)tnfy4>TXGCaB!i zEgAgUl8ot$Q($X*(PODs_Gvj^j{cVwUb&U~y}OQt52@Gxcy0jng7ev!I9F}0QV3bD3k3SIUGPT z5cvU+e829jZvJWHe7G8Ar31WKT%Mz3fh-d)h5?(|^ABcW*$ymT3#IY7m}{T)j{#uN zl!_m{S2O3k3EoJPiGF{&Cc(TjZNpTx&o=l=zMI*$OQ3=z z8umT!;58j2MJD{u=d~AQ%Pc0K8E4_j@Q4!e&<8A3z5Zg=6HM(PNu=4{(#5O7@oZnm ze~3)hp0gEj9xkBRBh?wcBs5FeLAqBrdZ0~UBfQrTP+-QLU}wO-nTTS_Lo_b(RA41M zQ5-DUmwWB=G-UN1{K~Rv&1};$$%!VgE&k@0t>h2Oqd*nm9d5kKve}Qy9U@t_UhJ63 zkd;dKdUTsP#!hjL|6u{7S*=u(9C8i@y$>%Xr?KH`$b{tT^p~I)&sp#r5IZ6_e=O@x z(jot)b1(%J^jUfA_)vckRpo>6;C0iJ~wQiTfsCCTiJG8E2-IBx1qETcM@#LYgJ7LU3@SW2>4?@&vaH71!5}vdu7mFYT20 zdcnHD<9c)xB=>z!vJLOL@;jFb?%zZDPcjKd`F9F{UjxZ=$)=KE;e;_sCF9+VGN2e_ zdhB4~k+@pYQ@boAZ|(6Fxm%kN4?J^^P>z);n_$c1{`#`hRX?MmGYe;W>mcu}FHTSp 
zDT+`06Fl(7$4I9{UQIcG5f9!5o3I+YpD;rq;W+C*u@>`}pSorw>%8|=md zmn5}t#)Y`B5=vq>trgHN4^%thg-V6fc3VW|x~wT5X>`0x$oiiYP@ZMUa7=6b+R<~Z z?XWkk2GdaR*2Cbd5c2|{ZOOxJKx_ZF4uzqm$O0{fXSp!fbe25s?+y3!-Z38gjA`hk z%vv(iSeMMVek1&7Zhd3RCtWG>1;|17@n0j>qy8s)|2vrL5iq312T*+tDG?Em|$bl`0E|W`9X^P$ITcmg`Nl z>Wu4-xRlALEw(L#l6JRY&!JL2bcR5EK{NR~`{^6F%tuP1r1F-swyFr)BE0}LGIfzQ z3GP*z@2F(VcCK1lo`&=Fij4}Fu<{Ok!jomspM+5~xl2mG5Io<|ZA?|>)%a!7<5~ck zNRphTCsAObsdS2x^2SBh3##<#Bt{mfPkzh)KkwlGjv`i&55j{OGRRH>fgd~+f_`5L!`Ta4U&K}7Y@w7z)v(0|j=%!heCcg(Fr z>B5>_qRN@}Jt0>{NzC_!jS5FG-i=bc30ta;KNO(6LRpy>Y1I^F^TvwP`Q4Vc#BfbG znS|DQA6hU9y*HM=prg#5;)34Ta1|TL^L~!#(vxlTd>dDHgpeK_Xv4p1PL${UyXUcqEl335!PH zY=-ZLECs|q?+^o66VF`rbSjLky^^g?8?gNC1d@G;VLK>O_ussS;T)%c_XK8dR{Mo| zy6N*xr?)}182-la2{1k|w&icYtW>OEz#3CI(O-1e=hIPM`5m`zaO+#XA7;f|p{|AB zQFL!qCn>F+@EQ%*k{he8I|s>a7_K9&lwGFlNT$#=oeUShPd1GzckBjqPrD5W(G?*F zS|o}kJj#sM86>nGJeM+hBfX#UUYp9&d(8FT*jbLsmP)6cOdfXPaY)JfIw~Z!f{ZQK=?PjmnACJ zHhpluVsRXat{#Z|K8#9J;JRB}a_<@d8KDYZ#j7Kryvc?8&yJr`j&(mzO!3RwJgu-IG@ImOLJ+d<{ zf6V7GXwWIg_Y7J55#ACI_%9;Ca#521^{6?>!hmcZoI^p*5nin>m2W#)X0sQpj7Qx? 
zsOcsPPe_*ps^`0rYfuZ*bz^;!)N*!>6_=&mgVsOY^AT4{3Lk~ER)Gan)-hviQ#~l* zJP?1x8nS=j96$@!RVmrJPsHoqcH<*%Bo(;+C_ZOqG)WSe6QJ~9v`s4Z_Nyo>@syVi z-z4as`?|awMNC;K-mm+LI~*ZzwRvMFubL-VwsmsqcVMC98Nea3GqoT2{PZvqgWR^7jLZaR;IWxlXV;c*Z(v0#7y!F1<+O?++GBFW zWn|vQlLlL$&gC9AjTx6Ly>2y}<39M|UAz@!zwCDXLP>ITCpJQXkB()8pmwIvFquz* zduhjQQFV>EWotUAyLWPbt+(rZdZAVvrK(z@_c49mO3r<#h(N?Gr;l-k6#(1I{rHMfW2pp2zaIuK2L z6#&BCahsMG7n49G^O^6cb|ZQCBsG1y0b;-eDA+5v-`PRv|J8|kI5=&1|1Cs5c(AX| zC227~NHylrcL9<==}Cx}aoeBSgQMc3Z`Z^}D^=Es0y)*E3eh`x0_#Jwk`jwzJC6x} z=Olq_A00OLQCX1v6c<5)3C4fcZx5nh^w-~u+qsnR%~hQ3QD5I&pS6>5FycP%LB>f8 z#*i2{z5mpW5bF#27UMfVwC1uYHUmWo(-5yl<30|eP;&<)f9`cLwN5kmSAB{Q(l|;R zDef;xDMit@1Fgp}2A}M{TgDVUfYD|3GO(NzlU6<%muRKWx|Lkx0a?A2gG`NM&6Oy;fM07K{Wd-%&Mo<^;Qd_^O4&Y(Jov2dbL3W&L-@?m+Of z=lM@J=>M*2|L4M-G^%eFc;713(g@8s50(BddARt>|IJ8H;~yvR&)NK!zY@3?+Nh%Raj zLnxd`=hg5HG4y+!);wqQT^HrzC-jMx_psPQBdv(-s#Nyv288aC$0}qVjNG<9jF8T6 zm%eQ?>2_=mp|ktM8|HYVit68c&DW)Echk(r>SJIok(5B;*t;bnA=c-YoMQnwBn4+t2jp-~-H@~;ygEv#=Q zQlU$cJpV%D0LPL3^}l@&{oe$wS$vqi<{;3jjA7P@ElZ{XG5TKgA%C2^H{FG3jj$wipgotmSQ?7S z_zRYwa#Cm-Z9WgJq218NzfVYG8UxrICivRoC>_XY&?vyBlN(o+@}M%opux;EG+X$t zj>&#uq{3UvW3TXJX3pboBXnk#HjNcKF&4M~j6#Lrio%u}G;c!|D?Hy}n$4g;`>5Iy zjvO#KJtnCQi3UmrVW_u#84*@^%!MNYZ+gss3sFam*pue>!+<59R{LwV7^na_v&Ay% zPB19IUZ0w7v#=4Bxv@6i6)UHaoUW$r180LD&@af)ScN!jj6{s=P|@T)Q;*YCtF1`( zIn71WPf~QJ(Ix^nH@8OqU`4$WP>D|}F(VW@hkc8Rx--|*3SX~S(nKZ_bY;5m2`wi3 zuca7C??gJ`AWDObNgKta|bHe?186FHHrq6%D2Bk^1w(Tz8wij@vm@n231e~iu9 zalZ~*jxdI`l8?LY^OoCcjMXu^PibI!H=Y#zsk7JAFTSoI`-L|=;;vVsKZ2!Ukiu_1 zl3EKXBrlic|0EF0Q5LS^{XCPlg_6P&@Zuu`G#yK26gtBG)gFX5HQWE+8|S~XITeI* zfXv_OEA4l5VTM6AMcz>8a3FM}ySX5q#^WGTXwW;WbR_isM@3tYWtv1aJxC9V2{msk zcoYB$3)>s8CO-p&rG?XGq$$Q9ss|iqTMZMq&WG)xPB1AQ@N4jzql+Wl)-RndZ(Wo~ z-7sLQWHTg6duG8p(|#cfcHt>nb?8SNN%Blq+UCWiu)+>fc=|h3PSXwGgOFhZ7o8Ly z46u%}LC=JwuzHTFV7gyqRnOrsj-Cg+`c|N@ZZJhPItv_5>M&6cG+^MM3c)Zm!YH@_0wa`JANMZ>XgK*<96|Tr2-UgNTrY#0ifM%|D z`5#q`pb0>U_)cRzdQM0$O?n=D9}|jlQ>*rC?C*FsM-j6DZI_z9cD17ADNn)i@j_mF 
zI(63v@Ue8|yGyldMVYo!h4mO`_WMga;P&{e8lCKe{_jJ{ePGe|-vXB_iMa(&w3xKNs_?gR;t)g@lC`|uyQUI zvJwr0-_mI3{lRVE=2~yZ85MO@v4@OY74yr2I^1BAwx6zhN5s{0w_TI&5nEAcDkB0{ zyJ3pFA;T(mcV3uHxJ}Ulas_tDX#N0)IyOYDIFlpe-LRcsjZAPA)}yJS-NoTSmDUfX ze%B_7Em|=>t273wp~M?%_Q@mxqmPg}t^)6q2pjeC+;o=XZup79vQf&|GAsWQCbFbD zdktpRkyQa<9a>X+EMWvJisBu9v!4OLJM>do=|q?5-`m7gIw0`hf?`TenM=0i{IbK2 zXtF5N53IKiC#EGEJp?8@rNK~wBgdVFC>R}donDv> zfEg|9p0&92?y^C-YZQlCkgbZ~0(p4-FVQ1{nEQS%T0YtfEGnP@IRv2#=ACIjxCgg3 z?W91ykXU>_{waiofGrhYipgHQ#W|VOT2$uP&+w-2vR{4=EyZsh^ROsd+RPVg>-!X^ zG0mj0wb2!0p&_S$G`B+)z0-{~+{u)6HwbH-GZf=mQS!Flxcn;L=XBc+*EAj_9z-gG zLa7qlEWfc>MKS2Qr~&LG2FL!2xu^;zV7?LgSBE~kVfteJ*E$pgE0SbWjNBN*!db1c zvH)@)l9U%w$2>}?SG;Cm{kYtYmuQkCVZv*XVU_0LkoICMFA4OpmgZ}5TYVlHSw`7U z%K?QzxG~my9Z_Rg>AuC;GH7+)G^9+0e-xgQ2GirmW7gIN!I}3IwI)x4w)rx-STjT( z@5^wla^+ZZgJY4O9&)RFyE^D80y|#fb38IEg+h{EK!Gd!ip}W6HnTp9GGwK;d@fho zZYh}v@?nIDGHxQ#faLIH$M(oO-*7RHgD#xm5lIDJgZdw;Y)&9Gd@gI#Uwx@54hemWZwg$hF>UT^GWgI039+* zTV_?0N{yd#>chX#eK1!O{clAT8ZN?#BuPwLxC+1e(LwvJ+NQ`@4fqJcK0iK->-|v< zu-K~*Sv}lNl9aBK?i)}Q(?8=M$npR5FaZCa4Z97F&rK0kim5yh@@)MbzdcNHKQc^P zx}?-GXAg%9&Qt>}rmfqK;f$r?klXg2NZ%SMS^J2~qH7Uy3MPU>7eco+5OffP=@)Ml zpFq&4#uF8WdnfJ8obZm{U_n=XP;>OkyRkxJ+SyoP8xb8L&AYBalM;H zlcTj)Aq5>@e#e!wK4&>|W(#fR>0#WN*TM_)HIc-vM|)~iB+}O|F1Yn&Re?#%ryDbH zUmBetm{$zef#6_GqU^8r*Q@*ky7>D%neYF%mZ}&L=9VNu>WsHt>vzRt3NlKOgBk`% zmpncni{*`XqJYr=i*m~a1Cwt*K^C1mh zK6ue$>L88rNG!7@|8VL+T$ajOt!|ex!%V~go53>#XlyfmT7@hp6lz0T*-y<7_&zHx z3yn}u5REEwo9r`G$JOd()eV9>?Dt)uPU zmNHn4SKX%H;>vug(FMsL?Umz(?+V&d{mFzpO--@x%Dw3|B)j{zJ=7 zLe(yywh-_J94LMA@N0(ugmim$avJ=zN}_dY|KsC24VaPO&?%pA_8l`V_Wg%j!7)sY zu?T>)=m6x3bWTsRpuh^*MJlj`ng}3?1-(Q7Wd6roBJbRE1J1wH`yQ|o=SFM zn5uviD-}SwCUP(8Go@L?@F#rsd&tXZ`~2rRCu@0msr=vQhm69MtUC#P{OG85Viw8! 
zqqx_5i{T@&DzcS>_DX}AFu}rDnNJN+}m(VC^Ii|fc zP;B~**rsG{CtES?(-1}2cU^*!ACBYINTZaOY1={3s)mq})>zVv~f5fwk_eC}UZj41JrUPwIXA z!_jEc@2L)z6YytQD7*1gEyDydVU#0w`()NnkkK@tHexjWGvhUk8V7)n-rHD(vGuFa z>Ty-(BmuWU+DOH>$Ds%vgLT)%g6bhM%P5dn?W@YwFe+l;zUPE^uUqmP^S~+Q0$4f} zPII4;O9W&*EZ)zjo(U?VuZ6$a&h1E6JXTK=a8v{sj_-Vqs}hCo*WC141Ua0OlsU)e zhHqvk={EYmn$VH?T?BY?iJCh6dRlh4Ur!8uXUNt=?DsmpIQ)Fxkt6gn z)Hh6nZ<6Wv=W*X?&=Rn}RLS?4I`sTl}rVx-l&XOwHP^tuCeiqDC1JnGf>Q}@hp7CZ}h9~Uae#ZAta8L4lK?w*Pmz4a18eqHr_&63w&3t0a6I)?ADoHvfyfs@fz%DjuSnwrbA@OI+M< zrU?C+RE(BvR^nq3rW00ooIxh9zIUPqv;T3xG+DYYeyEu@(lRnKTIXzYvTaT0Qywg8 zgEX>&jW!RbyxyV2`p}eXRU)UWlefF=Pwd4A zp1;|LYx};SN4GRgj9n)&Oj>&0Z4&v8c`QoDs<;scHc!XIe?E$sy;tb6AE#^;{KXrz zC4NWZxnZ_okR?l1tyW5@RpJsq^a;p5#OZ-Zp5YrzdnfTv2jdxM_eSDFfc-JkmyqCcaEc&pS_G6=L{kRRBf z4(kGkgl!xZ@bC{8i0{RGRNsm)Xhg|$s)+owxW|RmoMqFh4elNafCHC>*}WaJZhZPX zx9!qNvBzl^ET62?bH0_&!++C-)#?@|_pG~4ERw0N zWUaf4?uA!kzzlf3s81%;BNM}TdMj-ae0&Z`Wv1a_qKLjr@snq+#Cza|3ns_%sLIB5O*NrC zqkq=_)9&C2?B;jp(_O~t8%u#_cYJok-r7l}6|hpHBJu%jf()ARoOo-oj)tM0ovhwy zOS`33No0eh0z}N#s+Myd)`rk7z;?G)t&U;V?mgRRH;flX_rI4=;oeqRupmL(MVV8u zmdj7o7o+Y?GAQEG-+@E_E9q2uH-zuFU%w%?__5)`e)2cZc-qp1@%Plw=0@!lBP}^0 zoyH^|qr+(9^#jCiesC67lVj*S)UL=tCm$=;*2jC7ocqZyf$;S*0e7saKjH7TwSsLb zsugLe0*LFI7~e#%|K~gV;H*l*vkuQ%{)<3(uCk30-VOJ}!v*G?EAL0`(RqW-ZzrXl z@Sht{LoC)TenznaOb!nkqp432v-?*IjgqvYWPL`C!JM6!ZO={L#SiP|Hg$ltHPmK| zf$O&B=UBGyS&!}Td)7+(4~J8qQ`TR+tOE{<9^EHsn9BE&ZvBOmINOV{ADFF9I(d`^ z$OhoH`6jj+SDiR34Vr5970JA|VE0<~v#(nU)n;xyX}{P4j$~)MnKJyTlrn%VGT?qS zoag{UY~g>t?x|F5EIi)seH~Fhwv>iUxB$;5v1{o~;aK!dA9{@cj{Us|cF+a89(lW& zRT*~2wVDsaRQ&~?KSf%p|<=<6Y94#2>JR^ej&JHsJ7cjf39$EVf6p4hTx=fef zxT8n>xvtVdVaN@1y0i<~FwtU@b=hxLw|J?Ilv*}QxvJc*sNU_*#qZl?j5I5jPQg2W z&u02)O_)_>aD-}_#;2@2n^k)@VHSFiSD6hqm6%YB3?Z!z>8?NIk2eLYA+N$0kc1X~ zkI)}6xGTGU^QH!OnUCbsT{oJPD{e0)JQ=e9eY9U6G%8}OPYA*N$*k{0De)QLxZ`_j z(W;@7S~CV+00rTA)O+uMpwZ9Ir#fw`^?_<2gjZFvb#TyyyRs+zcC7GIDgRk>Ui=_H z`P@{3Vvvma99LR-EJJwf4)P;q9tv3aHZwm5Z2N?xfbrZ$E1S{*zBK&}f`^%7ryeV( 
z)kJ1o*caB--p@@NBV(y*8x#Hq{i96t?{9|Two^NfzU*P6>{nsR)-cLuwH>7WZ7g|ECiXLF+ zE|4{;kkf0K_6`J@)tiZ=@3nzPaDpc}*kC~BhR)ut(dRwUtDSHV4^*uWIEi~61xgla zOW(j*e&#dBu*cg6XJW|R)G)hTNFA_>GED??Ey!zl-5Be5Vm_Qb#GOvfJ2s0oCy7pt zTmo+}roaMH$OG_%MTVZ1_he6sW&&@ilN){;mb5^MzPD2f&LjP(;C=!IV(uAxY73-= z`v(N(Q));Dhtfu)xyAzFgHtGXl=_$-kP8pVqZMd zLJ0$l5tDiwejg?zKhIgajFLdm?PCM1m31>ZiOcjdJF?R;);Z>6>jy0~gTM(TCye5B>{ zn#$D$55cjy{F0h2u$ojw+7F{z_uxj-?-QSMF+=5_1r$D;wL$OQLsMj0N2lQcLVkSH ze%o2+s{6?j!_K^ij#p{v$Q$4|j?gNOIXDJg9A)HnoBLULoUSmp(`g-#TG+gZo+T)Z zHLg11BjM;cuF9PCbQRg84}T)H#snF*?BfxI2K+$ic zY8Njq8B>1bVsg0Vx=L~(JJ}MCdYeQM3mIwwIj#vn2BwEqy1Bklb_#fjTrY(Q&DjJn zE9S4rn|tccRgNP@Lz31hnju3lAL%ekm#rXP-9`k4u&GKg$Mn2C1Rl^>Gh64!iZ(}a zqLkueeXB%Pd;vKOrTEV)6s3ngr#d<~hFQZ*p^gjc?q!n%B8027m-LB*vuuQkt!8yN zh0v`4;2%8~OU>$fu&)#&k-S(^5$0WMC8liq+`-Vob1F_jlKW6cQCr;OTI5Sh;8NGE zwbF~ndO7-B-{3bVwcOadm02wEdVIA@`;mFv_mei7k4_(-s@Rs*1Q=qFNb0y@lRrkhweMEd^Nu$N_y=wDzE^MR| zm;UJtybFic)!w!BygpIJZq#|I+-bJb)C{}jY8#tB2@IG&^MC3D^U9JMY+USrY9gpEb*?tn6XeD6z!#aiMxNA}vN=*64wPyu_0XK%deBZsriZ!5QHVhs zyH0-H7hwYdgBCS=ze~SeZ<{Fy`498mz#|09oA(?&8Lr3bE=UhL3{CwvL7rn*KX(>7 zWqn6PXGH+dmBoKXzuKQXpQX78-p=tIUTX4k`ceJ9ow`z2&&WmeH0O@;_9%kX(I&-p zsoF+8;t_~A&AmSEV-zXX-J~)L7(iToLfnXK&D-UQ-rpWNG<)w_LYpq60!J1U{D5Pl z8w?%oZNruFd$AsVYmO^a^k1$|?fHap&bjt%_tX}>^Re_x+K$xfOa2hVlzQ+oL(o((kzmJ`@~#?P}>PbQtj`10ywQ*k}vAes)T zgKG{(5iH{%D5H9#$!C%~dRM{TI&<{wJU2~OlJFN7VdNAAwd)fGdxEed3N49FI?o-8 z)u6Ne2{;ig=-d2jPy@z8a`Z5_I-)EUt{b@DR07<1S%*E#4L_lSc5VzXifcA4P79Nv zw=G^{*jyNWbb)1(z&(Z61!$;&)b>D(x|Za(7xKA~6xJ%I#gc*YcL=2^rQSp=RuzZ{ z_~xRHWhLk|-k{xUTmSgs{!-|cv9ev}xydMkSpxkc2*@&v)Uc|`NttF)lYZ9*+Ljf@v4bx9EdX*Ic$c2|yAo z7gN7{xVk$Xn`fhBMfhz27`axp4h^~*Mz}m427Tq@gII>&bdlPHhVv2m)k2vbe+;Gh z@PtPny&DMbqgOMx7OQeKxBHNhJtn*VSI32kxr?VtNEI~C2p+DoC{-en>tEu9wWS~m z6XfylKOx|T^fMYy5;j-EZU8^0!*#>5r&Fg4JouL0_P}SRKIqCL`k+Dl9<(%(?Y*Y9 zweooV?)4#m`<*32hENZk&)=k97v~WB|OmWbu^Tz@-eEc>3W-VX3U^Emm`j`;!T%Ocq@?T z{JFL74rvzl*zx*k6_{(nh05_l>lH248}#FT1FL|dR`@{AjnSZQ{I-WGFDurD6EUs# 
zj^IG`B_bmx>~`PEQTMlC>|6J*p|>L?dBKi+?fWM&KSH5J^0^_a*b(WuXh6?&v?P#6 z?$Asnf6`xATD^Vv}`_xf%r;;u@c^4A=7#m?Ol&d`Uh zWHzciUiala=`iV;gp(RimE?Ftjo2%;pR_?9+>&#)w$-Gz^K3311v_r&nY?z5+WiDK zPSp8R@>fKA{`y^aN9Q?#mK;>1dx1Sld&?m>@ZeR3)f@limUfMbT-mPl8pzkfLQGN_ zGM-apMf*3=%|PHT394-OIvX;Ruv@xZL~rMX$bvq%^7Am=cZuV*SuMLi2JIB!j?87>JLI@`MfeZWDUSULMSjWwTt~{Mcyjh0i_sb6NF$doFL$ zLJb57{Av?E%KG;iCJR^T3B~faMV`}2-RhX;cezCY#@!)0ac}$ID@5wNb*VWG86S)7OK@*x6mS02+2&6?z*bHs)uK6su4 z^fwcUAyMN)`!Ahlc4RxKFRAyS;W&nsa#MS;%9ms{W-}&KNqIQp(!R~3mX%o$bJ<4H zA08GQDW_;AS-v*MS&}x~Td!%7bS-*_RTn)9zeeCr1-u#B^;C=KUYR>-(B6n;H1b5p zp5pREJR4^=j>5JPQG7Q-h;Wu7n8P*f?Mo>9kN?^=$D7nP-F)|4;Thk>PrT?Ke!Atg zBeFODWpA*+3ZEkX6!ls3qn~MGyj21_s!I^$ef?IlSX7neGSyExXdQO+D$hFg<%NO{ zUZfSLK!g?1sL$7&-{SBfbqQhM;#p5EZL6W5z-`XC2;^&68}gb3`BE|b#6GQ-vSDdXE#)@`&ko&@U+>`8D234 z?hD$=J+}&N?Q@6@&t_4?dLODU(oN_V76nK6gU`penH<9kJP%o#@fxvv~hxNb~(4s zrnJP%H*O_NO|Sao9~?#kfCT>Gtt=Nx!3mRYzj^y)Yx8mRZPf^4o5-a?zUG}*jND7) z5F{hI%4M6`TaM7u`khf(WWbWEHK;Zd2Pi-Nu`(BJ5~dU*Zf997Pou2tE} z5P#pzfy+Q`W`K6dgI#X$!hW6JW3td6gQ60Cnpzr=4xImlI!QKYm<0RVggp!Oh7?Dv zuo-Rs?qaE0l-yI3$qQ0e-$fs#|6?$d;kf63FcR%a=uS0+sq^#zCBdNzD+D&kFr|9&*nbU!O5KTLm<-< zu@v)ML_R5kUX8E`z(f{=!j)*9$9vM&<;e7b3d(dASk{Xn-25^MtLUpOBWH%QNWhg zn7YCa%SSz#JL)8xuk!svu5zPaB?6W&(5^yunnZuai)3XwJsGNqboyNX$D(DfI((mm z<4-w7QF9*@QF~NZG;HeD>eD*US}gm}=&%Ud{QPoB{P;U$+5cTwQPXz~Iw)btj_B^P zbPy=@30|K%%@to4>QN-rnU%^c=)W-gD*9Ci%vC=%AR}=K4fE^2C}G83yrojJG^zyp+LkBkxBk{#*K(CJ`Tu$0MaA_*=Vt*BEfPoDB9~ zi1Yiyf@sEiesc$SnDr{BO%!RLdW01rRxTKIeYDAT*8aJrV|_X0S46zsSn$eCQZPF_ zdRwje#1-Bg1w(*^JVeCFAn8v%_+#c$VhPsARL1eI%BvyPjK?-aH2j&8Vk_T$KfHs= z&OSSHcQGfD9)N`GEBm6)E}A5Jyt&LtR}8&(D`4nHT+v*`-`4`e4j8AzOesC`kJl9~ zFF(e_$zMhbhi~1!?S**e>y&7n$eww2-sb_eLsj=*vAc#mTtC)U>AlNL`_3CSn^&43 zgh(k7T%0Ah)iacJ=-?aIn2ep~nhnk94#RKONKrkt7%b|6N>A1gZO{y2X8W9tRreCx z=wV)zMvq}1Smybs9v^>W=f#Wd=0z7^g3$a*#P8bjchFG4`NEJNyQ9pjkz4$+WjGcq z#wWT3@3T)IfWj4KEBCtSzTfT>5^iykxQM1J(=#TW;FWAiH0v zS2za`CT21nYW>?yrE&g7t=-Y2`yBZc$C%t 
zbne5B1S#m9+9Ra4Hh?GHG~kP-4vkpqtEvu0>m(tsc^jiWTie2TF(Nav&jK+Y28knK zpye0R6%a`dJY6f_yV8o$IGM&gnQI2&>)Zh`-ubHfd=XfN*E8$9uKDOHJ(p_&My4pCtIm9`=T3Szs@ZLm&Pj^5Xq`ud*fE zhWKD}={$`(Gz3-L-Y)Y=nHMdWWuP=ZvE4l}HxK!}iDEEx@H1J5H9ZJZMiJd1X8~o(tS}w-lQ=+{>*l5xaKT zu8BB$N+l5FoA=Aj$g+kOyh35zzi*i697=!?icqm3M4Q(hSIL|?HR$Uh*Qua)|G27@ zr`Qp8m+y)d=|G}DI1A-J{OLrfH)o3he~ziNmjry10VGLgeO@{9>FHHfj5DVPE>$8c z!}_7#t@k(QbzG0g~s}O_W6(gF=a4nVcUK}48j3dWZM?o zFO~Q3p&?+i`2rB!r+#0xO#gS%U zJ3sEd0w$ct0um9NxFh6%M9q+`m?8d#-8u3GSH1hl+iK}aT`<1z<- z5lu=s<~HYx$k98w>kod6QLb2~$Kj*#Ku2VILgi4SSv!3<)f!VoO~x_2sK9L{cPn2h4E#mU6iQK8l@eomDZ0g0^ zVU&A?xb+zLdEC!RI^^4Fd@I}W_a>Urqmjvn`wcBN#}#gR+`=N*W212HY%>JcKT7LDqT8t%g0Gm>bmYd`K7^&CWkTqr zj<9&eWN)M?!SgXpJgs&k2{r1!s3i4QwwMDjQ^n=q!!x5-$(%wp~Mxm}9AA zQF)&2ogS=sy{ur_2j4;Z94jzy%;mBZzog~ne3Rv&-H0hOC* zuU46hX<#xFZ!CpO^kA%S1W>X~5usEd4}n^o?weAZQOV2nQK{=c9$P&V^H2ssjRaaK zLmD?G1?_~u-h`EAId?0DfSAcFHvp{l!lkUgk-1+P-v!uvQ`q!R@lDvAWDyrfoQ3Z4 zNTmk$R8?cx?dqmRMFkO-^K(Zt97#e=XU($FE49b0?LBml{1gJoodftB?qO5eY({f7 zg2*zqr4g>Ke9C-BL!fk1ShOrbSE zcmJvxZn^^)qG#K%h$zOt73U6qY5R#ZE$Nj(-q!;ZD3R+Rn<3!I#W{nwku$q z1tve${%46=cMn{ok)+08>Frox-*Ie|>FA~YinX7bAU*a~$fI#d;R?u(vSRes;UC5A zlUxlYXI1_N2d(7rs8NT+%T5WiZ4lsTjHHH&jBWKQIr&np5kH}u=+xVX7`1zG(w2eF znfoi-vrV9#RNAj%d}OdV6}E9qW*Vdi)G(FD@zC+_C(#*38B?X@b%%7T_ff?ctxVc) zL!@>xILIJQMEt%jCxb)S@VF#+EZ*D`cZN%J-2JiNJqfY^ZJuH-fzIUt6w|}Q>4B&= zjg1HrxybKZkVQA~XvScDeSVPa2Pra$sHD@(twjfE6j0n@?S(*}@WH+z@YFq_cqeC2 zc{)c$mc!1qajq^PkxtjCO$ADOx=Ix{ShCkETJ;w8mGu(##WU|OKll&a&Df-^$@A71 z>9a}N%7J`I2B9K8bG3&MD+;t|6m47WStSg}`jE!xXLFD}gwh?LcgWz!T+x_9)9N34KsY(6L^(U9UOlAO{`q)th=2Z;_X?|( zl};o`#iiP#pMaw0PM@Ns&zg^VZuff=qpv*TWnty zi3Ka)i?rme+}+K(QQ&6<->*3g?hGK4K6cBgn}rmq_Nl+>bi-L4tZqUzI~@#>8L^;6dyw7#v2?+N| z8KoJ-z&xsqN_-tb#JJy>aR8Q3PP4uG#x@ajAj0d4C&H@LFyxE$I2bH)N{Rh7Ufnzl zDnf^8_jS9&hW3cp&{u}1$e?JJlUZb2*d5GOsP0sUt>^8(!kHSz$i3=lpGzLRkh1RPWPO}WB?jOSM1>WB&L?j)?- zYr)y>ggp5ZL_QQPU{Id}B7k|kU-O=!G9@`b?#_Mk^~{f^k?t>E)ODp(SdJFre~Ksw z>4%1@xmYs{t~ZYrQ{xVI{(lxgF2Bo*@Nmr^x$8P6Pe>L6BG>#pynnywEipc*1icKv 
zau4<~7&0h`OgP~k!&t?49nqiO4s#@lbmM{rKp0ONP12_^sHjfV+b$7YRrq+k@TiXc&#|yf@IlT^F!ebMh7G}5s;H&Zjl$IVT5+wyJFG6Z`P42)BhT7@ zft=Gn{^JMwz^bIsV4Bi%hkpJ3eWB7rRz-U~ti}Hwh9>6wzbh=#lH_w3jYtv^oGuSy z%UL1N7e{xq2hZ)+gcboILsL4%Kr{@?9Co;1xUXCXn0~!TvtlIMAtE-l#{)l>=ZUq7 z|9ZSQ0f=0OWE=D`Cm_{boL^*}$#*WRo0pzo}e+v;w_t+Yeu z!GJbk-b0DOE{OG$Xc&?z7`>fumj9N{cYxh?(WSwv4)Lipk@?@@u2$S{TXZ#Kd#{`p z7ORp_B@&c}FooAS$t`NW)_>`;@eq~%iA+JI*$XSlr~!)KF3-$}9~ql>k)9r3yc8m@ zk1b#~in}`Mf40)##^~1UF7mn~IO)xUt4|PbJN=A-xWp_>!2tt3%)KS9`#eeKFaImY#zZ~Oi5uM!fgX-nXJ1efekbwm+MPa|xKB{HOZzBx=$ zu2^*rF__F88XrATGG4Uw#yMn;K2AtnSuN~~R`Wu5=5cXAYG}SAd*He z@-de{9-d*|C!DtfYX5zlYagGNh5hK#PQxO#HLA`=d5c%s)KAY%7y8$|xQ!}u@UZdT zC8?vdwbm@{!VC}{N4(clTzUm5tjT-X36(yp)W*^7-ArOo6|H(lq$SPt0vFwb=&MXB z*AP=9H(_QAZG_n*ku15j&$U^5+TsDi&y&tygEY zR;)JVW6(f6baiVMT!Nb)z@EeQ7r$V#lFU8(_w*2mFQHk;Se-PIf-S(96XpZjob)kC z=gI?=eQ%QYj9=|w{8L`F;|mbM?mWE{es2CT_`S`beO0dqNhgVx4+MeOOgx^=Ty7- z5H45h<1#M_Is{)wKLXP4Z@aBMluyqsi!|Sue?{PQRndBHIaQ>%_=@d$nJPuS+>yj= z%EFS|8qO?ad#UrskMmudIFXPN@<)1{u-#jltA$V!sbc&{7(Z(x7)fPXxkwv^7cQMA zfifTe?;3uYI`!NsmS5|RX*Z-wI$e7|;HNj!-6#wtlq2P1duf}VPGjzp- zuZwkr2CfRJ=pPB3Sucf(vJxUFc?~nDJ!{b{wn{6$m9w>qqVI;SQenJz0g$KmIW+Fg z!A_r5(z$|JYZI)lq&mgJR~Pa354R;5BqvWOI&-LG-S8qCpuY-!_5k{@26a%xIn0@? 
zz7yirS`WN8#3n~kD-MF;^!G4W@(558EFS7(4X&ZGmdLg4UByTy{fUM06K-W8lByUN zq|`xUyXi)i!N=j)&JkK=W>|ykrevynoV=vcUF3KwAy;`I6$xjVlYUlbf~&^1qx<{> zn@;^)@D>ofquzcpcx*dVUSC}w>YkB}ACkTlh({DTr6S5*{v1D5hvd0RbgiM>+$zKy zE-K3H04jVp^Gg+jW8N z!Z_pTdx8|}ga1kc>qccM-;ksSYqKCX$3$?(pwy zI}TEidGQAKCp=Op6gt}yIyEf6`dq4~XF(LoDq5jyL!-c+%{3!jCY!jyD+{(?Px%oy zV=(zQ>a79UFbma_J<8WL@Tja(#{j=K1Y>p|plVn@zQ&3SzVru10> zKgV3HBqY@nb%%RAtg=i;Rm%W}?8%vFHE zs-gC=kkb?yJ(RncvwAh(7{2@lh0_J|J!Fu3tsGeN$N*F=dHm)91LSCNU;;w{(c~%1 zh&MaB^jh)YsDBRh8YqZ-!R=G-lujZ=Nf^nB%@4BY=&bEy6n9yKI=@*OCPk4vc1A#w z{|<|D{!-r%#8W9~mSZ)xBUH!}ebS+bV8yRo^oAYOlfD5K0*sGCLw8SZ_A9{?`70*A zD@q=x|M+pp%kkO?Ws{MShNUMb|8=xtWm37etm2#kRD2)K2uu9?4|`pVJGvDE&3KU& ze0B>+uRO4lkJ*xE!nP_c-uC^ZX8hhg9+>D8Eh=oaN=kU3%IGNYd)r(mKfFQ z58@EaA39YGjCu~dMPRfGb5UKM%wZQQXXf}W_lQOBV{a#<)>MPtO11(U9Vgkc=y6u) z?F%FJ_1ncaQTQ9{Zz7uY+iO41zHsh*EK-m_S%CVg`Ugm#;jcAlWsB2)Rt_n5a*SCP z2I^eNyzcNh7giK2aj6+cW!8zl(eC4!xk@g|SJRf&j4m*b@gjnkibX+;>Ku`7ZEC4K zgz*yJaI}*Y8h1L$v0$n+x0Xk%(Ttz?{lWiG_z1dZIz&q=M7(K^79qlA^$U9zQzHTA zi3(S+`cYOa0kZWx_%0ZE|{raN!)u)+OxqV0@+#OCdUkA zxy66+7dm7?+qSanb@CrXf?A2jSYqM(>5?z<2yffj;^Nc5(`aput;rYC|Y*T-xyP#Br zms_tCH;5a}iWzQ#ZY;~!YS?G?$5mE?Bu8`2_;qm2AMXs1F5+is%DbFVggE;t3hR?+ zs$<%yhP-_(Bt3_b$>5)Er@@=`uLd*!$(ZgWYz z`Xk*`WN~QzYaO=S-;&(M=o`fBG{n6ql3u_(fA@uh75P~&<}{mqS=bRDp`sV2_!w0PAH(ajR@(14Yq~R z;xP)Chsw%}KwW5V4D50(_>vHIKhSn(J+`FAWIvf^cP`f0C45Jp5)s?Uw*p)d+j$|n zXEHkA`^GSLEPL`D7KAhKs`#k(q{$#TVcED?G467{f*peB5`3Y+_%}-znOV|Q&3u2v zFaPMQ>j83I8(!lL*!KP61jd^&Pv6=I-3CmoJURE8aix$wgD$FsxSht->$gaF=Hlp~-QLTweLesgRo z0KOr*h2cGHyD2qj#v5DR4&JA>Q$IXhGR4EVqs?^hPHWSFZjyAtywsfSNZgJ73?P*` zVOn1%=&H%~QWiudC!&6HGgIE3PE8gUa@lH-MzVP7luN0fc1nKK_+XZJy+2z~!Kz~_ zI!7LyQx=c7=@L{dRM|eX+H@E(6m7wcsVKSo9bM;fl1~wSPS>A|Gt8|z_KHtGDGKYlVDfq<)uU@mZ+E$tby$<#bJVAHh%6_aKEX%x=@g^{6i-!$ zDv{`U+f3^L@7}Qv{rS5)qc%2{pzRqVj{W?}B!LLk+SjIJ#nuo0?P+m_2y`f!fW$j* zF@aE_jR%j>5vGa}XWWM}G;y-vyJOA_B~t0Q?>4I*R(%-&(E%%~cV(5? 
z={v8h-QQwkI+_3!q<>64r)oy{j8_4|D{#e%WFE~@$-f_9jk$*$H=1HZBjVe;iUi&L z0QW=Al59`UwfS;9$Kikw(A-zryT9{Tat}MKHJvynzF?#I(c;ZYt$VXgfE}8c z<=?+QKs8QjMNxCCd7G;oX+4>{{cmzKonYbO?KP&@jwnDYNSL;C5I*lgQE_k>sOLR6~wFiBL6;9QlT>c zfzGQwHK#jkFeBx2*<5BrlV2A7bXL|zq_|A_X@gc1kvKM~y9Lr<#wKo}+-u3h`=pe} zNw34(l#U11J<&aDqX!+BU8ln?X(W@#gyQJIw9@C34c8X5p$3)*0TK$*YSMqU^+)(& z!zAlcOmLvp*>}O3#`C6@N>HK!>hNN!^hG+3XCQn^o>{=I}b{T$D2zWRs%YESy$ zh0JL9{zPHm90Td;N)WQV@}Y}xEK5#$pKNA`w+Q@`^j<3QvYT`z>!Ngf%K7GIwi%3` zG?2_eE8SvzbI!G#AA{ z_d;{3abk}tsVkdhW*2&ckRt)nW|7{jrBGgtI66t+MSQrX`pv4*r6~Cc(1oi(J{$DD z-yQ^)`)F#u@Yqje2EgnxPOM~XtB2!2B#=B??Q|E-7$P7)K;t$G&C!I7)orWCGq7D` zk0G#AMff>n*!tAUnjHn)cBtxCFA317jci+_bez9&)^*g+doAIRcqjSXnwX{r*WE1V-2+9pZrT?$OpbhFg`pj(9llE9 z9p@6kom%Y8ryX0+7qAj3cwL%JpyiQ%F$piDo~^vc9l@l7Y4Tg%!XalRn#!mEx+s(w zx84$F_NqkBh7*y2FLvX(1X%Mks+nzM{M*;89VQ7J8#FovM8$WR^lSwJ{-c3IKIUrC zYig|{G&su3Fh?SVzKbJmUUFL+nkxW_`-sqNF7lk}zkaXNXUfan*GC#?{AJiIUdXXMBbtSo^c;#AS9+t1yQA2B^neyPnULyz}pz)%Kl-h0W^*L8pSPLO_v zz}Xvf)%EvfJDWh*DGh(B*GKSn=Q5C2ZW}=?UJDlORq$Id_bRK2JO;@A{cfv4gv

fR&Jg7k7-3mw$ZEH+hf6l}j)j8U@i}807N4nLW&j5mB zD4WsyyM%`A`sm02o*nqq&c&kJqn%hX6?;sMi}CL-Qak#yVMh~%eOTMbtvC%>th}qn z51g(snRV|0U3Z6UsVpuuYD_#7I9aP}=XR9i&${+i0z9AL-we)Hgc zW8yXnS!|H+BWOWhChS&7m3+x;2B^w9h)@D;BbHs*oqyYEi8=B-%;R& zAUdPxTFjUI+oWd5+bE{8#Tj3E5uk=B@fra~vj^alM!B;^yo@;7p$&6ias3cvCuC02 z)R;47)fX=e;LEKa<2;;M`N=f$9%33+7M@fE`zD_jH>9k;cc=d@KZnzCqnWa`V5h_t z=3cC9*X|K)AT}^F(b!%9SGiT?1#JvL@ zcj3_a;n#1S!fv!P;m13|xw?oIeV0Y7?GjGv%ld3V=u{=pXKo)Y+;t60>q}$XEmdd0 zTs7ZDDoi=-6#2w6V=`4s z%|lUBZge@prKFJ=@Q042`7a<@W-w8taFD7}x0CIjMxc*YkLjL>L}g2#I@79fw&R;O zhbt-ObgWXqyl28ps7IW{Y^3-Pi4K-uxmH`97$$Fi<4qrBk7C`~kn)OIG!RpFFgZA- zTTCt~A>=_spPfTW2Hzms4Cz|cW%qH6#_tAP^g%9vVC__sZ znvWB&XTrR;>^)4P@Q}_B4y+M%VWGUZ;$5NJpNzvvmEtCL)X&kl(Ti%FzxZ4vVRs>i z>oV7(jub?3x>o#7M~?1>nnDKoa%V)}FrKiSi@evSNL0QZ79KU9ZaGB-uKG{l(NzG^ z+{_hAuYm8Ceokvjeze|t&rzIA&K;rP)thPe$rkntp`;8IIIWu<1_YlrPMW}=g#)^0 ziek;2m(sevc6DfGK$Xisc!${pw@dLax`50TT*n)*6Y!?`66zGon9uB!6`5g=5l7Dc z{rh^9EJqOBe0>x0Qxp~TH)j3_Z5T4p3cTLX2Yl4Fn=lgt6+$O3*BG`Ad7rauEuiTNG0E7o~snj6{i_f&JYt9))h`++hH_r z%3cUP_jb#n`8M9V^gq)otM%XlIbSQ7bzXc%t+Cfb`6>YEQycvAH4~lFK5J9@vqhhH zR(;c8o8~)Wu1=$Y%9B-G#*BC|0#m#Vh?4|io8Q`TA4Q0;vDZjlGJSsF(e}@?3Y|iw zJ^&nIe833>r<;HrHZD1>Ma;!-fG>tTdAzvpP748X7gz=#%4R(<*jV2Uai@E<&RXz9OSu6?AOj&fxHjK-?osRT-D7cP(qPe1)X`Y;CauLq4>~d zt;M2{K=g*#v^NQrP|xsGkO}DA?%eSVO%Ge|brm&VZ-p}B=MitrVY^Je38fR_6_qKM zZ*MZSB5uP?manDN5%~%jHVTzSbU!Rn+`Z8dTXb*1S$6t$ONnlksWU^#xF`ku_+zdT z^18h;HSuCjlQ_kxn!01lBHo9z^mb7mUcKHGm5T#ibK<0^H_xkpSE#FXfp$l#(ySo0 z9X(pivum%y;L~_+>3yPO?m`JGP;))a{!))`^Cl`SrARQUi(Rd`G|gvZ*5(KvKo{Q} zG*{BismCzl!&Wyg{nLq19|y<2DKz=9$T{~(>e>#vxFi|F3aE`e?e1Nⅅ_u?5RSl zU;YBdDqulrYr2O>E3L=?C)Bo&{`S*3a9x{Wnv2JcK`RP0Re8@wv4q(ENWs~U%1i0z z>yTKaAg%s&nC&$x2Ke2-^b2Y$SZ2+LF4NB=)|uPnNQJn-r`1DzPCDH+ZsKGp2>UOy zOBq!0bG#LBg6zIzUUqbfHRshwJ(C_s^qF7joxu3@+kpcP*-HAmcA%&}D`A62m#R08 z+6lBn0XNvg>6%c!#0S&Q8u1IF#p9kkZ3{yu-_I#f?K+B`@YS z(lMn#`!DQX@mqXcD|5ht;7Ke7JOD<^X~{12h3mWKY|WuU+{u=+Zn@9MF2?cuxa@UU zR}A-pYs?Q~UtgsX{79-HhA^rZxqf$F#uNMooY?0FN|^zb95we995D(D-<`YBNUb<#6pRqm 
zdNnyzPuM@2DJ*^5gNMyZ>$KLYN8a`5Tas3`Z_s3=bWFBKfMw2QO? zdR#M@pAtqMHatEgzYocH7X4sJP4aL(7P7GN6wu@UB);p)oo3@Eet$#p951>}#4fVI zVQNO~o>6H3=ZfK9m7uYWflfg_p@hdvWQFZl&<|X1_}`uJ)qtD^XIZUz{U4VgWk&&%OllUvrhojeN8UOM(p2C6M zWw@zY-LQK#n%)s;2IbSN-UO1zAK#oN@9@-}R>6%e383fWefW?>X0YRssW95H{#O?T?0(xH9_HxZ5e3oIdLUwwd&n zHc?K1#?@nh*pCJ#HDkW6H`__?c?(`O^A0(yXrvgpvFVfIa(MKDy-DJgm|fYF28MtB z#C_R{@!Pr1{mMhm=ei72JTPB)jZQHb_}$ED;`UNMK$c@MsO`(DzdqfLY%ZK?-Rb0w z(A_4nF6ls%O+jbB)wn>D{rRI-e1KDPsK9veX>|1m0_-bt{*diY@~#ibLhrxp;5=^? z&}=S`pu~Nvm#wPIKZTk7RP0g{=Z^H~Sb<+mzUOK@3DX5)6ovPZyoTOC{NRLDmQ!V@ zif5p&`iz(>N+X_J!vMgH_0-m`H=N#0LDVNH1Kvc=MTx+nb9ispIdQvu+9y1Lw3{2& zQqd=*AB>ocaWN2GVVD>*UFcrq2lVQy8 z7H8UPdyXZk7v&P>oA!5{Dy~_8ZB;JnmKv>j8SJLpuf&1g(q9l^྿U25#OB^)) zN#1X<^~koWWw`F}m8(mzcUUT%uBWwigi`j*H+Ml$aNZCaoUF_x1?UsT#wKgpT2 z-2I_e{j06&)(o@lvDu~N3-NN(CAhzwxpSxJ?@pudaOSDvRWjDhmZtbJSr&8HEb#^z z+O*TgHC1lc!*blUTRHliuvj%DlwpSO+1q&c=@)fS74;NW0bg zz>Rr!f@bww6rE3Vm^+=QAZUqwRrC{;UHwvZL(7NDdZ+K@X2I9b{zsbI?9dBs04>J( zFVO+ge5O%BqAd@H5nQ`lXTa~3PFElR+HagoSK_wND=y@d33cLV+%BHd@@Fi@*&~Fi zJWdJqCys$SJiK`+bc)r!Y0?P#@nFI_P+vM#s1Yf+CPUws6*?@gn>iDdJ_|Q}kh+O+ zTCZU(6ivlFBj|`jZ=?w~JerTQ6?VPy#=TZUeRqzs5p9z0#w-bq85c)AC5lVmgWA@< zTsP@H$HPA$Gl96#Z>CQ5j#_-s)aF*teD_~Ui3fp6LIE_)v#9B$2$S>pyFBRi5$ zoS0|egkg@SCnv;Rx15%gZA4F2gAAsk7uqQ02bF9Jn0vj~BtOgS(&NH>sVF&V?DOxx z2a~2;^tBdoH>WICUihdV%?np;=@n;VcX6-xX{fUvD~MuuRTW~B7LbdencLZYtD)T8 zlf77)`ez#}qYg~EdmX3rpfk4)2-~) zZY2{$9(ZPcOBvtq?!|VaryUu_;haHP0U)YX#I@*K;VSt3kA9JhB*ABY`jQ^c7r0bD zy}AI(i%6#wSwkan*8yz^U*%uoNTpCNPr^u9EUYhbw|Bz$G7|X1g=F&0S)kPC7UwfX9U9u6yiQTJAV>w=?-8w&~zPTEFgja5v%qq3f)I^6G*v z4I#L@ySu%(L(t&v1PJc#?(XjH?oM!bcXtRbfh2SC&rH=^d{g_5f(!Q9(z|>0vrxCj z`v7#sy8j+&7!g*&=J!L}=VK_e#m@uVpa&SJ>*mGS{gyZ@6uzu50zL`^8Rb5F7-&L~ z+-c6uY%)&nKm-h!4R$>yw$FRj9yi~SLrU@?(u>*KM|cBqqz-+Px>1H6Qc<0WSRI3l zFLtRAW`uWosEB}fNsvGFzTP?_kNuuMOZ{ih$yCN^Ij&vnb`^}~b}wpoY2c;Q&$MAU zC=cHiVi3oBFXdF$y(QY80Gp=gsr4fY3TS1TW4BmP``6V8Z{YaD_WP7hmzugE7uL&; zkrQlk4^hE6_K&T1!Ou~U1EfJY>i{al2NmYQ7wC!z<}@6A62~@Rs3`0T4dDD7`t%hZ 
zaH9=c|Gp?!urP4y7&q8{lakhMuOK{E1#}ERF>f%`f4j|*TW=@azi~U^+VwVeO^jx? zRYdh{O-{o?sb0DT9%Y#kXtI8q`nQ3IuQm2S5-*)Rj+YKWpB#q!p!;D;9Q)Yd%3V`m z;>RzOy*oYF&p*+dfbv7=6<|?n-kR1lI0>E;LOvaP>&tgz-bG9GRYzj1R`<6ka;@DK zd%REROEe}$zM!_bR9ajgTY~r}$5(-%_admBq#vUKJV0e8XS^F=Ne&cXTUBRc!&{Sl zR8}3?34h$BLCn9jY`Gx|9(@a%5&_$CyVE&tKa7pra${BhjgPcD%C4Vd;q!yTp+&dt z#x9h7mRH3)?eBEIkbqCXEys#EGwniA25)tX5&KB&Uq3M(GeI_~+ZP)5*P2O>$%r)u zthaZ8kC&>B?^~KqlZ3wU-1?0?~h@jCYSLG}?ha0(%Zm;n`}dzDZ*N9q)L`DZL#8nL2q!QNd)8PKtD4baWHb_VUG$zAopcni|8 zqwcPe9e=-|d!EYMZ^D95`jY@6ZjD$r$Vg6%CkW0%SOF#n5djQYxRdGKT)o|u7zC~D zZIYRMIULD-(umuDsmA6h*-jWjBqPtP^eKw0!hxrA!a`+>gm->=?BWnCh-8D1U)(Zcd z?WqAD<;UPo+m0_a|3migPvq0=u51SZl;DSlHzz>T$>$ta83gte3Qa7w3tybgP#C6z0Bq zxPFEvT;)_I=vswzpXGmO{(KM!hH>E!loRAAh25`RROL zEoZO~vKvBtJ^DlP60j>yy^`O{WvD^Fz=iG&BvO#eCOdxoDuJ6g>!u=L$gqn<{$-L@@|?yiKFfttEkRwmx|6x2YHa*@g_ z&$#}4rJ605n=JuM{XrMdtIkyabtA-SMsV?FkAg73xEl<7uD8D>*eX&Bc5D#`NRHy} zzs@W%SDX785^aHwU`Fg1M7V{&sE>f`^ig2U`qZTa1yjixI$gJE?mr<1UCe=dd^(A_ zbOV}TVcz`-M%H`YOHFDF&df-%e^Xw=teORj`3_?Sb`<3ZM(={xjp44rT(I>c@=URh zaM^d*ToZzgtTz*n13i`8d=04BpE6ELY==-?$D>NhZ z%9*ok4|^~{9(((=KNn<7Z=1IFlPv1s>Ev5&G6_5=_W1GD9kgc*k=?ve4zsK@kNI8vOw3yh$a+sy^O=bK7XZ(+3yLNBR~xNiBe+lIvYD z>4_i*p0TYM>|(T_haecRjS>{g)=!OXe<0M7>t4~weN(@%;^Qa{wPgA#?a8iRBCwaG z#UwmaSf|hop~zW&EVQ2L=pmoPV8PXCg2X+ecEkl=ofEW4?iOHt>#RtWRHp;UC>-%g zC!lgN`F?)PN}2nj`kOfpzkj#r3*<+ncO$whjBX_OuxTYuA6bz3l8pCaSBYD$)3WtY}NJCBTI*(wwqct9!f0xoSgJ z870gesF?IKhXJ{ekK#FId+2Z^Ch96N7Cu-E)m5I%eY?lY?ZNHy#1S}%==0y#L*$e5 zvRuv}C_)oAr^BfeBcS`^aJ_a;1>u%#RK1b@KF96eECI`^=uO9_r)4{$(xN1_3b-yC zVsKa&_C8iY_M0_ro^Dkou)$(|Ua`))c|j&IXU&Jb!rU9J34{SKj-3J88qE5xxZL*n zKWd!=nNg640{egz^WL`jOe-EWA^pF*9_y-k$;Jh@>&v^eYxK)e^o3&q6HxI*i;cSN z0n5K0k{`)U{FBa%52RQQbA13@ReFIK{9>V14-IwCUJ4aTZZcku52?#@kE8BLWffFc zzR0N0q}#4YKeiUxTpPU3*9+IH_*G^YMW|n3a~{3lG5dM;xg~K?+Q?X`RH4^TMxX5x538Fp^y$KnH9; z(vE_&tOY$Mh}d2+kDSH;W|r+y`nKAaI@;yO7?88%s#GF5tMk+2i>f{#$?KXLr%Dc#xjkw%k=x)5%}XKAV@OkK8XZzkqi8 z^;St@r)clL1empYTpYYM;;DsMb{*>vqKJRNLcc49#>Mg3nhz@%E{2kz_~xhv?J|zF 
z@9~j)L+N*GSBjg@0@dRTqWewSAOKL>6Wg5Q;5^}v+@BeqwCt=W!PhFe4teoeFHNt5 z%w@ZT>C$uq!L@|-JFQr!?ax#nHo?rzTBHkr91~s3O<~Zsp{w^iZrW`5?B4~)y*Y%F z#ia3|`L$WkfW;YI7yO$*xww$e&Ha2~O{O{H&mj`9T(@u8@GVu&9TB|cABOV*&WTYi zruQI58=lr0POyo4C&C_KBh2EKe62BypB)gTWzwre%O>}W#wF``BpX+|%7p<8+u##m z_kr4vDw9cvMG0y9Yy$n#b4deis+NM2Ca##P2$no;wyT}7&)TWKXvp~|OPTHiLP9Ak zM54|cQ)o$G)aF%{s;v9j2$Q}C(jRhD5Rgbf&wVUNULglVXC?_Y3A-n{vFQhSIIB?EuB^}%m62uMro6)!Y=JV zr)mC?sa9duDjmOVj;;M}U(Pz?9Db zH2w5*5qi!BKEG2w-$-~u_?gF_c;+AYyll?iTrHd7CjBFXrw>vfz5^H~5=p@+()Chn z36dYs?VKo6yP`9RE^||-_A;`^= zj0yL9A%1gnf{j8`^jwAL)k>-LO|eaGFg*%fX4Um3rbULPLle38cT-vH*nCqij*sNM z;fD4$izV>r^)|C*WcK;uR{Gw{K5qd~JEj^Or~2X8%sTyIkF6SvUvHhze82@X`;uxi zF=`FY3XyITrXen0SnhOeR)2wk~GA@JEVfpBZ%`$fJ7^SPKOjPW&(6J_Q(=*Y`v zPw;*1X@WH&j932%$9KlwYlionX+!|`59D5M_kJjTJDK6{c}Ze;mEVVgs}4PT2)ByD zm^bZ*@{7{7@L;~H9i!Sb^J`=f``J~$pSMSEk_A-)_q!&e6n^Pj{ATP^%Jn{Q&|)9O zn$`~Tfb(PT|7!&K*Llb;v+O#zJ5urQY5ysLdVIbPj%>ykTmmNu zqI{QWnFgy`@hGg5M|SzNB9&HzK8+Tp4=S(62Fc^L!@0nmpW3xsY-~JRo}1Sz>aQ=d zJV^UMB7t794S)^cM8o$b#hV=F2O)tLOXV5kCt+gNA-X@A7u8;}y;h@Naxy$v8tEAW zq+Ujq{YI-wbz~ya8GITMD()?hjn=`9E2a%LmRL3?Qawg6oYI7pDNI?f-gC!fh12a_;&cfZf^L6`F)0f@N0E^y@`@IvRJ; zhNW;T>?a^#Mw8v@FMaU73&A#Wqo-U?3Ju$v2e>Nx+YV`^K0f2$nCwsP1K}CXgS^>I zyS1zG9a+1~q<@)}3XecIeqN0NceOdtoqcv}J^N_1x-#Zz!#7*-Wu{eOFYkfAU6B5V z0H&*IZbClJ^SS9*V&+fY;0v6_x2`X^zI>P!;$j}-2!Dv1g!~L|$mdFbP=fWD&VfG& zUzS!)Xa-?~XAx%WFVBm@1JJ~q1qe2}7-yPp~C z{l}lppKNBcSv*cB80?fsz~k-v0VU;D9MFd2(S;OWC}^`6%}W=Nu>R>1c3sN%&#~FV zT2Wl4UElB4Bc@w4@D&Omhv9$=6Sx8ec)tbne|oUlY~}D9`^xxJrZxI}u`KN=M=$TP zjZ=`W#0JRg)cCRN!ZXzSd#LE!d+6QZ59^=Nm&Ap}KS2)M-9v(}I*iKaT)mv}{p__d zop{@IKd-~+-w+joXJqKZ-SM8xCB5-FuffQX22#yUq17hv_i26$QD{p+KQmm}R+f*~ z0{wnp8a(gZH*O6I0pBzd#2p&rt^}_IXpgFi_69Lmd%1a!6JPf%!oA!@d097xQd)YG zP4Xg&-&ne!SG*TQ7W3sGw`){5W95Ab4Ut5usHek7p;f>$i52hj90ntbPIXL6LSMkl zQd8@Z5Tvxhr|m<}bNhMb;mK?G7A6|vr~-U0BOu^EZNs=ffD4w8CX^`)MjpO8Jeprp zDLbu}@G<0x=|Ok6Xh>?gY_npv6Lz>vaM)dCDa#d^wY(fmR0vo=>@0m^=qG7sJaxyi 
z;L$eLq42BMYE&IzoP_WU5e~4^--5NjG;zt^3OCKC2b+G}7be4KSk8{XSf$g1S|Oh| zxfQj?k>@BRw@y;D-&6qs|B3~-?a`8G@5oWdTFX>T*ZrHPAqoHNS2_SfP4V-4H`IeL z7K|Ossu`h11@vRB?A6Le-zkx)G+N6TOSU5gC+#S@zX&|DoFb(m@HFb+_2Jqk8$-n#k|W)Uj$b#b z5Or07kA0a75V>oY!2MT!_VNb^#iIajzHBm?GA7;GXwE18Pe4qa3wTZPP0%E(5P?nM z$+>)U$3MAheKyc=+EI+km4B|a`g8!!;FNuLDz`M{Wa6%~iEy9D&7?T=<==*Q zkWSEc^OY8=GW_+ZF~#X9;Q^Ha&4vuJ`S(Ff z1^U*{@Zz97Wk?7zv{Al|FkOtak`v_en!VaLo#y_oSu{U2@SA4u`|~U7O;tJVaJZx7 zZ%?y;D5SAJ!d_aQA145)l^?IzvN^mWe-IWI@aGtZChQO9=6&l=o;OL8@OVbm0P+`I z*TzTAFM_DI-~@EX97q&}dA2XM0(9HoIFKNq&fLJf>i;hbfbFv1^Q>Bo6Bh5>K1p`Q zT_4%L^oefFbk(cDyv^LrTqaLg=vbvj8Uy--) z5aLX}5hq^@(>>EJgMgM}-*rN(W4Ts>Q%29};YS*ljZ_4~A=FH89(YH;tReX{EMz>> zJYaj)qHJfBHe3yw4`LQ?Hf0YL$uhD|eHwB$slm$C2dFCcCQ$UC)!d?B*+k1WKEPDq z%;7R0b&Q;<=Uy{T*2+y%`l~;<_37ZA3Xuu+eK$Z}zs#!EUnUy+w67-MlW~W56ab*N zoffCt($#CUOIr7UHpGlv0ne3lt)q&V@z3nY--*gq{(Tl+7rRpa2jMetKtKrQvFl?Z z`3ezZCdrK;p8sAcog}+jyDi$~1NqUxqwr^8RBHpsUPYbvyqTKLKoh@yVb?wh;JpVU zP8RNA>e?4#=yDzzra@%}bpo|)|Of;2g~cn?ae3;-WK3s9|={>~*aweJ*O z&uaU+;X7fjtzIjEY!BJ*TKj2+i5YBKEW>#s2rm9%6%t+g)zjz03vIL5iNcQ-;eQ0`)#j&J=#vmX{Sl;*kgOL5Mhr!I0&^y zzDh|#67OfC+8Y0)GH9dJNE5S7m|W(vEWM*l57aK|P?QOO&^5$(=pO`u5(LtiqCJ?X z82QN#-egZ&0C8U~)To`}MFJnJ@%GvDgsU7{o_qhZ6F_ysy!u#?`2De{aB?t@y$LGM z%uV_CCCodC+;2Kg<*JU;+8{n27Zs*{4#<$ zVSIHqp()#}uik8!3gfO$3t#t9X5a21`n1{Ut>^Z%vY@M>m&rT*IG$K0w<7ihKdo%D zebC{uSCC!X_#VuReVob-QZdy=ueVmE74{oanwVkE;Bm+x?@=SXXtr?JoQN|C_YYh9 zZ=YNvp&$JdPmh4k-W3X>cXLM^c{*piodD-Z`l6gmC%DZwcX11ljN1WwzIqNuOW_7& zGxj+xwo~+D?Q{DHKo0oPGOnKN>`t$vjox z)8gR}StwnBV*A|ZW!G-U_p(O9(Af0LNx&4u(`f*vhW2=~uB+DOJ`m~}0uAyiemQ0W zCPd~EME$s1Kn)X4^5Yp6Q42c&woHY`tGYy0}ZU zKU3%Rv(7Ha4fV1nY`sBg(73`2@#AHJtqq6*#E2~3ahSNYele79qO(+H@^w(n zl-rD5o-NsvR-at-!Ehp7@xw~P>L!o4EUI(R5kSOyrR@G3%zgO$dq+VBwO%byX_7fZ z$tFGH2cl_`%pSavwq`x@1fs^_^AVedO&J-9{8yf`3fKZCMy|rVm;ISo8Z(m(F9avH z_Eqr@X^Wytw_}ZtS0S3=mFD7&alFr9)L}T=;#ATX!&D_WeM6-6Uga?mc^y3L3{f^E z1H7p;KU%mkW?4ab{LL+$jyNtF@-E=6W2=s-`)^X@MJ}GI7^L%_j1oZo-l1sj+L_1F 
z0}E!gcYH$aX8;3={*y{NBFTgBzt8jU`uP_X#C!aoA7DQF`-Xp7w%uOMp&#UB@kiG1 z2QP+h*-K&@Ha~hla^iPYP{O{vu|P8ckgoS2)0d%t)b~r&#m9E0?R_f`;@L84+jIx# zyx8cKc%r$c+G`Tv;b_(oG1E-M83qHCyz(!TVY%OQ2rqGGJcRj}`-rn|$X9L-eP0rbP(mHrY0Gu{c+u^Wv0Eg<`^#M)nyz zv$nzY9Y-H|qUm>IK7m0$JiAD})l2@Zd%*(hz8Fr6KbH zwo}^i^CQ%H21fqGm)745dP`$309(fuZ};utoI_TR_TtwtDvHO z6C6K4-|AR(<*NRf4oX4c6NJnY(FJn9O)ebVD0gc*xUHrd4HL@D znc0CKIQBZ7p5!?F^jUarnQs0`l_5)&Bpqv#7-8SSTR>9>gU!A2Vd7HR89oj5M1^)~sdGv9~QNWm!S+2Kco`0V{K@60n~6Y&Y`mpbQnm>y0xCF^V&`UY(> z-5&KQ`I@8H+Z6uUQoaFk6#^ZeG<7n#I!Bv#e zXPDYVL#UuTH06D+85IwF?O(0olIVh!6OFCh_|!2A2(U(FEZ+v}hG}c(7Get8Z9a+D z%N3=6-p6>6dMG-f0cnNIOPs^OQyp9^QePVeTO?dWKoWFeFV$a;dSnZLuXw1?vVt=5xec+s0B+p zwJ$XIF5+|ulnZvX&5d_j#oc7ORcaPqaZ?nEsE0~q!b;-C0yCCscr_(G+8)aj_1PK5 z3mr=QOKadd_F@Qq;+Pows#-Pt^TqWUcq~3CY0(Y^qxV<*14yLF$6;IQe?V zzx?3v+`8aq^etxv0M|+qkuAiC6k_i0=TQ{W3&Q^~`qzrU<$9$KxNYtt*_+X+#gmxD zxpjO&!!}Mh%%3(fPUvgu6WGK-*Pp2|K^q^gWUgpMa-jSjYWCs71VyX-wg{B#sE8$$ zsxOxH1?C4>;Z!4W59gX5)+{L^G(;N1Yl?w=F_n!(^c6-R2RqF>Wm@*|RkHCN9j;=~%ra=%rG#WY(ZzzLIx&#a|dkEc`WRf{ucu^f`HsMgy zY8kMe7-1~Khy#5~p(~-qu*k;hl@o>Smw}P35{-JuI4}DGv4GcvnPwVMRibp9Ag^ff zP)SK|nB*O%9AiWjRyh{h@I%*wuF4s1QxW2VzCl%+^e!4(q(*5WQC=+L_4j6^2&%RA z9orq7Bi7+u<8;0FeKkLt1oNa8Zz(?HVC6iSak#vU>XQsTMXxNpH6`hh0-qT&G2;#@ z5lxiuV(cwh4aFAD>c9PY$0YTM0`b2_vlF8E{TIW8cEbgVBXcrw=hp0l)Ldse^6t`X zjL0-|akD#4eO08l%ALfG_O(iPB^u9px|(2w;yidZoYhAwu^h+hS-#n0%ar3I zI`weP9);L8QXLvOk#|i7ky`m zO;Sr$Xl3of(WvuW;DV04u#$gEU6jE;`gSNYnoU_Dnni5C!@*l9Hw(i|r$U>Du#c%% ztjV_kOki8lj8x%&O&^qeW+K8m$!>}NEbkwqU0#d!RZGw=s3eU!5HE0FD$liIyRuhB4RsCI!t&scTT`C) z%Fz&L7^&oGZA(s;>xeuk;MkA8O}M#4&Ye2Lvyx;B<|-}w!jZ`lkFZ~)wO`R$9PnSm zwE~^cG{i)5~EBSU5p&$kil!QsT-lOgb;;JsHKx&y``=b z+6F43)vxNXOtqmKZgd~kp||BzmbS`bLrT&3IYORa9#Pohai~<+_@=NiU@4Y5DmS0C^Maz11A&F0Bdx?m+tNgRv-KlN@b^Y%oKDc zTcRupnn~o2bGNHif6sJAC0)a4E8t%NuY!wYPrIn>{Q6Uv7n@wH>=Ll_$ zH-04q=0-QxP}Gq66R?T#@I$jdRM?RtWmcFuA8DnU$EU5rXyMC{ZzG|_ z&y=)qEe;VA4K`s3-FR(sGHh`GWAYl$r~bS0%~}~%lVhY=X7qT3^l3=0DyNpF%2B^v 
zMm4!a(}!cZ4CUpHth&5yL6=qqC*}~R?t>GVGMTRV)0+ENI--|%1MMQ$C2f2(JC17p z14wc1tkL!wNe{tCsGre6Ef~LK_e@aQQsQF?oJu*-wUic`WQ1&r!DFBrRJ3zMj?pI; zNVz^%F3UaNQZ+ErG_h>NmA6i+csT+*3L)erY-5?@M&hKzPu5X0NZ}p?l-^i4hS?`l zp>4+LrGA7~s14CDBGM?lD$;3$CkkHem0mZJ84>OQ#;=vx@ia-jL0>~}KeT_TMLDbPsSrt1KnDFHnxK6Dky9ltfLyYLHh`VpT=_SlDbYiOTxE7^&kqyvz_X z5Eq~*2ZRq4otSm0kzbhaYU)S@+85wPTU*;i^{Y4=l{PA)+$-2e z*zLN5EyY7r?UR_))N+vxb=A_!Y2+TITQGA}x0et*;p{N6RCSd)7#9oM)2rN!sKk3{ zNsTs=OQDKcs}Q4-MpBq<=%VjrxCkalZn`j9DnxNdp9HZr#^AhhgXtFSOCst`@Zt+g zUenKDH%?|| ze<|FZh3Fk_9eG7~(aQTQtI|Nrg~&O&pLm3-2FQN=MT}N99D=w5F_tRLzs-U7$fkk; zh4g>DMiQYm;-K(yqzZ-#O|p|n1Kk_NJy?BEb4pPAE+ViDFGGzCBs7!ls?ydNn64U97Bd+Bkd>fxx}hi zTNJr16x~CnmlMx0)gP2>2H2wQHxO;5of+N0YOp~k`r^7d=1>+cKawqVA$nDW+Ira#>l3Dm zK*1<^t}`j#l}0cx<9I>^9OEeZV&b$`Qx^XoaoIO2)Bm4C@+*WZ8bzwC2V92TVQQ{> zK#nSEtYJ?@UZZ2GB>RE7Dn2%R1Ve+ia?eC0^&naHG_jn+=6C$I<*$%K%T~RaC5qm_ z5lBmb56Vv{P-L_Ej`3uRDt|mOs90&VSb-NX49}$>;wnqaR1(bky+ORPiCoShMA;-8 z%eNc3#FBP^Zek>5H?f|I_=yRZo~ghR%Q}MMP#3p~)iR1iS4wR`y{ZsBW(g!gXXGP4Q-7l;f2YVq^wQKc>*?O)xad$sDv_S&2`y185?Fv#Y{}|Hwm(TPo`m zk5HF7&l3=RR!Iv1*N6zjILZ!@C+T=R=)VRFlezFBQMN29#{L0+=^-r6{Lm}6oS)B08?@K4?|SZ|Tv9!`FK7HxST zwQh-z$`&uiq_VNXL@scPL0T{pYj>}VUf4?qVnLH)&G-3#v0z@WRN{Z1bj`$w=AXn# zDOGd}?A0yh!%-Mw3(RH z68e8Bqv2$l4{joTC}x^3vDaPoCj@szv7(?MSbb8Q6ReQXl3|Z7kaA(2c27xdoWLWz zKW5UKnakppAdVX~$hctWm7NwhPCmYJecx_L8FHXSGuS5n9zdZTJY5wHi5{(txHi*BP8qAi3y0zMJ)5XR z6#Aq=Dnrv3N0b0jQu<(=oz-TZZ9GJSMvxJ9Gf?vDMU8<(W_>bNnLDMmrv&%pik%@_ zunu9Fd)NO=S5~c5;D1k7v=m2B&Wkk~%Yzk~h$x1>ve%Pl(4cfNtis zJ(9si6rhHNGhDW2kVBYhEQh1Ae z2tAWr*2x^=#o=w$k~4PGbyV9pb50XkbA~R(VXP)j3z1BX#xWFjBp%AzOcOPndZ>u} zTa=%8RegG;nr4L6V7j5Mz+!NqV2R#bx9wC;5UWH0dagA&(EOL)Uu`6dFYz|s zq0bu%*Ch(3xgMrmm(@+44!wVVS#bemB*5=Ek=%j=82xuzTU`ove;ImT52CX8qmm;3 z-8~x;5J_^J831MfjlT)-)t&CSpP;uHY=^~`a|Ml;2f-Y3ZrMY$P0&?!z(eWo?RaGU z+;MfJjBSdBJQ?NAvOAnEXgO}Aqlj!=vQ}e$hLbisSls6`j^#PIEqTkiyVq+S9ac;{g9xt`GmOgU!BNUX8#t#al7LjynrHtwrpkq%wU z+aCviSaPVVQkg_mdhCB}pSS@PnEQ|&zrQ{&gKj89)PT2!^@>xOyb!M^9W 
zBjOwK%Y3#fK46tsDW$atCJk`@bWA&44`cRFb;ut~!k`SR7rFonO^PxLZpWdcfFK@K z@WyE>si>tXk?4Q|1!^W7h#NABECnFIG6=zun$}%tl^npde9b;64^Lw$LX9=yrhw&P zqG0T*{D>BpSnkd*w??hST0L1vdoYR`pANK#%Xu&h4m!Hrk24Ea|1>;YRyh0}rp;6C z&b26@VIE~hdL@>S`j+=!jc(j%Ic)}Z{Pq;8?STu!hU z*`!$0%oz2GsiA+auIWH&5Wb81;Bqa4ltLA%+Vv|Yi)%PprTsLIIMmBs@zc+JtLom+ zv<#g2s`Dw79rPG+Api{4(RF^31-LHE?o-|F#3rrQw<`2Nu+jiUap_bjYPn4!|P?2Q~DSLn7O8(udtUmH{LXMri zIY3*2D?}W#MKuQ9_39`Wk8LgH1Aatc>m5qZsf7=)Dvhed;j+i8LV#5z_;Fxtve6t9 zmT2>61xYel7#V4AqxxHOL}DXyxYd0GwqYgNR0>5;D#T!3Q0BXrWE05zGoZmYZ+fM+~2*Trs@gs@@@u5zO@^tvjGbT$?=Mcm)@d8xS+{QF_7Urr(N zKlxHHko_2GSf`KI^W(^8+V2S=*p;4G@OcCO9(^kod$;7V{-oYqEEZqI+!-@K(#laI zCo#@;eGg2o>vG8oWr&2onm0YG7!gsaWnk`xqH;7F?t}?_CvQ_rDfFvoITait%+{ry z590kO5%wp&#M+$z54Wl;yPYW%qBPnA6AKA3-Ra0G-o5^yEh4Y008&inNuDc{RQ<|Z zA|j66CbZh>hyW|y%QFQ9!S$n?0BB^E;1;0)id5Iy0Cz) z@!n5S|KpCeak435cNkMyOli{pp1Nrp5*9h*!6-@Kn%)K2RXsTOi~+m!`(6{j5(u!MjJchcq)wPufH*jV z4QFYqYH6Cu0?iu_v`CPa*W&3WA3|?`CMTRF`tZ@fZd$Tk4cL7aG}olls}3959&%XqlPp?r3-55HVtK zs;ph$!~$zq<12S73aw0NSPw78TT$n~gx%+2PMDjYFsgoTu8bYNr<3blQ#)oiBq8JC zS=O$a2uEvi|57ZM7?aY%hzY-c5dS8EpTa(HjMr0MZJ)w|J3!wl)!LRM7O=ctc}}x0PkxA!3{1Ay5qaN=T-S6+=l)xUtkvM} zHv`g>zxUYMuC_yF556+>Fr=l=9(0^$R$XXio0Uo}2*Y#Kzu$PZ12$Y^X@B0*47N)D zewe}Y#B2{YlV{iL9gS`Q8Q$86I5MB533MM>6=`H5wxMaZ2ZjI?QKW9~{L9_GJUB86 z#)6ec#0Qu{#0t*$ns6OM+Ux-t`S9UF;UW4um{9v2YLB15;`KOGzGkz@YX602)gSU3 zOh`*g=M`{KyAeSCjY-Ib$@ei@zN5Unc zPuxxS1CwnK;>rtw$83RF&>h6pSv?~YK6qy=<_6oLIlp>>T-NLJ=Jno+mK|YTumMY` z>xSW|QfYieS;mII<1M+`$FAq4Tw6@W-^vLFsVjhQ>YMcA^CS0ww-yRc%j5nhI4S3M zsV(~F>yA3F=Zu3xNG6~UrwvGsvE(!NETQd<+=;?u$1Iv0(afHB8U0nUD_)+YPWlEz zoXtvjUW@A-!)KUI`>+LsCmoOC*LTld3_cIAvO$Fd8#1-qQ^m#Un5+ zog9jwXPq^O&Obhk`D2UKI2>N2!PN4)7@X>Eg?MUsbK$6dB^;LC(54vnKqgd>gg;)~?HH zj)$jrRC5Vwb|*dvrgnB8={Hw9Isfrd(l(gvktWVIl)8?a7C-JlmZhol%i<8a!qpD( z9}y;)I%)l^Ys`%Wls_X`b^`+2$-NZ@-ggFVYlTs*tESW)|6)EMuzkI8d}K`#_x8H( zFq?Kuv#P~C${X$*L~*{CrtW}e?zTse&aEWW;9!A~+^()4fHTx5YQl4xVtsGlSjxPH z3%%X`HUvNVX}a@ zjhw2#T}4CQTJn_*Lg2Xh4u=uc$jM4D;fTX3chpr-`aXr;VygEy$g&Us;h$aYB|l4W 
zlKio8uk7k1Gu@)7?$#7HV{006_W&cHLi^)&A^W&JjBQX@t*cAlsuluc(`$cC+x@ch zu8Yl(UYhWeIXcOvb!VaHcA#Dvm6@1(jN!5bR;3>fk0N%T`(X?8ZNqf6HpzM_Tm^U}=Iv4S zpyre668SD6z!7Yvg>B+t|Gvc|`%{ihRhF{ zHr{A@W$gkw#f{J@`il;2_d9$yF$*ciW{Y85IOmjM?yS~karfi*xjthPU0mwDUoQg3 zizYr;QdPe2((nmtK=)S(-Zww#J_KW$i8gXFCaVV{eVg=D&F>X-lyDAODj##-c_DOU zxkGXhCpa$P1Zw5GqlT0S;cT=H4xDjwZf&r&D`>@W!Fn>I1Yaz{6eu!>k<9aLF?B58-0urX;o6I+D1Dg zmA96Z_6aJ<1VDl~P7NdFzk(UX-EXjZBy$K+!D)}VH{giCTyLklLGe*g;twd{nx0i7 z?VR7DP}@{|odBAEA{=g5_kqBd^(G@K3OSh68y9b2p61!k_m3Cr8+V|Z0=;UJ^+qh% z2|eS+9ZNEtGx&D^zhV&V&+8+}p; z58VzA4Ql0f2+MJG25jatQm*!5c}n}d0Fo7*Ui7cBA)^aOY~4A=(4x=k20kvj#OU8X z&-D}5CIPYKcF*HMlp318Bd%*O^O!hT{yOL) z9u7R@td=w=BtyrgM{Cf@#F;n(c~oD+3&tpbXnMgp4PH4$Q7p^v^weY#{RRyWthtnH zet9u@bxcqb7_B;SvBM~C5^dBu0}GYi-* zS{8x8GgRy%kl$la*J4F($t>M1F#BhB4t3h$Q2aHIErtHa+W516=92h-ljNT?E6AsV zYpcD6|8sddDb})O(`XmU-Qbs ztIS%4=(&adbB@u{NT*)sZJf~$-UqY83VPX4Q*4hTd4oBX`H_uMmo-EDrSCTWFgc$0 z9{AtsKM(jvsVkPxGQ>w?beDy5cXH?Fx0pvd{{)hzzpQ#avVaMhvpUQ+A?gmo$<+kz zupYjfhT8F}B)Gl2V|u@DL7j+QVfAPI_CTp)5b~`i;|reuir0<4{Z=&nlO(nL(K%uM zo8hWkQig~jlVdZV__Y4?tAC|!-(aM(obU9?9qN6-k$$B#sB+QGA?a=xMtz|ET~+3x z?vG_)wknPA8l=|-IC4lnn+4T7Tk_k5<(thGzdSmRAE7?jcD%(lX6@UBOm=x&Mw2>P zw5%DOzn~>KD1fPGTzU^QrsmAafCR)USFhL8bgr_UMjXb52-m*y=6dj;`vStJ&|x=6 z1u^wf4Q#M^_2f>=u+9WH#jX`qm|NGoV5u3h)uph{}aQ zfH}!)v>~i@Qvl+24{=fK}kn@eq z5n-jB!Rgo}GodNe)e!=_n+P(HVbll$)B(5t%NG1a3}{iU2f)huI@4a5d7-I2M@aAJBLJjn?!RuwxJIcIVEgf zu$icyWq|ozBsQgjwVV9%0(X8d0{PY!_zsP0A8f}RpPSIM%hwfwd&v-X+INST{}MV6 z0S)ZdX1*i0oWy$Y<$mL?vZa2dg*>pJf;v3w`%Vn1L^orDY>cp>^%ecRaM~)@jw6}F zJ$HR=3o*~tkBJRUScvf9V#z)RB-L!p0)^whTE*@2oQQn2v#vsh%NeIAA4Ne8@<^ z%%m4~`wREuKbh>e-G&Zuk;=PhUyvAeCzs&XmU^%}OhxQT^TEBB-~hhYC?-X@5$VYm zQS+88N439i>|JB?6t#djze-H&?KL9gYCM){wW(Rw{GQRty>UVu@LhZ4SW4U9TO#g1 z0u=mQz^y$p$84jeH^T5n0oWpPif!5Ryh8r2M?43KjEPNIwwnK&9(gS4=&zI=X4KpJ2K3%kOC|jkv!~v~Aa;pa{+n%kOtZFk`B;zfE#0$1{OszUm(4ynmm$ zP>fnrgT8(3QI3g6izR;}O|+hAK3pbHgktufK;J~?t$SUNSlP<8wRU2W<-uRJgpxg$-fX8co*WaVG$GIIT1y=X4@I2jMMr^msQz@3+~Fd!YAEPn(4 
zuk?e=UFolWn2C8UV70;1GV6~$XzCpOk^ilh)saXPmW=z6c}gYjM1Kf^`7+c{4=?yI z6p%t3bA5mA*8E3@_*A<81J}h7l(xK5S1Gof1Oek7fL*eNd0-okCD~z!tg@!(hvQ0xBcP*pjf3e+9_T`mDYhE9^@-MdfS(nWX7(Pz2qmtYp-`qP`=?C@yacY3C7@4TG# zr73+!zWj);V%vif zlxFHUn+Ri1O5^=nf!^w4t(CVYJ}*Df!Krm>)P|d$NzD_xg_^XzDjE;3u9faoe60UK zwdEoaGF_-!@5QdD83TDN7`^|B$hMUiI3RA<9KJeln*F%yG6}BfL*8C5-)=O?PnfCt zr*JDFpUJyAN02Z>xCC>n8sLKl+<1Dlz}aI}6^ENpj7Rbjlyc zIoV~Z4~ecSTQU7n7WRK`iRi#9(C&@DwF8pFqPrJ(EOrws+qu@87S7XjdyPe7_UcAs z%6f&OJnqg&Mjf>sMHuN10m0t(7~{mcK-|O|vDU$oEM(dNQAnOIyXmTc9DEe!LGKrn8?ebHlVo1ie$yhiQuFN%gnP@mByXp(>skYyxAX6v=b|qX zC^;~DqEnHGS!`{!ErLH_wj}iI%UXi*Y+NxSo-MihExXHkzFZ4QLEqk0K3gGbBt?p3 z5D0dsC~vZA)>rH~ZQWNPNYO-{1Oa6Z%{&ZZkxl!8xsbNq*{aS3m)(k^ps1lxpb`s{ zC^ZVnw0Iw5e-)&1?!g^nFZJKK@MBGU?Dn>!@ua(VW5O;b$%YoGK7O; zJJ%LB5Q&*bp#Sz;hrJOh1u6-i{nrmenN8V1z&V@@K3w+LFfj6BEV>oODJ$>wSz~$` zwIM)8RQX70JP%|gg7r2i5Gf`uE*$PP(|&n{(FBJzLsAP5hJ#3GRzYh4GZ|D){yJbF zAYa!LUmC=?yAc4y5F8hRxNSQ#QqO>U+>1(t8d`L=7kV;ngjA86?;Srm0rKLrREqua zE!0>-4XzVU*|PaA{LB2y!An|}0GyjyKK7gn1G+_pkb!0@J1$CFf&-T4fr8aV0HrkX zUq0`=z5Hhm-S@=^YYxmx)^<|kdjn}L0|$R#0Mn5-5t#*T@ewW6?(?lTWcB7 z*56ZCc35=7!Lsp8;U@GDUSLemc+u{m`kLJEo$~`IkO*&hA~;1%etnMXp*z1>Z*QUY z=nZWZfKCC9B#VXK@D`3edpz% zl`bOAszr$U8Rq<~5~>cw^9m>78;Z>u&s&-)aBjtJoW<+I(4XE2g+_;4{Px1^__RpG zb;}lCLKBS~a_nf`qpJ&H{rN(vv7a5)F@omAN<^u6EgO@=jU|q`Vzz$*j9IUFSPzXd z4>hu3!ELReok)~*B_kR&uDpBQ%Ef$*<2pJ=7f{)|TxlzvNMn|pI?L;pT0-AjPMU^Y zpJ!fjVzFTE*gu$%Mb;>01f_l~65bqVq!K3 zAMJ1a4}o6r%`^w|u*WK{Tr+&PVClTNkb;dJxb1#Rh{5lazD~_z!rHf`RE2wuQ()7H zE$QNK&aUZh6oQzS5TU{fjRDWvuomfyX(k+uJ7rwU38mKG7i^A17W0F!6g^Ya z7A%s1iM=N$Ga%1qJ#A$s1g6MD;&rw}xx>0%um)PGku33N-oxJ3r|P3n4&}1tP_#R= zI{P!uuZ!=1~`;1PwOaRu6}(Ad4(n z%f)9R%|!Xo-L+6;(CrdH0{z6dwIvpwoue(0#VO#`k`do*M5MB& zomj#1s`-(v>W+?98vZ(ah*nm`&7JHZGgKWL8yYrilZl3^68xtZ$p z`@w;hF8O~iWLcjwN|$61gTn;-Ng0%LWdAwY%CVt`AVdQBcoosmi#t?09zDTGz}JR8 zSS@#{aP=AT-7j2W&zr@(J7b=?d^~&*3PjlPw6tPdh8O)OlWg9yYs+ltW44MfZ87fL zau1Nxm&&ohH%rv>>Q<@yUBhBf1emJv=mA6wGmj+h$yoNkront5V6jTXVwV}@bzT-C 
z^|t};5iQyoT-bWhzt{W@mev!2Am~WDa;+PYNV&V24CeV#WSy5U?$LV`kYVEBXS5Pp zgnoS+dW{5VJd^%;k+v;9WBGB$gx1YNjR&b?yPSl;F`0SR(f)4{h_U;zp&BC=;Waxf z5)IAFcF3hj(0O=l@+B2JQ*e!zf?oVCIVZ6+p^0&{N3yQVGyHIvYYDX4{vfNW&^J8v z#+x!{!emr-_Px3@?aSA%)ww^N3a~ly*m-T{{1Qx=~+Zx{7 z0JV1vw1`zZa!(cWuL8fFtlZ?HEWP@kddh$0N&EYuaVc=JqT`>-Ygq~onJDkiAJFX; zZ9`AA{CmkeK5@Mt=*F-I3%|3PFRSY4|Mq%~?0A1oa9^bRIhDw|M_+=C8!$yC*4;#k zOQ`ePuM{y_dj^;t6|`T{ zD_`#E1yj?$50Ow{P<10O;k^Ln$M?5g-;I@;m`F47jZG|wlTIgr;XIKEW4dwicvX#) zCV|7|aMhRfLOA$pu*7%xb3Wrz?wy)3Lw6<}Z8t6;7Dr|SB@;SV6x+h(hvelckRI}d zYp-s0Ng==sx;$PI41(n%^?gd?hpyUJzzpf_TG8&e$R{1@Q9IbLb&*3w0|0e3ZD1BJ z2zBPOy~kEvBxpI4j}xC=qZQlER^PC@4C^-CM|!lnzoB_GsST=VjoM=NWnkU{^;4! zm!T}e{Y3D_(>8PPt84jqZ@92xOt5-+9i~O$wSBbiMGu|E7iE4!Q}>fnlDEiIZy1GO z%OFm;p=HgcK{OAP@JG%Dw`j|&DNCtunR~;Uu;o-=i+FU2S-pHHB)~1Zw@}j9dULVc zH$wwoCAkz{VyB{v4_D8Ltf4|+Ifuxn9*&pggFHG%I0B*?Q6}R4x89RlO7R<+eNpp_ zS%t-@=U1iAbtfR>9R2mCb=44MwwLP`< zZ}`aNC~$OP9eTeDJZm|Ldo&_(BG#tUkFXq1KEv^M%ExJ~hd9zAq0D_D@I$-Y7#tU* z-7{wJ-NwA`)xFw3R(}6K3!uR#7VsBCR+u~<2)h+pke6#%`S!iq>!DMb5|jR~gC-WN zG^N9>x4ehgt$74+hsxO(LTw5JOPyhzZI6^>7JZIJ&VxF4@DFO0zi~nreM>Cmze~Xe z3ulsXR940oL3zH1fpcK?u5sO!x&E+rt*20ge9_a>#Jy{*X`Xu>5`|X*x`8&wwgp#+H zuT~zA&?FTgYoNr;%*6BArZmICb({||Rk(hQWySisc%zICn%0QUi;G>zjA8(h3LP`s z^|n2+j<1T4AhCf#EUzF?SIeEy)D@Y)itY*0p#4vZesYDqWf#+0Z6$4{sz8%98O*r; zKo;EEh_vy>s~^*vK4v^y^hUIMDDHi+<#^kksq-yJ`)Mey8!}6VZ#VVWNY?sPc$)%) zqV8{fF8tXZf!)&1vpOS5h9{5fKG$WuH=*k{XD$BO8}FDeCi?U#GxI7eGR*dXwkl$# zYct1v^P;=37yV{yc&y|LoQSXdv&cEVvut+_&&;w$`O7icdOQAopcg|&lND_u2flaZT$D%+y8lh zVAY#cZY4uMB2sGdSN9Zg;T@p_r{B|V7VAE9pV3y+W4J~lVz~q7#9)OTO*P>O1KX6Q z@t+cFc!MQ{r%-iitziZ#yJ~4&udY+*Z=Hp~XP2-PH&EFNK%r|wZ!Q*O(8j^^Y)qW{oMK4 zSBtrnwhORu%q6xDeT{Q#UtA1@bK$CC*dyATJpbs8%(CJ1gv}4U;7_tHQg&yFqi3!fMYzb~!(!%7&_+R`S|h&^ z(krq;J*^u^% zI-(=9N@Zf{p1VQQggXlfvFtAa>xl#vKr;XCzG;R_(pl&4$o+LMZ@h_FdD~n<>@aWj zJZHPxL9k8E83|7ehyk;BYDJsRSkMmfH~%8LvwOLomU8_tCZYOHma}L+cz;T-=14`- z&M^saV2ADN*B3Ur=@FKr3LA+YG{1^h1E;;% 
zAOB^kIQ*D!6z6KI`^SdEh^ORLiKJJ)mZP0bS;h;2p-ReE3*_boMSj^Jy70c%`|w^)D^#nm00hd90b;;6^@X`;_jyWNxwR@ZhiPo2!Y)=OongrvGykV`?K@lKZ4w68gImd$bMXszfhC~-t z|Ki!9H61X@eD$?x%$`w32}+c-C9K%An|15SdB9%vioaa|D4@v4EGE!|hxErcu0=m< za+>?dA8bd~fgyY4LQi;R?I%OTAJ4SvEI-6E3|k&_S{1JIQDZ~}Ac@|wp49Du>|VxuWCzm?p?kp76#GKlV8#dBr;3=4KRkk)Pqkq0Go3PYF)cYhDLQBufFkk$Es#C-v`eSOy0L36$RN-10coy zy{!iyX9OujPuE(hnCZ!z9wi}YV0t>r<92V^4>VveyX%sC=^Pe_y+U5ATp!bGsJ^6@ zjCxbRDW#RKww`kHr;CJ+)AZnIabhaL6_slz(4Mp)eL&nHn4dxtEipzvs^;{)*e&oh zzTh9+%Sbwv zL!%~rPYVSg4pxyTi$ZhPTs^ToA-TH=*Ikz;V~hert>uxOShvPSzt9NE0NwN0_ z1c2XLJwx>@_0?C!_L|uLYxmqO$uY!I5Zm=4r0`~QaaUw-47z>KXiZ4*{2$IPZVs?d zi`<`d-K^361-SjYc>e#W)LW#qV|h9ADW^1$6ock2?8O!atOUUx&KmO2ib-RhA!D{k zfwJ;imp=OB(zE2AHE!b73fkEwn;YgF&lr4*quSSKt}9XRrL?_kwG(gfUC;Ber^se+ z7R!8}C1bjtZ#;ij^Mz>1pS-fdNq1FLufDc`-y}ksx=-uXlk`^DSNSNmliVI9JhxDN z&8QJ@W_BgWT-*K*LNmSsybp*VgrtS=SY77z2?J|X!$s3kKSN92Plk*(XYmZ)T!ARL zr9h$9TX{KRP?YMU6-8zCQ!$P%Dp8*NA#Q5L3kZi- z9GkB2OiWqNh`6cT{j0JYJN#y**F;}^u#1Du~I1~tK9fE zZg=AT9$eM>Ik+E?s9G~qdf>djA6W!$HHZIsrLM|-oWiw9z~V=IbnQl*U%+e_!+S-z zS8Z^4h?k-#NsTl^ZfknJ0`5?rP~sSz)!qi^ZoAm}nwZ|b%M7$~0R-mNp`L6S_^o)B z;Q7*Rc6h*T&S47p;-iY?KbBt?+be-5I~za)64Xl7HGW7htRvseZ4uIQf-z=Yuvrnc z#Yo$S{VKL^JKi(7pEjHlwsk8n{Ji5P<|maj&@4>gNnQd*HZKnD{0Z)f#zFaX*f zV$(s`mV^apL5Na57~d!NA8@BiM@;_R6%NlSpzvd)55koTzUK0*4+OBv^fL zJ&vvoiWZt<(B`6$_7Da5NOyRJP~B&n@lSBtsqZe3@ly&35M(3V@3Y5d@|T;d5K;LqHs zu9A_1>l)RIeVLwVd;P}l)z*yb(-2ng!#s-bit)V9&OVindTQqn zWk%WCq#`$ezm9XBCqQF+*plWCrxhglnwya|JCeX{vXBS&ADX;kB2XTL~I!*+LS zhsq(Pd*or?J{(K@`R}fN>>xe&Z=nYZv84SZs`87>N0BGUqbH1SbGNp}ZGXUCVb!To zN(a_Irw4Z)Vk&R;vcZ0=8NSnas1fc7-bS zXjx(I1tnVsocuwqsIjx>d3J0#bgE`Ds+o4FJ%RSV|EAT&grc%#Q7|u|bdnA_PdB%FlJ@IwrQ2n5bPwS0)B%>~v*kzw7?rTD ziIz^J6pikI!k%f5`x>wS+vKd8hj`oX<%zfbPyKX8zSIkF*%tgmQ&v!%HSk0(8HlA{8E!Oc!5>dlEdG6(0wuS>M@^qv2J|onShaenpRn7*F<2VxSaSYGvUt z|Cb^=#dct(x)c?nTk9}YgBt~v^G3@q&KxYcU4mvte#u6?>3BCw39ZNvIaT00S&K*i z_x>;ABb9b9&i4aF1{f=&{<^(({L=8S1ZqIH!f$3V!>8{BXclhv&Obs2%QrtVSufA6xAIWyHZB1mvF|<1vOX>p476)3|4n1 
zC8B_)yonW1}vK7X7&2^VQIAQ?dL34rTcaUK|=ux4U%`<1VpiQ$67wE{nMcsf{YLLto7sYkA4{!N z1*$D2Ol+`i<*TJj3}VA}F?ea>{?VLm%Edunv>5VP)B4>vh9};sXbv{m5B|gAa;Po* zfw}dB-XJyL>G10wOxa>;{7QCw#d-(A@|55v=3~XGR8pJWs__DyvtpJe)h}3AuuIG}TfR)2j!h;nhDfNg=>ycnqwHHv8eZkJktb(B z0Ly|CJ(*e&953m}iaDi%017i5z&bh}E^V=em(ctV`c7>T<6X2%HYx zp<26@;mqu=>4Sm@JDV?1fUs$md>y{_V2j|JWGGBVy$4qhu@qJmy|+sE*&Crmhi18@ zb9|z+zgY3!E84fc@}hOMeHi;r?CZjT*+CDuRGs&mbd*@<^9Wa;@rX@zPT!iXZ~lIc zY6{Ag(G1b*rWS(WC()H(@bgd}WPu>5f&Xa8^>n5}}HoHzKFe+$t8+6D-rS;^TjqXpyfmp4{V{>p^NxZpN0mAS_ zJTi?I4O=-^>={Yawv#o^yQHj<=WR<(AZv(LW?%vkq%o&<0M9{Xn^_N)6 zOt=^_#goQ@;|RJNvqpUJtT7>AW(te-hg#CZzYebS)w#4Ykz|{_+{)$+1*WMkgX7c= zPW$zMxnQ}XgIve+|C(7=|M6>5QN(Wzp z?jba}bEMh&X=nmQ2)O@9AN{R6<6GH7=_JB4Edv?UCwQB5!23TBm(9f1xKI8dc*Iwp z-&Wl3IWFkDMR5nN^Fl#w)DS&bAnr?lXI~-D;g@btF;2@vU_Fj~UAx@8`4uF5=GZE^ zl1c)m-FVB2nBT-Kvh-fUi`r&x$&BeO!PpE+f$CXF> z`sajeTAv+nW}xc+^xpzc#j03==Eq4~h27%UN%~PK*!3j~`MkwzJW2nWmfX_Epx%%r zsg=8Lgf~*+S9}@z`OSW;{VFo3KDZwP5F=!c?~JyVf^N;B3nGmd(E?z{U<;(iIrnIg z{T<;CSJy_3J40n>moXb~d~|RsrKCJJAVD(~Texmo4m;B5+ zU?5KO>?S?}?D#%&3M zx+Z@D7{PP>%#_juayuLLg=%uK|90oF4DC(P_Ow^B`@H~HOXq&Ui zrf8ubm1Ui8NX&b!=eS;^d%-2eu6z6V%e@BgDbK$`@r)YP_JlvR!ul-u9@#yxKX{~5 zF?Eg#P-L8{jf*!lNKKuk78c{EGI2_@C)LuYMy06UeeGVPY3k4O3Iwb8_Fr4Ola-l7 zlwQH?3a5T^iQQL6>7zCr>kb?2{M%rh*}jv_Inb}XSTN3Uw3@(|=igqXxGqMK)RdZTs}1l5ZcgFkrN|FY85SJ zDhTuguyi~Y_TWbgOh8dX&KhTH{L(pt1QzUVw69#|NbZ=|&>_jsyj?D2`g1!w9EA8v z1u#BoK7i_^td)+mnr|y+u!M|8PyL?}W11xIUFauv_GgxhYzgnZ3*=S{j% zHwByaudt}WVb;;u;VOU`|3%5g5mYA0@e)Vvw!iaehpL9v0RQ4Zj4EL#2tN^*qMPv%RKx3=Mzs@8+*tBXI`t_MNtVL(;Y;6f0e$pnp2VxGEV-f5Q0@Lh_Qw0F zO-@aq!1Ilap6^B{y$r*+0M{f`?n+%g*-KmO{Ca=_^^P=oZ(-;|nuX!P3&3fncak`k z3>j4CMpmfL_W5AViF2t7Y?DU=W-43v%;ZOz!z02;oqdw!z~gEcwZk#y#R1kYe0(Ay zYKr>Ys;&IFF{nA2z&)mje4{1~^M1-nYY!dkrf4$5P<0Cr2H1WDlQ_ys@dhc*uG$ zOK^p@<{?HRb>6+>e8rl~H{9?7#h2&(ZBdcOMnj$##~DXbpkie`$=-wwUOli^iLCZ_ zie@rg89T8zZ6PwdnlHe1;4M0aKfXV5%C5Z$rcD^wGSok*Q<3XlWu{WKdhyjhV=s>= 
zijzMG)2!hfRvDi+z9&SNo!ovIy5|1u%DG9IYR$qnpSKA34T~Z{a@{7@`Q4*ONvMarrc2ld284~fA<8TgwHj=C-0-|OP0s28-MwGq(CRS#kcyq z949w2>B`^zQu|sdu1k#He;d~n_nPdWjkgUjPIxDc4nG*SBm{I7a!BL8di+g0OiG~m zAp23z+OsC(caF_Ji*g zFW9UnNB+VVV9f{%{R$uPVQc>+aS@vlVUM>zW z%Lzy9wc}`y?=d?Y+&>oX44YkFRUa5`2sxQ%@kmcM8XX`U;c8soZs{s~U^EHHzeEzl zg;*?tLN1SeK~~&q7wG45+%kNHRMug$`QlsGopfj|DoVPEQi}hqmHMW?2IbDZHH?k>yqE>|aVlqr}?itKJHW zhFfIDF%QD8uAA^vMWE-QWd2`w)*6s5Wsv>CC!(B4c2Ii&xBsUmn6ruh3k9NOWa!l$ zEh4!T6?)*IpQNA9yv3pmE_e6jgt_ax@FWdh?>QNshH@^KRkV~|Zli~6vK~~^ukU#y zsCvlG|L2)o?y@<56e__ib+BL{iC62S>602Gq(R+FynV#Qvf|M&-$}`G?d2#9mpf0r zc!XTziQ#?M1!Yk-%|dvMpdYiW=92}45ZrZujVYbe$V;L;jbEb912z(ckqp{ZUb%YX z?THC#fb7i8ASc#L*Z*aM#78{+4#eH848RCnwR`ZdMP=`Qia9^%zqiSipf(M7n83x{ zfH&Vs_-8^!FQYBSTMwUSz19&AWo{JN_PP}!Sb69)xqpqz@^Vy5< zBqkKo%gclA(q)lkYD?l^ zt?@SYblZX84=>1n@egr(HJKnt2fNcdt3ZzRMskMft+mIq9|-s3!)pB~j4TE6M%)g}(qfCcEL6N^_Z-pAR8u001BHwlaihr(0=r3CU6?iv7)(;h-Mrep2eDLKha90)|YpK$Cn#UYjW_=nWf=t$R(qS1eTBSXJJc zy?K)b_DwY3{nd(g4PWNeXU8om={+(i@}M=+shl@ga*twd%iP~1BVv((n*#>8R^RV^ z59G(HV6-hr8GFn=>Jgjm;bBK&{&Lu%63{yD+`Pb8G7hJ<&>iIT`^4-gLmJw&PUJXP zf@KNyl}eg)sFes#&BAamfP>z$Ls0nx*A@!T-%+>?e z8Dd)j2;jN!JI+I{*cjf1%;2>?<_wALy%2byT+2NypQ}}H8d-pOig`KmT94G!dR7w3 z_1mIlCJ_q)6k5SI49tCAKt3pf@1~o+gRfRxjn=o}SQB#K5SAaXX%et-wuDe~wjcZP zhJ`hO`v5c{Px6#^^Q$XhJXlYLSj4s&y>-;+PKZlZc(nS)Q%a~yDB)Ob&CFBtV`ldt z?q9tEM#Qais8@YcX2!V3JTX+SfQIex%L02$q`33=7b(Q)ci!w{Hx?x*1e(`{B`@h# z*%ez_ZdmZ+uyZ}^i4iuCh$>4#XH#JoiltzG?u4Hlwx=TsC_f5Ha8+lma^@zzldvjJ zaJ(}0SFaU?nals@baUQ%DSr-FHwNWF$H4`(1H$YvxeFBB)X88;|GdGsJQ4cMK3R(0HMg zR{D&?ncUK4P?zqcW`Hl7H&@e^iP=D(49eq23OJUit(g3n#p?8ZbGF!4KlRX_7`)v! 
z%k|qYeD=dElDEx>_2^Rym4|Dy9yY2b>;ZH6m@RQcU@?Ke-X5&+6P6s|w3m!~3Kxo~ z7`T_2Qc*n+QTh#r=_3pg#f@KMo&3MA5XQL}#M}!@>G21c)aka$>`j|8)EPG)v8wz9 zeP9tXH)!qXD3&J-cYc7#zzsC1FjqLa@kHQd0(tI2$Zr07BbtsEQmQslZQf#?_!RV{ zt;65qQ$D7Bo1!14hx@QmQ1mIOYt6wwQJ#OjnVChY`p^~F;78Tho@pJguj2Mo!2=QXOv}?VER|U5SZ=%Wj!iSF1KN=)SEl5xzs@>_+*|u8mjY&Pq1h&(mi{f<+U!~lZE?~q_AA`Vn9r0Z6h%&$Ex1> z{%&KNa*ji;6==9W9j?0(KO|m2pGh;veEaXo;Me<{#UF#}M~+@tKbl}5=)O0&W@321 zt4hG=SE9UDTVJ17x?Wx>d?N1WBeyS=zudgN(z#GNFVrfghDz%n0jO@;y#^tg#5XaJ zCmE#wa%%1_zyR_2T&p8Uw}k(><||uHF7mR_5Ovh-RzPpnR^c zc3i6x(wFxQebn8w!(R#?Q9^DNZFahuemA`~9tH>( zUMwB6SaNR48i!qjxit1X>^BdJuOBph5+Z7m_+c7IfWWW4Hh#t*gY##3KfX$PSbXp- zf!9WErL-zlTsCS}awc_o*Rw6P06r9#IEoY2r8*<Kq~7`|sfs)=%q_Sx;c_b^+vN}*99 z@#tiU(K*qCF~*Ki#cVqp?bpQ4GRKALot88%)8yx^VhKF74x{&9E@~TT$F?2x=NP+5 zH_J60bo7uEoLJ3Ovn=|^ms!jb0l1pE5|W{^Mk_@w2{T$!;}EcB*zhL?$5FHPN~2Mi zdk39er0Oc0l276mcKQM2zfd3@6&p>{rjv4vPp^&EDc|zl%53#*S1w!@H3zKj99N>J z6rdvNZN-%(*%GK$<$uRnb+CA)wwt&GR?whj==lSCIf~}$Q6$LjowN+!;tJr{%3l|m_As4Mo?an5bet2y;tLPV&E)#x(cF9KjAO~ElBwV zt(f%j*N$B;t-ztld^$`9)Et`Ns6KF=onutpz+Gc~C#9#vvU?*C5!yZ_uiCw)MwOZ@ zd+Vn5s$<39Y8(d z_s9zChT)#nQzjb@^XgHtz#yTIv-~w$8sr(x ze6MV0Oloj{x_EVR2H?(f1f=iB-ss!!eSB@LYw`2B z4qTq)1@0v%{qpMQw#)S&sapq6G&y+g_#SKPmHIsfxtcBI0^nMu3_dx@3{BPuUWFKL zUG{T$jtVt%fwFYK2T@t&MaN%QhA)jwaojxuC zK4MZlQ7rjfomr4ZNpHeC+Gj+Pxk>0604Q)LY58zORB-~~w85Edmix^7^AP&?D;t^3 zLXZ(deC5WLYs1HT2x+U9aVXh1Oh&^sY4S7Zx0LQgipGk5^C1Tf_6v`YbYWe4H;thw+jZf&XRr4Zsip3pu zn@6gB?|o|FLGIY$ZGM9?g-svbS|E`P^c)w3bv!2p?uE+o>Ur)wI%G+T?UDaEdC1dGlS6+gl~9x6l# zuLx`oSGDaymzN?~#xwRfnX58lY$xbPZ`RL^-@O0hL8=Ooo!W%ZyrYVt?PJTIOBJ58 zTT9x}ez+V8&*Sr4t?Xn_m8Sw0b|HBzL=jOkpcDvp@Q)FqkrW|tB}adYi-wSTh>U6f zHv#z!9Tt(TQp2>s>`RrX;xQWAE=KoN?@o?LL`@bd@gwI($ZdIOLMOFAc?-0T3x2!I zeko~|t~4n3`I))aJ2Yk>>$^qF5Sa#QvhN8=QGbS*H)LGMc?|HqeA&XI$!e>>s^i}F zr~YKM_#ge!z#rJFDUOwfNkYM$?dcUovnr$(ebC*S`uGJeV;>dzJeuv%|L`Df#d08L z+rUCy7y(FS#|kK1h8qP&Z58}08wy?!MY`4q70uB8H*L*w(rcTWCX(acp*DI{uczY$ zo~>ja`vg9jnmnUm8j=(mRcy3^MrCrj+iYtjo{2Aq(5uLuC5~MZ?YgY9F+7Ysi|gSx 
zzlr3+B%r6AHJa!{0OE79F0hQ4MIXd8l+odGzz0zx)qS_ z?#U?0N#{03=V(Tb-}Cw7_b;5oIXq{3-tYUmuj_Tii@dTswUhg2`2gOZ4TNxNrCogQ zK1e>WsXviaGLWR%+?)9Q*s`mgDd2+@J2cnf^s_X~s=+#dDcqySmpEn!5Z;J-Y7!Lx zgqk>97^mFl$Q{}g63z?!Y_RmK<4v2^l6g3Dzz<;$z%E%2PM8biB;Tn-`muwT=IUoI zbG@^L64s<)Z1nJsGiU7=9z3x1<&C?x-TicQemH8G^U@70J2v;5aY+Rujh_75ni_u+D;G+x1Yv`ts`;J;y*Pv=#ez>If2cP1!y=8u1{}YCu z*FK%?#QC+XH;4OqWsmUEZwW>jS)urv3{&qjE(>&ENDOc0?{OSZ7Ct(89FDQZY5sH>>YB{xLP%9QZvwbK_)5G=^~Bu%h&nQ+?yFT*(|Nvq;&+o z-lX~-wf@~AXVa|h_axt{FH1j>4ZE;rbMK8HuVbE?mg#-}%PX-y@HiXnY)ME-C|q2 z0FUs3-;nSY7MrJ^$w%Tz6a0CY-)lL? zlwM=WmHkUj;(&-De*0rB4GHrV?`cG+P|4jd0v1@;T6UflIgxd5W* zZb@_#?$UQQ(*KlZbL^1IY#B;GTmcB(XW30^{Lgxv{38~2LyQYO3}j{^e@CA@0DTmE zWLB|GOFOxBB8a57>3U45_K!u(Of_x{75RK;)U`yUsgS6Ipo=>bgN$@_AnM`0Ga(1oK9Ym*w}rJrB-t&$b>VxDi;l>`b| z=6?C~*9MYfmd0k(0BjNct2(?F5}eU?hrbtJ^A}n$|A_Wj;idb#oCNS~q$xqjx~UJ&hpyuhnS zc~EDB#(UQ^qpy+j>fbx2Q8)Vg|Jb%-usQ8+)@uNB#lX|4gdYh;_TK9MxmNe*Y&v%I zJ{`Xm>TY+BTcMv{8W;HKmh-yR8-=dgQF$#5`$)2H*XeMoXX;0KD~b2Q4S3jYO0qv0 zFQsb|1ln)C(<++e8#%K5FZ}h%Hi^@^*IX;FU-duT<-yZhL<~Ul0QR25>!=EJg2q_~S;_!{{}? z-#E*{&PTdEkzzCYBsfOQs30jKpQ=pRUC+er1&NufOZ-*qTrVT+;cwKDLuUXf<9UaC zkoacGcwhI&+c;SM7_)5V^ge04CH6We;exX}u04_qmQnF%vSv*A_1QOREuZ8cvvOA< zsz&1?;h~_Kxd;$Ri|ea|8C`_LI_f?1J3{{J!(X0xLCBd1XSXtb zrTcFV$5BRKPW<~H2=i>PI!Vy%^u{U-KD3LC_{Z@_a^NJ!E}auNu(#dfqSF>0cstiD zMgB*Ome}-e)M}#YVH^`|>9sMO6F+|ux zt+PDq6kmLQyY5)#oK#8KJ!)nY)=B5Pw%`3&tvCjcx}QZAyd$khX}s|LJn-5 zHx9f#ftM>T4}S<~`$z<{wtnA@35UFzUFZr|Ce(fom3> zJNcw{P2LbJoH}@f*%rNtFD$C7Iq+-gw;4CUw z1&p^W9D0fi#{V)qDs2dxlUnlpZ)y##GY-eK$|oi64-a}Mbi9wb0Mx;7i}1(B9~<$< zp6SZo0khYf9GKfEx=GAuA0WIwJO&yDS-z!C>9FQe zYo03J?+bp(U-5GynUm;$w0H`AD!Q3bc*M_?Yrg6H)>BrJdcgjwb7+E6Q*(Rbsi*Fr zsCTG?n;(~O*(8wru%8R63z7EFFDW}a`}y74SWa3}c7=6V2gQ)5V)KBsZ?BlLG#1`OBrlJ|T zb23p=>SE=6zWl^%fFJv}Y>Cs07O6nM`s7FQ;v~&%JZLpNf(lImPahYCOja?w1sFUj z4hr%(pMTdB#=GSfmDuD;&;sPl{RdxIryIOl`%TQP^*_nuXR;!Z@8tr>ycH!dq;3X? 
zSW$uTGzQoiFXmHFX0aFLv2?@VwL#r8I+)}**?5{$^EMnHlKZQ#fzITo$mNPO^eN>o z*QjJk(Eyh&@-Up`)yAvM^G2_C;hT;BTje70rLWW_t9~iaNF}Pd(}m0A`xTI58-DS}~RUlxws9Xv0 zQr%)|k{}wtlfaEn3plZlx`%sRZj$v6@a)C84<0Vfmk!u*@663%YUB=ohLroB17Vs4 zcQBw?UKq2MI(QhxILKVa8unGu?kLA_6}O0``Ovs-mTXD+#dTW$3We4EX|M|->gQYk z&30kpJHLLPi{?q7ZSglSZX!*qmd!5akMNHl^FqR^<9?%R=O<3xi%<3TpR2CY4am#! z^hLi|*%j}`Yf zJo>gWpe$L)Y_VI=B~J)*l%YDw{Xr~=2gsAqLvo~FT<7%8vIF~6}BPDyhj zm4Mt(5bJp$Y~asr&!%SuIr4G{n|YPwnt`z`Pi#s?0$5073h!%J6E-_cE=2HHy&|{y z#Yc%cT&n3GN0n6<4#~mDB^J*puuFd6#_mnWtUDL~)hG9ZAZaG{gFnqBSWRzWWO!N8 z1xHCu7gz0Q@*<(T>w%zZi4pPONdB(pNXocZOU}?;#q~=C|i34@y zA=|?(EGtDBr``|sQf*ngdOYqRr9@{Czi}9{kr4VNT#|;pHctV${%eD^Y2Kq!Y$mzv zvwjYtfajyz4@%ea%b&(fse=d1iNvQ67RXl%TYh0;jDwn|*`4*uiY>3`KfjY?FqMK^ ztB}QMa`|3d2LsYUejde-+~w$j$irQLIzDmU-MOI3JDi^T^&K7NZU^waz8JV60*^_F12@;9u-`6Yku3M%(o3 zSN-6ju-~lN>~CjQ6Ye@~w3<&sx^NN{Apl(lcskjQ;!Dgnaw6 z0bN|%x@4_Tyq7veqp@vTB=Z+CQuT9Z4QSbskf89xD(Uz6X$rEjJQ2|Ac1)Wgo@8-O zsu) zL5dOq%gM`Mhxr$Go=n0?*I2!m1B0s?mV>ML=Zya3MEu8_bSNeeg2qjcBf#js$% zpjAfQ1=WiJ>)NmAQ09)dp0p#GQFU;HoLOX>-rWtYe+paN{cY2`E3icOsf!_GS$Y&JoEsLkQhJ}n+5T{?kR!`l zi($X32<46|+4rihTzH6Vz+>Q1Y{|nGTz=5WTYxP@9`1 zq1br^HER9d_|S+_qRzzjsuXg_EVN0$gHf5{#@z65Ai(CQFYzQ^TRD(Yv1;7FXlsCu zR~7*y58P7B38kXio3*|BMz0le)IU@hcF3ARJd?85@KnhVfYp7cm{s+r26dUnpmCj> zqen86XYrb0Nfl~bu<`C-3G6d34s|X|(E{8Q#aQLBX7MlexsqIYnqQRhOiGVrRqnwq4* zEr*~BS3yi_Y%PB$B+)CUC6W5*7NU7U3}B*O+t- zzeG;R0~sXke@<3He^)-IUy({m2l&4gTzSW$c=5)XFnn(A-@cLrmH}m-CHu;ss-VrI zh^<&-_G__((5EB*=YX#Pm-`*G=0o3~mEGd4aEtTlmEN^>=7P44>P)aF48q?S3}kbo0P?- zbo%6aze}v;Rh<6GVr^({teqaW&aqchyK%Efyk?Q`NIdi27~*717F5y+6nBjFVIKT4 zXlb$HP!d=eMdC^Pf?piPmp6N`8zFiqaQ-6sGB*A6Mvq+90r}3p_!Qai;>vyFwaAMD zJ``d0<_cEEo4X-cwRu8@a=s-rb8z--KIb90-T(BU< zFMk^46))Z@RNG^74c{oQ6JQUj%ov~8GM@fy-3*`F)I`d?Ik~98A8|mwoSPfICaV~A zGTF)z0M>R6r?xj}da2J`FahWdk@VTkj$pGlR^P9(@r_}Y+(urIT>I`kN$i6^3zz>6 zSY9dfDTIm1^;T%WSexN8cYpJwJnh{Qoc^-o0+!Hph3S`?DQudmH^(d0xdh# zeJ*EkU94i+$skuQNxuX4PhCfqlE3->s-{O#dJyRFp!8BquGs9>hUbc|*Z!kZoA$a5 zqIQg)agbJ#gKw6%*mw06Ka_NreqiXj 
zqL}%E`?l$3wf4_DrLKrMm+|tnufPjMnaNEHzC7-+EXMX6V89VU;PRsMKQfc9jBVD# z%g(LvxaOqA_X71FY&rgUs6*0T>%Lo<^gf*H7GEtjRb51!c&|lRGE-}|Me6i#;>~W& z8qL7w3(!m)g$r;F9g0M%yPf@ly0*wGP1t0)uQ^0q^VJB zRU>3_KC#F~v)EtTKgG&u-kyd3U%8#VoBZv|A3uh8p65wC_xa5M3j8tKixm#(w}Ffm ziT6^Wn~s{k#^%0zOnN5Bo=A%3R+p6Jr%2BsMc*4?raA_lMPBR_LI)cMR;5SR zd#98t?TMPe3mNoCo4jiFe9jVU#`Jb~UA??IaNmL2?|GPOa*Vaa1OZUCpdQJriM!&ic2wm+}bx^-VT@MmGUOwCmf^9N&Cw1=Qq-$32VZSW0zQ z=|by0pRQ|}N-tt;*F(|`!W71Vc^4P`UJ>Ny+Gf#1iefy@h-O@1{t93Y%FF0Jl~AFd zVu}ywtlS3Q-IlW5q?#^StYUW(uoX^$4BIY`!VZ(voBCwSi9a+UirU$-@i>h1-{U0R zS-q2eA|yxDBivWmf7iot9~*1UM2!n}J)CwJazeYYT?e}xjK$hh*O=?S^8UN{Z?ic9ktuZ z9)faP$f?Z}ts!@T+ zDDJcv!v!k^ITQWFZEr+j1*`?P_cx@L?mM$kz$QX;liO6F;~0wg+e{Og+tW!jncEHn zKeIhN5$k?eo9G(V_J-I()Zc4Dijpj=i;sl_O$U&GG^)lGhpzrSb{79%rpF7a)l|`U zq-dOy#3dGY-en&`z_ox{uHs;aMglz4st3)BGE}yfR)j83Xat;cJ)hCR^o(QUW&j6d z%%FRa&l&U8uBoHDlAUI%`s>%#1!mrX*F)4c9PXCG%zyud(i$7_vXERHVa-MwR_mO*)E zM&ZnkC?>xOdRR~61Il7HE*PG1Nh35~awEIGW!%UEE}7Qa&5s_K8>+7mXDU(;n@O;- zt6A{@?>Fkvn%d5p<+iEVQ1z2y4)SrIC3J{pw_Hp%Mt{Y2fILaiidG!Od;0(Dy^u!M zmie?wHLT4Qy+4sVePQ&Q>-qmC1u2QE#;fZ`-!6aOvui>ZVPB-T*O#@050^%`OMUgO!asS{2}kVt}mu^f@b z_&jQaKCOQv^RDE4OyJ&^2%@%(y@Vqv9s5e|>K9V^ofbX3Gw+?oXdf_u?yJ2#_Tkpp zF4AoCH=%-W8fNcI>;!yXv8SSqMu(*no+|C0n-74 z=8HP46n64vG2%`s56c(QcCJl1!c!|xM>q>;Z=xN?x%VtM&3oBD*~~hukseD% zuw|zOkqAmjzQS&O?R(!TUxQfSeHRPC7lT}1Evi2yo5*zzJ3Q4n*KJz$IT-~x=pKL` zKNAIB=CkyAeoZSh(COfze!ExG6UW9F z5YFryfw=Rj=?$lz024X_>fo#f#MFiu!CJZl6wyQnH&Y9#Trmoj0G|37m%UC6u`#s+ zc6&y2^=N|N-HiY#uhFHt!57Lr=9P)km_T(%Gd;|$xU)yylqie%Qmsc83c@cZWBux~ z?B=z?oe+BogzSv{Ftf%5SUJkB_MC{dWZ~6OCWf)d!xK34r}!A7b4`~MZ)86=%8ONg zr=$Sp$9`6K(SDr z-Ker5re=bA5}0{`iid3xqWEj1TOY3FLuIDkC&=f5oIM{%mhm(>IrtDR=ipQ^^hfO2 zZsl=~KM|nBu`LmDbU-~N8Jy@+;r&Kox?v-aAwVOO;Y zg)~B@QXt$9Wc&O^UjI|ct{`J6tO&%-6fm1MkLF8JR(*ApfmK#ng;SxCVpqlTC-glr z(qRRs^YSv28#v4>2H2C&Ap4xXx>9BpRv{8efxx2iSIxv~K zTXi36diW?O)?AHY(VH0RgSoCzI+L zBzC)MaMpB;`D!|v>c!4P9-I%K=Zs<8^AXj$%4McOW5xaN_N0$zs3&=tw_@(G#T3Sp 
z6-tZ-<#vWg;w}c{pL+LdzrA?z{0X<>cC6U{;u@)OT`};+ZS<)hD$G^;YirH~u1xw~ z$n}xWP&whHbl9j+%Xb%cahm<6#k9)q)0&s+jic3SU`Tk~`8^^om|u&^EHgU!tp>!U zeSe_GGxk?CJ^^F&jdd|Y#3vk|_@^sBi4G8BwG^c~o(j{lPl(UlQ>VHk)xA!e%pW;5 z4}-!%&x=0lM0|@M5Iu+^m`4R=cj;loW{oUo1N^Nb`pF8a@jZHNLegvOcB76T6a2y@ zCR@Lw6FMrRt@=@1(DEeqN5S2EP=P8GGp}Vi`R(zS(5_W(0X4sQ%Km^!9W{nBq6?Ly zOV(9?e7BU3Z6jWLe?ERT=l(QY9yk*d&9s(9FL@gvK0RqVh<-1|2pd-wnBu6GKj&wJ z$#P1{Ia8z~fZKoPxC$e+DvPHF&jxVqT+O>sl34%s05rd{Mj%&{_(SoH(KPZn+O&W2 zQR;BCEEkI_e1lsI66Dj2h|+c(FO2NqvB14X_vV4uGgG@?w|uxHpg!|ce8{!8QHv;| zz)x}ZmFPSn!!+~QJrCpBwk5VHVq^M1n<3L`&%mG8)p5vjExu1>O#kD-@Bo!;enzbAKeKa%e%YJ-6k>&5X)A=WSZW$$#Qt^0Ms5?ua>`Z#>p ze&d10De*Pt253yts+$?`$ez$XGM%@?t^j>!6+=aoce3o&tcu>v(le^<)!9Z9XOH|{ zB>6UhbMp4>E~}cN_fGJ_tZYGUWLI2~w-gea#b$jrE$z<5cT%R;S=NH?XDpA^04;Ju zV;#+v)-)!IeSUoW%WV{skUuU6fg(v5vytCe>TK>;l`U?ONl(9M#sR%%`wphsk-1jb zld6v6GIVp8a->P|qMm_O%1Vp~ybdb8`hLfBUv%^9Aonr772$skB~gt_+^$`d<(&od zbneNw>QMMnYI%-_L{3`F(P(q;q=~;xAhta`O1ClyLAWGoM~rqBy^RAZZUW_<(d{{e zvo4RELM~$GLjBCzHJed{8_$3bb062_<&jf!Z4yUXgT3Vme8-{U<2rz(TeKDr3<>ht zbxOeiuUstB24&w>`yCSd-06|rf`59O$^bEG7S%Lsu6YN_d>vFx@GFEVXCyJO~ z0$LVm4K(J+O;iU3!0oG!b0fex;w!R8ob4h>o1ItP)=%$pw~PziA5`X1bvvE;1fDI` zUY`6@B=_vQ0yU#d{4gCDPh!2YF^Q8AS6Jk^NZ>W59_&^@pRr)Oo}$OEe%DRk{V!Ig z_^)0KmQ9003{pV5^4w!l27A`nceK;%y%X;f$SQaGi@Yh4QRM_5PJMOT|1vxg6>sAj z>+JlUw8Az2aDP38%;{awm;RRZv;(?FEt9vli!$RX*)yns_=%I`*vA@7F`IPb%8t$# zLwb%M=NA67`Uuat+Z@mlIErU))$n#nD9_ZN_o z-YzatZ*(?tASrPl3@R)M({gPIp%p{%l>PKMpOCn&l{i;zx(&ACy)_2r`FQ^?tFD{P zpZ_pj<|9~v?6mxgc9nz1Sd#FJYeQ|_f+{YUrN~say5wq}BfpcL!SvEd<{NRE&c{9a z+4%~%2G*Nr*@UDgGhfb8LC`9_l@5fAe2)K+-8r+x&7Mn(D(-U!BIZy2zC)llpq`_~4ZZ@itCZ&y>p8)i8Uq&c$aq%Rw0N1P%(3IZ!+u&tzV#pZ-*- zd_n48?xTH=bRj4^2j(OUaaV0gKDQ!lhKeD(j$eIRYyF0rc+Y1C&mIG-k@~LlnA+WT zN|l6R4|||IGXa}zL(afi(oO*<;;3>(OY*`f#@xjNd${H!4>jT!n9<&&J)V+txJ$T~ z>cwY=@`e7x=YF&XfuYnr5}MZS8i7kO;j_{PnzP_WLO3qv$Xc_`xqj3lUY_L+nFX&3 zY1vrV`P*$a4vlMz<;1GP+-0?FPt4xxPumsx9DX-7h;aZ3jBKv24IsYnPfALsNG-x*@`XS_W;^asLS?dNnzO)-Jv&yT!XVTpL04jmqUzJVsE7ZwRt^J}eZ)~6 
zCwMHZZCp!=#S_Ur?yK#{GmJehaQWdub=A{s_qf(5hy5Yi!91_F9KwTj21LijmO)@f z>wo7MJkO!ZqD=PWSxx(TYL-3NBb)^5b~-+gE(D&Bn)G77@mY6oua<@tr&f(uj#M@! z{zXxad48mw>rea^lpdWe44o1m4=k`(jG(iv4m=BP8uMto-M5D__UmMr5#E&oYb=6C z&D#~f75-+s=!v2|Yacvqg`^sNeSAGOX1TQ8y^0h)$$mI$b6hm_JVouDsLof)$8zvLcjs0e@gzH~?g+~J+H*x5_@C*n|x z%esvpHc5pdpqI)`)!dcId&$oW1V`c9^bxNma~m0C1V~EOg(VUugr;vKqaK#-=ybl) zp`!NfT7kUPevVQ60>hDV84jzeWe`9aC8-rDPJ9p^4ePND9kYwhgjlU8V$vSAJVM%+ zl1v(eAAmracb+r&WwkY!8#JDUyy(wl1Gb`_*HS}FzJI$bi^r;(5aH4MQopqjUUed} z=6?f9m(FICP_^>DpgFUiSJBssdY`u|V~Nw3F1=5H-a5>j-lyaD{6|GQNHultPRH+f zZ&(D15k`ad-3C#gY9?QA=V%ztKX`<7GygCL6hucuGyS0Ge?TMRBu-mhvQd8$5#MjY zj?Wmh!Z;gA2e<^~tctM^A!NE87BM0^17$s z`4YztL@GMPrI~7n<2Ue&gMb6SXv?nKoU+fDG*hhcE)90>&1WjNwE1>KBz25ZaTc*~ zBIvw0>=4|!YutB)l2^z#H$M@{!+E5fQ^s)kZ^~3QZZPx#@U&e6^I!P0f7vm~Ywa^i z1&GNwOnXAZBP0AJ7jl6 z95-b)In68rka65`G$Kaw@P4gc_7`ECF=OO1hu>Nk5G8+Zxronj^HKixgyGm>Ll-_1 z+_9ccU7D$zPwn)8oXQM^g`ANku~ymLLC~F{#K%p%X>cIxHQ@9R7v?l_A+~9eqmEqz z1z#O~MF(-*M7r*5SrOWZ-1m-Z3AxHYE==}@G@NL;%ggv2vs1@8vB-MIeck!&(bRg+ z$q%fc66V@3>=~;rcff<>A+Or^5wOd@Jx4(=<_4N#qFut^B3@Bn69oA%oW}u0@iB}LaIoTtlPi^*RPlMPt@F#-&+em{B_!yrFG4P&fXp`5y{tWRS{-!T zW0YAvceT{L2oV=LT)NLl358A%`WsIDTx_w!{ia{hT4_CTmnOyCn0=^6(NgtO-{cN* zbG91heIW|GS!Klru;2J?yfrg+AXk!>JFkroJ5V8M6X9*bN>PqouQZd%luUd_l4l9wXs){oPg9$D9ipM~rK9p2 zYQCx$#HJF>#yqYXl^1%Wg2<-Cbw$=IO$l?nqL@LQ-Aw>oZ;&E?O5q-hyD#qFdt~a7 zIH+r4s04=a$OAVR3g;AkKH#2GaW?Pzr%Y+!7 zA75(^bxg+S+yv16^$yFAJqjnnh@bgJK&QGCXBQqT=R8wgE~L_U)k1}sG*@M!tP+pl zpmG220=GBsmqO1mR__;$(ywsI;+=Q>eb6L;@@8K`qAoGPgJ-j*hK_?GExf%YH+wdE zG}U~d!EZ;bdk682GoR~!DCiV4LuGs93sL_|>O^9gP!qT~CWv>~k?b2DMxc-0bGmS>L{a}314aW&ZL)MR2w9o*PQ`VIr)58Ds<>ihdoqF1plMcn2e7;eY zyQ#Z@&QtIhTQavA&ygWq*_)%?GTC2(+V2p#w>i-DUB4%yH>q6+(Yd4ZMJ=RifNn$?P&(zsu2)=BAuPMD3>N{@~UiiF5W}2_*Hlp(^u#D z?z}B6fl20qRNYGHKbksMWsirKT2n8291ApaGwMy#0T#0l^=c0~4+!PkZ@M&uE$^U= z8W2_h9pA@r-VrT|kooA}-$g#lO@FOIM5k;OlyZu`5y*kIz`CL-EGlLzY=T%%6^%;& zpa~*y?w;e;So*lox9sjg<9VA(pIaAX}?iHcvS|n8OZflA~zoW)O_IWNELUB 
zO{v~9H!(o6dVi_4J~VM}zDth{_{aR!Vvo5g*ZrS@IJh8c1$7RhbJvEj-AMW6Z4!_9 z?_=X!x7*oUIkHhdH8ZBM5tT``f&Y{k7e1THL@3;q1ZuTdaCCCqd=`&AG_<+rx)y^@c3od68Tgd)ix!#{*lc!AbyUqA+}MmdL>A*Y)x(QNiKl{_A~#5~ zPW1HeIG^-oP>*Xv&z!UfQN!H)mk~``ojoc(8=C1X=jctUoi`?b_twVQxwT5lCL1mw zh~o~UxcCPTMxNfoJ~z>h$Y%W+xMG48ToF|)EGm)_qiz)zsQF-`tvw0)k~Vr?sYmTW z{?Mni$bw3Ng{W;f!J~jhIP7gfrN(Fk@F4^)iPIKm)YgjLrh-<#YE{hg>0t98aapJ( zlN(c?q3+de2H2qV*3S^4pm+%Z%j}VF)sr+gN4|wepK6qqHF&qelu6+Y-aAC}A!tCF z+3vp4`&K}O{@V59lq6Q5k#ZNqWIjcraOWWD?gpd%Ldu}Ipno)mN+YB+)Nq;Ak)5i~7*W~7pAScW-{LpQ z6KN^#{R9jHy;kV=jv$wJErDye>BNcuestZ6*lySKS@|K_-)XsLvQWQgvH~>0#n(6r zIlHx&pKrMi=$OqBd~G>CopQ>)FmY9FDW=l62-M%22*WeFIcP@(Dt4tMzdcH0$vM=? z^zn}1E8A-4mqXj0d$OI(xN=AjIbk9%a_d_Pw97{*NuYTMmf0NN(5MMuPBV23`XJCa zHBr{~AM*@0nD?J&g<2z#{^&z8#u=^Gb*1ZvnF2{423Q__D*m5Ah13#F$gOdM8oatb z@S?}t#?XMxgj((fO|F~8;f??8gkSnVi;=2V)t*pwfVyex0)Nr_#Z{%#(46mX<;dJ! zg8q5<b17v+L-_tjI_# z0bl5x^LLTRISgg)(jU>q#pTCS5rwlN=d+azuGCrX@I7PW*!(R;%zWMjaR|Z$ZQym< zmu>K+JCzdNvtl@qnNR!$1@uQaRQ&TE3e;8aN9d=U&?84-aK9*~Z>(L9QmI4%j^ z7*BP!3N2Tmo#L?amUf=^^e1q+nF6JSZdXR zDDanLN6ebnQw>8KN(DHWz8b+5Vv~k^u zZSl1z38S;!<`Aq>u386|Z^fmY1Ahq*I?nZ4%`7oZ`nM_oYjig9sM{Ky6A6<6HzBNd zSJ*alfL&koiVRqEtmAzb%E-&tLa3>J-q!aBP+Ok1XNKR)rO!{6@y@` ztGctFr0cr@?J(EVn{ACw;{uL>qTox@E8%?et{O=zTED8hDde^CRO1~8N{v`Z{V-ZN zB_=iB5X2$!>}{A={ogx9>F$eiQv{7D@PwnIT>?+OS=^qXs3y!4`!`P84vdP!w*N`P zxCkzP4NJdRd_WH?&0EjADm}9$+=M)Xd;ku)i3E(lN2+HBTXxr;Q}LWP`DsIMRw|*h zyHE3kMChc4!rw0Qb)pnOpg6c4&~g}gVqVQ|nbB-FFmD7#?`4h&?xypObk(E;-eQst#Z1nAwn5 zH+Qi)b99CVW!flYOb?)%2tX|=X>I{m?vqX-N0PF}1*>7W$&TpMi?0uIp}!C6)dacC z&7_CaeJ0${@xQ{8aEw5C-Y~ zi>7P@rcpu@=PV`KUT^17bn{N+o$N>dyNiR+SV?c;U#!|iA8OTP3BnGN?|H*E_KAiC z77NMIMH!tW-AFb(A8Ont2e#V$@CmAwlNB$SF^a~T(g-euiXp#q6;L7VU3gA># zx>$*ZvW-A9*<{EJOLprQgQ_kdKHK*|zDK|fs(#KotFk9xH`doukFnkiV~>;-M|w{R zx}@6-1RS*YHTQHl@M#UV9G8{$y?5+#%AYh@u zDRZE9CJif%jKdbuc5Q`P`*(^u(&Rr(UOSjYfUoOh8J)@O8fs{IM7+ihWktdU0|%-Y zm%$;znxYUO#Fk-NyvS{f1htQ!&7$b8{$OYF2#ZPfeFvir$|LvNMv=uOC$nDP?pu)V 
zSvGyghOkcg{@|{?%ZOJ4_Ml>L;$=MHv`mbLwz=kx+(pjgTd@GZ^4zX&|(VPBWXy~f!vg6eHfy6kl54R112ex0#${)R?bXZ>ggY-Kv6eNFEbKTYX zK0DKUQ3fT$tXYl3I~Q~b20dqa799Ne_?Kk0(2O@82{XPNs+O_9d`EO6{ajNaf7E-# zrY_w*cB-%;a+4T4gsqd5d-DkPCsj%`jKOAZh0=u~os*@m;6qo2*1k_yMyjdRi&0|# zRUzY~iUgIjQ(=x#y+*lHVLAQ`&fMb(R|F*Qti(!vz#E`Pyc|b zkAiHE4$qY@TPq3hTl5%?T9weS>4c@dq>0X}m(MmRQH$)e#{6;QpkcX<&RP2xeKef6 z1k>ek&d!WbZk617k(x%R(GaVxa%3gEad-^IBCsSvdo>p$7Cc<$5}m8DZpk-g`wg<) z>UQ2R+X0M|22ZDF-wydF_yM&BDY|oQ@@DF%5O86*vYUkO7v|G^Tdqwy4{+uZDAsYQ zm!G=bc)0egKe5(M%Jcj8SDkl1T9;`H;v0?c{&R$WG#K6lIo#X2dREWz{%6 zuRZL){0J_uYHLfk2>4&*(Ud8z$X0*5eg}wS52bXSCdt>>b2_OoU*(j8GiKe&IeZQP3C-@%ncDAVpjU z_BfdAEJ?X>GuKc2M(&*e+i7?>D_OCJKIB|~yhCzw~{9b8st#d5h-zf$_Otwaue-2z+(JZbkWAZh7EdbBM2sFnJa* zYtL|dPbKa?`w4 z4EQwoUwF@d5HqLtmJ5cqlwjsllwjmM>U{#WtNpYPo#?scPQaZdaxM#~0AdWe(!`70 ze;vv<<4Pml7u4~Omok7P5^U*{Y3MMQT$fY9`#aQpx)!T%pas(T#>L6e?qoB{I^ud< z(v5Ovm2pRGiAy8U*u9(IsGsV9`V5QPMhE1f2$9#V+9^#cQHk|qQU!C8M>B8as>V%E z7#8Qu5-gtWtTW^YyMRD2so$y$`5H1J7qL&ega(#AEP^vhyC^re*CP*Yl9}J+sy3%L zCzxFbsoOSsKIpu0@UvM5e;ef<*{n;ZXZ2*4X>u4><}@^+`iP(TlmzV;{vsXqlxbMiMt-2puN=+aKNG?wm2{;YIA_c}JTcc^qy^Kl!Q|tn<$8nJOgDO5mDnTN2Sc9EBXt3Pbo3C4F-af= z;fPden)l_2nzgMTZLT3DHRWGa>YQTrlyhQXXmDniyUO*wdVAtnm)Kgf*<7NCR%!t% z22iHB<1}QL>!K|q3A$+IC}%S&^|3}zc2F2Mf-NFeWFd@hgT!ID!T* zx1TMs4<{Z$)yl6~f*lO(yNjgr%>Z$gldHCb$E}7>l|5-mcgu8{=u&^bw}k0_PY7 zP92AO`EzL>^Hc=feqrB*94%XjQNGgFnFrD7y7{GeKjbs`cWCLQm}lG9PHpSw8#l=& zyQX!5*kK)qidG4*FYpjf!Z;c?HBhh&-<#+N_f2q<5TSNl*Hj5-)Qqqp-;cB8aN|fl@5Jy^?rQo! 
zCjD%S5ePj(ZJCu}P!u4+aDAca!w<6(LqRQz#5n(gm7+6aw@^C!vn&D3`Y^r@x?ex2nW|6Vgf#j566VMV(_5_e@Q{#W!B$_#lGNcG=V7Ir^{QNz zjzktlXbMRjd|4r51^o8(^Xgs0a!)Jwq|n7;I|$DJBz=rs2g?vSp|*8i=Z9BMut9U; zit54Z&RsOZ8wp9=%?JMTj-#3p9E<0@BkRd(o%YA|n#0Q0X@xu~NGdt;=&!~Hqf}>_ zboJS=k3dqFQPw^tcWwD;bHD)3b)mbpg1@bF&KZhJYg^&*!ZnAsZ}P9A-2@mYTr;wM zPHPc&X$AW?yrmA>e($j~xkvZP0nmhg!$Fx7q3^GgHO9MSQRLS+)HM)L8+FWOLBcsn zooQ-9v8x}&iKAWMi2e(eKEZXn-;Sofd*=CQX{a#FprRp%&L1v@^ z@4DZe-ALfJ#iePucfu|DD14Tw#ml|AIVxlsFC#GiwJNUUm!y^zh0lhr>)HWuxBDhA zIkE3Yj?F$X-{~98x0Hjl7?ih!Hsu0aV)Seahyk{Om6NQO!%~htXmfMA`S}=A4!vb~ z+O!2$nG1znUiym;!Gf5vKj7qP0T<}uGU@Y%?iQmpmuv^J|WI4`o6?ztX0kz zkzz@KSk*kExkPWjBKtuxa|?Ohw_jHrc0vcLIFwkYEY9-<;l0_W%Rg?ey_}N86ReXj zT(Av9Sdg3Nh$Rp5`TP{IL#F1p7wZ`L=XZ|T6Ja-9tc{}rHd1tjpN){^t9^a_mmnfg z*7??xF>FhmuQf8PrBqEh%YC7wkHmedJfb_ok)7@3MV%G&o-H_k*VldHfh7~#4L!WR zT7}bBX_DzgZ~rI&XB2g!Y{n^D<8B_`GST8{5AJBzbG*M$$DpYVe?`Sq&ze@`3J7)d zxDpuvp5O@_oG*K<_Hf`K#_CxJ|Jds_oo>!~4aU;L92AC03JaZlhj z+~g;K(=0&hN1ntZ9{$v)$|In{{kTokg>BZWp6B_{?uR4qui0aZzZ@8sj0Up5h6Vn9 z-WNZ7zwSDw+TOB9n7vz459ivs^L@#fEussLKD&l`0V0SPj0G)I4>0s3tT78h8Yd|}q*dnTjs`Hg%X*v|<1;d5lFFWt5}i$`FF zq`ha4I6Fa11+C~WS%B5Cr;3T$e)eB{&=YQM6Em_LZZns15-zpE;8Z5Ro*pYtcE7;a zb`;&kVfdJ`>-vBAiOL;1dK9~gi{S&iUo_kwjs@8xJ%Tq0pJwtZt*&oY7Hq2YW)?}- zwez^~XmUWtk3QqPdChOh)_Fuu_sXu)+uDyldtYOWTPyRF-1h6Q(sI>!=)!+s8jv|sRDiB%8v6XC(lul?IeWZ~l-5(YHg zW58I=H}}!i_S@H{WNt4jRT+ z^qtq42ZDw~sz~JhInWwlX5Bg0~-t9Cbjr)FV*+e`{jM|TgIF=3H$S}JJHPIWg3W5MT=t8eq!t4+h=6Q=#? zg<*ug-=a@8U^kmFKDqf3Hewy>c>8&wD-FZ{mXfQV_ips2=Tb-1Qnr|WaDFxOdXX?U zS9fNv4`^TfTC~aT#i4|!mhmRCYnfNt(ayHb)74xf*1Qg0mFEltN+sIQQ0(#Fr~Q<1 zeAYRPu_$x4ESkSQ1)Vw)*Bb)hRDznyFBdP479J2IH`tis_hlE}!?WQs@iyWz=G(h86FIXLKZA%xLCS4mf?zl4Sx{VIrj^OHzO)v6xz0z#977}OlI0D9a%>#2b5}=z1fm&lg z_!P9jNz*A8M9A$GUh3u_fn)BEkS}vkp|(MLJLa*h6KjeS^@Ua3S1f5)qFH|)v$BI{ z_ED3&&b~72C*7I^;(>4#)_**l_8+IWKe3N{y1sYlUi5@mpO{_Kmc{sBBY~G=V!9S@qB7^ zV04Jvy}ogBSMWI`<0TG{Zs?tA`eRo;91Y=;*0<7a*D%iv@XzCKZ$X&HcBj93pm|S! 
zlf*?P{^?K8^}#psICQ}6=N?wBB?MXHE-2W!S&krD@{gJ$GruS9??nZIDhrQ*5v8pW z77IV~%EM3mGwzL`j?Lh66JM8@)L&+Q2D@0Q^BMhWpuW$q(2FxVt-4nijfJtQUv3z( z$8T&b`;Xsla=E>gzMI@Db3nd1^XqfpeXvM`k#c%;;bYzQ%(k*SuxXUZb*zh+7xx@* zu*ov3W}_C`axdpU$sILT;D6Ins>=NxRd}Z$XnT>2MuUITI@v(_>=|eTD1Z8*8tOG9 z@mvWy(0Aa97vic z3QLAPXr;TkFu>g}J)5`lN0kojw&XVttAfPQh`l`3!#5TZSZ}Xv+hq3X4}PdG?cIJveqidT|nBlOIOz->nB;l>-g?6#UaK>gus$!$PxeWi?h? zSL4L^Y0lH9eM=BF*Re2zH-MCyP>>10+in>S6~7I^s^YXFz#V}!iC!*=`d&5^fT zru6@AsL#&H7+;Cu&=}0m6~s8Lx#@j%E!cT7+x|lxjmA&kMuI+kb)^V;S`qRv_~p04 zj~vf#>Ao%T<7Sf^Bau8`uG2Tqb~pL3rLGqX<1S(H8T&5aDU0!JI3DX)!1Nu<`79cP zYJDP#@l?sC;Ot?`9VbJdACIMuOya3@e&SJOL1c3zM(giD6zI=f^+LJk=_1PD@rRe} zJg=>#a8-$zi+aEfe0lwBta8%}zCbhE?=qvVSu%VR`E!2lg-_#7X=4Fhq zv|%Z{zQZFe|7|rG<*|`OHR!x!g@t|r8nZNj;D~%{}rrt)aT>4><;5o)!fG!x9J#_Em}xVCf(UXB@^;ZQ=6EN#^Bu9fFza9{AESq$hs zE%_N4P@`on`LOb5h%5W?V6KC1MvnQm^&p%w7XQa}j?YO^i_Ab!}m}1$$ss4cK`4 zduC2w5A;-Kz)a$GS;c>~L7(2ih+FN36u#2Gi$!Ce%SiIDXwt{pKyWL$i+XjGN^jsi zRA}3?Z*OkvEBoYQ78IgCEB~wRW=Rx7plz8TWt8|6*6~L0iV9eph*st#4CNABFe3efWT8U1z0D4lJiS>g&~XjUI=Zl#jrr zmg{~{B45}7V}e{Jz$#s#CKpa{w+{5vuht3iyLkV0Ux;VVM$-iR{QuL9$uk|7} zbVQ_l8WU23SyQt7c1b{M!an{F8si;v zUJe`WA*-@nb;W)=XcBJdh>sIo^J~Kp1;TlXHk$Uu*}~!nhil?_>#~Zk+}SOUN14VS zgej@ceba_rmC6tI8s#PibWzZxv;*Hs4cOdWt4GRf^uuV?hC{@X81m~oxtmhHVX>3E zM9Z&0KUx6jv5F5(Tat8Y?8V)QyJh?GdBaVxj44sIq-EeL-c@POO&5N< z_wj{#yXynr410dhYg|2kkoaNfnST8Ouap4h%G-i0L3UsooMmEvML84k@UzfX_>X#( zG5CqN;is2})4*|~=8cU`6^2_8!nk3Y*?U(@l_y3+5W8wzO(RM@K834arB?mlUdy7|G;O!eoOqcES8Ll6 zZO1O#hYHvgtYO?YsDko!?N$%IIO>g_AR2TlXx9?mR1c864JBE=n{E6dfXIp%8j`j< z4)--%)9ko+%Xg~4P!|ps3?&%nvEyc2l|Lal<%-Q;*34o52yA=Yev9qTN(sFA;`F@# z1?YBR>lw&+#&6jV0guXCa1$O|7&o?nNNA#1vClsK8TWt2a!X zt-tOnCO#k9H3+BeiZps;|3WdV%BYhI%1W^hpGyhU)u(6X84hnl<=dCPOCbHoce8X6 zMP-+zMLQ7nvj3j&&RWe)zVn@a|E_cnXd{7P^U8QwJXWQz-A>$f-qWBp5647xZ5%;n`w}Xl*N^?lbbXTGKSPV86x2 zi>!BmUZf(Juo)S9JS+pI3Uy~x4$u+Q zzi&zDB#*=)A!I1;P5s97FcJ8`G+$?{jl@$-{G5h=q^e$QRoWdkwO1+~MNWaY--4&x zhuyMaJR_33I!*k>hv(ef^mhg1k6u1h9w?v`_NbmyorS^J@% 
zL^Ep+Py0x{IU*ZEEfxaotWz5KkMF1grNXiEkNMo$*T@RB4%Re4b~E@t5CleddWs5_ zNwzN}58u^o1ltw7PPS*O{D20fN!nM_)S*#ZN{lC+ zNnUSVB(}JfRHd|?e8QeJ&K0m^OT)ps<|1+;%#PYt8|7nDIk2I>hzALeF|V$^ygEnf zG1R%4q2lDR-tSCKN#xU0Nw4#i5#8?@~;bkx6A=?amp_J z7My+pcep5Rd#o>-zSHU{b{$K3Y#End@Jy0f1ifcE-`uyo5Hih-;9BOm`z(8=b4&5i zep|Bq#Lw;F{3`QlcJ1y|@VOc-5TWT6*iZYw>s3%Wl4oBYEMc2{F(ZFlS9#F88-^%h0~6^)FLu@K@3<%(*Du4^c5w1@ke+gzi?n~K9_tc zl`Kaw7#zNJ`AL|JsC!^YXv^Fb@m?qZ+QPl;3V+LUiPG@7Ar)@XtY+~oT1bM7lH~y4 zSU>Q3$5*GYL5#qiT}r^G4qr;=Pc%6QB{fGMIm zCt|mAyiHw7;FllL(q3naDUK?B8L>?Er!}epo>!CJhfb@XD{rq^2e6-SC6`-&4G1)t zIi8LVDK{7L-xXkuxt-@+^>ez3>PcOwsVtv64__EnftVM89cw?Lx=S?8mOVGo`bZ4^ zIG?v}5q?h|eHhCNBT;F~VlVv(*i97I&jd<@=t`@v1$kZ#$jEVp|XDxfgL!Dv@&GMF40 z#dPm|sND;Lqi!l)x7#qmKh?9#+bMdLw+nL}a2X`r;#>F(veNk^W5XWCPyO%L!x;5k zG2E}kMF%?W(kbtV8_3tbU5ajQ(wAXcGEg?tqcWS)t2>QIm4tL^?rg#zdW|dpo@}xH z2e1Ue%dyCY>VQ*eSPu7+r)+kH&hoU3#F(^t;XbY&eUACV2Dv^PfXu)?+!njU*PDQC z%2nPI`&|!vuudy1;!IgcungY~v4$KpO+JRgj*uVOdEoAU2v?)9t=vfYSd`XUShi@C(!4i~tNE2wD63W1Ehh9M+?v?U; z{;t6>hqsj};Q9Kuwr$#-mAPFnPU@e=D@(MELbi`%m!74aP<^kgQj@|yI4SDm`ej_# z2%NNTZYDVKp)P@wZ}NxJ6tAH>8c)pb+q1Ph?stV39n&W>e$_LIv7CvotsWYOsEP18 znzmCq53lo>=uvr(M8}kV7xe7*ErfMXt1(^le@4haL$P9ZQrr&*TQPsm>{Iz?@4lA^f+LOefQW}O1 z_Afoo6TOW4o@y`hdl!R5Q(jtHzGdy*vV1JC9^+PyZHRSeOISs^I0Aq8+b<4xfF)V6 z@;M7_%5{)9WU7}+v@K$)OAZQ=Yvf~2?On_ua|@Qp)4ayi&6CtfOYo+a(S`oRej{8$ zaozB)+}u_b)1b}5Pu>&t9e(%zP5zAmr;y#9*zF5Lv&m|)zoGx`SXWcR&=C=x|LEsN z4_v@4{%e-4mf3c4n49Dy&@BDizXKVFkVvD*1mCy%*t&boc|9QdIMPGZW>#?K1?L$J zs;{+e;`aG_*oz;u?BLlV9y4tX5M217hfLr(j48Ys=SP1b={5s)mK86|z!2$V6Fx3j z4I3^C6(>5O+~x*f5UFzYMP4L|t@w`t{^VS(zE@N!YcA~%8$QHQDU$9#BrLp5bzdp` zeWJRkC76Rpzs;mqTJ*9vw^qUZew>p^yn5u90ezFUm6A$o#&DsR%)`$T-JLN7fMwl& z;)Xz0_C0Sj#FO^&R^@k5rKX=w^LzqE0PwpI$;9A(8i6ryvef!zMu8DUaPGnhv~Nep zmc*ZE&+(BpIuH59NZ9tbcDT+IUaBrgdK4!fMV(qcN|4@2a8r;TM;<_RZ$F_GXUh!< zIPW>y9CkqE97xhqH~lv80;<-^u!N|S+-O?&Q{4>R0vEw3An~Qy&+kQTY0y7B(Sb#T z>Ji4d3YlbAC|FLB$n+Ns>M7{Zw$T*rgm95%&&n3sCD{Hps7<_$p>-8@C+4Y%@3K=K 
zD#R5$ZcUl8_<0g&$rilod!yGEN@NREXq4mNbM|M4ms2gQKsa;X{@cD)5og?mro#*o zEZGaUje5qG{7n~2iJy0(v$#IH$MmVJbKUe*)7 zSd#;~@YQ9L=iAIj}RY! z9ne*o54L{>7i0J2%bHhl$cj!O?@JWQb@U~NjjiL;AkI}{P9lRN;tIQ}HSd3k#nzL5 zOacKEL^K{TO~9#1-#G$*vJL?vF0lntL(3w4fHy6zObDyZugUf|AREA->6 z*1P~Rmnma@i7aa}Ewze{hfAP3ZHGj|@^eW%2}p0e?<2UA?KZsh-ollt_9l@lVMjUV zM}+M(Vp@jgWbtV59_~ulLgKqWqK1|kj!O(g+L01;!+(Q4r|Tkr{;+k@@u%Kw=-;{5 z1@ntz*XyXpOzx=dR09aSRd^lg|8$YtM|!N^62$~*YT7+%wXolGKK@s>HWZ=!PL=H^ zdIplK>v`b(m3TbAR8{2J&r^0YvQ*f*1+9)Xd@4*zJ-A#xKmQBG z7!U}xBrqtBC8sWegi|Q9`jTw~8$QggGRnG3+?OB6r?TX~>f2|QYVa@lm+H-o z#;ml#+KbiJ7M5d+0a{q50)aFbQIrJo;o|zThJM+k7taty1QE@vrcG0m-GW z<%ZM139`J2fn@4(q;J9Bka9eshD9)X=m%MS8Tsw(=;>ktYxls-~&1ao~nVym4WurFa1F_u4OELGw_w}9I7Zh7hB-hX*vBXDF0%of8pZ4C>VxWe zfFN)6gTr87tzotDk|FhAeEBlhZYse3)Om> zsZLQqVA?rDnh&3VDw+q%27J9#5`dEXw1a0=?+h8&5t{_Xzb`H*5}>slf13+g3x&?~_TWpYI9zeHU=;Z{xNI=Pc>xYG?IQKqIv3xF6I~4Um5jR%(s9aIBZ}GqynIK&m{UW@Yc34@f z&ZQq-Qmabjuv8_|jkTEiFKuS6^C|T0OMLS0U8-(&ub>=C@_hRQ!h4woJ5uk}MM~rr zuv5|Lhn>5e0{eP$&@VsnB+%8HMJWRA%;}kTP@j&H1?$8<)3i!B3{dZmeg&9{-hTXK z**x?g9QJR_{hxbdSVS>VCsKfP$LFaHIUnKCE;{EkO}^glO(mI%H|00*&KG;IAa#~s zhIb8~3t1eBXv*~{eVV`fHUHp;QXWG{aWalucQ#Fa!&}F2;2AqbOn#bjNK)#rfHWdO zi%o*>CuOa6`$?zUIJpx>C`vSALk`g^-wrCLl6MuuJU*C2a2y-u#8?!a?yQ}oKW0~b z(q0o?7K(ZI%I_Y9?f`0~TY9ngCc;mYyd>VaH*+w*tVv|cw@p<5z75`8t@UuN{fQsH znM!L|9V8nT`empex}GdSH@My;MuuuU&lZ!8F$7~PNY3q-j%thc^bJ-k{1Hq?M+(WH z^76#RP)+lcw!&nN4KF=ESYwdaO-h0P%H6vr(+p2LFS{Cf5bAo}RW(SmX>D}9Jo;}z z9nMc(%=s78`CoDOuNH<1F(V}!^Z+d+XB>f-B*v4g(SRlg??i7-y)ju)gCd=rRGY{$ zTh$eOn98TAlN)Ffd@sx|Bg4#_VuIrpzLAty??rKtNPw79ff4X0#(6UJ-vaptll1=b zoOrAOpzhJxva0}Kc{nshVd;!OY?>0VMQDoH9l4Bt=qKZ|eC4gdviP=+yx8dK&Wi8# z00uY?>|9@`DI+0up{yd6$))u^d7I(PDOt9MI-Ocy8=gFYfh@l@a*@1HOEr>9OBop< z89Te^PJ^%y8q}{ohkM_3)?*B~Oezoz@hES7-?s`JtQ7Du)pQOL!%eI4-ZO+yf`HR- zb1d<{`0#jQEA&52`oELW|Kuj8aG{p1e5wrL%t#W&slIGve6 zM^FeofYxmRd~@P_($k4=^sb#U#CZ#aTUf(wwG|cOa1i{aeY5V9ui1^7@_Cn>O+tDA zhgM$)J>~}_zs!{D>AKKgi_k!%?>uSr{LzQ>c<;Wdk@G3qftcAXK@xk!b!hqYRbFMW 
zm?C~@AFx~`ZufB>B0*FTOv-ZmuQ+&-BwZX#>0Fla4vALdsu8hbx0Of@zK+^UL|vba zH8N#^A+)=jf$4(%$OweQq@`x|AD^0LHxl4TKb%{JTs~M${9P%sa&Z!+5dnTlP?PI) z?V_3rZ+xjr%j!>^W_z!aKV0)5NzX_%h4HC>g(5$w`TQS4k(z?VREyRsN+bA-ao~ql zMzLSaLv?-Mfc3Qm1cLY9f2`)*r0Nc1TSbyO7O1<@iAaL?;iIc<_DgPgG;J*TG zbOrFUyh}wA>yD39(QFa61}mRx0Gx){a=lKUN*@0Rm!xyr3*EAJut-auS{*7QD z$vvv5`=X$-Ku@fHw{W{HmYB2(z%llserEUX(;cDR*b7eq1@Es)C^0RJ;Zll9mWbjy zzga;(Z!m}-rMVV)J;Jf#mK5|2P2(w1gZxnJcWA|UV`QlT(K}&Pa^BG4%WdWScv-VG z=~z!{as_s(bD8%&|F~M`0H{WtNX9`@5%YhRwz*mKEP(?c6 zw^6Ouo&`@#)}a`5vko%~3iPxq(?qxOA8=5HB%A~S5Ce{y))5} z{EGpuFh`Ha|GWJEJK{FqykvY;n75DygK{{ZiD@Iq^l%thk(Ng9QaP#T{0&lsj%#=eJHB|_^`$Ii9hyo>>20&e9-P-4^Ua56o z^or&U!F)vN-ip-3}b&0 zXniKf-3i{h7=o@zrGUP{q#l|S!Jy=0%u)hq?eyO_ zivnONPHSgRB$%waFv4&mI#fOS>f0Pf;fRP;3+a0_Hi(t=JL4QhZLbX<0#e0`p`fXq zqJ3Ji_Na3pUNP<)Jf*8*o%Oq*pfejJ_yAq zs>!8FC{w_@B(Q5K1DJo9u4Xx24pScbL~g^WfyROcXLx>c+#?mBlmO}bjEw`v*Eu}{ zP--m2z7vnfD=md}TQ$An?G98^wUlW5bO$M|XPp3H&;& ztW6Gz`vD9+-7G-Po2}{kVcD!sTQQ4*Q>yTlfjMlGDA1Kl{ndU3W4e7_ue$zz(NEI! 
zP-poWSvh)~6cElge4|hA?FqtRXQxaHdoNIPp$F)#ZLjHq~Py-`Of>7cBe9iq}ptfmyxeiz;uj zdInIW9;|;iSj2V)!t%{(Q>Ip5jayLDuoC%31{~)$@Jg^tP}WDc;6&sg0=4!*r4r{j z-adXj-=-1L1x~7yI>;)%kU~2B5pZE78P)V&Al2lOaqHQ5;5iY7YcbwF~&p4HZvUZS{ z8DCZaBuN?>HiQQeex}3kUWLyd4wn1@7NeEE%C=O^sf#r=)YVcauU{4!;tEM}v1Z`x zFDv@A{ar<2Xps1xp!Z$2485FeS6GJY1DgPe?Bz{!XVOd%3|=VxJVpVp5DjkS!|FbTx&)fjP4-Iz)Hrl@D~VVJr0|nGv-c)6`!W z<#?YodW*ryUqQFcP+?Dg+FH8fqhAW$l@>@I+CPsCF#qZR_Cy)FU=O)OByw^yNF)KM z$e1DK-VXZw2Jy{s8ciXTK#flS=qgfW}Wn+5a(7LQW;V!Z7I5dXlnlt?u4#I&Z9w>oPvccmR}9n4!e4C32EjFP#|S>r%Bf z@Qq=JzWwy3wOpg)hvZmk8i}b+0*zV91vP0RHoHga_c46$!4-st-wv>w=Jfmd--cMV zR40sPH3L|hfI+X-gWe~u*V2t+RK~R$Q^wpE6{Cd6w?O%1HC59}bW+awHL}XvF1rOlE;iO45qiK|Iip2!otCHoPPHuDq@H4vSoirBbwik(0 zaRq4f7{oOsn+xNeVhufMXj5~?w=!t2l5ujYkdLKrA7#m4VUKb>OlhIMY?Oq5RNG!Y zQ!w29s#?yI!Nf%Un2_OIK#YE#m_Qt{^yTpntn{R*m$FcO2)sQZGS}5pV$UqKS-UgF zFH2v9OWa!}t3BXy6_?kvZmWwhVj9d2P?6~7FW#J1KY+O!WSyC0)O|ZDs0vJn=0N-{<23WQwG@=`F`a{0a(PIe02d)+6#Lq#u#h90Amh#OxRKEJ zeOV}COxRzG1`C^``nM@X)(N*PK!9*u+;{Jn-RA(9~pe(}O>d85^hMwGT8@v#u39N#q; z-rHQJ5Qcd+l|qKTY&`6NQhjYc<^c;9gy?jna3HJ=&Tz?)RBoWOo5F=rQ=Qc3;%E4t zBu^J>5VzgEE8B*+d@Z(g#d82If(_UysLQf#(gyq9m_(*Aj zRpv`9Tk1ODeCB9arpWg!Lr1IYOZ3{BjW~RBJji5-()0&}Wc^Fq8^;$zXAvgZ_Mq zDSNQiM|t(=*D@OyeK5H0DFP4NI1q1!RZGd!(;!E3W{Bt4(u$#FGPU$KFA`f83}}@o zJ-X7pFqI!ofQ`^L(N6@!E4_I_sz^_%zM%Sz+GbB~+bTMgrMnYrElj};EJpTSMbdXE{k#Ezkp?DEyrf;AB!#*f_7xOa{Jjm4$b9s12(iDY@3l< z)c%LbiBp=wYT*KhMy^a2D$fRa{1j2vYL&)SMMs(=wX8|&hd%Hb&ePVj%lp77{Cz3# zJ~e@X-`CzNDyy$xw6DUZi>{+=kFJnHE8cgCL2q$IikS$|wi3t%TU1Z8K7^&x2@8=m zguJ6!O+;R}K#nal#*u@bL5Hahdz5YBHFEg&bkEK!ke%?lA$h%IH(3iGTe+I(K49CC2A3M814>&UQQlZ1o>EMTZNVOGt(q z&lh2;Ua2QDwrbwi);~(sY411~|9pJMB@9)(u{gIMr^sh#&rJV?5aUVsYm_V2X<6O? 
zcNKB_Ew6A$bld~mQ@^A(WYxQ0SK)ghjtA-*tE4&S%RJXpgCsQx!z@O=l} zLDa*i8X1PmZ3cau2-qM8Cp7iS39bnobE4+;t=|*gXaQu+f7$-MN9J)tm4g3RIGF&J zULo5FTqv?acIo{NQ+aGCbWF`$>e@BRzp3Yt4QA+V={GX-Ph?lZlI(0$h&oCjtXp?G zWj69NZxMzHwv$%XW>d-ivqUDRFGtIO6M%=wX({^hV3&e7FENaucv39%wo|OaUc5c; z6vZkuI*wj!*O3~5q0YeqJ281An^o{9*xunq&oE!aHOOYbswiC;RjC2Z5yU= zW}a?V!oi|ab$%mJ0acBPOtl@X;1&9y8VQJJvbw}n`+IdrGG$yhgzsLZG?|WFy?@tB z)U!07QU1;r;2=tKVL|^Frm3!vCtLh)M*n}Z{hR0)BTOIDJz;IGS`syM2HW+Ze5J>~ zok@|iFKk+@7g{PMnxO1QC{dyXQ`O5qhqTJ;VLPN8S=zh4MHqb{SYwrCoIy3L`um47 z#ZP`)I$|qtiZ#|z0r%()l?k5LC%IB-gOueYp2-9sM|(EUrZkB(xD5w`+CW>;XYB74 zSHt}_D9io0=uVWUl_u+p)?vl>CuO>-1kBtVl?x>k8(rO+{po6=A0rAwr-eueXQx`U zH?>Vexjwq|BfgC3FpniAB~>JXCe8I8f_3RltX8u^kLV4&^h#5Vbj?6E(|&&P!87HJPvNl38){G6DHxD`WV*qOx-zzOmW> z%F-xh#4i1sicw@ZN!0`C-UY+yK-GTV3&I+P6o=9{O$1!44WFEiq?^H;%(E@k9iX{nix5G-`dQjz$OCgjNmuv(w z#7_|uB8cF!sJK1|H;|@ld>7rmW-Tx_p{*)$q+f+6@Nhy}Djs6gmq?01NhxYM7^(!x zXo+NF#LIOVfg0+&yK<_0b~%NaCvPOp8lg-2Zt>eaQV#-Ck7+v3e?K9+F#3to zUZH7;eo0VQEtZ&$35(7sP}*(@2^w^VLa7w>4k%R2q#JZJUq_hI@-5k;HtNo-5vL0S zEU7P5PA!C)=ig+U=3(n*+@jFXa@Z}$_B(W1{owsB^F~_+Fv}rVPbavocw5(rErjwq zdJ1Lz!IK{BO30P`hK+Eh?uAt@IFxJ1Og~Zsi$bK9C;=5~ni|R#9eAqfFUdJ$!M|D; zhLXi4jx#GeySoG=z_Q;^=e-~NtJNTfh_8kOpOB>^L0S#=MkDmT|8{ESIy-aJDOO8338sm4huBtubE&H{2~zWSm|WoiwlDuj{}GYo1x z+nA+UmpFAh1LRPyY+uhsA4RVfq6ZG@ z2E)0dU*O!b_a`r^>)`vbksKH~RZ2D1S>vKyiIPIJU05mt!OXqB00X#>i?0;P)?q{z z49kX`(?`~jRxJhfPPssZZOf9erZV({)@)LcQ-siB`HyP5SLra{g@K2?pQR31S9cl4 zYA@jgakk^4`xd^-=0{6 zo6ht^mo32iH-%*p>g@;D(xAHG>jWG6&q#b3h1B;4AQxZAmhaw3p;PkJy-Io(NgTkk zm*cB-{%yg~h1HPUnNqxK&@a&>qf5(R&w)WkAZ78n!da{^U;jZLf7aEMSO4s{gM=w! 
z2{E#FH=rr@Xti(jH~U4ms5XPP`S{bpMZDWyBI;g)^sBoO%*}s9eSOrs>q1fF@?&R* zTlN^lbkP*=R5%|cq(#vsgN5)1Rf6JVOOPt9$T&Sw)I(Xe@9N;i{Z%ith`wT{^iARL zv&E@=r+srN+q!R}4^~3vojJ9fv?qR$5a8>Aj8L5&fesRmnUcS)zy<(VA_3l{H*sGGC1e)dw0g9wJ5wKho>h};|&rzxFl_D5PTTo-2)>L&uiR8qNwn4R1I9|KS zx(?n7kZ4+1P)(AsnApVMDHUr}W=em713vH5|Q#{)MnCG3}iL^`&>;b&~t zA42aftwz5RgIHyFTu8KQ3?SNiNqMEnwG!e7AGzbE<88Q*U!HK%nXj9> z5brm8^oAsSTTnkkYhLgbbdmc-c`cGnPo085_RcPsgV5PCos=V(PcGSCg2fEsy_ zCf>eD3(z(?xL=b)jOZrEVOiL%Vw{JD&3f$5J4$oMUonOYofBW6zWRJ1^T{5?(tSV{ zOSO^iHOrlh(huoKak?tDOZ+9jVXe$6TqlMyhfE7DiM@~Cc1c+%icj?>Gm=WwxG_44 z`7TD=-?3hcIVqRs);w1*XXFvFO~+lyov;$q4KUORK;u%$bPXr=~^9e z*#8N%j?JtM+{}sv23p4*4pVb+YnNBLSK`}q(e`sZA93C;sQ*x~@hym6z<#=-UBxov zXmXo|Bu}Ny)VuYn(y8;4;p6S_sU42kn7j*=(tyfFM2wZGRdk{#>~5aBG+4`UsMBP z3bxOrP5rum?EG*U64phRI#34o3U6T^pjvbue%y)wQ*GFn7@>!uAqW9IP7kEO43KQJ}#SCTg`&i$B?u@@XnFEV}n1 z$3z2sVhIKrLiD)@j{HZERv~#__m9!?BXsf@9#^dE(p%FwcFmG{Dxy}%n_?I^p>ALX ztLuz5?T3$w!8TkD@M-#AaY!#6g5%5?+JOJR^z=8%GypGGhPx7y=BQvAXb$c1-C=xm zo3x3gBz(InGP#Te(4xle#i^qCiswPoR!}Q3LtHtC*`fykk0>IMkY9dE<)hLqmvvQ) zuha0+{tsbq85ZT+t&PLb-HNmzU4nEs(l8)BAi{ujNDBzkjW7(-Al=;!N(|E7Avu7A z1Husg$7k=* z6RV!IUW|%;qaN?E5t7^n(2h*kvlwkTFq3s$SX5gd$4}%^6jbiMe0gGny}&~OKt54f zlfK<(t6b7Hw#)D%syts!^=JD3)&o5%I;VGr&K^$5TwW*$a$$gNves7H9PqGlP-v$_m*Zu{GnS<&VnfGHpH1@Pos)x?&k4}%zpi=~;QKQVl;syN`Vzw8^f!*D zt|vcC*z3G3?t1(u@QWhqvPQOxy_3gO-wnh>nT9f+EpdVBMDdlOoSpdQP^Y>+Pv*w+xAk8u`WJ=C z{C;RR%?Pl(*2$S~*P?}yV5v`CIEg0-e9^%#J0{E*m)v!{C}5VDC3*+vGA$BZ<|)_m z^J+$IsEZHaoTuGV8agcf3yVsd2V&j-0TyYIzFiwEo7bc-3kM*lQ4nc5dE%p2vl92p z;p{jVkxD>|9oQhW%$=s{K=4XBtx;jLWz?(famZ8lJkh=j+Di<9Q3qW5H%J+|h8=TB zOBt+nw9;B~Q-WBe(5HFs(V64jQmT0_U-P}@kgso?&<$<#wM(9&DMd4IVC#(of2X>G z7{DFr0$%79=`6VxB=IrupG*x&-eY^nUAf-l4=#*GMZb0qEl_!(;)1nJy#=@5oL8)WIR2I93`qNX*B8@~g5wx-VeLB)_ z9*MN$_hPO-Et*^byp0@-RL%=?TexC2bY?aAMWV1S)b$I~w?c7sWcg9WtaFpH+w^vr zGAm1#3jx3%&Xf4jGqmJ{@ubjO9^`*{bT&1;IsO9Ihj6(nr+J5R?Tc*Ysxi%dx_YO99-1wc*o7IFU_`TQpi;*LXe z$vzX&ToAmx!gsCWP^Js~9P7c!Zf)0;diUOwCuF8hh$w{QawoOC=HfeE_659QOe!rz 
z5VBBjP$OkMyKwVLNzP~OqM~)3s51J@I0iClb>O2muW6x*3=}Xqn0LT+%t_@}a#bup zjq&n2=VE~~CWPLn@Q-K2 zM3F@oYlwt~3$n&O_N2DgZsv;3{tk2FJ}h@*Ux`K&C8rJRBN_)n``%%w*>AjoT^NgK zSU+)C0J2Q5cg>iQd|@2Rqt;AE2-)g)$7nCwaF5)@pUvX75NC*9I9#c;q7Qv@XWEQE zb3YC>+WNoXVM6c4)7}nY+OhysVn?I&PM}%rdPZHdOdCsr{!;@#E%0TMxWqJD!!pF~ z7`K#9%a6CJutj3n`ye^BC8%LI7WQH^>*$B0Pm|*=Lf`aaZVlMI(-F~LO+u8HH)h36 zM=0&{glX_Lacsx#GJB0^@W{ zrTRvuuVI)g$xjJAf8Pv>&)!qBod&hje27Q)+E5LMe!y2EISA)N9|(^R3$U+eyh0 zr+LTSrM9Hbn%{()(>jgU2}{HNWs)h{&&$l02>1(u-q3d9{zGmyqzs8R6LrrvEb)kr zBra$_N(uKZ;y*#?rH^N~IF?HxGDAF&)ugdp{0kFHW?bXlf@&Bp?BAxz`0gpA!x335*G8OHi)_N^Xs=%A= z(49ALIE#B&%08xJJT!*#3-`~hk1z%y&NC?50>l6-34c>mAVDYEKb*`wF8V4>UloNU z>gL>Wn5k#(!P|K;7?;IlFUFpW1#&7m!)DSXfN-^Z#+w7KHR#&DoijvUBUI9`zRe|_ zbTWHypX9P4D1E*myosE-9}CVH_e4}qes;2QqK7Ky1Fe)|g;As#StcwkuQ&ms#u4h_ z1Y6ou$_j({7uDL6!Cs8pKL#j~d!JD&k`|KKCuIG|pjjX8C#!g=tPENsOfw17A~Uq5 zDOrgN&Z+DMRx;WUqL#!qG_6=%G~Il*R)GOc-sqU#c5L0b6;T42^_i(=V%i$ykV*BF z-85ZC(QZh0KJ87NFbceq0)<}Mt%7A@{=t7p)l{m%E%xmk&u2hi zbtTYOO=iuPK_CL1P`Ke|cJn}u!bBkQci)_y^&Jd|HJa0d{aLMMm5`kW@vO-orcDIE z=h1qk1Wz?(MD?EhHCRk|k#mak0>8sDY^r>jW0biwlt5l*`RhnU28ni`vJ74-sxCzK zRF$fYq-}k4mD2zUzW0n~q7F&Kh4|1`Q`*{vS7%h7hWOITKmX1wVTa)oB1|YEa{@Xl z;FkeN#FZ9jOrWk1?t6Zjn)$jcQ@z)nWEN=OUachl4VDiioq&G|77X-N?>=5gwbcpa zmcwIdMUX4SD2956PE1UCjWfkm+NS9fdr`JKPnAY-ckJ>tUyt+jyQM-745>&c34`K^ z$xPtfwF`fXlPus0({2ByNq%aXrM`m|1|j~Z3rGB^B=E1Y(_;-?T6N;hk3%g<;gj{R z|NRz#LWNW%L@j@y)?*&&1qdO$cm$X~cKbyluj#ca);f#u}_zamcDbDft1Fitpd2DFu*P!^2V z2o^<%ULOpRhPgk_5}Z-gemMVV41<$M=HhNV{=l-j%;YFDwiWM|w`J{#>&p`0X||0e z{y(~RR1K@$!9BYgo&=Z5x;7P>39+HyzqBfr1^JmpK#*9v+4IHvnY&f|Hc&gxzz&21 zj%%9EEt@U~s#PO$VM>!$;67=ExJldgfLIR2qWMr#!8s>UAq|}_(a^c20rsoot z6n!&Tx#ecd69S5zlI&ooEZuCoSOO0V9a8iKI1^i zU7?OkOC6IbRzOh|YsMLRV&7u&hbw9i@T0M)oz!(1A`4l*(HQ0?nZOyr%84OovnaWt z2c0ZF7xTv_Ts}O(Ql&6NOCY*sL*!HsnL>OH3vx<>F##O{G5j7>Bvih~}P{bKz zp=~DXfp+T=dD>7gDw>9B2`obYq0AqJp}BS;s?u8=H$zu=>EfEM>;-?wNABqUARQfBrZ_RbXWQAD}{SyU6i88pyd4M;MM zT|QHC%nZggLo3cVTlR;)bk-h@ugXXV^~`^eH2gI3hy|F^nM5=qR!pTSTf!nA%$`VF 
zk~u2=3!;C5Y9JVwB7DXF|CG7!+2Ru@w%`>4&YgVUy$NLX$B&Dc6|bx>1rbcDrMj~DxU7)9z3LHN4!ns3Yba)nMZZ>5^59-oM_+5(@4cN$$RqaRo(;!h z(Oq_v#1aiS!0sanbvJRSR{SMI#+zU-P82_@xJOxt&~tFs(;jo3hNamP{Osc1aSbaV zs~*_Pk7s=18b(3(|Eh6lE!J)X-~)~u{St#;hrBcwg>X^!347rz3E<*z3J}NPX&woO zicuQ~N!P?`1U1djbcPM2X<$t3&O|nM?_Mq?%?ufnZSob!tl7h)h$?esAlc2NOj)!c z_Rg}Jm^I<0WP-KMzDN5S?A`M#L2Rk9V?Ck0A73A;=16>txk@GqdY5bY%*G>I_h!2A zola@=LI(SVI(igyMJHCp#Qe3Oq!86a^=qK~W1My`skjkdSec&1q5SjD)%c?@-_$cx zQG$l4Ym+@wZc7*HM_M@$39K;MJ|g}bIaS&CwP)+l(J~X}le`y%L_f~?rO6T?84|K& z-7Lo)*PT#?Ak&P&XPJLg#9p5Xi2S7(o9WN}|A|7v!t`AMLz@ua&O``YyO?Tr|HTVj za-v2p4&Dz=0yQ`rl^~H;UJ&P-B}vP<;!dO!Ma^yl=0T(8MIl1p1Vt_KVE|U0t5PL$ zh?kG~Dk`P!)oz^-Cd}%->Z}xkp!!`hRoSyz>ry_)`8)MIJWcH6Wf8YA$LT|@GeoqT z3l?W!mN%2!a}B#j5~U{24FN5avFv$fgA(O2X*EB%@Dx|Qc|9{Bh_QYZ{aWDhbsvjx z&zAFxR}F%kV`|k-R3q=2!n~&jh3c3b8O=K-T?o-#`08I%h~@D+<9ijJvFpI-)Nh^O zqDgjsZu{iNlw2t-kS#qDeHsDFvO{ODk;m>?vRqeL-rk+-DHib-1Icvk{GSu^AC#`2 z$y7f<|C_`5*nIK+A%|5;0a~Sj8_+UCvuQHiW%vr$)N3z<^IA}T{l#N}I=G{=zD@Qz zA69fLZVGl=1)BJbjAZB^7lK353JTJ*o#Pp@!i~Llqr9a8o(qxeJgqx3YZJixfH6+0 z8*z>JIRC0Qg5vi$eDF#HgXCuz@Su)@dh%%Tn)q9sz2LYmSVt#VHHX4euXV;SeEuuE z%3M;SArSWN3aOY~1iL;&c#@4p;pHnYscxT+RFTxnS*RIjF5 zjOtqqeD3yK7=gY8?{OY#NFZG?)?#)OokmuIF9fyibq0ADqrm2;0LSLZr%nB;Ir>+D za!98*OZjD?p0-wz(z{)^UVXUC&b;4MJ*jE>3o$B8UzHcVOL-C(rKTJUi^%}Q&i3tIEh%;{=d7~V3fC^mzQeQVJctZ0z~OvyCiUO6@Ph}B+ff# z*zDibz{8g)0{l81>8GO7G}}FWpo(v~`^r$-m$4!y_@~hP%XCQlE6|^;qxv&MV5-SV zmVUJ=bqMRX^1glfaRmo3Qs0&HgjIbb*?HF!|HUKKHcSLh@Aqvp%+&B&4zFc553OeJ zPUS~$Jtm7+NNB;xCHh*yd!DhNEUai2%g3ZoV3%RZCdQdQ3OV0=m=~!sV}p-B1lHGD zQ8%8WK}6~cN2fA_z$Twxj_P*X#7amnyQxZfkqW3+lrTVa!d5nLTV@(W;P=sPdHer6 zW@N@adqe;&2(b5SOqm{neOH#WZy%$;x?a)S$cT=rKG(m%+CT9$ z?#y?*$-=vG=7^n=h*FAjIPo7E8*hOnTz=ad=YIYn%WO(4X0Z zLyW&zic|SS=^o_vjH$6O*#PxIAaC>vS3}V|LZ;^;x8Jp~valxW3_dR(7X_b*KSkHB|E~QW`0ZZZjLmy+F8A70Ae&R#K~fqfEkYkM{qP3pBoncG^Mq}T zVW1l0&2y@fxx(^O?h@CSkGw_k{zBhMh(!9&9XvB*1k3g=R9e4m-M#(GA--+yC-^50 z5jEZ`DXEw?N(~&;!=4LS5u|qDUn?K6An2$k)SmdtgHgYGI6yrnZwcRYyr*_Oe8jV$ 
zJtBxI0Or^>7wY+TaeGW8x0TkkP+7-lN4Vv(9~=$OCtLDmd$HRkZ>FvZTwRTK2G zGBuc~)G6YZWUSWtp42pj3C+olkBR-G1!YX0V6<=vEQ7u;C~0Wt*6FfG&a>HoKsOUU zQn7aP6cpf_hXr>($P z;p2yiJN!`M&}vd>%IsBG>vc}kq8uR6bJ8{q*JV~2VQ@A_PY_xI;u4vFA{|-i`Z)Q3 z&R-lkWYyPkYl1xm`Tka|>iaW?f2dk+n5e+>XjJ?ty=Ra8U!o$}kkB1FyeW7Che zHDlk$%Zhr8aHG(yb+Y(UvEh=B+q*fXcE2RwD~ZD!Z&jrazNa|W{#pqQmJXaVDUCgp z_|&9`^WxNs<7=G~@cVGRQ(I+(H!QqSsK}Z)KW0lPdQgn+cRN|oh~G%fXFe`=89r2R z5w>*r`ETfa_8xHjr_iA%>veuixcVktWY);96c|X6M{i-vsfPuF2(C=>x=zmkt-yOwcGo zJZg1|8pX38qkoC^{X&v6TtVzl_){B-3_P5fl(NnajdvA$`%aRIl;1E7zq}x`aZ_T} znLVxfaY*MMEh4UxF=x%oh~@YuK}D1b#~)R%sTrB?!DxA=GbC$gUs4Y3_k7Oq9=T*+ zJ?$DckYFp}P=;$@e@(Ha)c?Oz^lD_iRTQiECSN~8HBNTq1$-qVgdAz5cNt(1X+8?J z?3}@BDYynBD)){{skiX}o19rDlJ({rte)qM zW(;=h(v^aUSL#Y?*1?+xa+HjH{pLs@&vLPpJzCShr+Ri~wzZS_;T0|;?Vd>axy`x@%zTZ3+u`Y3a|?`jq5+S1 zQagP2a`T#l@gmjp!%Y~o4V+QzyNRp?nGwTFi0)4Xy-V0c*xNZQr)_I2o-c;;n%Y&& zz5yRY2#8k1U}IPGb-F*>mIW8>p@4e#(sZ}VAJ4m$Wr-|@ zLaq3-m%l9nEbfoc+G#HCXg@t0iWTjT{xYNYw|?t6M?U`Xf7kEc4CXu^ABd6IF^FNY zk{^uhk8E-1Jvx}KAi2&DA|E;=D_0zCu-6c@PEV`{(w3kk!!}Jx=}YxPeN${t>cG(n zh9D3hW<(a+PZ`5v_B>A@)bWy_0{UF=DL9-!M8Wl=3Y8vGy)TH)jN{OXu0f!hL zh%ZZAB*0fMN9H5rCB_Z)u8ZWmsJOcX7M{L_)4i%paaIV8IquQ zUuwn#9?6)7bG*Yl1CM;F%G>}tc*J}7AId8qaegru?f*fsMQ-@(P#Iq!T06b?as#)< z%F|ZqFFB-?xmEN(tsVb@g9f+<&Qz;GTfsRk)-UZ@ih7X!h8HCXjiZTe1dSC2?bGA+ zc}Ce#HOA$13gD2%SV`Q_`asLjaRXwUa zl*DPug{t$v7Fy5M&IrNXdkbGgEjQwQ_BO$^+w-cs$FlGmZ(g5w*W`D|bE70(^!qtG zeXg14iwB?6&PTl;U+s4?%h}`~{Sdarm8J7b7xu>S`Rc+T&oN>1S5_lmIz752( z0Ub$n#u$DkSP4VBqIw^pw_QaX6!_lB*-+&Upz6hQ6lac4HBa0HDXeJlZ)J!zDj50{ z#FFJ+I5KT+aH10?+A1c>{I`yM89M|1Lme}A#58TO!Nhydj?-fHJmUJODxEGBwPE9O z3C&eQKV6DLrHm5v=E@Y#offB@w11J`Kw7zYQTJ7tan-9gPs(a)1}!@mjrj$|D{A`w zCwVMxcWlhQFF%=W&-d$_f64kR08#5enHlI=@65%vTKtzaJO}cYvv;2Hd=ZjY8xkvF z#pHo;RrE*$VubvFgC^<7GRj0)u^#wkVw;LG7oSC(3CNLw@V<8fMEEh#i5IXc=0d{} z*`!CJE_?kP>dmd+6AdYPgAc{FxJ>dg0K@TxP&lwe#W${C47ou;bXa!5)q;}ZZT@#D zK0%Hh(0KyD*%e0fkAshEKiX06T8EMSvaJOb!OanzsT0YEuDkaB%PmnJoLS?rS?;1l 
z;PQz_6^f*)2u9OJi}+c8F%QkEh`rQb$vDGjglaDFZRFQS83^`-Fq!5&1#LEc(8yYc zF2ChA`_q)Hk%YlSn6t}^QE5Pkf5?@mkx0#`NXoR`J{Q$c5AWqC_Dkm!9<;W7ri%5Z z-0w5|=__2b%+z#SBg_33QgkPe<+GQ(6N0na^anhd60tSo0^tkETMiRECA;LG6M`TG zT|wdgvnS&B#}I;ew}k4lw>X#oZ~PZdTHB&-3!?dz? znk*_|JW;o5VDE*+Sz@TaZ8d=9c~=T(K8i8fxx+`SuCD9d(|)N@j^vYNmr18evW7IX znB7S{1{A&Pw%<2n=RP?o){=TGG)k^ypjUHInTz^;!?U`QMs}OYwb_7}ONxjD{g6|U8ccr`hBS2apB`m~%aHzwpHkL;Z-6-Jf|R32h6GQ& z+Wp>uo+B+-dQI=v+@IeUEUJQcmEWFaHCD3S& z8tXpxMa*tsQ9VWfc5v%9CHfxOgsk7A*m{zL-Ajnt{1ouZ#&@2(5XO?0+TrQ9F5GFW zyYk1jd|aX4KG*}Ojhn8>ezJX7VG#K0REmrV4(%VO{~Ylqx68)yNd3j=aT#uODebmi z+U%74cXOlSv*;^GfwQ~46YlGj+D~+l)c(P-V%Lqm=```biRkxKf-!W73MMFQ?n|T- zfA&^GCu}HSdw!eqjAbkSjPDH8Q}wr+m~H(Yq5q%e)4$PCzNaWk>TjlUy26t}p}C#%FLjkgCQ0Wc>peIqqKw{INV$B7ubE(>ApOUE(MUNALECrrw- zJlIs4NnVcb@NUqM<^6-oqz4rC%xb0zr4zRIhZ-5jhkAx@FNQ_R^7v|}r)H6lUJI4l zJT{b;xG}kxq-e7e16*S3;B5`QOL^&RoVJei8hJN(B-pM#H@o>`Gi6mR4|I^DKars7 zue#`Sjx*ik-WnwyULOkeo*9qS!IrL%r7w^qM`T+^f$ryRQ(t%ct1m$nm#hNQI@g1-F)MGzAH3&P`H znXaZvIRntqqN$R4MHJtA+HozV z!j4Zn&|90I15{d~-QsOErzZGIIE`xi(*G0TL;-k=oUz-O4acw4${ zUnM=29ME2&&8>+H+W(-~ye@{xiP8mTX)EUucwY%J( zhzPg-DP*PWrLJnZ$XU#TkWI;w^Ut7kDrGLGdq%d`z{j;2O;=^8MMvEqm|GHP(4BZ9 z)-+&w)U2|X`O@!QM^f#kp(P%#qT1h-p_~$3Z^KlryI{kcT7SG^U`d{}^eCx2wGDRs zm5lm-G>0 zd6k!_uCHa@Kz{J|l=S(LaA;*fvrXRXiK+{=P0EWbFw$q$1}Z%3MvKTw^OY-La;4_d z{;tGjmLo&J8?3gF>=9e%`=vaWc5W)Io&5E@EqGAKf9=QH-5=GZ#V-Cv{+KMJq2Fvq zYBXYlm;N-?wU5B8KXHX_49hRd1(Y3kqnsuIjW(QC6Nh%}w7IyanO{=-X}9F&h89VU zn^dm#RO#u7Ww(dj4)Qw&`fxV5k5~OR7ny$l2MbP31-SjaLFLkOU$HfB=87k}=BwEH zfIL!pwZR(X8R_#|7{wZ~aw>YZ&BEf9cNT6gC7@{xVS< z#F|sbx}tt?JvOUc_YzBTw4C!CG+8N?1tQ2T&Lw*I>BJhW(f*SViy*cjT2kBOFoJ!? 
zW?U7MXE~J#>&2(=OEd3FMR$g8(ujBdT?Td1AQ#6t`| zA4R)Wz1lmeQChmO3g#sB#%*fFz$+sV+0X9VpI~zZ(2I;!RR%8uv5Vn?{;f#HPc-XI z?!?$c7nv^Y0;_HVms=4>H9BJ#;?utW%_;spEO`Bmd>#x|5#RDAZ$?s-^@#-W<*S^l zmtN|--@v35tjuyQTur`gM;wuR+7hnjcKw63Q@f7#GtiCi611p>`qAM!O6U)I>B*kD z@xay62)Li*tWhQvxz{c0inX*h?qIV2u%)=2vURg`O6cAV&B5lEH=VY6;0yF|cC_7U zn+Mw+tgIMZ%zRGwy?t6xnevwG1*^|KIEBIqIhDHW>_a7yf-zV0a?l2|df%Gv_zsEBf`gQxg`-86w4%KLLJ z;v5#N4-8vYzg2wWlV4aXyhf!vU%*}WZ^~aG zruX#^+UV}8P7BNhOOZ>L97+yH(-n!oP&Awm)JvC*_ps~-aSE^}VzwXrG&s9} zpqfwm$9x7?Z%Tkmj9oCU@aEUNtfG;M@HJQpnPX+$C zzTqLscB#6kC8FOIlcfFKGhI^bn}z;H7%nAjO@zq$BI?5Df&*y(Q*>j`9-c@SVK_XA zF@?YUxfl4ou1Z#kX9f73s~xpR(V)nv;6+L6BzLco|ziuNlMnU|w>`)RJF=^?*;jW*lnno6W%B>eMqo{JU zD?P;U7_~n0>oxqBA{=>kI^cYbQTFopMpMuH#K5tXo1K{0_Q$)gIDScgG90V%Z?A&D zIgJeejerOx+gy7>l$Ss$vdbBIVN2<{FsUNFgGDIWReW48Z%M-w4?z(ML70t>(HvEy zDqZ0rqtEF3E;_@sl!MvPBwZqNcl>O38|4*srGG1vf-+cCQUQ+UargIrt_K>6ArA^>K70w>&8Qdvr-9UG4i2VN z87Z`-4%fXf=yZZMJVtpBMZ3-=evMIIgWT`-u79p|9I=0!BJF|0_#;v4eY{^3BeMPt zCwgO;dso;RcqRr*33C)(+2rlONY0as!)eFLGoEM&8w^AlRO{|$s!^4F@scCWZZy9; zw*LckcjbIPGbiy;Dib|%HhTGrM8nB!1wP6acy)j)!edrupO{E z#M57BZdS8m(gd^1?+*1)+BqBYeIuMclwskFgqOW**TZbR|E}1kbl6bV=%4aBgXJDu z%r2JdTo~$yqstnZGw6pe>|CUCvSE=R12j1jwJwvBByX-HhKaC0KkKz zsV=hWJPBDEOlTd-y5DyiQ&azq+y0*OYzifHekC(j!<=s-OBnk)v*r8kI^V`ur8K^H*(vuS z==@g7e>sFIB7@sl^!eQ~7!nYA>+sK$>!tOA_aZM(5LpqB!z#_d$Jui|+!Jg^8l(G= zTC3Nb)LbbO(2=8Lo)7hI3)Gm1uwJD$Pk`q_s%lnhzFDYzYwaw#t;&pr+TH+;olrpq|i|q%C9m7l?bd|B(sbA6PY`&k$W(Ur5RJIDop)q zaQ1m*^>an}RE2v%lz)4$-_cOC)4{wqyC?YVPN?}C9~U^?texXcxliD1kA~$qPzSGp zS0B8auI{xd&|YjLeRn{@5PHSqJo+jv6j13D`vsKN4^CR99u90y?l~HaLDNAyD$ram zSJG@L1#=%*zf} zlJji%%!N!)LZGBDA>3^r>77=mZ6_c6a)p|iM0%=4W;SK|vB3{#b2C1JB%1Z)SG4PD zAn@ZfZ|zSJ*HIk}X7MOWVdijaFyu|CWz(M}CZqWL4{7}U2mG9SR^qQLc>=lG_Z!*S zPUk7Mis>TWn*Qf}Pzcx|jFB|=Wx(~5M0`mf2I}g|h5W=lLcga8z2z*mKjYnw`7Kg{ zGy}Ad5BEOd69Gtyy7PeF%`UfU>>H9cL?Akk3*w*-|JW-*<|AHHrDosSP2@N>TWNT0U+}~YBhBs$rR~*`G?LDm@m+%So37b>V`6{jaLYDajf?I6tp{S0ViWYOR$dzh 
z&}bC48tL=;p@e1!7;t%gsB4@{*T!m;W2IRf5E*cMsH5ppMn=rY3-Vih{)JDPKInRC zh~kseSp~~;04B7IEa+mSA&n^#2F`yN36q7(Bk62w8#pE*7^i`Iz*k*h}* z=c2VWxJKsgH_cA>WL31uj$9tpj3<4m#t;xRR+QnO|n1z`16f4-oPsgHr*psuR=eT;s1 zjK-_%ejG_KQX(5K+mx3u^ zq3Icx`VHTobVL?iw792gSqWp{BMV%LnrEzE%;~_&bIcB(j3k|h?cS9!?(3_+FMfsP z%j)l3DmZ@{oe&YtCZ26=YvskTkK(Oz7*IwU;9~F5=jOwi;|xdnPG~HI`L8+bX&23! zwjC5IgP%H{i`(+LO$z_-$v;HZh`*2~3X1O`52Umkigm-B$3mII_p=ANrxO!vUJmJR zPXeD+fu9?jG6#8~{Q^VBcpYyr{uF1r5Td{$ z!9xmzS&&D7!hbkpLw1$qe)bn)X{Kz=?&`0l+ON51?W*YKx+ac6twleA_?XUQu;AK~N<&tVUylwia|CrBL-!~kF>J~b?6 zfQS^KtPDE4%bm7d=P5lL78j=O^!eWe`>Z!v66I+xC!G%$LLT)-^D688BHqgo4HDj_ z1XtpgF7~lJC#tje9+O-%;*MP}LwB+NKD;e-!xZF?MPa{(n?Af1^Mq_u{D9!c)6d{g zWWcRcpqD{&b+QTD>NaH?$}2UCaxKg@$8p?JY(09GrW)E?FVugtve`0JJS4neE=_ay zuNgz*KvWE`AD^EO<&qL7jIC8YRJjTDo%;OI#|R3&y;^Z4xqU+sz*D2(I?4IY_Z2c{ zk#LCSjCLfcfP90Sl9T0ptg$)dPiRKPI17wpm(s?WshO9&COnPlva zvyy2d8W9FCLY>lpT=CtF_Jm&AM)c@8fS)q+1oSpVlkX-~{JwFdNjsY$^kJW=BBMrE z373Q59hf%rWZv^=>52s?Y?WNj=;f$}R|$~dCZz@F6UZ^g@qwC=UhcTYg|7yAydAwF zjl+?i=LpuS`^Dqx-*gOhF-Z4C*t;*ar3)nkRoN8c^x`P8pEu>NRW9_+EIUVR6}J-| zqJ(hyaYYcpo;BxtZCS~&p3`lTogHtJB2MeJ2PI!T>c8WPqtm!O6M?6U39&lN>!=0J zTZ7jI*(Co8qh@?mWQx9IB+DI?xfo^{Fxt)(=ewPLOgq5l;Y*Li(3X~##(S7s#2nJG zULE*@^M+y{WCN!^Z^=7zxOxB0RxF3`Pe1G98^`I#c(wZ;|IvdOKgINo1P>=45XAJ+ zszDl>rxcq7;05jks2$a1V&T)t@iRw)!z_j;piZQFHx^HLnQcBu!$!Pa$gKHt%j4t@ z5o+Ogw12_H)T^H-x%TbIe@^w1`#ZNm5qO%|3@<0S8e&)Fg+?Z4#gPkE$jUt^CSktd zp38p%_(jUNV_Gp4Z1%A`b6F2+kIp({Pue=2?wUG{(iP75+MSqzW@Q(OGs8@TLT+CyP~1D6r885zFT;e+#m z7x`H`5#>Ls#6dA-u2<IebPcYj%{2{=)`}w;Fj%c76Aip}3$}Tla{U|`6m7{|wZ1EZ$4x{F+7FKxgd{P_t(DV75`&|8Jo~xdP`7 zuIR3YACy`FaFl7s7^))nf$?tCC_sEQ@b_9l-^5=7Psp4qijo~;_!k4R&c5+}G>HAK zP;5bseNFP7O)N*j61tEt8r3A;$wu!g+UFW!>9?CUkb1r$#Q0x*2J&gIBu}il_`8qr zO%TociJqi0>xVhs&vs>+X316!td4DseTf=CNdyah(JmAkdf}zUYT?BKs!kJr0SILO zy8JoIU-xe^jlQonej?ABJs^%2BC>cxDKZg+VHg~%(v}e4-!o|yfn-A&*mnHcEVi!7zr(SH1hAnpG zpb~+15n38YSMf}}?-XLpuXIZZ-`lfjNL;%-4A-cT3fKqN@!rl572Hs!RbjL z{5$65q}WM^N}ts90H-@7NHAytCTK4_acI!Sv_C+Y8~Sy}^F@``ZwG 
zZM7SQKdnOxeq|k~McOF|h&z&8%Uhn9rLNoB>-OITKWMdo;{8FUf57uuZ==zAP~Q6C z_n(ZVAs+fVZ#r13;VUHIa-48~PEv?f^8S%#lhm$2JgoVdnTwZonb#jDC@|d>`Wfqb znbqUTOJ`?^Y~BSJ{OGQnsh2|D)bz1)UeS~nupLoE$Nfb=sx<(}HwBxO%>F2MNC(gi zs#(Go%Ur_@xHvrHq-bvo3wBYAkaZ2dWIa~AoOiV~kqyALMTd@OEn;AzyY!Tr{)skF zpp_u(P&ARehh^R82uQ|i2&vTR<>cVkl=o8npr#t>XETqa>cXRV4-3L<7wMK@tP1VZ zdUi6g+B{C74~}AOwum49s#!)UVuE_+1n++ca4br}@s=paH1@B9l@*r33o-~`zC(4p zL<<%ju2v<0cvqp$B}5MEd8F*!R_$={^}o;(iL{V8V=ivbGnpqp2mX&PgCy-;qk2E| z4LM5xd554QUZ0V6;%?R~-G7ppc4lBz*cg~gFQTpYrS=`)Sy5kWvNMI3B6Mh4?qt&U z0?Lft-rXmT3|MV;!aaNTb`8XCMWln4U(3kTZ+im4+ow?&EFvkutUn$z%KcGv;Aiva z4spHX1MROOi+W|2>cmz*b)C*e8`_WqCMd3|8SN&WM8qW-nR2Pbws@ySGRskVy>BZj z%+TX+ihQokkrB z6dzqAsEaJ8CEnM`kmc^6AQ6v5>=J=!M7%PxY)jg}QpLD)Pkg_sFuwMMX8XG9j6z3@ zQ~L5DT!RlEwfyo#0siaRe9&3y6aJXwn74TZgr%O`tY{28Fvp|r`yCR05QyD z?8}Yrs_o=D4J)lsS@u4L62NxRrI2r&Z75x|gV}E4wPF9qI5FZQjjkComR>EDXjTRZ zdPPyc(%e04%LGZ02Nf}{r6Cou(U0%#4ZKmq9=+~s&Hozq*Z}bVRXSA?&}e(saVKb% zr9>*o9+Dz+$cV*vlHArV7a}uVyX_TAFm!@sZ%rl`AfYu1jL61oW}59tdT(DbWNAUa zbIaNzncqt~B;_;N|JEWx=9JNVblQJb9+Y45#a)18CTB=GyOylM*F3Kgypg+ZZH9XY zL!ET*>1tNb!zV4_ltn(gX`^4V!DTs8&cCL~+B}iQpuD z^fjy}*6qg>{=88tyx0=3O}iX4c^O+dIUl7@s`%3QMcKNyjhyc~#|NWIH5^iS;oe_M zzRm12UQHixm5(xts|ysZR<9^vPNOH?w1)VzK^`yoE1nFRrVD`lmqk^kaEBISRa*Hp z(hN4c$hrkqrTtU>Iu6*-kL*z$`)e?2Txx-K%TFVE$X2NTH{E;l){T1x(x0ur#@#OG zjGPY$FQu^(ibXBojbpcF6B4;sQZ-hHcSqS?KWFG1)z&kumOc(P)RWjXGKs+Jl?bSfRIhaT9^ zWlx+#Y=z__R)t`A;*DW*z(vo=>h`8RJl?)%a)p?YsHt9%7p&@*E{>0zf*`c8#OCk+8@X}+ z5xJR4QX&Op<0XAHU02K3x0@~BQEW}drc)wbyvGs2w%S+W+B{6Sc{tpf`pT(VbO?Cc1roKC# z>i>P;Dq0RDWLDlKk-gVZiX@H|m2oQB<0xbvN12%wD)Y!X*-6MeR+M$@8OO2rIXF1y zIOF%~JwD&xAO1cM&)5CD@9Vyv*L~fP+M6COj_R2ONivI70e7^$SJoCm(ZX|XA7Ddk z@^$`#^E+QJWTSNa&aG#ki~+>cl`lNX@R09R8yN4W z*_BQ+p&cqg;~rfP(ZDnBOEhg;{}JD3LG1(e!qWc9E0rGso$50|2}iMt>aE2OuN5tG zG#$!JOe^cJi<<12!@)4e(XlL4-bkDQl4rZM($rxq&HskX@yEqd#(GhqS*I3FKdZ48 z?z^NAc$=a5Aco0=wR`+~AzUbneQ|s}H%~f0r(pndqfHQtAp2hQG z^Y^*`fYfSopT_^jIGZilh|+QD-NNVY)p#mTr0ZJho%iAI`H){Y*7Wt`JA;pDl&1R~ 
z&V^k=O}*b>$E2)2#6B++hkamUB(76wud&w>} z!(ba;ZZTG!6Y}(`@2J7S_b&_l3V@*>rNSFC37!aj*Ph88wqcexxW0$4I1Kib9Y4v7 ze@&X2&KJFGHFYEQLH$#m6z6xR*}C$E|Csk2^)v987<}fCq|tP|QEBa_+2dY4C|q4g zGPK9Evf#MbAp8~QUOI=*k2&toDz;|!VY1%`e#@GTmwqZmJ*d@h$t!BuR$!I!o4$;E?g{q#0kJEf)j$W??qV!odjNo z?MbUvP4XECdQ{DmwJJcz{0A|J>1gs!bAXkUTM}b>3G1-$7k>K;#d~MglwBri%#agm zcYKeeEKS^2p#EW9^o0YSe%DrRk$K(g^}i+{R7{7>zcTtc-(tMjct9?P=DZ6kUY=$c zvc?LIQ-dkW!HoxP3dKF7dK+cez7f^B9~G4r*mhSM4%TtmcfPwe^&Y>|!*N$b?e@5@ znX`40xh_BHlUYe={Fkfw;Q4d9jYA@A^7qdfvv3@gd^(E;WmP@U#cUjbIeYag2IX_1 zi5DKdy!a)q;>DVwqAv97-GOJPGlkT<-s`JtoO3YC{0dl;1@2xVzK*U+d3uXa^C<1B z;zA6EUK{kOV#fpzM6+k$Lp}6V( zX@M)VqN))vF`@hwxd{`@Ed#*Nm>x^K4w$@jze>C3av#Ql%YLotY+*NSw)~J#pp8N!`TsD zEk}KzkrKzuZGjx!rjSJzuG;9Cp8PsoItDfF%ad-g767w&m_`ubae<^#AKU#iJ_aNKwN_1Dt?-~CQ zBc0w-ymA!6zxklPA0ulnEw&jJVInc2CkGYN;9&P*~Ak%_u02y-^Vy>qFK5iHddnXZP^jlTo_?1FPeA3u!jikaP z!YH=7FDMNQrRMy-o$jdFah=G@v$*V!Qg@kfnJ6m_jUWghV0ganEz;@R&a;u&WYOo`JAmyYI6LVsT%74 zWiZKDCK${15*P2oL2jnW^PonT;l;5}ojeaYQPQS+4lZ%`QX7`~S5vHz9<#m%Lj_jQ zZiUfSX1IYq0#*DfG%LDHsfFEslKoMEuzziqw0K`&GGYZ%&9`VKb8mUV(r+t|iN>`57k-71RX;NPEtZMiPfMN2mL3O?Xno z)#KJ5xX{5e|aIvoIaG&+O1a)AEr1 ziGdGe6y=>^@y8xGga5n$T35TgZGHhpGP3^|$xKac)36LUP9M7SuKIb54=#c)av41v zv1+g_QD$hbz1@DMtsc9l;@h~K>1XFpmJG>xKbCS%SB(0ljq?OP2p`mXAxh{pL#si& zVX3P86yCp6W6amE`suVgHBd~m%}A4Xf@9fjpuF*)2Uko(`TnZAW=cG&vgXOSBdOsO zX}TVCqEkp1dJ12zkB#xzRr?oXzGq?fw#vU(Il0j*+Gu)Hq$RF`ezzz6=9?6miNf_y z8GUtLfySRM70JvSJQgdru)m|ZEHP1iy>n2mY6lQv<$sBHKPNS|T5us-JXG{_ahQ7) zrPa}49eqO{2UxmU)v}%2pfH<@D962%wjL!E&At==vfp5O^e*`q;dJtZB*RhFE?%2_ zk}S}w>GP}ZNO=7>;Y+h>`p8q-LmLvH6ECxaVBrUkH>*AVi1khpp$uOr-wdfkMKLDkkh%=!lm0%N zi(5*EaVCZkb6a&qDQ~=hH>E0S8JbQZ7lSYULDLA55e=Wu2pM zV(Hg14c9U}IROR$_(b!De?Ac-O+V`#A&?+h-XOn`2)-`2KAwPTc`z@5$~fJBa!d|m zj?)1BK4+}Hnn!#{LXa0a6*G7LOJJd5vV1HJl5Oew`i%)et9!cWacp#y{n(TG_j!Sfo59jDVl4UQuWXl0Gy?L8*5*YfgtqIG zM}8>=S!JxBVF_<=u~Q6HR(_a1s?s1kYc62){@sZ0Ew($4JkPz!uo3@OUs64H{H9uL zd3fo$ZVbP~drT%1wu;pf1Qq_njw-aEP_3zI57%=pCdI^5kHRAKk$np(Et931rs0wu 
zuXW)3MLQOkk(>tK?33g^izAcMU!+cQ;6DO#8R6#dfkE5^J^v2Tau!Au!`rU;On?yS z8UYWd@5Yw1F=~-;2mjH^tXpF@8Ou{Mymkk5V>LeASN+8r8ocdY!#_y+Y&xF*2V>Q> z+ndG{bV1X?BGflg5gG@0kd>|PVvn^m@+k7)^+u}r`_NljXG7**i$~aM_(ft6ThO-B znwg6Vs_Xx23B*_eE1ll&DJ1Yz04-qLpm6&;=^%)m)3(yULtdldi5;Ib=`6JZ(|F`k z{p%Of_fXlM3LnaM)xef){-@pHMdFa-P=Y$~OOp6Kw9>*cYtg4}9Nkae-}QQS5nuR_ zU(+wu5k%ncRhacCchBd1w==OeCcxZk{7?`u|Lk}l`rxYG37rc>)8n*n6_-wYv~2&p zdD9~H+e(|BFfCf@%F)eXr_G~fljp_DEzJFluSOCr0!qv*(k^bptB*NZxofegI{g02 zgfmO~=Ql|RbkAO@u)`FkW-&&f#S;=TR3oEA;lWU)-jjW5EY{IL*RL=x6S5786b;;t zbz3;-jO;N-?i0t8Yl}u7EU`B+4%-avcEqX#;&(d{(_>>h*V%=6vUZYT<%=Nr3N;!3 zQ!MeM^Ji`PcH)T|>@$7;UN^fl`Cf*9q3n2%)TQ9~&%g71t)e{#I5-Yfby290y1OuQeP_ z<0XuP%1MU}j8!n)+T(DRogrc4-K$jfdxQhq800rOq|dbc9sR+Ml23R^QYRkyQ{PCoJ*;4q^&nShBW2tUUE zK&V{%Qqj57$UW1H`yCB%1^zQ}Xet!Jy%mH#9M$mNs$Gu62DAyf)y9(h!EjlIrS~G? z8wxCD^J2omAdu81$~!~pMA$^pTSPMiMF^pXQI+=I)}1HpNI8T;2)xKrYwc~~N%ZzQ znm1vh5;ZCjhQ-jfKQuPf{E8{S-#`U+}U#f08-Yn zR=L840+M`}^huQdmL%A=DK3Et=uS6RP&v}^P{eo1K1NN1_E|rIu??mNc^o#Xpw%+G z`|xAW3%L^_!Sv`SPQfuloQg{b!VjE&yEfm_4_sLX5vQ5$tlNZIbR&-fJpr4X4mz1=lbgJtZM#8*hSqI z5C5-cQh+5Xw=R3=U^HDWG;5!w1Dcn`&ra{3k#PFqxpSgJz?B)n?Q~0LUK)n~pXNd@ z+eh~^td>~ABiH|URu2>j_!n6pI&vun_yE44pE7b5a+G(nUwrXdaX}?Kmni6VgsYh9 z9h0hp2~bk*jQUR&0&1YP8HdUyX_+%DoO+o0Pg`C2&TTRvb+ zez{PR1^wKbJ^o; z+S)4zA;~@H%M;42G6|5OEMDZJYF$AbcHe^`*Rb>fQCs*!-AX=dDP*(~nVF?oEsdp3 zW6y@{oGt&D#`+8o#CR)&(IdIev#Z#;{d9-HU^FUd)!K=#J)-Z!7|PTI2+b#|3Q7}) z0sGS*(pqT712N*e$n74d$l`L(tOYv@?@?gf{rFO+*4DE|rRj4>3ZoAnVizn=e`kmO z)Nvu65dX+`=a+aCn3hx%)dm6wyBYvF???2W-#036gwi|dx!wM&p2jc#^wmyGuRC)D zaHvdrHt}*q^&D83 z8W;%*8@p%=(SVG-Vve@J!R zFA(PW*XuA62>T5;T@~+T6pbp{F7i^;YC0gx+%+213Q9PJhhys7Ub1hM*y0;@`v`aj z9gpkNz;l2C`@^guNGvZ@jOu}0esH)(<&by136st z?=nXUG*K5N->n_m5nGAvlndL5tlwM`u|+>5`{eqw$pfN6E_2TUdW#Wi%2MfLuXStu z@G}+%G(3XgwPPUu18*L3Axf6$610FL6~L$+1Z(tOI!~LHA69rqG<}WF&fnC3K@5F) z6L(?Tw^axa#|O1x8g`r{B5x@;P(EpHhVmFugniMb};Wt2L+AmTCWEMP;*bfZ5cUV?1q;gTLv4_|HjU_ zx|+Nr9EhK~nA=znD_i(IYFT~dw;s0&#cx3FxOfb0 z@ub%|F=gx&5el>3$H- 
z#I~8uf82Fciqv&1^*zA;R`XxG6R^az`A23Q^ZeMUNdsKl^cQ-JYJeH(Dz<&8C%*LE zJVJa%?BLfb5=>6SWhpvE3~}?5BqQVh4B5@KR3-Z8cWg~zUA@e z@w{K9AkI1Od0BjNFg*%`y-gav5B#1UAXoJF8Lx74`aahs`DegH$v4DzHfeI$m!|!_ zNgJLfvzb@fUWC_-C;Z{3=-d6jwm~fWQ4qx1yj08oWE-;_CvSwRg!qRY9pTCE9pduYq@zt z)V}hoK%dug=BD82miS+pOgcBNNEvY+(I67@6Nk=monIl*yJc=-THfq1HSotf9j<4E zOt|f=O)0!KFx3q`YjPqhSm=DbYPpP zwP_%MorwkaFDpOZ1uTgE`p1F@2*XS$bxyRTh82RQ|Hd$auVK2!^;884fLsS4=@1XQ ziQeD-jU;_(RdmQ8F9fH(nvTBIxRkD)O$fpUVTJeGt(Kq6{#xnO+;>|a`=0v}zLYDP z>HfXpPzzt^Q6(=g%2-YujbFtCFAc30`c#2D!Wq9YP4b%S4~#15@vuO1YWya+-{Li- z{5wEfy3wHYMQEfItyN}pNAal9mVKhfD0QVXLy7x&S0i3n#G+B1mZ0GYQ<_()AhER%`KSd$yLHE->e^Oi9ws^*ycDJ&o zy1gjjQeVsj2XuJ(<(_Bq*X{a=crTBfKI>i0-mwSE7e!)S!@)bIPCxL~!nhq7s0c#? zQO&p_ILQGRgVR4psW(wEzPe`$lFf8$Onfzi&HZcYF)s-5Qn^LY{^S{EsiV-$EK=Tf_Z>jk_49|x(Z$ao=Cd~fEN}l9?pCHJ0n_=_ zO*{b3((Uw^iu_Yt{eMW>i8L(-V2TfBOJQ&~e;SN#`F9YJmca}%!FIbQ$FQxbj{;OU z1gQ{7Pkra+KY}%RcfLi!Rq*K`&hL?(WYMKic z$%yQjEC?7ov!+EDg&n!i(**af?fowj_`xg$eu4p(?Uqcf(opU>sRguJnVWXOTKo^ zz4Wr!nvEhion7g?8E97Qsbrtp(sRMn(HyM|L`31|Y0$`+5`C_)XMZo); z!i8(Uk|tRnIZ%uSf9a9(AO`dCgwt2crd|LqK_X^ngnGRa5`!1Sa6iDrHlF2zYHs>| z4a0!6hb6^7Y2s@n9Kq$wc!c-~8jp2g)1~9>_cvS$p@);uQ;7X##LVFJ<}<^Pz_~N_ ztYo(~gKfV$P(1n*eC1PA-dGeK7*N?ntmc1+bkf`fkI8@h6i)!b38Gb3*0AcROdsyv2Mb^02~FVpp^PJ< zbQ4uTw%bx*^%;2Bdr~E&?+GMF~ zIHs;IfZE8d4RZazp`@Nyp^doQ3RggbH~iKNavbh*68+dBCaZtX2!?tU*TR3z)MG*t zsuTrKdVov8&#%6(hbw%lOqYE|xMw9KO3eYcMLzk+tc#14zSqil1*Frsu8Xkra)~az z5a3>6%|f5NdmMjK_VH!kE6X=S2}$yRhhBomk@N^>Ze5Zo59Z?g_mlHF3kJ1cT;yrD zOTl|ei|y2!qL5Y%z020V(&HSEW0%}|-(4tmlI>Bff9Cg$jbk{feb_8BK5wz<)$@L1 zL1Nbs#P<{u8ZXj16U#_QIO`ECpqsl3!0i}su|NLF7c$`cXIj^x2X%o~gtZ+QEfH(k zy(UH9~|IDo2Q zXM*l)G*%70&U#pp=oYdYq;vZUZL2!Ip0ZZlDmX(ZAgJI2t-8NOFG-!A)FS~8V3grd zn9=1{27MiU{2-y+9U?|gLDH4Uj!La^V|rh1P^}pxP+Oa5$kFkgXgBh~37L~%27^8} zE`_x+@X5 z3IB3EUTluHLRDgu<@LRjBGc{`vj3Qk7bCbzE{0=H>Y6*d8nvue3GL+z%MH6}2Dnwq z)2iP-R5iKd5+KzW>p6cqca@Aw2gFV&Qz)k$(x-Y{+g37#lP@z?-dd&?boZ$A{gdNh#p?yKuiH*>Wh ziZ4G)%;y~U+)ZWk%T@F?2g^rdIohdnCw*{9^Vve%sJ%ga^e&jK>ii-O=CI^d_mpFp 
zJ!jJ5z0C5(!tb~|VtRamc~UR!Rq09qoTmD}zVMS48joa8`s zA{j2Ko5Mpf&x)wsz=J2@1e#=6 z3OV^RY0z`G^wZtjI%-7LJk8DboZA(0Zdc|{iQ!V+Mx3cGLhOwaEHu;}FKD%^W zgVr)NFuqefU@sOt_u5Nv=smy^cC_Wc{j;{9ft!*((XV-^hB?M(>$5#Nzhpu_P_Hd#B-sgv?DndR4b;uVHwe&> z+9c4n?|QxY%+y@*SM-)3U018qQ2`*wb=zv%t^DU-12Y^4O{J?_wTD}Tk0gPeda)nQ zN=~`d&-%zz;{K~8yc_gTvWjvrLtXOfQ$s_$tAW8YOvtZ9`hAa@9)0lh7KX#0ZFJpz zUz_2@Ycm3#({)O})8x(0HFI2e!lBD?O5oN7lIGQz+Zv%hL&|wac5T<5==4z7XsYJbrV+Mmqo);jn- z)Uat-k7-u_VmG$@X>8><3n(OU=e*EnpT}b}It_&ksUweo z=w=wl77l)9u}5riq1;R?4WGa zhbsTtO!f;EArbu^MO5eCnwF>#uezm8De3{8ES%hbW96)>HS)6ayinc)>#-rvG%gdJ zW6^6row`_e?w;!%%UeDYDz0yHdd*0ZgUj<{3aWmM#~E;D5{qrtyXe3=`CCum(WkH+ z?#(N#aRNKBWv?ibSoVft=Cs>^N2@@RmmUbZCEXRiEa4l)UbGDcw{Y%!*QvsGbnFx~VQwHT@I5v`?X~bmJ9G`3^@anT8-|xu1de&Tr1e8l&H0T-@7x4v99>x+&`fs z%c7SZ89GDw1oF-1&ll7m(5Kz0R(@+UXOw*<*6p>!>vz}Ia%2Dmb3Y`j=evDQMym-~ zRf{5D{nSdBmZEom*fE5Ud)Bjmrf_IFG-b?m$Mi63H$%IiFxV);ixkGgE%B3kyf1$2mDpX`y5jQ2}u+MSJ3%^BJj-Xmo710r=UncgkR;A=z?zz4m^ zF<|4OLMhz#emN!JqjLSxNOpARGp>aF`N#N=tiP4+)~CJtJ7yhZ5Dt`MFVoZYhj92a z5KX&MYk8>{Bh3=MzQLDDJFR@lxeNM&pGDGi>3w*L@tcT_RE06cu>u4SU}18gB6_$o zed5RD#J_p3`SFEjLA8vkt_1@es|c$~xCKbqfuf_2{;9iUBD!`vEWYqlS^P>{^=x@V zSKMp02U&ZrA#$F&&)uQj{T;kj4vXBm^8Ovp+LRv+1D!if7qcbHHT0G>z6A}#ApRjH z9QrN~2cl$KtvoI@CF39Y9=AFA5)$Z#eI%@!>8DNUGi*n-oWqj6m*2g3|G+a2l+!`! 
zwH)V;-UTs4FhQ@}*hRd+!U4yu%AhP01Ned6z`jd6;uJr@1iv7YzmWlCO`T zI`q-f+Aq#%iJ!wM3mf=dl#sqtwF-+C7ym3boTb#Xb&BP;O5Vr&u%y2p?CaM^urXJu zB#F0nHV9-sOQoE*Ij>Z&#X&mXU>%F6^r1(BTlj*nqizdvCNb8aG`C(`QS$BL&c_m* zXzaEJR$Xh@p&3dsMAVYe^gVRJxKtn)y$^=a-_;l@Zc_95LaKruf{C0LpWP-q(TOTm zXl_n$gC5BnNRvaTChUO%qe;zs>25j;WQ|@(4By4jeq$6I&LI6GKlyMa1kh0oJlJ@i zP~J=Lz*0w-pj1*K#H}S7rOKGz#AoiaPNOMS;DLr+ji%fH;8o>J*lNJ86V5{O0s zDIH)LI=j~3d4)6>eF;32UBJ1izZbjncg&wfws(k7=VSt`cLCkM@f39fL*H1!Hyj2P zxFu+j9w4W+j?_z+jBNwa-gvPs3_GvRp?|1J(Aom3{Ea_VKBTQyFx{$Yr+VoZarZdz zY9w-rS74hdaOIcB-2JOe?s7zeHEl^aeAmFcL&}>ggtn)mh$^ou0^m`7+Ac`zr$vEY z^FMLU$;I6GTHysnPS0T{@8>bV*kM-3>g#}&#Joif6Gr}aZkWf_2-|KsJz$N(NQU)K z8FhH(4HwEc{7>RU+3G{CS@xH|uB=N-ZWGG~v}TNsM;RjnS32&3DK{T@rz6kzYwe!; z?nA_3qUK!16S0E$uO=Fvztr)pOB5Za^A_yA9~*_>IW`geKjzljQjPlc!1)A0TaG>v zF>aG&H;xaMk*jWU-!P~o&Vu;A94S|c1`b00_Ou{KG~{X}vlbf?`faY|>DkH=>sL%F z-6k4@7XJDIKzKufx!Lc)!re-CO5N~tVFVE&-s&UFK+%_cDPDwF6UPo^)GnnNtKkTT zeHf^JQ|($;@nu9PMLORqN+ysiFJ&~6TV<%NS>1pNcLH#= zvE6K8NDjLFG>x5~3Br3cEqFlhROC~FrWKjeWBH)&#+h{)MIypMT-vAR5aD;vrUoDa zZyf@zvsLBxCxyes7)AG|>E_@G8${cwMoUp`L=$jod?}V~KSTBWwj<8W2f-xR81CnO%B?4pG$H zYvzJ~j~WJTx%=MQ)5Ev`LEUvjQzTC{&1(V>62JjKyuB1)$xjDpk&Ev&C495Vmm$ln z!t7Kxd(sjlL15mzTa-AdZZteHDP$fJ2U-^vTjUv#jxt6o#=lFbC^!sd@(b+)EDpzi zN{)PFT{!lme;62Ab0O(k-pJ314PC2wAn{k&Oq8~0P+R&0W#3F>-I43Ozd~f5iB9cJ zqLtv2#HS25Q{K35irkcB_tE%UIs^JAO@8!WyPjuIsn1Y<8n*l;)3(`7-XD98XJFHO zR`C^JC5e%4q>1$K`ki|DU2*_ngz}!>N}`=r?x-EhQxQd3kk4mS#N}!l!nw3#Un^OM zhJsoTW4$QE)g^tzLR9*PCSpEZ*XRzypYU))l+?22VqYg6$d&LNLQaObG%-Z!VX19i zOBR%@g9a4Y8$p-(T%?spbt+^GKGqh-0}fI9I!WwXZxDF=Ax#moIu_iEbe^H_LBT1% zW~(-lvpx-nqgx_)d5qrt)WBuc?8NiqmlCzq)H z>N<2*1fiQxorL!r`2ZxA@|d$(#}Q+Gj7`%ZLL(jy+eK4r!Pp=}raD{p(VvxT%gkz{ za{h$%Fhbnr?fYZbRlhdjY8vDk_i%$p8PSV3Cw%)`zf7qP_0*hO4T`P%oto`gT1$&=~X3WBj7e_`_aypeE9 z%GgJKl?A@}ed0;W?jV zKFRBkF>4>Dn6g^Gv=qtD(L@DfOM3fnOkeCR8D=|?&dU{Dtdn#yv@%j-VcfH6c5>=cVO2h#R<121(GP*C=MK#&0z#mvjpTka5F^GLkU&E*fBociX zgsve+KuMThFkK%Djt>~CpBbUH;TihoWIy--pAw+dtub0e6Ru(35$fy734TrXOK(KH 
z={1aft<9l9nS!z5a<_IYth~`N?fA7!rRs_$GnexLJX*&d#a zWy+zC{kOv-TrV@|MnIK;cq%I5^1vp}|7+FU%@5XZ-TK*0g*0BoL6$u{ zi@82-q*RMb{RNmbiEZ*ye-{t6y)p=1X{#AhjiHXDbO|D;2EUHPibB zn?rFxte5v`)@mq&sAa$$)zVHkL}?iV)*Np;rDB7nYb)F3o@yXytdll3d^xGS`v8|5 zNvv-z2hjLHVm14C?Ch&CPXyh1W>9+%kh9Uo(lxfe+h1~*RcSDqt)Y)%oS{g>0qplQ zl~RsyUd&i;cE49rW?Wv47)sZ!R72BNMz@p-OU7cLbUCYi&uN5Avz_*fuetf4hJ^LJ^sV8044I# z12!*vb`>w#WK3G{Vz204*rl%F0kHnEWN>a%-q6QmP`B8!yTzNyq<3I@7jyN3Mmg;? z?_=7==)c6Sp)||cfWN(f{QzHg>=Cx_g8hVNG``r#j`1Qpeh4hKE>^rfWY7_Xlftp&c*;7>So_H zgz>>}ecrT`(muNRptTCF6qrLkuj%>jir+JB4*VC{np;3`5gg0gRtj)UUs5;-vtvN- z91z{94r-OD-*~#a3M0i;H)|ct3^j=a5A=qL*KPY$CpaMcMun7`d^noiwHkQomui~w zuI)iXw)qCZ%7IOmqk;b;A0EXtFDyat6}$||>)&-uoT1`Q36IEi%9(h4Sgi7xbmNgD zI%!@(71mu_R=f4B(7ebfzW}@AQr8&4)o=T<`HDj77XQlJR`l~jqED)IAf zmoBP0H*P(a);Y-J!^O*giltl`!YH0Md4=F6@NS>Vclt3NcUc^wF6hxq;hGhf%Mo_4 z%xlui6@5y1?>@Xo?^qqed3ddT&0l4iOvtm}wW!kO(Q)EAo7rJOGAoKH9?_3yQf5&( zsuIyv=ik*C=0!Bpa0!ss=8&0xvMDDv8%D6VWBQ;11k5`3?4O|9HRJx1qr?=Ti3wJC z;4;k{ZpQkG7=x6!pi!Jy2T%)l&{B_5Z3S=EA)=H06Dj&0vuJ>oQ zOzYO+c&jC}!1t@NoW=7+9r_(QnOhtAEy!wwGpnI5A#qOQg`H!8N8f7qK%5NR_21nR&mn=#& zUI6(fWW#XwC~&{VpR@gqM;c7p?WfssPD8M8v^vd_w7a@2x>b*#$@japDl1fO(8-wh zLtCBmUlSsegXVgwx-O_b|NXqXwD%V=3FMcDJ&KT`>3xs-7t#V@E5*`K*e0mf!>Z-G zuxcm@Y%-}`5Tx;oO3dem9D6YJC?M~(`6E|~vyeyU-HE}A9ki6QP8i}HRT*$ z`d;i_S-;i3nV0j(>Au*Tw$I|?N;thpTs2HhCX8(mHEtg_;V?PI^eR&K8BKCnI7T5R zE7>5m(Gi7oVP<}1Ie9=kQi!m1cV`}FqFlyA&fBQI{9Mx@#d1@#!yJ>sUr(*OA*bhI zt7W;SI0WzKMf$wqY?>m?;12$Zj5z=Gae*XXzS5AKHjTs3I)dqdiw}9?PM70_%zb(4t;JWIz?DSROK%4G$;~f7S=#765RQ2xz{rP{?vq%UDxAY5@WfQ29 z%-QzVeS&p;l9_Z>O|5pwD%11NT*uNX3h5cL7lyuBRrr4=DbLa{5Oxzd&2*i+W%9rj zg`lCEN@PceIQYF2hlANli~ScN6uU5Oh1J$YmREVvuu1>3{h^dWDo>#CwQ6C9C0VVT zY~StYJX@r3*`TL8L=@(wX~av>&$kWV^rN0umc3$XDf>8-m8U{VSvh*kx{9vGS1K3tO+#e<))-g=2Jjk)?&5~cg;BS4q z_*f$9$G`&(?t$E3E_RKF?S8Uvy0>bEwi0v+EErA?;znxau7Wunnj4wqfyo*C?(>0{n62Y1iP< zkv`v2w=S~S1Z*~bGjzrdf|#Z>I0bNnA{;VsXLEkQ5!#27g^kx!lW_S>wh*yfG00J{ z@w;N2fhJw$y;C3_|ndf8DqR!Q(y_Vg9A>kd2F{5Jh} 
z>j77V>;C&aR;0(W+J*o!Qzg|o{3#&ayzQHR3W)E&1;iz~^D<|v=}SlicxNTIR~#7r zx^wt=MOO3j(o0oPbFNkw_|J1lV6+I_ZD+&^=>m*YJ_Mh#WBvJWXY`YN&o{&SY?4z3tGT;w zR4o7_1YU@zg~7t}<_VgL*9J;^tv45HPsja24*M(KUf+m$=6hQMqpjkG^y$}T&MNUa z@6nb73A&QSrp1N=NdyC;U2(oOgAvCN3{bq_IW9;JhysAWR5?0LG!}LW2-j7=Y>%t| zxxv1MbCG{;u>8L_Shn5XoE-;ri*WC$V!NRR(%g@wrbGPSy;q7~`$hJ--I&sO39sSr z#6iP!YtN>t+J$##dTsqez6UJ4jap8rp8j9>tz2kMm(y}Mo!!~odyaF&C1ZzhjcnR! z^LEWB`?zSg>@6dRhO?BYVSm&Ru=d17duMlpICWlF0iL{^+}v3$5%#421Eplom%+t9 zsWqVYz>l5lQx;YJ$|k{hXmzZ>_^0#ODkpqpII-f+GT_?|BY!%w;=V26^-#W7r%1X@ zNo00AE2x@_&BOU2Vc^rFmz~*=Z>Gpbiq+nx_3_h!_m0=x6S$IGQ54Pe!E|70$Fx(Y zjO%H~OB9%-`capbiz$&x@#2_in$raE?#;-Y5f}E?upgsuUJWZ-yWFq5v*G1vtrE{P zD!Q(sIf>D76SV2O>eq_AgXRkf@kn==V13qfhei|iXG{jx(kX&zLsqsUnv@l>-b}w> zXODo)pZ`1I^DGTV&cKL-r9`ui_H=cD?qK3Qf%#!x|M#cXvhMFbK2cG6<>1|=$5~nw z(J-6zuhnKdroy-Ze!__oqfx!%tW0Z{>`gR#g5GInK0t zx={El4@=eA>+)qsB~IK-4K%9?>x`Dntoqg;JGs!ya9uv!T8vE{8qU_haySGw- z&EG)6RY2e3cm#fgQ?64ufJvh&{0X5Ld&0eyyx?2v?wTY^VPbK@ z5ULy~JX>}9g$GdbBGf$#L9e}MuKr)vYbz_uG=7iW&cl^G@w&$R*BACy z*V+aj-rXz`Pvkdt%aXCLj{EA7NpFz&;bNYpQdJSMyE7hQ!*Ozxm)M@En+1QqcwKI# zGx$M}msO_rrwbgB(YH%ppY9J)*FKho!;DcUiCg7X;8*&m2_r}1>?(KWxGUB6@92`` zH>Sr}F8^B0!E{{iyYcY++8rb3A%XRKmWr0R+T+~ti<*u{hNGTsNOTSJxg0(uzK(!I z*39K~SO4<)R0@BksYWmfPE)++0nM~4(jG{;JLIo$7@;!*rdj3Iq)Ql`5o8W~4p_O) zQE#eVmz%!)=R}Q)adv-BRPWytRsZ`$Kl>)youYX!RnqNuwFGh?F*k4}2zDQRsM)F(9emo@+PVZVZ2-?jUMxSQ+7&%_ z9`&m0`}fZ>=fr7txy`%-oMmjZ)^hIBa(vSCp&t^AqXe80U`=(YhiYUZ>S~yx-)ATKX-Wsvg!Y+Eh8y^8{SbfPt zvLy(@8Vc0{CLDSj4?-GhRcJ=L|Ing;NP*FKCfH9|SaKozrst%OO6V|WmP+L3#ODUk z-A{N9fho%e0Y*Podn7>`M`@McM#d(St6YqoW{651)F!d)`ip%j$}3jWO2r+WGYJna zD^hGf1-nB~<-x>C&C|?MI>!hC-^B;V)cF1%VQ(20Rr_`iQvxa}Asr$yASoanQqm35 zEjfVF4ImFP`VU@8fvCAs_I#_P+KRYprvg6~=j_ zMzI2Fk8`6GxiH(k#Lo6*dfmjOvF2)RPj?48frSg%4kvE!F~XSC-(e;);L~;o#k$vZ z#N>)GHn`bwf+!vmaNTm);>Hg=7xrUXQ$ocpIjt%y&BqlELU|J2eKBsLUq zTW12tq1+IIYeQ9_gl)OEhXKdASm}|-T?p=!k;g6(++=Ra^ROF}OzfujYKy^Rsp{~_ zu=T%s=#@Z%9mnwvc}=De9j_2fZ=9tcwntCiY5Q1ZXq-dX)iTXP(>3v2s>pkgzn_hMW#to! 
zE~;tQ2-#RsG>=6>Cxn-P=q%~xohy=9z$9S!-03kyk^Q{^uaP%YHro~L<5(mKFp*;9 zxA+u;qbT_Jdr@D;n>NC`rKGKBF1p-Ew-tc$#=zBgmgld_x(U53xBxZw(D;;l z-Guji$C3GNff3a%cHb*Hx6+>5a3#5*j$Ctk~9o{&5m)><^s=L_zr=iaAt@-?8W!R|Mi|A-;Or?K@ zB^l8Xy1ApDCnZ)pl;3M`3Ywg!r-o?R3C^*wvH#NZV8J$JHeGqyN9ZAU**t!r23lRc zc}Q>hT1Fw8rHs>0NscZDusOn75fng=W_V8%A{E?WMbSje*p|^ZO#@V#3Lj+^STY1DpA)JH}P|th#3Y?FC>YEuouR&qvU!9Wh^$!V8*Iy-Eu($Yp=h>;sj; zulKGV4HDq^`nq!v@Hebc{p8}2|9c#-``sHKpiN}QYjq$;Yx+Ro4@OqZ=oT(V`0?M$ z?xVxMn~MU`kqb>O1i zIU2MdKM_JuRst&5CpQ3Xnb&a5;DH=sT1?{k_x&_Q$3AAl1u3vV8MRf7LB89ItLfI$ z-WzgV-*7(-uA5Eg!WDhxAtwgydkJ;alkv2|ep_R3P3y)HY-dQ9ATZE5zGL$Bx9clH z%uF6vG9jzYnmQ-Quq!>rrL^bMgpQGcuaeBmqU2fUjnDfTbQA0wD=Qml&~9+lN&>$! z7sig$rz4}+&hS!h@i8!a%+)Ke)SZM#Q5_%CMRg?7FSEjA4oWRV+~RioLA19*g6=tq z%;fsXUEhDf3Oxjttn3=>#y;leJeqysD2ldt2L~86q+@a!9#L>ceLQ}r0oA{5B-OVQ zkIq|f1pB96-7YZ^*0O3B&3N37tzE5YsDgU7I2!*AlH8=Fwi zqKPkLnSNRITzZpvizeJ17!=dT6Tt-Qv6}Ez?!SMouL99gI><<>r}5gzH5nxLv-js7 zKCOS2(_~>ByKAu4K&j9q?RK`ipJJ5DQbz+g%ISi-8y^tR<($1GxxA36)^ob+jzlqszkoz^D|4?j0iW0%u|a?2H5@JZ zr1>0P%~ZV*Fpj^g)@`o79dhP92Fjv>Wwt+ERR|vF4jiTn5rf(<9;dI+UPm|G3L(65 zW*z?xKdxgR7vVZh6%SI1s6S0#%aqiZNsPU-04A>rU^*+Eq;TVESdpu-&#t0>Dp_}B zTsO#m*G)A*v8Y^=w@nAbPWUsMYD8W?v@U#6zQ`FgLM}~hH7AeD829$eRO;Gx zTuc8%^hvNPRr7n|^Jn%xYGqVjGqc`(m`yQ+o0GQ!o|%}t_rF?4tmaEW%A1iX%UBq$ z9;RY^dglx53*-f1x->j;%Bt5{W7toNVsl4J7AXAmXiy(eahWIya|c)Y)^D(W+qUkt zF6&;Tu#%lX)Y86~+zb5^|DU+qX^JpP!9!)JbldL~<8b47jr%^wILkOOCg6F<$->#lt8CA;@Oy}@Jj6jd z09gtfnzSC~g{WjXoQbF5wTY)0huqzq&EHaPQKJ5okNy_{@4$z4f{Ev}^v!l@A~(Zn zXCqytRvn9Wle~t$w4&#U1Fm;HaY;AM>;$yyWxb`aEH(Yxf)*Ly*!OlEE&Ldt#iUs} zjffw6LuyA+Fr%<7aQQEja@gQ2dvOF|D@hXcD~lhCKl_4scAJR_<08rj@h zC>xBI_=Q2cs~-xOPNbDH^_sO-MoB#MlF4kYB#s;>-Tcbwm(cB5cYbLcFW-Lj@$6Om z>YFBwow~r&Z;7&fkOH<}Nv>sGNvC?Ro(9bZA8TOqKf)x%X1M*y{zumHbLaHIYtyIr zok1%DCU^Z?-RX{wZRxbLYs+Dam6PtTfCl_UaCB8k7-2wd~m+iMha^l{< zd5)>&2i>NPmKVMnC;D$D>eioUwK>z@x?jc*X~HFLLY^AWyutT;fYgSg+#ujE00W-i zBvTc?bw%Qy$G(acIX#xO6Z$WLiGty2&2bu;_mlEf)SlzY&JdOUwFipufiIqyMa7l6 
zCVnPI0xKJopZ)28oR>Zex1FZ3Urg#Wh%L6B1z$O!_?A8MRBfQ1Jv#943DX#Lj>tg~ z44*t_1*@`)i1p{2=Sc;Rc<8q8S28)Z547nPLOK+WlU)ZjkXp5jzJ1s`A8<~($}ss4 z6y&a^06R{wMKLMINq!pWfxfOpAlqvqKxk=2NE=Z$SJVcChd0p~Z=jNG#mI}2lZi#8 zny(};F#USJE0|oM2Hlm7t-p3bcV2CHH7<+|bc^@{Z2>MblflmA7}+>je-JN6cvVGC zeq`fekoo{9OsZYc;eDUm(Yy zf9x@*VR1;zxQRR5YH0J}Q>q_C+4Zvhe*h64-!`qcvlfjo`G1H~xeye`In$jXir(f_ z%{;{P%oBWZoTbaY@p7eG6f4Rxne%>FtdLsF%U6y3`I1fzq^jt!Ifr%A;Epg3#0ul@|m+Z~6T+eP94~~`^tA)CHk@Yj>S} z(uVzNMT3njzr%(taw<=e-wxi42WM~(3lkA@X(K@F5acIix(rZZ@=#InRAac`Rmng) z+c@gcCPbx9(Q~!)@sQJkpLOuG@6lZQQRsT&p|6$Dbx-`-NMRe%<+bxF+TEYm*B)pA zY?n}z6Hc?Bhj)Lf5e2`kk~1An1QVTCo@2H)hncMxlgAyQI$rMK9`0kgy z3l_s$X!&Uxg)C?**z2(~@l+U92*vCo->3b& zp?}uC_zR$gcs~6i%g()|t|MfvRrM#Fad(~TS*#bs&1xGuMRR`mA>hiR^Za*LZuVkH zO&ZnFUO)D6O`x=eDb0F~n&vHaoOr<;&LeZ1e4wY=#g<0!S=7QGIa7Xl79&!!rQxsb z^IJ4a$Sz))CuX%S&bCLiFoasxv?2JoHu^^T5)X=``QEyRwfdHVN(W$X6w_Q@Es2N{ zEUz=3P5f0(Qp%uUt>BA#2DmKy{ocP3XX>QCn6-z3hqGGh{rah)FHNjg`1U-ndo5x` zfrv^A#)s+lZNL3@0+Tf*!amlqC@3d6SN}}wO4a;}%(hljr=M){LDpt)BeQHaeZz!M ze6)=<<&g!R@>5OC>rxoAR?&3?iicvf`BI@#7d}4dB%J5mNBSWNMC)THe<5KSOBwWP z40|VjMWAl&v`aUi@^I`6$JPw$Ql=IUx&@-4j!NPc(zRoY`)I*jLt*51B<7GooyW>}As$T2gsIWGY4L|Gj=7 zE0x~8wdzo@emP+WGJCsM%m&Me2VZ$=`Xi6WlCSDrkq#rSVC*jH_C#hY`d+f*-zomf z1dlr3cs?^EROw1|9eib(KO(7#Mk6`;VC8IW_Pg-?MkJ3oPo3rf%U0H#vTlzSFi1C; z_Mo()jq0`!Cy3W_&stBzJig$KRF-nj1f>%z>4Hycm_?p6HH$^D5{CPaPv}Cq0=<7RWboCPNCWhEZBDPR#y^zSy4SsMN7tVDEAvz8do1aG zJx$dsl;X}$a0?d8FZcwcO4l~BUZ~^Hs-n}YhzFw#?>PvPLx^ub_Jk>7XCfspis=YC zG*|3=87J*>T%72H{vDd>Wyp(MV!`oZT8;A6)mO6t|2?X_NjcQE3gxW_yqNfOiy)!W?8qA7mah-I*xc>(i^cel`-(glGl%vUPf{-;fRfupQ2S#yz_sF z{lcFhMr>Ss5Ky2xy_3vvf8T!)_%+I_V`paNo{gd56$%JI;%QQD#wdBM#>c+D9VSZ8);%#*e zV_5Esg#FXz`TqCA4RV&9MVd_b5$dOXq$bI)Q39V>`fpl)yW$m)oQC{zBY#_;EnhR9 zuhg__buDT8Fi%C_jnK1yw~aq5L_SV{bYoYhpQ#w)(D(@LJ!2q;+>q>TbD~AolZp!S ziSMTfXJ3tm#5nC1W|8#ZhH2C4b+=t)1md-)IP+IehnHvr)Sn>Q7m}C!oO`PmTfxUa zjeJHH{y!%N@V_?foyErS7w331hf{FVa*ew9Z6mSqVn{RHWVKQS`*@{oehd!_=9zRW 
zAD$tvV>>vLsor=%uUd{8GDIbWyJ-s@lkv3|EMJzz_#ySJldLh=CfMHw3ul&~2_lud zMqI+Cj!cP>4x}3w?Vku9FG|?fT)f-=u}WQ$+F@^4tH(i?Gw{uAC08&?hJx~xx_VQg zHHmOVpg_ma%|Te`o;VAplrI(T2IUL}YgW@e^jozeG$~ItvuEy- z2BcuG_Z~g;0?=`*P1{$Cx)?uvK5xmsnBn0<(6PsW~ zp^8{HoX5tHdsm^A;#DlvsUyK_j;!TL1x-}V6F<nz;p|_dRE#K@9?siL4ZR{) z^>YCABj%q`Kt3i3x_W0Q6d?Hc(8y5_(|*MNa8VE_QNH?mlm$nilhLnh74jxQfJ-TSFe~j@TU_FZofE9mK$%^bl%Hi zQ4!UTa~7>ruZ(Ij-HLiX-ya><`{@$K{n0T>hyR`sdDPX(blTZWJ<5!(q#SvIQU$ovUA#H@xMWQeq6UCRx5oSStgEaIoq z;R?d|p~?H!Z9|cmdr9!u5pCzg87>6+8>9NmMjo_Li?7vtfcNYC@HIh>9LfB72_kbWYX~2|%k}LyFWpDKk^q zxF>KYmcH-vMJ;bS<+qH3vPO%Hkk#E2N#@iVd^@FD5S=Iq2-gib9dtA0RWT7)>qk#wnRdm(T>Svs zY#n_31-e+X?8WS%`jJ!Dg1@x(Q;jiJ(O98cU;@^2^-A~@p2-sR?Vnb&_iA&~#xoC@ zcg*2}Ka8}Pp#BqMCLnMjJ72eKwo+=Uew-JSb4C-iq1Z8~PUr)!zi+*JOSngN0gjNy!h@3FoVnr=eG`02)Wb(P5@Ls6sBe$U zEzBN1bWvy07WEoM|Ey&8Ht{Iy?p+bK2;$1t`E}*8$G3Nav|nHl*tQY=Y<{4`C*gja zAmdQ93Z&a{zDrF>Gx|GSZ`V9G*8?gNj30%rb-fG)^$HWyHYHSkwtKB4IUv_gsT1EP zSwB-SLe~!7yr1K8MfBk@{+g)fdKvGtii5{;k9(o9=p1m|U+u*@m+il$BUA>iPbf|+ z9dcJ>noR~h!uB65I6q%lB7Y~y=VbBDVQpy4PsG`IW;}9up{VeOMYD~;brybfS?gix z=3b$E$fR)rF`At!=zL~Fl_|N3{QYxGNC6<#3} z`_M&$bhY|Dd5O4&KC9To+l;Q1cgf-8@gCy7fEjA7mJUq~M5#1v!u2?ukFT=lCt>(p z9L8Put9Z5$RZx`}`_fh_26z1=`1pgC8^1uvy3#@L@w)VK-E<7_6;I=p5dBwi`=6t> zSJ96)x#;egM^T&o@agU#1B6BRxJ!Nv)Tfyi7JB1fo9cf~!J))ebxC$ejTVLp+v^Pd z5)t|w)u{Xy;xg`U&_};YPYP)&46x7^Na_q17#9eSEpTin5$Mc6g>Ka?K%l7X*IYSVT-Au%4y zo=-V<$)Wy;Ty_nl>}}dc?rELvH^y%X zqiaBDldnwV`?1%xNG|d|K$AM@&U4-0Vy<=-r+>&z27warE$YKsv*UL(o8?2^lVkYq zEs78ki~QK#$IbP+T&mg*l8Sbb&M&UGg1RN2S|P!p$&yKZE!tDWVimj^42yo&ZuCU_ zO<^8FdmiDq6Vxya|(m41`wM%UJ|)K2acld;E0v(}iA7BiN^$*mh-pfyrR3Az@3qad4z*30A; z6SUv#U&eHLtjhWwDwchj{ibnd^jS0qY=wtA5w0g1+1@aH7gJmGG(A+z_qzPOgv;8X z+pG6%I6r1BF=9x8!6sVvrOJ2z@F3D9P`(>__JAjE(iFY63h{XHmJ%5XfpX|63+$=V zOIBnxNeJC8OV9JiweG}N+Zh@TE^oFbT#?7qhKL~lIMB~*i&=s0^g}eXM*A7)Ztq@9 zo=NoK)i6DA1`}vCN9j?^=~(QCg2I#?7qt&dkyo}(ftnNx&~KX-C)f;|Z!Gxd@|QlK zqTVVM>zx~>6>A0@V*qhPH)$68NfkNMWZs5692kkgaAi!{%m^? 
z5MWVLNd4t^bp7(S{Y6?UE!b8Jt&vq)8^q(xm}vJ7Sr#MWK&H=Z?`fsepOd$4=2@0y z32!;2!aSfm5#b6gv9>39Y{+|rX68;E9cU6QM!_l!yeHtJ2+{r!`=5CC@98U`-X=r) zkYD-qjVLH8KHcM`N3l;3iTLI5J1X0#GI;*-lWG;IpMs1#YFP}s+C_l42=5B)>^;~2 zOk~c=AOmeJ-ye`vS?`O8UwZEYBOaI7^1VauL)uDi)b;f*nM8Vuz?jr$G>{K3;vd&3;dl88mV^4*abFF~#5yLvb8l z#iRIqs`s)bSMGhcuH&JyUvF14g4(BtnksdY0C+;O zf`i^N_8r8psmJQ6xH4*Dbe!rF3jCh?Uc@I7=g)A{@_6&y=@TbLa%SwK``AG;UJ1wr z{(DjW)ui`?qBwQsqHoTs`+Vnk*bKvrkn~IX42{x;epNYmd|EhV@u+?f)UHD9*Hg>a z9eNcLMze{CwNc=x;lrMAe=06gh>sy|8CA&1tR0aHRt3@1@uo1jWmI?O0l+rfv-aCC z-kQ)k!c!Jb179Prq>8q>_qUrncQ4U#p^s}5Pmj_2pXX53s`HE5Vf^rWqizB;`TB;E z{c|sMQyW<{#TDyHPiJfVdb$uLPVk%wjQF$PKS7*|J*wujkFdxAoE4CG2h6k)`hTG` zU1kC*13v@xk)D6J1VR|^oTl9BdrLTv7W#&omo(K&&Eu~aoNz(B!~ER%dq`|&MWD`}IC zD5d0hZ;e_-Lt57RqIB87dFH9H#BdSco-SLJAyhx+moRCft_zag(T;_faP-^a!zUUq zKXMS%2JVG*`W$`K%{NhUDh8tA66d*@(kRwyXw`65;otF>Zv;Dw@8e6(Dk+aX2PI*y z%dbiq+k$l524jK!sYw-u(cXz2({pO+rw$DT`3GSjGl^LN>e}#JF;=-hQ-VgW-u*B~ zZyRhtA7g&Ekr>lqHR6%bnM*4nk$*~nBgMZZNgewM1r>`-N@U+Ka9{BV+v=jfjT|7l zN5rIJJY&bO33kW`f*_gK*#m|CjMVG=vVy1@#1YCR%~i5^JlyKcjL1f1yPZAvT=BKO z_^H55>+GxH4x*IeV-Pp&V_#Xz{5m&>GUTpr_5g4S7pwK~mP;bI6;v{G!#1fkFn$<>=YRMU z?|8WTsO@ma$EI&oExB+6I&-xpa?6jcDQmE4`{T;geX}Iat2CZ31uC2OUlwrY+JW#(&^O6qG#2)f zepD*GW6YeJ?zY!t>F-!X)k`lqiP9`>Eq&F7gVv})p$g<-JGSJC+sOjQFrGhORIjB4 zvhlLr+k2%Us!@;^uw`N_lfM2@a+eM@wV_XX+!R3T_Wzsk)MNv{qYq3q>Z~Vl$`n(J z$R0RSBFGQ}<15-Qd?A&nUGdLyWbx$hC~Pjz*4|)i zIznQBU8>Kmr#+U(;+q9mo|ygbL;YZt^NmEbu<=l~-MnTGlu9A`k3yWP9>e|Mx@4K$H`29rSO{%2F3X`C8vSxj1soNSRLx`lL z(|dA^;lgEXtUP}{B+riEyS@8*e~LYvlII`l{b;&CVVfU?niO^nCXMSwC$*Y#f?J_2 z?;=|zWyxSzn(9$^33Vc8C3tM~gD>BEDti!&WBB!hDHPt z45AvO+6+-i0=oIy#*BLzv-^VwzO^f7kMsa(x=>pc6Jw zl{jI)g^1DsPs3m2M^ouPy<0xCA2pvTZKU#BuKC}u4DlCojfFO_B%kuQs~hwMNc51t zjj6E3_ALh1c=#n+|7G;cz9v{W^K~~dl-3fT;fn{F`18n>4r*d?I(6gc+gVq;p)n$6 zY|3>QM)JB5b(MiAl06(FfSa$1udMII2>QO!#LbaBrz+~jR|Uyvx-unkHJk@;uN*R4 zl6(~!ZJ$3@A$h=r{MPW%9=iHx8p!&ZB1HcY2t{Ev$J0rx&AP^ZBP{#a| z)6~C_*ex=!Bv{r}McmH0}C{J9ul3a$J{+0SODP^49e!pspCvqMML*w0(X+D$BW8x 
z*nUtGYy&1<6Ey~NCT=&iJFOT`cDqNX+;VoP z41(J$pns~jzACEn{k}W>Gu!OBI$HrBi2h%B?Z2qx3=W$2G!BUt$H}PKaiu|0qrervU`4kk;;(@8oQ3kq()fQN-@MJ5AU|jP7wl7ov|a zx_#S!ti^TT*~B76lde#^Cb+S;35K#-D<1@{K3L&#HoG+Z!J%7$yEw$xO6qfr#Jj|i zNyr68WpN$|*>{^HM?@>rh2za7mM-4Brzg;T&LM7Pq~7H`sv@XSH+|V0PT0p9UwNsI zu#FGz0LGA733=)yQ*hX8cS3WY4txrqLacr0-DgbBa&YvVe9Ft&dhF|RH=M199YJJW z+4OK=#|)$XQ4pp0Rb-l`?&7G(~xJ zIfeACabf%ZpP>Mqa>~y2wv{-Ke-o}q4LUCvJ?bk~CWJ-u_t(K)eqCTts9G>${4n5^ zUl3g2zKQyoELJNC5!n!>{S=b`D^v;tHVM8&!w@PO@@{1n)!d(H7H?3Lx2WCZqi^3- zkC=Gm8*QTb_zY&_VuOh;MD6g^eP&0B(zRde;_Xv3L&gow4bb!#NEY$khI}qtwDtiw zAN+OVy&^Mt&vDCVruU*o@??9u5u#L!eQZ$sO21jk^zCe~W-mnkAG6%>YdT;0AN#&q z*cpDa*8IBJKH#&o+-u?oi!s5tkk8FICBJy;Hrl2B z@a;X=*b5h>*nKO^sy>#;vRNK9U84X47vyK%SE}L{Ra->(H~OQN3m}2-&0Qe(og9DdaFfGj8ee9>;5ai2cL@XL$WiL^rK~9 z`JNYELhLc&XBm3^iEKB#sMC@o5%3{A=IhU_A;q77F{SjUR36Z36aWUh5bTiV-24XC z%$gy?Q3PcBlGxdd>$sJFeKb6Ivr6ffz!!U^{H%SFL5AI^fdz)yQkisW7wJ9I&v0K1 zTH}4!#H8}K_(tC-_4H~=HBl`=wgZyGDnpZZIF}rt<8m5dpVl+}vnH}tW)A3mept9$ z4&P)tx6$~?kq(0YDUebShP~SPLgCS~mO~5LZ&s8uS<+@G^vBg2=ytV>^hJaWUOX#2 zA`|spN00|}@v4v?SbPKUvqVc|CxqW`Mg)%pbJR8NZO~`n#s7TPJ7m)Cw)O7JWudNfG zv@?&pLG?s8>VLc;J%JKF%wQFxmY~nVmQ+#E7hXK;l06%0e;$qS+7-nd*z6%9fn~{1 zOA9KHZz^pg3+#vt1W~sOs-GiXb7hH7`k?Otw1>Y$N2pH|y;`X4}a097-?@O)LF^%?N&Sa|R=N9>gKC1xYp z)AiMwTtdYY*{u3c;}h{%Rt_1D&Jn1SxeZzYgU$6rI$98seW2+9b}QD@HN~Xfk!5q_ zH!Mm8HpvM?Vu<+pOHT=za&J!-Y>) z>e+q)urz>rJzsD@4^MhND4UteDnt_8D6lK#zyEABfW9=E>x+=ajzv5rI3k+rx%R}v zz}|<>8!K!%TJP1;Ha0+ zNp75r#cG(%j_J^JGyL>iwu+V$0Gpms5#QfFSiz!*B~NaH6gBt;ogl*dFNq02dYUN%}0Z(cQ0=kYe`4VP_fMm(u&^Y z8~eQ)js<&<$;MdmMDjPd-5EyfTilLZ?oV^9e;$R-+Ies7+Y~C&M8HH6ArbNs@`bh? 
zbig>cuB)VDny>G|6Z-Xdr=^!|Pi~{ZxmNy^8PrI+j5jHc>}b9+$Vg6+>5R5L>%Wrr z)WvT1KPGJl8q_6Un8E}|yJ_hmgQ|jfFIjKZim4uMK5!>a3nqf9MLcnkf#zNAHT5vS z9bg`JaTU+Z4mTA(mc+g^(-5!;j&YwXIl}Y( zW79PM6J712!5-`XxMeYXBu|*)(QA8#hM@;j!)n}r3qSjbSu5aH@a-3-E^FzpL1>_a zA-xfa|I4mKDZz7t+#4kuQKwz=xfg%w243?0OE)mFROXEBKcu)cYWShgO0n%pCLJ*K z4xFD4&D!K5b!c+ic>ZE%y1?mNqe1W=V$NGOG+2{kNO?0~vB&7MSS}>@17CrZwhbb; zD7}w7iAhtuwNi4~K(f&+2?OzBniO^YuqyuuSz`E zMzEdO=-x`{*V2ma-+r1{H`K=(D0pq$ykV-oQgXqq7tNEZ4hO4VYm*#irVuH6rNrxz zjp^LB%FG>DtY7U_7kXR$c!3{5>l0r*F$IiEO94BvvrEw-AiY&7&bRGMl`wgoOk z7*_UL548KqbX9{wRfXf6p}F%)G`HWAW)gkv-{*XA1^k}%T#uMH(_F!H zDvJr^>-l%WUBF_fvPvH-mt90Ocv@A|*ZOSZN?0c=2)|SJ^XS8vC#W}yU-pboW`}^X z*=|7W_r%p!YLD2G$n{3>P>3~+y>avLzIy$-{yzYJz{q7F%F#FO$vmF*1Rg9Ka8yG) ze>Wsa96pO_m@rLHAErUZM_#WlJQ0s~)#;A2UJMDq(RA&rkPK{!re)&QK?atzOf>uF zC|rn+60&AS>=NfuQ1P{F@tR0VbbMAc+2Rb{UKD=Jn@wRok+S(ZaaL*6`^6^|$!R(c ziHD|>px8@5_n=?aU&GC>sqpzD*={`FV%>z6HQ#q3G(*t4HMtGQ&Yi@pNfQUoPOL_MdGN&tYwlxZR{i-`y z{oThlTwmjR@@qSt`S4F7f^I+9KD7>@#?kWQsTk3iIT~sOUCto<5Lnr`7oC5?xzYb7 zN#YIIB%#RynbsgYNdZS3}?>6+{7 zn3sOwsXcpKRd=yc#D8mon27J38lc{kA1Z0v_>32xq)mG zq~wFeqvU!DNE{@+rNd$)eMFBHZfEKWWg60J;PUOT1yx4&)#WRJLHzT08$!4KaaSth zuO2!9_C03besQ}Dboom07f$@ZBc-9oij)wvigUNy_ zw;7*jS_sZO5SIE&V-r)X72Kri6lCL7cr>3sxLXKx4qwIsS8^xYc80qoq@sIM6V|Yl z9ih-}o3Jh?;hn>LIg8$E4WVgH%skW6&co3* zvxq|KV4gD-m-%n6moXOd8FI)R)lmCqx7Wop-qW*fcjR1pMe^KkjYjGD$N9Q%iW7z{ ze>2opUR=G11MF-G|gZ8 z8w`J*(wIcdb^ErKiJuofdIW^U7dR2Q_2nSr_b7LR`Ly;~-W$VPYmuC!eo5+p+ZXu+ z6+i+RzQ5QU+O&3bR55b%bD7<=_T_5jV_TQ~ck0_mL%V^VukUK_u?1+|+9+>+uM)dv zu!>bLqH&F>;M@Dd3j0%7RJGz3b#8%UFOg&jd(yYG)MaWMoqh@XUWm}7`0!FDc03@@ zQsoAEWbSu@K5+ab^GE$BFL?<6l>DO^t}lvvXYXRV$DdY`)gi|?eYWiln5!7GQ)1sw zXd1uFRNo*J)`QvD$cxLd; zQ7L!zMVXLFwiZ}Zj47IjO0f^}@Cl5w9VhDf6V{P|;#q623W+kyj5JNFMNij*?}`U$ z#R%?SR{0NHmSNSF8bj{L_>pJMZ_uZQJbtoPtwkiJCK1C0bJAnNr3^SuPF6nr#6JE; zdf@7N7=DUKu^zW`GQ%co@aj`oa3FcEq##az#cAR>o*D{ZG`3 zS|w5ylyR5~l`U_@HvXvOk@Lu2fbu0wii|UooSh=wm(AL<&nzShSrnT1C9=a0&4n&o 
zj~6t7uutoh<+HmQeM?-8-|0p;NEyT~w*uIiZ=~WKT^>V6cFO+_m5>D)0jt3>Na3m6 z1%+>0&_je($q>3}?34}F50b12lR~Myb|y?*Mw5lkwW$&BKczd3HG@*wr%z!j6t@EG z^|YXylE^C7*c0`Dv+KaXLz=N))F^6&!gNj8FI$@9UF^xs8Vu zk{cYua$8qwEZ3t%sXs(EBq#A^ErzfsP`1X|?WSc68?}iiF;fzFnTi0p1Ur-n)hN@; z3tmRd{T76?Bj|dr;EtT!`9bE+(>ESLWHhhjBaf@nTFCTgr&KpSBq!sC>VZ&r2@e;7 z9(PNJsygxJx7K#>v8d5oReSM!I?TVa%-ZU2lrI?&@Rz(`S5Ma;Q{G0abv?(q2`9xxgs!2}hK z_4iQ_w92G$Q?Or*vC+$%K>1-qO#Y1O5z2f(5{}(tU1K4ftUcS>QKnFXw0qe#^}x7`!&EkcJm+7xSw$~fnT^qyyL!%M;W)do^zr3Xbruqn~;!) zsGsfc`bae6cjDVriB2xc0s4ogw$E8Xe*+0k1u;D5p`;b=r?4g`P;r422Xf-HGRL}4 zMw2Us_ylla^L$D8p-)A8+|z}tA7Mabr5IVn_DdbBG?-vwf7kwQlwhSY<(1Q-Hszh# zpuLsB0ii-aV`GKO%xdeY)9UWh^XxWM+wELW+tS&ZyQi__id9qWfr0)^1hS^`sS!LS z$Z<#!rIj_Xx@v8;C+HoQRx;liR4DFh>4Gd)!ce|4rgBOIG5KAqfz$-{vZvf{91Qp! z-8&zl|8M6bo@%iM6cl^~d1*NWfHGUjc90M;GfY^+lk9u&v|zM50Zb6Hzu3f^icRgu=i=jhmOd@#s^Zd z^F|Ppy^t?sl`w5Gv)FpF0je?GbF5#ndMNwjcyC@Wj16)ViOw@~GCE@GY*CyF+E8{> z1m#>fqE^4!Bx_P1t)nL{8hocl^*?`eK$f}Ml=B)sto?I8tX^ZM;j2RKc8<7J;Wsmz z%<|PlJy382Ug(N1YqNGFu0H`JGdNRggJ{z(cyBa}XjOANOg;Tn>gr+!kmrjU8>)i; z+*5~l6(!b|e~$~HflF^-VP9Jdq?CMqgP({roJ=XGi$7QG^zoP}PM1p6QDngIUMk3E zN6Mxa7DJT!eG|S1en_h#*-ad0RtY{HHI4{k?;cwQz|?lf4zf9!_uJBf)&f7M`7x;J z)%Amw{n}&CBj01upUvaOv$IQx;bDDxWEs=n-kqFJqAq^r@0h5EWd3TSDTn2~HSZ5uyT@X$c05eAAWmU1Rwq}F zTo-%vbj4MN6n{NPU*;E;-aiFLF5pHTVl9AyYeiWeQn^T zh%o4f!Z#NZ+eq$6I$B*r7mlyiNP|_I&#FG(qm>)MM3Bee1EP(-pwP7nPL2{gAFj&G zF#&j3blmttesFizw%B7pIJP}`zHosDkZ(teU%g-dt!)Yt#8z_5AZf8-2#G(Xzz~%? 
zD0-_rA~4D=wkzIlU$!AnSi~;%{|YeLPEwimo2gkvSt}VOg%)F zvCSZ1EXk7WTS%l~gfU@e>|0EhDTA>jSt3hhmuHZ?Kks`z?{f9Wd;a_Vd7pEx^E>ys zKi}_d;PJGK`e}~q5|d8!Ozo<*Y-tHVCQu&vL}NF%mg_j3V)u5k`LR-b{wUT#~j z=X{@%nwEX1;xVJ{Q#R!2zWOPKlNNnNYaV_?*Vc(9LR0|C)>9Gp?Z7!3fNVJ0sZ8lN z?TqWI$U^TsCp+AR?f0x6jhw3(P=H=eoJt4it8pO>-UTOwDK54jbA1@3?%DRIXHEl=?3HRNxP3fEh& zb!*rb2|esK4IIzITjCYz3U!CZXo-T+0!;FJG=-o^8*KY37(Tn>Wj%QNz4kl1IY<}s zlo4K&Vu=-i=;~-&Uj!!t20F5R6;eATFF^up5G%S2{K>SE6T8;3z}t{F?`zkEy;t(M z;fdx?nsXQX*SK3<%&sTDq-3h>ElXG`kG8KYibvzOcsKMQ1XZe*5*OqTE=#JDm8VVO zl{Oo_>eCcPHbBqu#Tej~pdJ!my8pN&M=pnda2{E)p6T(VrLaANqMddptw=H(J7!cV@MP@4Ox2+iGO-;aETBLaJJ?~SVgHs9 zY~o#)NE;XT=~$9<&kkjIACmtyH`U|AWecu23J{^+*p$+=&hfT>l(>-nJ0;|$SJV

T7b=a|h$Km{vlCdB~@f_<(YUm#;5#Azt(StwC zNSM&9zwi2Bl;7&+)2mzhPxKdl6-B@ubI$z0yMNL%anAe|5s+Eh3stoRkISCDgcsNk z;VO3u>3ZnR7gcXnNrs&uM}k-pnK~xwM8iUbUz2EEWsQ-_8)M~CPFw5&CCkn-4*R&x zJozoIal(|?2C(fPL3aeWS&vc2euvP1_rCZ$4HZ=fAd!12ra;Z6A!@X#w=`rar=_W4 zioIg9AUJr@G@M)|0ln5!LmU#|?RlOy#NyzAW##xu^7C`>mg^hPi|g=6cSB&YmCF0c z#Mgy;PJq}Y)U&0+HzB2oJET6}$g3gv7XD^t>FNJ*mTA=U7WHsJStJHWK;F1(P|@aV zv!avX)N;Xa8+Wu06Y55<4771bTz>;*i|z=Dois_(iR&oF*lUD2bp@+t-~cB-Vlngw zab&J9^3MTzlRaaQQD22cx7UcdMo;w;AptWJ732tZa(ls>V=e@j6K{QMJNefzP-g#s ziNGz+D5wu%lUsNl4eje2Hnay+_B;gO3VaHlcPbFWCc$%-wGTO9e(djJcRyEpR7VXL z(y(Ng$Blg=`cJHAI{jNWNfxAb^794%ZojzHVug9)V4idMZj4=h=HgCqvf?U+l}Q-e zES8s2%K#TU$J(I5MBNXGo6fidtLan3@i`*ygE;A?e&h7Lc*O!jZgLfC~bQMx!KH6OkL1O;M9JLQum$9`EQFOfyR{rK;6pB`|0 zNPMkdc)42@a5ofcoM0AV39luPDoCA}<4&Jv9TQd!bNwBSOsp}<%A|8x&}w#4`vWFa zPFB!ptoG5I$mCUvx3;gAY!Ru!OQGzmKI=1DNs$Xu?R&G^K8przs|Djz!SAR{lI4^# zz&y2x%j3&OQ4!HkCWJKLHP|rfgk45v1*9~{W2C6FY+i=^H9oAs-Iu3fQ{aJyWN6jl z>IVDtufb=}2AL7con7KIY_HTQI^ny1DTsEC?S~FMN|u0a03G|KYL5=q{+0}LV0uLKBs9-qO&F^+MCJ7A>Zzk|3eoqdH{OL_#N+7kz|XQ}k~I z!w~$s_C>;n@jfn&V!1D_ZAR}HDRcX4`oG%^+jxrKw{4vTZLIA6Wlko=U~elcd=oR@ z?6DUvlk)i*`rNvUT`y6uu7GCwSs|jQ3gvOYhwVR<$nExLdF~gFz|{Fh!$k&Cr;)!_ zH)LvH*5PDL^Hhtl$5YY3o>^Od`dsXZL8TkMz=)bg;$zpAtf@{K&AnX znD@e#%X8`mZ#sqcBfu>}BZ!9i>F%7P8ss2+0;;N1Ho7~85UvYbIY^&#A7Y*xYFabq zFhb9(`izj&w0Ck7H+T@Y`?RDO8`!knr)yWhyex083$ZcYJ{B6-^X~0?q7dM(BVH@iIQK~%RTJ*INt1= zfh;zJ!c3cXTy8Z67>hfqm-TVW>|38`)#324T)2|Q>t3QzL&h+ZLECr15HN$YH(BQ?rmjt?0$Eo%%W;Pj9W8_ zrX;{D*f2ELi&eZp85u&TW*vD5} zPt{UJw}$*ZvoU<)a9t(C`q;+9%I#?}1)ZCwk9W>|BQMv}Qxw}3azD^IhlN^|0|<|5 z{cA;60_YKU>fm+`N{-dBnXh?9YF_^F<_jAAxyma@HlLI+DY&1cwu?jYXC-dr3o!Gt zOvOdrj%l-yx4Q9Pi~q0iXH+<4ed{Dms9U=b@7%jPu}@STX40-n&%dyd6Ddq5HoFS= zju(cITTp(6vs$~okcnZ%YZD&1^D1aU_`JBgYr6&K0bU`@BcV{d&JjY*iZafBJMcKR za(VhmhBh(wPTEY+MY23uX7jo0(l&=b`M%-EOp51%hWamyq*v_XP+bo9#tTQ=wP(7v zy5=d_19wr03wzF-0}Y>4$}yp$X5@}ON%sCdnP}f|Ul6ZBRXr3pBB!0x pPgi02OcX46@S`Jn_N(@-BgTn^8N*BQhD#@aaRX|uU!{8|`X9DcT;u=% literal 0 HcmV?d00001 
diff --git a/docs/public/images/projectops-write-issue_light.png b/docs/public/images/projectops-write-issue_light.png new file mode 100644 index 0000000000000000000000000000000000000000..6c22bc7967af37b08bc7bde3f0c3f34ca9e2e018 GIT binary patch literal 272380 zcmeFYWmFx_)-{SlAOx4-5+Ha8?y`~K?ry=|J;8&!ySuw4cyNb}ZQNnwF5k{M=X>8X z?tPwd&lvab>CsJBS9f*olCCw^T$3LPauTS>1jtZOP^gk$M3tbR5PP7Y;2e<b@|7sl4rh1Rq#DX(G(TWw^(RY`EEHBes*glapc2c?74 zd0(IRMg{jWcyHIm!H~(PF-N1mF_8ZvXBeLa^EL(w6(6ces3gWAKc5nc zA>afwl5Pd1*qBVLs`YyOS}msiK@AC7D34qYk2cT){S^*sjUnOpB{bPEnH>wieo>DV z`FtV(k-SQ6Lx$Z}ZNr(pYtasibR^)89Lgk3h-?B*s2=g+7{-u#*6^qK_j;8Nu_DK4 zwRU=IDj0p2#i-Wvo|pgA;ZU|@3^IOzzmyV|c= zy>}#W`{qXxbNiSx{hBu_xn6e7lF7j0Cq(K*HyS4IpMvaQ@cjb|rjcwYB@Va41}sNu zkY>k_Fk$OwHJos&KF3mEiKasV#)!vmd$b6~gHdLZcd@W{O1^5|B|PejfZQCA zA3n-FWs)Nnf=gf68;pS3(7x}&hl>t%8foaoyAD2@zCsnA47SW8kt8*PuzjuMbZbPL z?qb3#>x=&0EnIUC?zIepJbEWIda;a1;cAZoU_^{>h%nHE9}Q&@m4!KC8eBM?dwE^t zKcPc$55XC&bNzf9_2m#8+haxa5zbHK143A?1N3vJkpk5HM6U)8&HK$+b%_|3$zrA7 z(9vY$up4A}YxIwa1ptx{{vk23Pra1T6(aZmri!u`zX`ND{r5~J6bSe`>k-xiIaDm6 z_+Q>qAz+=@16J^E2PoI)NY(H%0=(W0oX=&Qg-*(~$hS!CldWV>(8i%%I`Zv*d-w%= zFZs$L*up;R+zV?@TJkQ@0oN9Z$U&V84evI9wOu%gbG@04{@8HIFMK_nhRs02p(rN- z1KTg`%)1W%3h-%E^p|HUc3Ekw7MNpUZH;OY3S>NCiGitjG>

&7ZL7u`wP0047Y!`$@#NZf6@*^VSPsE1@A|Rq$puie!O&n!Dg1cUSkz#IH`crcj;qV{C&7xefaS(S+0loCM+o z>S1^(njK2jbW6Z>?tpTADN4!CEYG3Eq0J#ZDk`cIs(d6q>W=~MNXN)$0yFkgi;m)h z$zuyXEjn3AZMkJJUb%KjFR|j8%7d3HY)=6n?#^J}IN#(Kx%kq9g5L|+7UMG&vlR;+ z1@{@kh8ip_5x*lu#NTg`ZNcPghv%7A_RnCNkIj|M@>IC!maC_i@{99I@ydIp-q@Zv zEy+87;hEUxOjV&i<@25c*A^Kw~s_PTPu z(z(XG{<^PvNIZ39V8~#Fo1HkK^^50c+rY!89(OpmK=;0B3>QkKNcVCB6~S|ZKQ7e9wUkqVSv`5O6} z;>(d*k)DyV5r7EO0m2A*0=M)UnJ3vg+4(dg_Jhx+X%A^qG7D)WtUkl@#!kT2W5*j> z*XYz(&63n<>vYX@poA0QCEO*&rO&P#LkTWX_}lPCTt-~}q@tuPMlC=e}u|e zwCvv8Z_8+#y~@9`bLw)cOOixlK|;u1<>bsgm0_Aup9MDoHQ|vpmIdxy>AdKC=l;BN zvY)xtx%~K>E8St!fp>uajO7;N&ieA;%=EG7-uC+BjP(-hPW68Ew)qV29(?6D+PL-A z>DE3QkqdDM_8ol3j>q}#Srnqtck=I4-))3>gx?6`2)hN01+WHK1$c?9hBWf8)+R1qxe+9 zuIQF$lUFSEN(6}b5mg%Dfz3

Ux~Y^>rnoW!1rM6LwR*4Zf6S{a@;abpGVbFijFmWeYHEE7y{5=kVM0y~TaDHYWihq>x#4faK7^4ROsjXU@#ZsyV=w7PP55@Ss~3jl zCP$Gr~ zTDF-P_7}sYDatm*z4F=5RCmeoW-Vq>nb+LQ-s49r8~WVc92stc`k=#k&wb8j(7VRg z<~jYdmPz-iOC#mSmYe+KC#K96BKP}b`X~CmYH>ZA?j-w@f$P~LVop)ctd-Hu`^{T_ zkl7;JI&|i#|?J5w@|G238RD6?7n7u6UdcgeJt>s01<=hq1z3|^_Y`Lg4xucx0aLxy){2mdLD zXUPQW%n=Xj$^JgMsGkIf ztV+1LHA^BBS7K#p%MuLKaCV+y6q@W>(05swMq{X2> zLc#tc9|j64!~zQLU(d)v&VRNT$nmGlKhLmn!BB{hD@@4Yo&)oLpGNG-f&IT}I7i4m zC}CxQq$K35Z0u-iYU^Zf=Uf}YS_R2?WB*0d2?`3A>dyf!sr2Ct^8Q5&6%A(%Ss5N< zI~yiL6FVbQCU+bAKktF!bLW91ZA_gF$=q$MZJl`B`6>SK1P>(rC!3jq>>rOfTk%t9 z$SRNl>>N$WIG8>$eWDORCL<%`b2RzNqa-T+ui}s^ehPDEXL}xIW;ZuCCO1|lJ4Z8S z7H)2C=1-rQKYwO~Ji+MXVe4$@&S>jI`Ola9-}i``IvG1!*gIR;*^>Qvuc48hi!(n3 z#h;4)XZz>xGk#X|9OU_ zp@Gmee8`ZAAp|8UDy-rTeVhsJt|EaKEHAB{({Dkm=a1+1hG2y_tli2UrjHDr0S@UO zSM4}q*vwUau@sCrOMc_isPt}C$F>pAyB_X0Ypkq$;~j2PD|WjX(Q92kkIX+VrX)zu z!==OMeOgU~>|tQYp#HOcodZt5AN`c$mH-PL8Xf9C+MCIs$X6I`S*hRrXLUfqoC2Uk zS{_%dMzP_9p#GzM#UCorzPV*AeS1XzhJGq=OThZy0r~%&#OwbZ zkpF%m|G}#D-zDq6OV)p|{{Gj7{Qo!VMsL4!`aKB?WOs>{f zesVwGA2E?U7}@^)vGwlOC5*XLs7vRne=mD5^c>Xw8Z)ljA}XK7pKmtdTUb1iHB-OW zJq@;7OBqP{;6Ndj#KuA;8`sAc!q-}-JY22Z7g}qK{@1p9oe9pU5naG^=`8`?XJOB3 zYFVV*H1;ydBVEn&hh|WT`T6vf7GH~#>G|1^(7|+3;cTh0;-LyHt!|t1wrbN`DqOS$ z9ZjtUO9@0YVl`*Yt_-{}{j_xrNGQ30N)ao@M|`MSyV$%yvv+m*<1Q zkGwM*H<@0}`}=Rs!5{cvuY(NLf5%bh#`UAbo7IXWs6E+4{~dBfZ-q0eM1PqOd{y`{ zy|bS?1}h}3LnZA#-E&{hC>!hgRPK(SRBbTz<Dk9MwFJLI$JusO#Td)k|` zfQ#7tf$0jM(~0FKLd!>f~KVC69vG&H)q{CedbZ;Pq~_%`@8N{iF#3r>d=5IFZ%y&9DBb6ugGIzI#z zHylxU37E-p4D?IEW!9JOz*+(JgySza-9<@x;5y7Fetm7fC7Db(yLXmg71x}BA2A5=HT7yDLT;svncm4#a@Jw@Tuh?!myW8r~ZNL7k?hnJwU61Xh?d3dR9OH^YfEiJ*$`cmonx>C_&)(C3FS-PU zQ=0^J>Qm9_(uO$B`>R~7+?2*Yo%qadd47!WqwkaZS1dgUIAuUu>GH}(K#ZuX>ELxX z!MnZDeYE&Bt?Jr^JD#y$2XFS|cCr2ba(^??%5}kEK89wYdA89=fc^aysZWc1#VnMRQM*g&Qv4mkWHOJ7 zbv1Ath%iMJm_E2#DNS>6b1IzO=Wt9;5NOZ(+pSu;N2FA1j&5E&LyY#jl&aZP$_T8kH3O-q^~g@y)Sd#X|=hMOR=l+v*%H z)MJ@WBmqs6-JiPkhwMa=Iz4xm8YHA(x4k!eLvD%-D2lm||Hk|Hc7)U?MV{dnw==3M 
zga?ln{kFkt5LeeG(*k={ge$t!;MWs2hXY@sl!Z4UU!eVCJE%j`m|&ANX0yLHO4N%d z*6JP*C^MGDn!PJlrN?7-_r1GFnQc;ReIsAu>Ivx7-y|veZZ<*RuTrDfw6Al4;>vJV z9ywhq7pqr=W~RED^PGYi8!{4JFiv=tIl5kGTB`Oh2a?7in!u}!D^g5RG!p(MOD&P@ zno|l_O6G9gspm9MK56s}(V_S%evk83gnQ@m%~m3^%Q_AmX!?`Ww)71%usc8j8&p0_hT z`twzKa`zXzQ>$yS!7Rc^dk)1i_v|*S4Oy7sAr|7uf%c|aiS(*D7RuDE3~VJAss@cz zXAAm%it~1jg7xam*=}6O{wM4Xwh=-no~Q@Mz{{}Ai|yZHNAuJ|mqWP{t8`x|<7xj*Wr@|>rlu?^4U&wDE&@Dk% zB^rI4TmCwMMm~G$Xdx=ZkU@Vuyr)>cD7t?fzmtjsdBfBFg_eX%VAkEdtlzw50_t$G zDpHMgwmn5?Z0Y*oDJZ)@FB3z%P);#7UC89k1|QUl*J?BQJjY6>8ENCuq^8T$U5#Xat?PkeMe=L!7{UJ;E5xL<;8E@rGp`@(v3v8%cD6i6!|G?A)r=4_r9SFgt zT={x<2lct~`Q}7htKE>$r`w@?mQ#IuJT(*H=Co`HA@Q%xIuy(UQXdcbQ$=N~c7#EvP7+({4&$P`5xf zeU3CklZP{nkiY582Fl(ZnKF4K;OZq!v0g+<4%%q#z zN{v=;796?~W}0t8 z-r{!*1nks(XPsMT^Qv^}Y%B71i0UXCQVX4AefF~^~> zze6Sx5Lt*i-~JsxRdu5MHY6iim(bM*4wp$!#P_B5ga8rYPHALU_T>1JDDn3p>>dx? zmRm(P=KLe6j+#m{aF=Vh1w6`bv1BfJf)jPI>x*6+&uZbb7Ep3IEnvppOeiEw>Tq=88J zcWb>bOsy2sUWncfy=p!or|n_(h94uh&RxY>Y4GF02|5mB!4G5vC6{jwjSw%@*m2665OpR>KIpe`tLd^L#P6?M?U*L_K@A2Ayf8jXk(joQC-XLX$bn^u$;N@dR#>` z5#5$#%NRo~Ht1vJ(}DyVIKNuC;FDW?S6ex{ErR3m-5bl5hQfQ5b9U)nnFgOD@qQkB z;h(EWqCx1VwlXaGf1t-Cz`%K5r9E>JSZ6{3`rdiv+-#YjVAWweMyJy4%3kj3DR06( z*y>jl@&2Q|J!xl^b7Q;xIWl~RjGDETv-50P4pFyNHrF8Xx40`kW*G4aIpD^{27VumR@3diuj|qX4B$+I2Bu9!bq=b=hU+Kl6;=4@6V44dve4o%l3usC>x^&_rt1eLlRvv{>v3w zwSmaELlYq%$=2upu#DFygWC`*mKQ5zW=HCIeb_jMRHk;7_Z2kPSZ9$r)4qx7HU}cHQ7`B-hUa`o5OHC=KZ~vxp4l%snIRh+y~ZPo}t;d_ME@s6Gz|#n=KC z2?ujk(~`Y*-OqBmeb3&H6N0W;!wC%H#9EZ75ybfTe+_AWLVeeu4D9x}3`WLbl&sd* z7QADfa4}IJW4BoOvW-S6!P;Y%KBiU;tT!uUBwWx0>bPJMLp}^$n=YN~&pQjw_8_J( zESh)OQYe9EZiahSa~48-%ugS7W=jnD35bu~*JMhKRlW%^P(qROC9QsXiw7sP9zgb! 
zR+r}r-+(jOmRMWyoC5yj*b+gr>ijpka00|9Y^<7Yi;>)LemM4Me{i-?Qnp_w<87yZ ztL=K6+dr~E*QUkgMB#HaB@yP*H1GoO-~W|A*!1;+K`XS)RUw+dWa0NW!{fe#t1a%w zZhlH*#Ln-AxwL;h!M)Mpj3UvyJdQXH=U26npJ&ej6n^%f<3ly;U41Ot#|Y=An?YZb z=Xtd-bVcssY2;;4;ARIp%@#O@&tyFtsTVO`NHaShZXynCdqKV_?^I_mt zf*@qKTkA{;4bnFu84CM@VHacq)+yUBTjFmE6ZEZ$duoqMu#q7_#feN@BjD(y1L#-p zLF^Zhv9=b6g;3&faua*|_S5u^6*ik|Twe90BJ|Z<@^9=T>&QwTPx{kQTZLktxl%=7 zQ|rh$UbTj_b`!YvGMVfb9-EIyO(rqI-vD~(=RYl8YXX=p)thB+jt(bZ=4oyyQyvbh zR!DK$u0(J(^X)I@GTy&EwzF{j?cfXn7VhjEI^EX4Vd%69K9NeHxCV9uE^k48%1Otq zg&8fI!~OM4sL}TjTYI=xS-|s2MV#k*if?tEqc?gFylrJ3VDc zsk67#-1L588B52oytDhExK%uPpUtG*=ExJ>EF(j*Qq8-A9-B&$&*$+F;fZ>t?tC)S z%)9fX269Pn2AA&VJ1y_3OxK4RWzt71yPXunOREE0!|*tn#?n5|kH3Tc>!JSk4YJ^i zAo*S0)eb%Diu07${MafLzb?bLRxTRLaUjQ{7-vN5y4ytIaXS3ybMc!d>1%OxzA{pF zw*dzH+xU>9cc||HE|v=_nUsNNx9&Wyr{cV>r@nSI+?xuQ7NVi@`8yBS*%k|@{LVXv z?4BP)>;ycoLQe(V&5>^>z$4hSU3n@L2|i)iv_q5tgo_J0K&#{KrzeBu{T7DhOZ;eJ zL1DMkwZimf+nKR+PBEqj`XcHMLIKs`gam#sjte^NG`?`W;t!IT+OE-DFGtng`_nsa z&lC}_#NKoQUdMp)C&~-c7w2=#+89G^u2G9|BG93c(?)T4UsnRMM97^exy?_I9cVfi z5OT2ot9O%xKd1fnbgI+q_TYDXF*PT|{uDw?e)_Irou~tyT08l-{8d7`d*tcjJ-dGu8+>pP1glX$yDO-GdKA5L{O;NcJ=e>QM(&> zs&d(l0$0Vu-6ZGj`>tGPiy5V~+0xJn>0~-dhoCPTWj#~;caK7)-n460rAmb=WqBc+ zUM9T*W6mc_E}nO1u?O{5dPoDe8|BqqY@K-SED6PC4l{e=^s2#|K@`7+x=*5UT%#@^ zzx}cCj>);{tdrmI3jajVe)5WY!)nPlsT*@)b3%F`fDy;Z+A zK6A?Nb+DIh7fRd!9_YV~K>_i;WEvt^Oc&&SE|d-fuNYkc&9b?jG#@S}1P?9}%fkc& zuz0`Mo6gYS)A7`>2>3iCoUZyA82h-T>4=_5G73mn(N*hpeqP;L-gFuPEkL><*J=Ue zLw(0P1@QKrDV8^T7+heC5$rywUoSgq@0oayLGZY8AD&j#bfTn(t<~D`1U5-kHuK&Y zj+NcUm@wUW*cnluExa|LPrvU=wLkhwTBrV!o-do+6*dR!bcP_)Y9oA{9^2S^i*@a{SlIf|>V|)o3mUE5ce6IOsi~ ztyFA|L=l?cPR>Q5%72wD=5Xp_$9p;Q^7|Rt3M;rrpXph-F~n3&((4B&+QTq;@-*ZpX_w zw|W!!9^}71|8oA-LlvA_*D_yaLqB6SgX6!pp8L|^3`FiXOlH`Sg!m{?C0qUE3@gl< zZ7XMHN!`i_S6~3Um5RC!9Hv9;N3Q+pPCT2{Hr;cnxpLLq-|-?iM_2gwZVpqMg$)*$ zYW!oBOP?t9_~zSGQIbQ?lg2&1Ppx>M^tCj7!Hd&qYUbO$)w#AzEY+N$PM~RSgt7q2 zowzTYcFuMg<5|QznaL^m!@ViE7N>iH4d^qosx?aP2|}3;D-6dziohog?WaV+V|LhQ 
z9W`DDRXb9Y#Z3Euq};L>(=J>ER-F-Q3Lx)H0M=HQv|IPUMW*HRKj88FG=YK-ca)ox z`?0E70$y_bkB_u%X5^{xru?Q)+o@N*sZOr4BmY1ooQ?JE!=DU?8F)M%Dl*%Z`ok59 zUB@8)#NUO5_i51S1JC|2NvgHWvZb@t>LCM>Z<@-LP?ohTEltxfi#m)~#$)9G&d3{D zd5Ym*Wz98mE?`A2ugC(^C1Vb9+p=HJZV}S+X$^B#D$Bfc;W_t+`x%t(5r>`^Tjuyq z78cTZn(U6IYmOPdMdNcXHS}sYLB%1Eki0i{wnxWdQu&l8W{utB7Cwu@-}y*@D@sZI z41#8Uw?ADPFyflf1#wCTv-(Sz(?#)&w6^Jql^n2-n} z>D0@Fp6*98Xye7DJsS1MpLRx)+01L0ZPtvsy%bJYyQm=$nN7I>`<~jz^KtlNooF!n zczCqGL}a1M5ho8n3T{@&-P;^60eeog*uI4sGFT>?+bZgif}ZkaxzR$bv(pPbdg{x) zLZH2#!Y5j5}p9k1)5#N#It@$A0uW^@|b>Pq^urg9eC47vvyhM{l0=3y7x*Sl0 zBCC)A`O~T9l%9e1xM#dB2P7B>`o>&oa}0SGa+gn=tmwr3b0T-+y6vTaVq2zcsbBv0 z7P}Fp32c&>A>K|2X=*l0?Z;iIh=y{)KXX^Elh7d48NAL@=heftRp-q7T$Sbw_~TCy zrlkJsZqftifOHg64{>B#2YCaL$yhiElLMV zT~r>p^aUzA39?C~8JX`+K=E~E%F*6iv;9-=|C*Ot`6d*B*ApQ6&dDc3iO?i$ zIm|A{ljCRO!i?nJq6$!|<%$bCo1_!Q6XTUdMEiBzVo9rsBJL)BdVi=yY22}5W`Wlg z^mlR-3f+qFUmj)Gy92uP>vi1N{1=%5C3Zz{yK40)Y~&UL(R+DMP&;X{39{Sme~5?3 zsh0d`EdnYJ{0Oqk?hl22htK2xhbZL49Y-DK?zzT&cXG=ANr*+B3ye(4Ii0-OA6dST z`L%ta`&qmb5rIw|<_oeJ)vK)M^Im#bRTv&^j=4H33HM8Y zkqd+tz&=SD*p`e}m|(i-=4D(Kzd4_?;{0f@QnG2f)MzcESICcZWHKO~T&*~{C>b_K z0xF>N%U+X{@G{&ZLSD7I;}V0;J_uf-a9$kGeKiFH^qi&E)4E@A9iU%_I{X1URx?%ki&Ng~oxgVX z7dM_0DEieo)bhr4y(XJZcu$T$!-n_2=l`rQT_AY?i555?OyeBnp;3`uAI-4@HK~=w z0~=f|>937rsib#D6Bsm=+PuIdy4}72r;OD$=RDe(uOC}kfkt8IOvLMcINs5py)R|^ zRwlCetLOU5vfQjlxLXD%{o%(kwA-xV0UMM2e4kTXuY7L~iu-c!?>kKjYRpIcTa;KH zy3{TVtqA`K)PBtqIgFG4ET1pIam?Vb#42@tjG+9=(1G0Mk~bS#0(U-15FbG*nWIwjQ@8Vd*aq=X##V-4v!bRB zdEn){ah_|!*sKX^zvP{f^yIE*4nou6l&OT<$MMzn&6l-Y+4N>h-)ffhpHTXiz>ZQT z8BaXo^XILzU2Z3DY0bK?MS*WHCj$_p1Hbu(Ks=DLqfYfgDXKIMkG$O$qjL1B#`Ou; z&Cvwq&;s0cOZ_fyF;2TRwg$5A-Dvk-EJZk=4da7g^f5-1y_j8{X>sXC+vk%DCC=9> z64g?T`I2&T8&Z5CDfNC3RZ~!Jp8R`3f6NbeJxx-Vd?rdiSl6|t5U@NdO?>-gXC83W7Td}2@_7O0VE3y*c^@V<|` z*k-1nn(5RwJ6vv0Zdm&w2EjFBS`9_L5>b*N<&6g4cp;8#2pHlgUfEPVDJAJRoLqRc zXJ%#8HwaVOI0U+-xty&0C{w8_!H-G;2lTZM;u93;Y*^hX5O`BflJep8**He%FpUmqfWgjDj5Tl2Wb+{7Dz0CegOTcowU? 
z`l8#PaGKLHb^NCiXGSV*Ncg94Grt~#Q-?OtsxYc1BmIZPpsPxakS{N;H~8L3K)D0# zcD!N(l=U2yVKp88SlL`*FA8DaIPB(Aq!JknZ!`O{Zz05OnEly|GvlP;#@Tjl05-E8 z--w~uVJ!qN`aGg395oTE4*upneD+2}!QhK-AZ8ZQY_Vqv`f+w|*;;)6xbbsM7hAB4 zr?^-?Tj>`CRl&j*^34vIHxLpVHM;d>b=$sOowr%GSh@RA^k~sU-)XDUJ@BE3elFFf zRuSnB1FTZ0C95mqdZfl!B34hGz>**0F^o|S@#*p)A%iJ~^Uk4c)XF;ZUqo~pnmXm0 z3G>Yd(+drY{TF$wJWbU3ygmA18QZ$pj&YCgu5dlNuYJrkqsZH$0IuELQYT{^FMM{u+GMo~J$bwSS|!5`-{UiK zBWPWiLd(U!HbGEuZ!tq_MOx+oCg7~qQuPVjw3!pyo(!9W2z*IQpBGVjVf zO2Y^y@~5@VN0mAm4`7YV4Q0s9(i_hvVzR()$~un`wZr-RX2z`0f5hp#_<1SD#}H8= z$U?bTE?pi+-^0vzZaC4IpKa$>dB5+|rb3Nnq19g0Y~XyY>UwLf$s?s_r3=vDq;w8hXQ)Ka5Y^r5$h z;;-*M?an?E_8)hYOzBFH9ggkRj_rq&7|Rb`#u5czy#u_TVO8-)?3X>9dP-#uly+^? zs%s(O>xzI+u9EnoL&(&~JoHp|w*$SeUEXg@VW)%4;Ck4!?X(kvJVWfLwcbp@uog)~ zeq;Y*mv65MNc}hjuzd*=Q$kmT-jmK|WvZ1zLFm+vykjo42-hDZA>~8D=l+HLXjVOP zD96k}dU3my%~vF4no5S_g;BHCo5d%SBB&wK6h36Y4%pVYtJ7ONGUHj(z4$Tk2&g#` zE+R4zmDfiRU9YwgBody)KqdIPQ6_s&Vzb&I>@*cnhJ~jl;B`ZPy$`n9V-el1e9krok?6#xV(+#I`MbgK7_g_9maPJ)4Y8SP!2d?m8`B=$;yKFf@W5 z;4ekPt>h2KE-<2C^GT8+3G)M;Kb}k{S~+ho((-t2HW&%mU&3>t-P?m+ASl+T{!R7Y zh41A4Or^V?erXj_r9)J!aSGMPDBZ#o-0^Gxl{8oP7EN2=S*|a18F$q6>1ZIjT%SiE zy=rN0n{osI(Fw_Lq^IYH87;GP{A#UY?9{Q4?8i+GhS1FWjg+EE*Owl76$lkuuYFKX zx%C9tZatoB&#uxf-bEP{CD(~=F(v8VDW5lsS+><^UP=f7)@4t#FfVQN^VaoH+=ZEj z%aGTY+9Vtk5$7w-rIk%V{c*r%iid-EwY&e!g8mQjJw;3JRu4NgrYP8qweYE=3K(-V zUAI>Yb=$6|b>Q-F5Y~>BtI@~vo-UgCN!C8Zi{4bc@PQBR~uL!!@fbJ0QPA2yq}^P>eQUVJ^teQET5tloM` zt*vmEK&aNmH&uwZOMmT}e}jf$QA0ADiX#0+m#D+-loCi)$fHdd?o5=Wf_vCto2kX- zyJEg<8$6K@KoazQ`rxzB5Ok<9=lH7S3YiIPE}mSG#KlY<$H3OP1kS~{)uhVhQmb3N zBJ2Hm)O_Fm5p8P;=IG>5Mf9DnG^|9zBvY}R8y7D zK6J&1@y6VTABb>;D38Z#^N&HJq_LXGIB*ehfw{nwrGyY>P$BqW)hJO}LXy76Uys~- zqRNKC&d2lMdY10)F|vElBq(UBzBpRC*LmcD+tN)9X+bM+TV~CPUCom#@x1IKP6dBB zUSU7V9(SOubjKWWG|6({SrakOOcwuRK?N84&od!Ei%zwmd2sVu|5vRA2Qhw>1qK7{ zq<_Ueq~oiM3yBsz9DSr=JKFaTNmnD2s-ChqY?S2`V+C{x2sSu>o^3)kauaiTuk^h@ z!o;QQP9>)hO0HCS`K!vOZa$X)K-AQmzs9pdKSjyJkvAYrS1#S0m9$;#RA#ysFUS2a zKapCjfmDdH>255&xg=PFfehoK)Gl-;q?#IyJ7p1Yos=a?*B7EH%-8``xru 
zIUkw5M0so)n=%>=S<&->Xs3at10e8WF}e#I969tcxmvH-BV28oI5uer7zfb>lrg*G z4J9vQ53g$a?W6roL^DU`&(Lb!lU;9jG-XuH%YCUt98Bsm8Pr0v_HqV`_;h#;w;eS( zWlh4PBr8k~DW>^E949DYtzYboNL#5f&U9qa6Poi^xT${e!nGR=kyAlsw#!mq>^oP< z_f);K=%e35)@$}P?rYtF4zVWY>ASOKlqS_On&_K!P$~cFGQy-b2+>;R;#Mwc0U6{q zWEPvf+Lc9WfFQ`Ihr;t$V#WvBt9!rbzupk;3@a<}*mP#+>Uf|?ib=f#>6YfTtFVwS2QdgqsbX7!=ueD3Zxw3!;`uV{plpXh?SD(AcOzue#>N;4{K!f2qp-rPyip z4Av<6`1?O;C}W(*Lzc4V-McVQdef$xgjz#NCa)938~8$Y zWIJ?9ivQt7PqSjN*nY#m!Kkz@#p3j5>&fF4vAIB_S0;{tEQ9k$D>F{Z7Qff;7T-fF z^vjdRXn)#;R`3iTXLkA=_gFXE08@q&Z`jxn^kk-*tOVNye7u|so;-F+5srC812zsD z39-4PNLq{Ikr?%c>qAE*1~9~%PF5sBqOx)jqeKz?$<>m zA!j9XmHj}wHm8jS093GmC$g{_Xz!cNh?RFz!a}aJF@;GVvZdeYNb7S0G)wwA!y-ub z{Co>KKDNHoIfjeIn`jM5m(SwM6%pIXZ4P-$^5tZ?Nv%VG@cAiZ3W6L8uZ_hcbAnM1 zC66LiJ}p>Mr1e5HgR1TQAINnkG*oCV^-WvDR133ZI}Hc9lR24P73qFp(#&^iYnKWx zH`#zBGuwyVB&)US{UHnxcupO z(be_*$zl!+1JM>~C(HHac4aa`LT~xDt2@3XD83n;RZ4zlLH3n8Yn~So^pPXhTcGP^ zyH}2EtxjrbYLLS)g=bO4Fan#_zqmm<*@nDB@%NvozqVNB7Qlk!r5NdFOd3TW~R=n)5+AgZQ#Yi4Ix>j z(mvE`Etprf)8jJSy(6W0j;v7WVr#UX{#j_eO|+rycAPtR)cmFTC=A6H68)d8P$Z_) zZz_-mw6z;qpF#iiVo;kY6oJ)qd%7$SiO9t{x;WqNrZ{X_EM284b$hwl%`g(sb2}8G zkLOl^!)n6aPFHdv{V`RU-h6O;f9bs0M_VXOzf>fb^+mN@MX5shv+s}y7s^~S{K#^% z9ZFWStkKSt@nB(IAtPyiII{I)`=*Xf@tFaJQF8!NW4Ve(%D8$?N!g;`!?vQ-W={y{ ziF<1zU2BR`K>wdY3QCvy|Bci%xIU;>seCVzM^(PgZB~-~vT=)EOdERY2#Ktg=`nZ4+FH_O$^12ngJbR9mp)RXe=*YtQ1WP?Ss1QXRW9S9}9MMQ^NL`Fx zA{2UIp8uuIRZ})3cRg)Dr`ML@x!?J%Ot6h7WA}0gaM0lH9+L`qaCRyU^}bz$CE&LG z+=-4dn^)$2ZR$v{*p5>8#3QDni@5+%JpTo&{v9pr&v0sX7+?U@u8_>7e3+k{V=ZUn zz@8^F?KIc>^J1mtOzBDJRU<#b2^wu?;=Dud@Go$e1MLCvPIW9Og$ya;X0$2|fzHjP zX*n0`zW^5uJ5^^je@{R z?oIFgb>Z2nO1=hHQ2-th7k%K7=6-K)2Co-FBBSyWJmoxCgq}^%>u|Lk@%otDZ(_eY z?Io#J3<>lPNh6uOZjBnl((huYsVEYjXc9r(snFps=}~C!WnHWm;^rk>`*CaOJ^XJ}{a&8b+k9?G zh#~BwMuLa@2=RGdAXN66k%O()Sd;nRMowkP#36Ii$g#03(E{Qxo@h#Hl>{-la=ez! 
zFH!*DqedS=ey{95 zz-Xibajwy{B6s`iWR|lvUCtTebi2$NqR_qD9y#QJN5u!n6iAF1O7t?VFR@*ArHM3I zAhRdmcpUaWRD3p{>zDbtnpMin=4pXiNu)hVb1^R#`2?q+W{XuN*08|V&iZPtDVxz3 z>7=uQ@ysRV+B~th;A8g3PZxha3sZWv*a-vugV`$mRv}Wqr`m?KSmZ|CCrgxZqSmA- z0p*^()IgOHUoqs}{4Cuitu$xiTT)Du}N6qOEVb@Xk6Oex%$p;jdxynLR?3Oy+xHwEH$zABQ_E$;CB1D3&n}}Mq zUnw2JU^RbGt}O>V-WEUNR|^X6oJ{(Na8)7f-9a#$J52CPH%Doy!av2L!AhldA3z7!dr1@OZgTHz+l7u-5 zY^iT%A6(DTd(ysideZ9k3pP1~YBXjJSfcGW_NDwQ&dd<96Sw6H>ur9W1}^M^P_zPG zyUuibR3P||ncqbEhgGf2f98-Qvx8+~X#-#H_p&j-7|x0JjdF$pcerQv_$*>DuTOUM?+kziFq5S zvcKPOx1A7($K`_8H?H>2Un@E|Ei^*P)RT&}Yb>8YZ}zI~fK$s=Wy%ow4g|nt^7Eh) zA@CdYxo@tlO9i>fq1~RCE&Zre0f(O4S2LHW`w7lvt~Zve=e4nybK&G}MGL+ZBwBG! z&u4lS_L{`{`7fSlucJJRw9me$`)iu(XXKl{kK`SC0Rzqu2}@XW04XM9&O_At;l&!& zgC#h)DQ*$)(fCD!iMr|gxILMxKxFc#XU3h?WQYssA}OG-M*KX}FYSDPf%704xYzA| zfVql8{@D)H`uO56M*`{Ra<%Hh7g$8;>Kd!ZuMpxIpanMX->)TS^BG{UxJ{u5YEue}WqLlZ+{)~l;Xkp8EuGxR%Xxz>qusn)3( ze(E+v^Rrpri8f~!L?QvHt;5QF;|a*YPxOD-`_8VW)^2SZilPvtN=G)*L8W&E5f$mZ zD~R-7LJguI2m&esN)?dadneL+hd`(TQUin#0)ZstUF>qsK4z?=Q z^SWl_2_J%8vTlRt&N0wZZ-PE-!ppTDtE-oi7O?>s<wjF8go<8e?nM~d~o*3{RWm1 z=%s)}fe02lN=E~o6_e?z5XFdW)tDX_ljAB-a*LB(3>}Fy22*$bkj^4J!0tR{ndgQ{ z+x?Q+Oo}$mE!mN4aXyo&hN;x5RIEz0fE;rud~fkPmZ{Bg9*iPCe8}~0VGW3NLEsA( z??K1tLGc{_OuM{;b{e0AYRCCp-^kQ~?V9yS}3@pC1mw8UHcP+qaVI! zD%7zmyH6UQUYalAyD3p<4E-qPFyk<_>^Siw!n`L7RJ3)~dPO}p*vBT-Vk z{%^6vWy^dt#=90pXnCX6<;pwO3dw)%0&pN@pZRoA6Jw`qv-@4cKI7MWq|f~E8=I{I z1gF4WA~1H*sN{_W2B&VHrNM&PtH$Vl|VlVrZh|<*dXC4k4u(n1zl$$15Z+)amDNXO?e01*82R;D0(|9ZK-zv9+p!* zPA9j=O6-^^G&p25dKL2N=so{)10Hal59sV0oW{!g8-3Y=fx5jaDUVIWHB4Cl!?5w* zk2~k?D3GqsvMR}{i~{&m=EM*(KUeONLw9S2{T$Awl2(8p$FPs9B#lmxGnIOhEEP-I z`6YZLOH~Enoq6$!r;V^#WPqGLTPLZ@QP%s6XeEf`a(KU_z3I(TiWsB`A$e=oh^y7v z91<23WuKA19Y)KqGq=#z#KGq*iZt6^pVgQ0Ctc7IX$^W*uXFWzaGs2NA*jQVbH#pHR^=LtaB$|bC18%svW0P?qL;H?u03F8!2jsomuXq(xXX`Oe= zeRVrv_cA?aVe~ti^6d9i!=!Q%pVLsz=97E19{8~vxx|5+@jl&;x~v4rZVaC9PL#fc zLDEP@Wb<=v$h*my5)ZR7c^19XyJ%S85ulrbZ_od`2g3d!Z6p12_--{#|7L%uS@tup z)f2^~;p;7bc1;*|Z^TAgCW4w=j+uB3)4g?WYBk2i)qI! 
znmT@iieUWtw<@y=fTKzKF!W9Y05-!Vbf zkEM|E`HVRfvbFbR^6V;ADveyE+X_~1G!^DNUMtMSegE}^1jwF;dF~K_=%F&vmD}|z~-^X5oE4dyg1OqgY7gNKX3t%cP zwHMcKUcdG9(PgSzAkWLW0i8upW>v*R+5NjmmPOjc?@fV;bIe($yCWCL^=vYwUV)0P zdhI72Qj3gW$?u!>eEJ z!z{vo@9?68?bfLCH;+!CP`I4W=7+s2pq9d6pma%WYy@Cm0I};SfCCmIxa;}v1H5BK zSYg%)`o#Zos2TAHA!JbssSf+C%(hqW1e>Y|;g<%;a#3Ygy>_-`(y$}PNFIe6y{H|z zMpI}Bpbf{OO24oY1D#$oBj43jF&nU|a%szFlu7M7lUe{p>k;Hl1BX=&SzJ;2R{g$8 zK(&oYDz82_M$egJGca*GAan$6Za!Hl#O4-!Kv~l;Qhhc9ZcNx7UcR!+6#kk!-&dnOd9Kgjg+gyVM&^^8l7a_|^3j1{X`Do0m%Z0+3% zRa-6D=8poJUXPBBb?ZNbDqozcfkg5IRum+|ob&lYT+E60j4HgpE^1VG1yf+izO}2w zNssB5YF`y0-zB?6-py?M1R%lXJZ_Z|WZechDYmn>mXT+h3^II0bM-321))Wmt!C%( z>)oT)akoZYKfXT9v5wD)FrZ<&`&H1S!9qOB<7TG%3Ex5b>VF!yOtg2-hMc`aJFWtctneD}^Ohpq8!fCK=I0N@IJux8}xZ zJsk}{8wG*TR7v<)Pr4vrR4M!}Y5zi-6DmpaskCqGMp9+&gt;ZObQP8^QBuGjD}gVdjg|XKLMeVYMwM^O>hDC%`$|2m}6aV6J-P zhx=nys(kC93W%{OK%TUn(CpDsA=OtwG(&T7`$f(J;IKhZH#PsoN5Ln_#ttx-~bos%FZY&Ii*5P z23Vms71nwLWc%W_u<$4r=^~lS&zENk8I|Z~0Z6^dw2khLV8>I#<<}7jAP9OzU^kC# zkk7DQ?^?obNC6CVbzI&T|0UcfFZ6Z@Ah_u4z9gMUh!lS0e1DnHSk;Gp%kwEWQfJ!$(HQsM_KnfbQUMFC#!5gh54`YBSM zS%;qePeCT}Ud5G#6MAUb@~`K<=-($9JfY)bDG9!05Ujzsl5CH7n$;OuPdunSl2Lzl zIIt4b;`w}J_7UQFz*EW=*}H-HQrU%x6Nw6G`C=nEW7p%xgI(qv?S+5Pds zkEz9c5q^QNM0jvNd>#0Nxd}{tGDM) z3fGr0vwT8sQf@BA$+CB^L5at2-$s*WW%lajn63P5GX4B8SWAx=xR%~H{%`3@N$UEo z(v$AX0^db0#Hgx}&X>B=d2Y^_P6c+S`{*KUd#xMm&s5`g4rkd7j zcyx9HR$5soIWiEtEpE;av~5IeH%lJX3o`vXFZD<0Q#PZJof4i=8z7hDnP0FtFmW%9 z5G)H1dql;7fjD3qc*M?7_9ZAW)G!8J*?WK%rXF^Giv;bUqp|qrn z*zZ$kI^L~ApmWKzQKuP03$%{kc1_jVQ!L`R`HURcgNAi)S1ikzFlB}~R{ z_Ar-iaQN!?Mqs^%udYhP#{w9~N26RegcO%;_ko~ohhd|c49;MAfZ}n5mWQ4BVJ~ez z_mFwh&V#8tak?H`vcYBz{%d7GKjV{UTAk)mrg)L!`@W;G3Id~tJ-RfK-oD#KY6J|-!&Wqg%YYcp zC6FXswJCsKQm7G4hr6$60~1Bq!-#TEdp(U5nSpmS_+;ZWH_wx39%7A9 z6exw2c|IkNJO&8kyc>oIDKb8Gk}vX?GC~iACwR0B;7qbU*fmNTAx*uhWH8X`ED1f? 
z6=KUsx&X5QI?O-=PzKX#i%_Grw(9*{CE>nVq7DtJ*vDZ;2FjqC1Js8jnWw`%v1nv`irYC5#1H`(oOGs z6jpgNNssrWopypv%HZ@{XFbmi-wL+hnnVNCG542h`mBvHmA-A);cuL#RTN39ITvSq96&9V zv|8`U$YS-vBR7J|E_Ftx1J5>&?DgN>80YIrR%bby0dfzc2A7oDTE$}g0Z7Q> z*Unm5x-zMGl?Bb=)&1C7wt4n9IgW{XBfcCoz@VA3#n0F_ep!W9>*LL$h@_j1AC%hv zAT{hm$)ZThRrCupRE@!g-dsm}qw2Q5&t+bu;62uPBbn%KH9k1$PN_$eYYM(bzk)eV zshu>k9*mP?P%+jc6xIVg*Mf{hfps&DPk3O>r2nbItj0DK?2^h3sc<-avcC4;ONw-x z7pdeo<6_TH`j*F%Hs|WH1=~~J)njE0b}3{!C?cKB!$>~Q1MI5WcBFuYS=K9wf`$xf zFw4^h0}2Y0QnP5+KPwz{?bkq*u*=MxFKX+5*7{&I`(prWl@c}rsjuZUw zcvR8#meFh#6(DQUXpA#j&QyudwTqM*xiwwo@U6h`t_q@dv6FRBEBR~D^^Qh%pWq06m0OeI}4{a#att^Si?t1E953$V)4fFAh>u)`r!b&%-&$(zns zC$3O>eQb~Vq^42AY5dVbFo_Lqx`4{>bDkkcT-GD$CSSrulE@UB_>39< zW)sP>;WJ3Vz0xn{9-kS-onxGbB-S&z-jjb5is6cZNgKN!9G?e9bo`#eVm92FPu3Gi zZ;eEJJNNIYhMdN^;hVwb+%Z66p!;1DGo-2F(w!ok54r=(jf&-C54OK~cZ^MpbRjUT zBolClF$2A=9OoVBUMFWP==?#S>uR-16e>^#;N+RTO;>39)XQ75rKzj*?ZH_-1uMYt z?d5f(Su~UELjdkj1$4InT6WmOizG${d#t-^1Si=BU9^5;;|%bYuqO2rg$^H|$XnC0r!iKVe3Q*lHne#F-}I6dG(s3NrIvtt@;D@pWFUKI0$AjmDlN}jC#?jH%5u|GwzK?+zu@&0hX1h+ zhJnn{ah?A+kDIC~H>1C_KF4YUD{|oN8#RUzFb{0k9lpfn%b{n@tGzN6)4#*4C;XXZ z0W}|I;3GN-d=a0{#W6|Ud4DTJRg|KCTa@=EHQZE(K5M|_UTCyoC}QA)oB+w;H4VEW zJH(_V8)|+oE(A=ER$J;4tlpmCfG${O-t?~G|7zm`-KOqro+s0f44lll?6EvG7{2`} z%;REnklg3nK?piU82~tWcp)lXzxXo;_pjcVm?O;QcL_oIe{XS~xlnQWK?JCXGvTB) z4h%eOqUV$Zy!CG&1!HJr+4b0id)FjiMqdNGV}Zu-^*o<2W;o5jxw%Eo-mZzjFM{5_ z!8_0p`X1@mCn)@l7&-|57wN>NqYagDueey>2VTAV{#Q>Vt~Y1qB+JSFIZwCHVpenM zeMt0==NvZeJ>v`l^SX?bEuB$hnYp8_nUG|7ZZ2omI%SK`vuW_=cQsSrN1a_X-R*+% zw5^q1U#6uF4_6t-avr;n56T~W1%|5Y-TK#nZzuuow6K!a^0UyY(rC7to6VgOfOC-R zu7Btk8ZdZ8pH`jjkKG=HTrXTZC?x={OiLOQhJr;#L|~`H#Tx8Q=poUi^!t6YLFYtK zYG(7tlBLjSCee`mz};WDnSAY*jS3R0LC!;uWIxLgo%+8@D(d3(87>H2H!5?e-Dq5d z*hx;r;_G@~;2js=J#3)fHh^{cUM0Y246jgw5DC{j*PaWdfE`BPKZ)ng8=uYf9q^NV zF-d;}5S^(BJ4GJQ`*Y+04{4aCp8qmM1U08=QJ4pOO?r4l@g0j=dOS^E=nV{M4lle< zU%i?9s^G$rnHvj1!L`smC(03f^d=D~~4@S6(ZMhheYGO*p{Mh~U*pGf-SzHTpk 
zV)1g{ws$#&ve}_{nw7G1ebH7h={9GZ3&--G8xBn4yJ!tqBZl_hoPRjVNGYqF`%aT#nS^_v$rhNNR6SUC(^}(ylqBcVHl%2uE1XPo!oCM!X-|yNUj~w-^6D&s z_(z?pNCVtF)c^2`ZmyZJdsM^u5`ammlWXAvY%a{z#mN)#+QGT9Pm;J2GC1i4d_!FJ zr7eEhC|ZyxTX%gKegkw2Qs$ZniN{#9P@N}&wv-gIF=m^g7->VnE^|()tvS72#Z&3* z$zCB0utkmJ%CG9)^?`XsV2@rJFkT;dN0oikA0d1DW-!{X$}mDKujsH5-e61BD!m5q zCgcN;^9^2TsJgF;sRy@SFxA92RC16FeY^Z118p9$aiGVd1=FPLFFYHb9MRU_Y=&E4po$#x7K zsG~JO&C56XdSz_F%RVW;y}IcBv8Q4>i6efdE+BNDRl=s{Qc-1Cr@tvWpOPJa()S2? zGOjbq^o6k7=rmf#8GFFX=M|P6j=d@$u>W2nytNV`AJN6VYO`KOvm%&R%ois}eb`5q zTlMb!6T^Wuw)x|mT)t9@@iS!s6ar?Yu%f|pAMItz+}wbV&wNHti80mtfO4DE?zgs^ z08?OlvG%Zu(C9Xc2kdjbUL}c_zRIf$+RZkwbE>~293<76ZN<`&_8HbB4G=vH3vaYX zFvdT;hJH6T^DFQCJFU1im|Uj;TPvcb!ql1yet$* z#m^Wkj{?(Iw9X#soht2?oI9K@(E4h2v;;eP}vCZw{KPp@mY z=D1~ESw6E*kV=1kfMCfNv@bc+zQ_7nDPKAPhcAGQno9Gz z1yWiL{3Q@h`QK4kXF)De_dZ`)z~9bkm>kcja<>@|=hV^I^mxC~Qvb#v>;p|<=q{+m z>K9WvKz_wfVGugmbKp89YK{lHVW!G}_TE*}bO`|sOhEYEqN?nsQv^-xEM9QeO>fUs zy_4v9ZPaB!y3ivbdGj8CZ|jLwGxAxrMX#uyw8wL~I20tLZ*0)9?ZSoPk79KHD#COl z4pyx4j54As%$%cKR4%E+31+i5ojpm0S%mE_h&p^re*44i45&rG7Gz6UF{(;|y4)eT zut9d;89w-N34r;G{y098%kbSbmcDy2Q!b@FVx(`!cFzZoeKHY{b013Xn*dS?|2kO|5}l;Nnq7JW^q#ED#1WsvUc$y$BD zGvQs@LXzW`4fCyIbXuYliGnowOuIn4HZ`~dS$4N!W(S-S=H5eV@AmW_gx}WkrUNgw zy?ZL%W7xMsWb9IC?ZtN-Vl5fODpJGRV)S4ay#7uBGV2sn zdPG6=i4Z^U-mgBHfZZJ1)yz+B4r#i{$JxQvh`MrWZMMmEnmi{m{|{eQK0FG=O|>V2emBMC@OG`{Nfp1 zzQ&aE{G-Eh1Ki_aTQ>g6!eEMgHo#G$H@k4MLdkMzXoXqIQ&`5VvCAj)cm^(<z>bRNfrzh1HA~> zTz7MYeP>q&=w5O(3pK6*4DrI=1V;jMu=RmSrJZh)>x#8jqjMiQuEHv<18$vsLwc)5 z5haJ%kiYLeIAbW`IY&a*DLPRkDd04ykHM=|4fw&t;d|@qau^Tj#Ra%_AT}eljhKX5 zPvO&8Oje}{w$|;w8b$o643iRm{EoM{oSTeTcH3=3uaU8xixl~!A??1m7pCr|*ZNWL zHR+?h?3ZnqqU60=1$|MQ&>27TB;Tp`n3P3-MV3zj$*%j>12aEC4TKx2s;aI7wR8ms z3Gl56%w7V4r4PTaTe=*lZQ)4lpO|Ko@!Re=Vonj;;&h$j;c9Pomb>lOcWX8ZH_2mP zpiL;^AdhUFFMIBpC=7-qL0}~I70aX9fj6rH5BEfSa2d~XE-ZXiQZZ^-u@)!rI$;kB z3HQrkeho{7p=}GH4Lo`I`4he=;+OyDpZ1=QH zYzgh&5?q{!k9S?H`b1?35==DXB zj^ykQrW2p*U+;KQ%@c6)9bD>im7QPDz&t~@ssnwJ4&ddM2eZc+OJk9g!PQy0mgTmc 
zLQQ+__5^fe#&uh3?TZVBvSpabz@1js&g$Z0wZ24gsQb8>w|rvvFGW@f!6@H}j~@xg z`(9MR;8=tzC}noxaMe7lw;1aW@PXCq=St$0;neW#l-=&dgvG`NB~;mFgfcueBHqMH z$=qqwb<3%~F%L@;Z|XIdn^7Pn9bhWOhTBZVtlvOIRkKna(!FVj1oUPLnDf}8z!Jh+ z2;>gT)^T4QvfC!HIaKX2)+iJg(C9Us&gr^nYhN@^kmpJU)o)f1F3uiP1lEZc;bE2b zCg{Rq6IxHtRv0%j`gIz0aJ8RI{ISX5N*}UQFEgfy8I6e5A znf+mJJI+C8$yz2VSL|u0@VhIF$EM|~CDrL^>|T)esq6~Es{Ao+Yv@FwW<3p`UfV!D zfGqU!YhKSzF-dYNCwP}MviOV*%f79~HSCL`X6>6~zv&*gvJ$B~8xCq%QfqTzpOB>r z$#Y!~_vYLX#Y;zwPT}VBUVhnNSQBo6f|->V(4uTPmZNE(R5PDQzU_Jeak!eo+{rYH z{&e1crXcincB)U7#1+YM^NFJcxXv`L5fzC_IcUiL^{CAu*hNgMCVOi*P_|^?$3iz( zYPdMd&Ps|CB^bXCoAlinW0@bE^IixcDeauY?Rl$-Vf=C2`z-24gW|A#r3C)pe19JM zO`z3?asp(2Me61n*lzVeTH-+<1s)e!xoKst)|G{ky<4a`%kro)RnGYs?~SpaAA;0$ z*qb-KuW%Voueqs;Xp*ykTg*p_jBYZ|aOJ#WG=khn2G5z|XXbq-W;qAeYS*q6&x_CD zQajra=GE%Z_dliO`_JuceVzF1|1*(%QmE+YNMEICBC%xxic*!0QZt+G<7)JQO%+LE z_Jl{QaYvuBUvMM~)vn<`Aq&+P6e(nxpbg6~?0B(Lq%vz_rChv6QcR>Bq?i3t=lx48 zplN5Qsj^StW?$fTE!O8~#B?9|)*%6T4PG|CRbb{U^^EAfWxv0DfXOcxqBIFyQbjc) z1E8IQ%DG1`p@Xc)KT&twesu{to4dhR7ZLMVz4)^IH=74sjFNK`0yyTTrKtMw@@tN3 z$ejvXp?6erM+=K|gS&_R=J_Me6N3;hr#=b4{>o|S{vp|DAghO{*@R+XGVBKQR-yQu z52K{p1AhXU{Tvi6830d3eT}f#PpS>5Rf3w=59S|)MMHiz1~fVEXHNKS6a4VUDSno) zCH4Iy$h4!htXcWQcIm29y^~Ao{!yCXZ+{OPC;F_D^WzoC0?kG~oJO$38}+FMu{}>W z@p9nYht2F;1d4;VZ)5M+jkQ;JcB@!AYO5gihc>XU_UgdOpr2rh z-*N31VX)czr)T~4+arL;P79^}5OAM8Q4NZAIEMfq982@z`UZXRC~rK9E4(;b=Ewkr zE^~nI=CEqAQfYqy4+UN7kSh-GB+6E>ZhsDV{PSye>f_YI+V(+0`QX4ihiiKdy>bU| zok8s^2TEhruh+G!Qy5~z=Nnj4HfYbYe+cMao%16y3}(s)((xO7feD$>N5u2LTk!PM z)YguXi=i4p4h2v8qx(mWw(C3fj2$IG+~R59wa5*ex6?GP6VJ>EjL&o4Msc{%>{gpaKPh&$~W)b#MMcnW$*>EF_-Axs2x}{aWeW zx&M)K{8#ev`yce5&b{7YhZiy^eartrI3Su=cnWMt_`>(%i|%APb|yAX9(L%?^A^#~ zj%Ic;1?VINZcEBG7AF074)Z^s2Yl7NRFVq|0k=HPpL=7>mbmDXI)R+G3QkfT_2j7iW=DZiTDfF{eG%`~vXQVRwNbpi{roAKH---M>*< zWsb)$yJDX^ucHVUACAQ9gfKAE_|nu*xa`C4qJ_xAR_68zOl`LN|4O|6$4l=$ya$?N z6rBKZ3kT&}n^CQrx}c2g16Hz+x#j{l{W#1`8)4`tjb9@#$R9M2Em8zFWRFcVTd^Jw zpUlFnE4l1%O)l+LAA6TC z;^8ch{t=CKHvwn8K%c{2{(^Z8yhe5%fp<_ 
z|9t6`H@Rwi_CEH*wpk=cN!GnIjW9krVrI=QLcj3vrF?t?W=C-;Y0zJ)BZ_%+5bP!W zSJwS^$^E4lvSg$!epM*)Aa((lX=kTsGNGn|nmKTwxJOGc%C%c*weuL)So&`{{NJAj z<6$E;=lV!Rdet<@!2>H$eJmviU5p@H53@dtt)DxL!ghtq(OUuw8tYt)9{y+f+|B_^ z=uMrUPSlSdq!m?F9URdz41xGjS=R|95d-U|?j7C}fa__&U8cb@rWF74d4LZEU7-U7>tiq7L;o|){_7G>RQ&cB zVCRa3%9W?t6ku*Nf^4M4I~1>0s7_H-wtLTVE|a!|8b#Yt{QaK({)K-Wh}YyE$ZUc2 zO#dk-1-|Hq2Hlpd>91OPtD3&QaYw9*NuJYd(k;|`b|2Ta*FDO2=04SF5%Fq35c`c_ zaS_orFtS1Lc&Cfi68JUk;h7nkJwGin9KVLPHkGmJB(E8ISHIKG9Q<@_0(Nki;&iHu z{qckBYA&1q3bN>(@ivrmg+FN;&5fi}Cb8ytlYu?hmCO@3@Hd;Xpn)ej@< z^N&~~c$TWe-gwD!NBOmuo;TB__(xIt_c-zG;G7j}uyqDh2)nL?%2q}iy8i-S5q7W5 z%jsDjQP=&I=hnVce_&F?Ci=ZJkS1=*I>=wmk6LCqQ-HWq@HP$ezpQZ4*T`ngtl=?71URlU$#@u^WcjH^ueFu z>_hrN3My&z;no}-)7Ac-o=j!a?5-PWT-9_woTok)bosL`=s4c+pglyso|~56bm;yU zlAngySM;G`&iY9v#bI=w8roM+pO($2kEF_`6S{Ame5kQwP`RS;wtL)R%p z^y-CX=c#FbTeUAcGef##wpXv>%QKYllHJBuO_;KR0;HbW`o`Q-BMDV?qp=~Q_b*xg ztC-iEgUU!-q8oRy-WGFI%#MT0?mQO;!A#Taw};LN^a~76eS(1kT@%H8j7;2H#iPSxJT5JG4!28RW?IZvk%cv%Pv`*KSK*Si*BrP2E^8hYLL>-vBqApf3vcuaZA#>a~nsuaEV~*Euc8 z{_&G;^4EPVWjyN*vN%ERC(HKekNE@FAflqbm86_241w9$+VP~wKHm$*!gJ-#2Kkat zDf56{i8G0q?H~RnGO#Jv0E~EjP(@}cJ_*Q-4uVYyZO;u&k(tad_{Zqz@A}na^epD$ z0xn?xl?@MdxOVykY@D38%d{GzR4Rv@K4@gd*a_7W*NJ>_l~6Ok39$4)sp7ZK_p~jw zUBmYPuQdbNcLaWm>-0C3zwA)PhTlWHY)d`%R4=`8IJF_d>FX&kn(JKM{Tj)?<3!OY z{>y1%j?f4ScMdaHPMS_=+8G}C+_d+xsSPf&JcvB$O{?)u-8{r{!c^v{A+um2wH zn(0^=919&af!`qjF6{iwrYLJX$xr0;s{Dk11|8=)l-W1kADsR93DRi4`*$>Y~M!htS&Gnm2ph{FDfl~J3WnIF~ocCMEkP))PwghwYwKnBhMTkU5Wx|QD)J5qbo`c|vE z&#}A$Bfl(CZ%l92!E(n!7G}qJaWw%t-oX3|zfxe#$Eb)nO`9El3pz{DVtu@w@WlrQ z4)4z`%8lB;hq zD&qc^y#Ia`KhBU|^#&bp3$ZY})AmK?gy$6IGrzi3bQq=;31W$XL}#)Xd1L#X!2G>!4*| zlwWF1vHA4+OGd#Dg;XhpbSVKhe(75u%WT*q#PPR^{(i219Qm7a(AjG(P}gbkr8;T- z=vVy;JN#E!yBxo@u4@hUo;#R(THhp=J<)_0MIBEtGmhSBeBqc)GjBXsBja?86ADM9 zidTOB*j;s&uIuEJgH@JhU=ROauPCm0Gs}GV$JhP0xBH<%dou2w4~g2o!^2i@HPEKkZ&G{o0Yog~jrUE>?#CYqW z*^0>A`?IY(#~;v#T5|r!~}(`D4>Fb)vcqP293x|WV-qg_Z(;S(7m)~?&AG99T+U9@(|!m#SNwsg>MX-}&BnfS2LtwP_JifJnZ;#RJs+fY;0^VQ*WcziJCmR)2_Kb?TFg7 
zdBV}lns{LFV#}z`&9+k#QD43kC*7uIyhVLtbgjFs76Xfts9$LH_F3XlKt)9n`Fp>* ziMowiq!+F&%6N-DF)~5Ngo?mg&KeddgT5zHV7Im&#|Ui@NUu@z_8pm<-lBupp%(w^x-aU@#|_T&&8kZZ2o70q%SQ5T>geLTHelRDHrW2KXT~W zXBG0%H91NVRU9=wcC|P0La)Mn^5dWSKK4hvnKxK!fXW?KOArFBJ$Q&OrJRkVpy>S| zXNUyw6Pxb`8wjJN1lnm&2%?=(g`JK$=u{Fny-pS{#E*hZq-U6;Q@mHrkYSph8Ffvl zMa`lC!hJf#yQv{nr(5^6gML38BLbA?|VBx%#Kf>C5ThZ zvCz$Wcl%CoCEg??L=TuO;T;}$i`{Jq;G?-Mp3O64pErSwxN7Jf(6$==elua)IM)v> zpN(@BlfuuMOWvX_G#Fbh)H;~@;A`eTn&~=y9=h%}7$gB?WAA_nJ~lSi<~&g6$;PsN z<6rBWKktlJ;RNq7ky>udJbIgrp9vzBubn zD*~RItDX3W`bdx)tIerN4Vj4UPo)v!_ha{(a_gj*cf&KR%AoKus5Iw*?<$9N8(#|z z=f*~us745Rd394(;yrVLIJ!Cba>{wvp^>E5J8`f@{>$JbcicUh5#iH{IGx}Vw^uBU zi-ec;X(ks(Z6s`*ZQZg5nekq5F7|hR7=OS?%Bm}V7veRdKE+C0v^QpQ8BVN^EyV5E zcLs=7CF9Ekx#spJ5|<*X{cAHE9M7W1!TwxDP~=-1gK>?kE%SBL&r!|dOsPd%3?kK) zmF+?COiXZl+Bknm0vreMkiPHDH)=4q5tm=A{mhB}eB#m7gCyrZ%@1<-= zI(IjSY#nxnd-fIe;+y<8<1O-0#xFyYtLAQa)!i@lBI^&~uAmNo0fy{XH`awloOWW6 zf%dbXuXhH&v&lFblBR?#oUg=idJk;WRIxRPYbPFXewlaeWnNT4;uPrW9H=qP@hnrB z4gutXQX8))mon?Yl9=dd0?)wFFr3*+mZWcjun=hZ@=8m+b7$lBq{K?4GFT`IT@1Yq zIT&JY-)+o7-k@thGzhNpJDad52Q063!Dx_8$=*K$+l|4}4Js&RirE{hrh)gB4Rd{8 za*WSomJg_v3&2TVygFdf?^pvDiJ6T>L4;CsdBGG@k!*A>V}LwabNOwV>1`Q(P}6X; z?EiM4e{(k9EP%-gVr^r)*>iQ&PgvIX0O#1HvxRf2R!<`AmrLoV(eJVB*H(M-7^l7w zp7(v&;MytfA&F@gX*}W@5kYJj=f3h$yAm-UudtL-g@kM-Oj>OI5_Be_hN(-4-kv`o z$I^q5jpkMQ@dtrN@rb3K=_Xia0f8;iOE$5i5nWaD+?DCDJwqz|$+){CA}c=6akDBo_rqg+_CSPZEKTArqNZbHKFsMp_f$^VTAttsQc}SS5{f z&VSulimq_tm=oD_+bglkINqJOv&On4EH9Ux0r)}xUU{d;UZ-P|PRUvDOC~R0rV{kA zX?VFORNfbJxxLIea4oU4zpb#o0cz8}D8hh)3tA;pc+J^m4}=Z}Q2Xclnz@Zyp%9mx z5N@Wp=2arvy|i~Md72`k7%sH}_gy((`;{Sptx`7Pl%ssQaFL%hkRXXuGPXDVwOiXY z@#|7wjSxr4G@qfJ@7`SSPdMS|dT=zo*i9#i!|bhbUsNR+VH`-n@-0~F=(c$S6 z*h*1XRjVT_k1dRDiy4$R+=ao%HsRD;$YJwX{XAGr=Mrxds)Wlx zb%-Nab^tMO(OI3)XaL0!ItSGo@4Owqif}s;cOt&TucfepKgVAAqTaAVg&Il z=vY~Rw2?*`3cH$rqlA2oMeaZhKrUSYvl`ANvf;C|wLh4Qiau&uN|Rn{KnNKC>yOnr znxP*b27~A24jZ)>gREKBxCLo$1HHZSk4v(S&htxQ5(}@Qy?p%UKKYB04*Eb@|dWhfMgLc&HbF&{VhdSqsA-%GThc>+TvCJPhll! 
zxsa-t`^LrIej=43o;=9)pSu}Ck@`;M_VLx__7t_7C4yF&=T_#A(O}o+YjmEH#pq^3 zXK7(GXe&aBt~~?I5*gi(M_RzE<*TRhjBXlvDa)W>anY<} zyNEA;W;=`{FIG=0h1p7IPtrSesMACIy7>WhzSh;2`ho4nINp6i;r7|RETFRX3D_yn zP0l_ro7am=@Rh0G2UE;au9^ofNI93I^`zVB=KR_jR%e9~gRUzSgBw~vNHweRf8K!T zMXtMQF3*G!H~xL&cgGODZ(>KDL+S z)*Zah8k~Kmfj&6fYpZeA%ys<^U2$f}+&=&{f6rQS4XT#md$^4@^LwpS9M+ zNpS<7?Ow0`xQXXs2)J0$8OY(3Yfzt4l>!_CaL+pto=_sBuK}G9wX`iQl-l6vzaC&7 z2CSE`uL#_&=juFP&bsOLIQJE>h&L{9h9Q1-#*=xc0RLH0E&L5Qz`bhPN*c$N8aXe& z8)^Y(5t@}1l*&VhY)AG-o)~@v=QWi&lXzwwU0o%y9{;_a;dVm7W-3sIG!g2*!kt|C zbO)PRf~%{l9`@$NSrDS9kp$NnMm=?AqD4%@-%t0CkTP`XTL2Y(37bs*%JC{QeSd%d z$NZvje@E4MyQUz0Fh#~CHy!VTTsZD7Lqj9{B*ahJAEj)C+BdvJye+mfqZzN=pf@v) zpA(X$3-B7CG?ys*b+iar+ct%ry*=NJqUuyIdLF`J{;1i1bt`Oko|cHoiuM%rb%hF; z8C2a~5lms^Ks@Y#QDxC0<_T?7P3{&lcMm>BEoxzyHt&0@XuDU?PNipM-GaEo3Yi^C zPla0Cn9y|H~Y_-50m zjV7R^D%5N$dYyW_d{nbrRqQEQs3UvH4`gP-DpN@HSI4)$qVw#jo(>Q_&=g^;4iGM? zN8S7(ZXF=Dk03(!+d_Q7-LFxFc1MCP*RUuQcOuKH03kc1$(BiBj@jjr-;X zRcvy;m`)4Vcb>J=&KkVW0=Jcw>AQ~Db3Q1e3!8Jzps4V^wrXl|S%$EE7Nl&e zk(uii_^%SywvWpuB)6^J2P8b;{a7vOV_t_JGBg#|-0tQ)qzS(%T`neT>f1-+EV=ls zI~{m!xkkmK)g*VM=GLqtvmuHgz}2Vsvmvd~L*_E^g6v`eF^gFrt3?^CQD(De|5?pC zBxZ%IW)rgO)vtBwi4M;8y6=zPgTt}bt!Gk~Mmt^zqm;_`@HkH8o2$-f*T@gtb)#FR zh5RNviff%V{w-MOJx)1XX|kA^livV#NDz#Z;jwo+)@v zv`qIg9}Fv{X?GuXNZs@3R6*-tkE8W{4sQ`2GQ?Gf9F*-kFNvDjk5t|o5uG8DMKDXwueeQ=r zg(dRyx^wULBEiT0?#s%M4){CNXl3{;MP5y`A2O*i>T7381>2?7ftw@X8_O3ky4eg z(X~kqe;yLZf)A;Ow*VIO7Yg4)maVYc1d~lR#0@>+l&G5*ul~?n8twrX?|vTTmX(#| z4vpNP0eE;N>FT|1z7^Zyrex;Qv|=&3gRh@00Y3&twl?DphNZUTh~k*Lpl) zNhIVNQ5h$h+WK0;61RUge^N?HY#&?k0lhz(KdHuPKTs`A;$H~Igb-wF49&BG$o*YnBmu#yyg$))_`@5jl z0(gK{hUXr;C=Y$_9C{Z_OV`ou9#!>?QXvG=ph8F;|JiD+@ArV-jny4iF~R$082^ks zd?qeJ>5rg5R1ys{?WK^4?_f`8Uv-E{57zfTIx1c+k}e^=SkK{|eRu;U*a##A??Gon zemIx|WSJk^5(!})U(w;bDVu<*Z5K4Qm@%y?pU%-DDpAswgT7gLh-={^(^# zUmiTZ367s3tKwwwTpot{Qf1$Fn&s5h)y;YsUiCiUxQRWWI%9P@HR@zM96Eur5A+w_ 
z^0^W{)_Osj);1W0kBtr6-S!kRHwiMce#*Hvhi6Z<-L7uPgzuQZSLOufy*Xy9VdTwy3pj*e*bzrOC;2A8+!|YQ`e~xAcM1wA93Em`yPvs@;63Z}+tbCz+D=d490jg6SzaC* zv}>dBaadu`p^qA|S*aEk!sx0|T$K9Sj#Ld3#OM@6S-l2ebW%4{yeOpfaP$@K^?qcz zP;s__{?(Y^g$3U~`W9Khhei6lp#oXRhGUQ7BIEHVrV28eFV9wbvZtqg75uYozj)6X zRoGlc%EUCfiQ8`JJPKH3jXxwkL&fj_!}h0uC~R|cv)rpkvE}u%lt!b^sU^}Ag@s&X z{#gEi33sc7UECELrYqaw0+ENy{jHt}OG`_mKP5y`a8Z=2j^(40V*gGi#fx`tX49$d z%?!4U4@oIC_J^c~rhV>As1?Q1P`8_YvE$lT}Qeo3$*;;qn0UrMXNMH+3-g2I_J{Gfl{ z6VDPf?H((=`(3xAy=cyx=J+Vx$LzI1$3YheJEY)%ci4WMLYvpWnNfwC5sie=GZXd= zZ1$Qn)s}jHw7(>K!)E7i4f9Pyd#Rrp1LbkyH0_?9b^M($YY4A|x-1;wO}tWIKe{Lq z{@?c#+@(tThogeec^-WRu7Zw+tDqfkv}7K0Cpa(RO_2at__k@(qk1ww(G66%F1WCw zF5wZM4*wAWHC!3~*>?KFot5N=gxqnN3|Np*Q;VsCw=lf0sPm5z8 zjk-85D=px23+dA<6OX$m(XZLh;N`!gEsti3zi@asjPL;<_WqnlqcQw%45-4VP0ED} zm;d4uDk{UDi<6}Oi+`I?0{62zp7O1K^&)xj=jbBD{uSl_;!hdX;nOCK7a1Opl5n_q z?F0O|4}`&g^%CW9_wIP`=A7aGuABV(EBXI1iWtX&{#P%d17Ed`d8ggSWQ2d9mLC2b zy(a#ngbw}^jp(T0!Md%<$1;UK3?vPIPNtgi@fh{Q-;n?(DA@{9#P{zn_}{*hfDeDp zSm}`=xqnz|<24*mGg&Hjf3;@+0p7oRs{a7*f1vOG0p9=BGyfAa|M7VLlY9A($NTpZ z&3{7ee~V&&8tDJSP`lkI_6>)Xl{L1N5WNiEhyOz~9($K)qdKSGSo~9UBd1B=wkX<5 zMBj_mK~VB9s0xQ40s&PJA8&cMs$5Bqg{lgGhfmVU$%*sqP>#wN`iD?^a(YtgpmLsA zO^{`GH{^U%t^Cnc|Brev`bQm{<;h8WX7zH}w^3EqRh&6C=Zr^sH)Xfg#l^&W>O@_k zW^cQ4>+3%)&F}~Q3mf}aZ{@+Ni2Kfscfj*HoM5anhr0S@%jEQIlTZ@=W*<1w33LcH zGa7MH=!+x3$jPsxcAS!9>R`(gZGJ5^t=?Cew#x{pleAJ1u{8RK35kiot&2C3y-OhG zHX0<>Zdb*upitT6?0MPZBjFuM&Y8pS(emp9`i!zOHuNK!Qd&@K%_2`ALotIvc@Z02Awe`rKF6&w;b+x3l z{`!{Ex(!V^2M1PFTKLrFpSNKQmyOj{(`%^_&}5fH&)42x{=Atd<|`0kh^C4y5VVu& zyEgyee>0vxXf(G5Xo4SoSXrjJ(>h;k>n4)K11R9>1@)yl{g!_QipvYl>4 z@4;Qmm5PeQWx{VLYZpy&f#@v~IwjYmwasJ?r#^-cNQf<~gjIQpNujRoh?z4|1LYBvX=hs7L?`dUuQ;#2tfG@s$} zWL*~BDlSSNYx&8T;uxJKpt!h7Wa$!3{gM&Ht*3UTTMe)NK)J$8PDCn(k^(dyV{?EY zL$>b&E>gCWsgT=@A;-#OJlywdxVN{~ zBE2vc>QXglnyb>0DPUqj7{ne)FsOo~7tip4>J8U3XqVA(b>i{Q(ngCfZZ2uztvG|@ zx6En)f=efh$?J=WPhsju&Wih7E-S=(+|{||Qx<2}DODh(H3}MC*DU$mj%>{Y<-^)2 z8R(@Ns5po9u9^jc{Hw67=8;n-;1w!L1WgVRF1c8}#I^Q08Rd|4v199W0X8D-!ZE1# 
zQiudjmYjc9@WPzd>cIk-0MdI`V;AE|^`HtUsK5j8@Bmd+RVT4Z!s_?QkeSIQ-XExr zr4T0BT6~!JI+Lf!g8^PB&Jl=Oqf}GTCZ}n8of+@VZTNdOwrWZZ4+IXnIpgLkE}2N1 zjIvld4hdO1=dt*BS!vjn!|E~#2I$^kM35Tw4B!W_Tfw!+!^6SfM`rT2j9cdj<%-JT zJ_laZf6H~@JB3>{w_S9g${w=2-W$bZ;t~2j?@0@5mR^ehQnm;u5hz5x2VBec<4Fr% z+@qyN6NWF(*48IjMrG9M^XbdfxBOM4wv6V3+Jd1b@T2ECFTueP;fBthzHHVhc&_)S zua28J^;1vs{i+QhKB@+TG zN)(OtyXG>8gX;NTTgpb`;8#KR&DP3aB`~e$_(%|%nss_mhs1oBQ^~=O@oE#$QhD9% zB`H3X-VT6Yh>$21!q;;GAZ>9lL0`bIQHr0&fy_+j-LW7kyz@c_laZoxdRWV~97F+o z$Ucd1^*+xYUrzW4xq)9juER-u#8}#qc@euh=Zq?7ofU;p5uPts(vGX_Po5_GZz;zA z$!HCJqD7XMN#}Mww8}c_14EK+;Ft((v+o2)W9d~{S}dMi9`)JyJ}9AgI5BO@=LV}> zEyhK4k8FhJcGetW{xJf}$AcjhqMkh*xOEfe1AN z2-$6<_r4H~e?C4d{TP#wWk$f5HS@z#6@3I_EMu4dla9?zQA|^l*M9T*0%(O|nc%!G zS74sk2YeNt$tDcfA5b}|`<{Z5Ssg8!u8TFMS&)vd>}MZ~d>j%;Qu&%KPE6@G5ER#0 zA)@t(xc=6;0X9?!!r@kyXWJknOpx-*-RpLfy*qA0CZ}8^TgrM%g;+09%Cn(hY}v-5 z`=YY;&{gZGxsgXLe{9Z%9r>3gah6P{vv(S@w?=qZLkb5cgM3QD^bKXYRA|g++%BNx zQYBO=UCLpmfN9ujya6XIO~>D|3iH7n(FpFdpe>%{24M z0YzvSqKWaeU)zl5z#3zfj9JP=*nifw>!>w<~5mTMlcT8#~@;r&7C7E zy!(6;d!15y{qrM4$6*P^lCk1-I>zbcrYpPRbvf(WeAzn-jgL4OF7R0KI@z>HyQuYX ze`c+a@6u^j=+fDjZ|5$X{w0EFeA}Mvf8v_|Z-^GxHZamv6{`BmL&#IxGg;L*>#-Q} z3TlEE#I9dOlLZ%ZE;OKQEfc8Ut%30=`SM*FN>uolNl&-RKTiXUyt==q;nNlJG*A3I z!aaAf&^nGCODmYrI|Em1e3?Fyf7JtWre%53*nV$B^7RMfZRMxWvHJ) zA;M(XLT7G5Sp`5}A87d6_am0~RH?fhY;q1+G845BUt2w)+x=-5dDdiUB0NjtHNg7ahmK$q9jh6aeth~4|^rxgsrE& z>EcBL6_A&$rGPhkdP{yHypVcXCaL_hYSeJgsiQ?Ethk;o0X#9r^ts$}SaSWO;4FT6 z)7CP=(Be5Pmg(2B^_nTC&8ba}iv{(`@YL83uCl$Q6!3Yi$kk+7eHbf)T`B?$KR_V^ zAJiKaU6|!VljUKmMk>FIuTmf%Zc|`~dz$4dU<&c3ksEG%NyzFhLh0@JiRGu*{zjCA zFf0kcC?vO+iEus4yTTIkoQhB;nJt`%knO!HbN7Xyyxirm*nwE7MwL(!i(b++phDh- zENdD^!A2_~k*7P>?#5uhvZSk_; z#}79WRY1s{pqo=@9VHwb2kb1^B}Jgo@>+kq`ic#%c_M@XuCbXL2tMu-WRD2VZe*WV z9?hgmQc(G7X5~7AKQkXadEqs@I|dz0u8_?wN-p$jEardaq1(n*jBa6koD=fhvOnMD zM_+H=@gHjqt#W(^n&icfNXj3svhJ@24135#QgE~B-JcwQcBdD*lT_-%%L;5W3pldz zv4wvd{N8M6mxtI!319e_v{=Suu3bw)3dW!ceHrcwJ&V_n?nNTK&%qW*w4Hjn9U72&>-U^%H*^ljaDo_gZUh-7(Uv3FMi&oCyocL0g*^P6mG1S?I~87bKa 
zTlIjG)=zFWlam_}ov!6gub)95vRhC6;!9X&uDDwdM=tcnYj$wNl9$s17-=**uyVeC z{_6K0Pe~M4Qt6mxTebXI%jcKsNCY@v2w%F?%q^Q1UW!~^%cu138>^s(?Snn9#NnMG7044)1y<5s9zUdoRicL22&UYy6 zq02w-H^03UqGTAjqhc2osm=*l=cDZ@BsVI3E&}-VZZ^4RuFvOrO&XD<&c~w@ ztt1`aX1Nleqt_Qd1y{fhuF9BiYLFie4uY5{D(X|}mq?F(;ReL5tP#4osUpvSE9P=G zq7s4G^cT{HTc);u>R-boMu zrqd`EPMns`up=pqzU%a6fsULu4{0=7@?!CulSsO!T@sGIfI<~9Js7|gEK#-~Y^U7L zAZM^&rwA3VYmA}&&*9}Q2AzjsDx-IOZSzET2aH`9cb(0%R6QqPT&4lL$Oc)R$_Dq% ztq6jb7mqba=RV4NGU4i(R0IT{2+Bd1v=*Yn4BsN)z01obF<$rcW%2v5yGH@59`Qn8 zsgHhky1+xSygc@f$;K?$2@#8b^+{eTaST0;7J~OO7;DmH@)-2KgImPUg-pLwhD;5_ zQmhR1xww(Po}?iGl@sz4^? zbq3a(GJpqGMH|4+@9l`3rru0I@8)Z-%}Bd%MUGV$;;>K5@%JB(l8CQ_7{DrVsLA@y ze+yu6i>*=sJBCV685qD*&fC^(E&dksVfItlI$`!aHsn4ee0L`_c`sx^+=SM7uuqNF z=H`yyn&z>Xsh%pn$mr>t^As#RU%5b`*{`7x2gI353&y;E*`v4m2`~l7sn2gb>F*Z57EDVgtF$*vR%7t)3<&;SS~{Kg zW7yCTVF}sunM|@7&Ci_|@AGJgb1{7lyJUzlqYMG?`(R-BgAHU*dx0-A8)Gwkm<_MM zK2V1Jh6i$%{oRkbW{w#%^7&s(m|Rrng>e;*DdWgh;+W0>O?+;O(AsZB`QexPlCidC zHx&G)$MoO1h9}&Le4x^w+bIeHP_uh_FUP5VAHc!}g#UVz{uk=}`J_Y%P>!71pG&yW zk@f_6iZ$O-+wqmR-y+bx;FJqsCONbx9-E){d*h_7sJ`VlWhyF^8Z>jX#ax>BULlVQ z^#;Vkoh3mdRy4f1$d)8)S7amQElE50b#Ijn3sedT#0hq0`64<>WaKC$GiLkMz!hG5 zq8w&D-yf6PSyqgK^H}&fgY?_`8Bv}7hT%6)=I6D>`0cPJ7Cw~vZmeiQ>?2fxBvgH0 zeNiDU?U7JF?Y-xEN}B!y#nO4>7MPe=om<$JMHj)k2OL!`&7CPTbZ^C1_Z3E#XJy-O zTMVy+l!5}7=-iJO3i`FREXNkL#L;Zm5ua#YFe@lmr`!L|DOu%mwOrgK+l4ywFVFIs zlOF2gKq=1cN~a&-SIv{e{av4jgV6lJz`!UZ0!BA6O4~&{e*laVSv*UJ7@0diF^zvp zlEfb)IZ?SVWNv3CMWiyxDl3)FYLI&T1UVF#T8-7QSt|xP*)}X_7RJMs5VzpBA><$W z#4pFDafDQj;~!xV+3ECubaNg;?jpR$Ev5wWum= z;edRdpVxN(oj3>)9*dE-tFJCG6ll9{c8iTY>FHgTzjeLU^G03*A^zkV(J2bECsJAY z;MSrivEEYNRT_3ceEV6uOiJ1t@65UFSR)P_5ea%8gbTe=X>m;qI@&G`AwQG)=UD(! 
z-hmj2vfVW{{4zD%=ae#vA!bU3R^ZeUTjTInt@WAld4!0$mUR969fy?9u$|*KKN%m5 z8~=2K@bJ>1{lP#g0w&~Xj?KlCnLnvI!JgfOt{`-Z7>r>%%oYJN}Auix?FA-YD$!zCEQ^a2?o;r#yD>CY2y=NclP z0&tmt;HE1Zm^zd^vOZd^pwww}XD&DWu1%$=^1@MdUQt)|SxHZTvCy#NhC``tjS{or z^62P$&V#Q(RPX3W4T>BoCVsh?>&-^1hw!cD%UR)KN*NR+)Ykyum$g)7%2y|NhTM`e zF4(Z#%5~cDag*4to-5;DJ&nXd!2vP3VR(L3Z+xw&ePr-r@mV7O%#M=~5S_Z9HxU26 z$}MT|&5*5DFgB%EW-p|}*wfRK>^8DStphVtA_y{yEg!=AcmV!ChP-&`Pr?fB>s!Ka z=X~C`IZJh%4m_0b)lWgQVE86z$@Hy^nDT^%JhJ9(LtJ{P}G_9|B2UmwWe}g)|K9tb8w&;M0D)kuSMtw}VET7YP^sc&s_j zj&aaN|6E1-5%f#)3lX4_%}javw-oj9)(T&oC1GLwG2A3eJ25hqU7vQ~-ucqlSR_3P z%e&sJE|rq(o=tyhI*k{)cAV6Splm0G_9#qC71@`<{#9c? z)R28HG6V`nwsM_5;RU;6_B%_+B=+H1ezPd>pxK|BA%?(}tB>s6!gKl$gPce%_>E8BW4_r1vCx9*soa-tUaL+>;nw zE3xZI{6!--##9y+Ae6I&Nn91iJ22E4;8(s~4l6Z8eVfH%AX~0kk0ULnCK*eU^jSGo zPxlup|6|5QL|e>DERg$*a)#sYF#ca1ff{LxLH0o}gfc~=#RSsxbfP73pWon`t(;hk z$T-;K4e`?An_xnoGHtWON&h29uEu%U$Wj} zXMK>k^2Mpwk^UR>@E?|yRYBlZ4k}Ddpd=-o{z7U)jZ`WdfE{J%luZU&H!Nu7-tV;e zdNoXw^^@bE45V+5hc`($!VMj!oa;9ZryoCONj(%(&Bw#KI4*bL;Xu>FRw)m#fC=%I z9`&MC5_i-C_eeTA?Z(##Ls@T$Ml6Y5?9*mR z_i&2v_TqbJ>^(m`53Q>5#24|6L&(t4uoQ+UZ@UxQ_mjAO>mAE+u(7hDr{X2ZHjMua zBf0SJw-5fC+`B{XB?qmfo5crb?LFF*&ux*ztqIMtz9?O27oBRYmGP*-arjdnWkQWp zwt?>|fC>4XJKom=D#qNeMuLr5o`nvFTomxu0-QN;4?DUIf?jwb-I0ZIE^=e7q@bKn z)m_0*Af5Nj>WW!{UqLg6_!FyDjFN6CG(zP0NM`*mZE-Aflx7HmsUN5%hcmeR=Jv_6 ze6Q(+?v7?~!hVe|T6g*|Uj~XK0|VC6xGPA2S4h*?*akJ8`2LuX3J6$lE2wAW zjDM+iDo;Fk3YEFfZeYt`$ixspni5bU#w=4h!#mwIu)H>Bjdgg8=4`iEO5eGT#`D75 z8ys&@FeQf^ZlCo9lZ#y3X`>B(&+d%5eod+tjjqI%-W4l#AwI(2q?g>09g%oYr6h9K z=2rmtD2HwLFg7iISgt3Yr{ycnd%?t9Oa<^BDD1?Xlo#DTw5yYAmBF?!!8C0VT3KcN zBgfM z#Ji@`{Ur)?lvtw^!9hB=v=c$xFdBKL^48PeB+|Q>^lm}<6L>5p_eaSIs4ITpIaUu;cVlI;_i5)aARnW_Bbn9|d> zcqfye|k7!esM&3Pc4*!P1+&31R2pw)Zl!OjH6@xut=6rRVe0lm943-12Fjc zh_s+*O!^$R5IFCOSbpx(s5H$xpts@MH$4zveA@&K*lfIz9z^hWjq4fuhjEMPnqEiQ za?l%EUDM0N^l6?5hArPK(Wz+41pz@87l)?z0)@b5p1NdFrZ(AV71>;K@N+4of6cZF zu3~oxZwB^Jh{cUBT2^)#eiF^DqWL9Hy*Bt#2shM>?x*sOq1ReV4D`$0CD2JlSSFQw 
zBQxiT+0H5Xt=(3Fu{x7|(#sg6AHH;82{)q%R5M5I{LZ^Ejx7Dwv?3T~5F=Q%+B4gG z%RGOKy9m%kIJ|bEQ|mGfPR~oBJm~VXBUciRUsR(|S!UQC7ESx$L<^Z&-WSsb!RKyO z&T59-zl5DRxISUQj0s878p;&R4iJu-Vz&{sTfvcZLv}fr|5!EDR5Ko)CO|}*wyUAM z6by|;Yk`3U+i5;`l0WSW4A9U=yE_a;RH zE={oT-IKd;)Y7?e;EMyY#3F?|<3A*^Kq~j@Ix!=9M&RdU2H z2noq6Wf(LqbUSX67~}a-LqMyOFQA;hNk#T=CsqvsAE%&k5$&JfP#oAR6_B03p_@Gw z97*<2;6f|c+d)#u>E_oD`xwq86wUAHp6(u*eAhB#yZCv^YTCe_v0y$Wx26VJ4MSy~ z0mF3IQq&Ciyou12<_KT}0Qf(B;1FvhrfEbv31Lx|P3+4hVbM~IxR|!ARWhEbq52W_ z!TvIc$ZGn+Fu`c$XWSOW0qb|?X^_e#Y6V{@{Tg!$jVp&{xt<*BRElsRL75FJDiW>R zW~zGSMV(=3nhUbL_Bm6Olbp?S9j_FF0$Dg}2VT*y|81Ax8PgH@0*Z(jC~IJ*i6G>c zvCj5O|H!5+Zgt=_Gj5h_HNJbaTt{l^h*PGXospy9pbu2Z4M8aSA)wi1z7Y2$WDps!9y=L+de*N&3YOR;}A<_tQL^I*C8EykBmY1F*mo4ux1Xg zr8WOU{7#@a?bS?8h0#(7T2h2US3i=wjSGbko|0Q?h{Bh^IU@rLXGAWeKc#4QLkPwA<^vL9$a<;4VPB< z!ehVT+}a?X^YEseOG(>v59XxL`7V47gBiaM{Wc7GAM7;in|)X5JVrD75!?0xr2^!B z9$nANFv2S9Yldqwzre@oe+5t36g1U zQQWyWXS4l_zf?`o)9Z3=$4rfzKx72T>qTkO$f-cA>@Q8ytRfd_U;E53E}bw~FN2_f z*-TDjzJHF;=P^U7-aatuRUH5KJ^Tz`u*p219Ya1?GU%vPpU~0t@6uQf71SYOToHai z5GHHG9HGRtPclQQQ*9GTI85TT__2*K+F1re`&7#d=wco{I2H~9H^NR02^r%UccB#G zOKSYczyWfpaHoh)q~@_OuW_WK_xR$%dPu$NT5wEkT%FJlj*crre)0DiAd!-3fW0~q zk|--Cm7&xH!+k&?$LLJNaV+k@7XO*7ina~mEMrId!h&W}D;869k*`~dH&}grs;3GC%$l-^8xXSb2N3%ZG4rH<=dXp4mYV;(Zz zwSKdi%1L+1Q=-~$^=-HyL}7ln70Hyhg(NcA8j+iCo)g2)K{gLsXN{pa!*ow;ns|gW z2za;oeL|N;xDE(@Zk^$;?mrXR_J?FkBzSk@?R(l9dn_5LqPbH9d+T|^mEW*=0kY!a z1N;r%B*li#j^i7zchX*OkLbeyQFkQ3tiYO>o0i^If9$9Hv@HeyfLEKnXs7;AqAfN9quZ zu5EsxX}f*7Om(&^KV>ezg4K?r>bOwy2<>)Qhi!eANtq-~LZ218buY2x6_QNh?GkR@ z?BIfYY^$>a5rQ5cB(b}tk%IqX8#Fp6f)QqpkW1UOeXumNyxuD0nzk!kc#ft1!5SEh zcaT|QP*EBbMn4290`Oj(uOIu0^tC}nRc)S;YR`{q97uo#!vob=JI7UZx3?|DO==Ly zLitu3XR<7qsmtBNCC|C8(UUHn+6Q zxX^dSg-+bl#y$PJ1!@0Qd4u@~7$E;-bhHwgCd2#15~w}zYB}z=T3fpAkGf=O@2%4c z$le(XimhMj2W$E+7o8Cf)~xpoP;B6rk2D!v!h>|~S^ZmI*pbu6ddIgDQ9Z};p~9$* zDln{29^CT5?Xl&>0C6mlC#l8>cfI1W%G$M#J2FINex8$2&&j5b>-6x})GmWu=2?qApRG1cS=Vn8)VY$*|O8> zv+d%yTI(y*)6!W5t@rs}+(bCI_omzZRev+t5L-QX2e-8STTeTb-%q1149?UTnr;Ed 
zWrgO`+&g7A_RKqFVfH2&sYo+bEKT#KT*~vx0fkJhpkpMlSjNGeP{ugC_dP0Us6eSu zW4dR}{a6?os7-hpr$+2xJSI0raMv<%MiTmdvlj`L@UJKQbLoPa(J)db03QG}7LY&N zQU%ZPebCZ9c$IxZQ!;EtpWOxkX$`MhDCty~X~+$_Dej85OR@CA;ATO>UV~3x`&rEu&1Vis&bJ zDH|g=!+v-qaX>h(MLLyFa@Y0p7~ADoqRIzy$s)ZJ{RTgUMjSZa&kVvyKm5p0H7~a6npd9zoino=8hp=w@g`!<$@E*+&OYXCY-qsK@GF2L{wQxV zUSgfgXu8cd8AaC-)eSdtZ)0XxxovS@&KyN$o{@R^r>|{w=w{`L{i`Z+J&7AynFr8MmClY<=+k?t^5%%rG3&==QC+$P_A2#V~vNjzm=7 zR-v1{Bc_539<;-AD+}0rn&4PYY%jd07lZOoEGSbax(pqkpy9R9;+~b0Np>fPgbIW4 zpa9c`;a*R9!Dkc)&&@4ML#B#zKbwU)FmJdohx1gF_NAR$G3EhPpHSGaIOwe?_EjC9 zB|wM1cfHrF2x=YM6-}dG^mNn5zCY)*rX&&f+ZZ?{6rQ&%sS4^-)702(X?#($$pcbT zFS(H3#nV_>2;>n?$1zYiDIGzglF5yUzUAcF4NOM+r23*YXZ&Y!7zprkunKnZW#HEv zJqpPdExX`Env8PtSbKb>wlkJ&J(Vq^xQsBEgtB1FuD?0 z_GkY)4PAd5G+8U$@*AsLFCUx9x|;i-jFCb2rM(A|tC5rKgw@^5*P09UCe6waZ9Prf zFb1PE%u5d3Wj>+k`%Z^&*vq)8ge24kk|BJkym5|48T%E?l$~Z7(0k+kzHeM(x(;E> z`%GtYO0Du&W2(tas^Sd2p{jR}oT|pU3PF#dfw<0V{qlmcM^WHFEMcRq$&Up&mpBPSdG>>^UiPaeJiRV zRFzAF^@z;^03G*hEDc#RAP@v6L`n$8O+guPEJ8~H;ML^xHKdqd*!yBKclFJIYH^uE zxgS794#y_L&M?Ea3kw<~6agOAY7&xO>nfxCEa!S-@$gL9 z%Yo1sX>@K=mgC-f>9Nbd-K<=zJHSGrbl+X++29j6Epmc@Z+I#Quy4m_+M*{Q0?j{K z_{rtsGfAHZmZ_u(K^~N4 z1^SFQ8NP!wTH8=s?_>>c#onvPlQAVwFkB2xFW_F9adzTgbt|UOkAvW>wi5lOO-6m~ z_vuJ*;s=}7th=^h*+4M3)p7GtT zba_}Q=>#2T_H)P_+UijOb#(FvC z61XJ)C#YbHj^=mSts3K~z?>$1x&54Xk zmY&2_f`;*iubalV|PEJ(nld?3t>TNB>$3`()pTM-O8Y{O*$-@R9Szcovhu}c&ZskDbJ z!bvPKnkhOP|H~88W12|6$(&?FWKS0T7huCdhxzUD=(d=RiExfTV7heKFRP6b&J1d< z0XjU1EY!=9(hNo}_=^?{9l85*aJMv*UiMi@&yJM5a~&d#O%-4GZUCmpfGEQjfgFL$ zo0aQiOM9U^6&yThR-^wTf~y6=5dGw^Q$%j_k`qk?H?q^3=Ua6_zy~{eaF@C5Cj&!u zZY}L%w|4gn0xI}DGAgFPe(J(R;Te^ng#)SQ`T~i$FV)#EKDd%LE*G5ZL#i`8SmGo) zsGy$6`frX%GwfGA-6FAS%v>xZ3)iV=;OEIIm?(t9$bAWyeaEX(h^g3@N8PjAaHyJB zbJk9l)7)2meFC-H-4A#Rvju&hme3O)_f+Tw(+{d!*XaIZM~O;YEiu%Ea=@DNrO;A zUn#v%sjZ>&uqi`iW#zGdQ^I4|<|BuFgX{@?e$BWTZ?85#Hr+|bcZ*gsmS==E@GFI3 z?_7#G4%6^5N?{c(95$v%oaKf<9d6DH6m0Gdkrv02D^t~wMQih#5*s>zryH#loyPdB zApC1YapDUkx3?DIE=huB0fNJhyT@*k`D2+0Q2E(Xk4VSgWS(8blo2YE 
zt*-Www+#ntnXyyv@2I4&0yxw z9d2!tN@V4$%)3mg-nLB6C`N2Ev16sC9NZq|-tTETd>8pVlDhk3t=}N-gEjhDo*v%H zI|YQfpx7KCq)T%g!;59x;^LmLKB~azB!Q3ok>&;!uqI2v+)cmG)?U6#OatqTEsW4u z*(%o`!{O1*tI`lU~e!ouM5#*;h(>h25vJtxofMh21EFMr7#BC9Yx3SlQE1 z<@xKVH~b}$+ZigMi72eS1Bl6ALxjN-`)>~;f>zO<;eN=+F+Fm!8x3^0V7RQB`H_0k z9Jb>S8tDC#X_@aFnG-+?WK1({bV7XndKRM=c;d zrc}x&dGMGcUp_CH&4drx+3UM9#gew^ea!OKAIlvd0fP}G#y`dk0&p4fEQ;e<1j}y> z%u-Ne=+3rD&<*Z-aU(AxUk=wgl}$x^q+=*4VCDusbz4%Ri$jidnxitXfQe>oO&ZF3 z3MRP@_fwe|lWAKa+!AlJ~$w zrAi$8?(SEeyvQThQvwOb?zkg5%WC4KQSH@Ef4RFh`|#f*wQP-jZ*)K z{;Z92mtFCcPjJ@Va7a5x29HWV(z`A-g?6ehAI^{9cX4Fb$`ir`6YtD@x|2jJ=mVQ_pu;P*Fj-iv1(fbP7@?^GTP`DE7e7aQdglN6nz?L@h>)JVCSvWi&E zOr3$>FcSjoipqM6>18U7M_5X~qGm6A#BSw;1l7mn_W@TaPieZHUE)6MVh%>8N6G37 z+Q^zM7#JuEc8vvV&I=7!|EkhKZl$&TeV00A?4q+|Kswej>28uqY2&1$ z<$l(Pu`oKR7CL_;rBR9{frlGC7AnDj;A>5OxJs;VXq>`0Qzh&1d7X;#Iq0*=^3*9J z2H~`lo_1`md4txFxs^?KcMvuiU$l|I%Sc9Z=As!vYR-Rs08l;h>Pnma~C5Aq@s&{^nQK?JHg$TcR)C;+=i!-iJ` zbv*Bwn;27&+}9A)i0XTmN_5R#xfgcE=XnR_A6R*{xUL0po_edB_!%y~XI(LANY3@z zW{iFRH6W34$n?}UyYP31BFFdq8)jX$d%aEeT|Ukp4JFzUb^1Q@c|_1hZ1rGGcRGlx zy32VwY4**v%GLm!3aP3dcjhiV%rR%kw3av}%0IxhgjXUTV+YIc7ZajuoJA64PYg?5 zGRN|Nx)IDf<4^so$oZ5SW{M`Ojk`RvQgMD=KT{5z|BZU2;!?XD_oR?_nWmk|LbcuM z6N-Acj)lEk(AKE{>(eZ0CeHF)ObC~*eAQO8;V?3v7k-PTv@LhAOH_Y|Wgucz7-I~X*g_7 z$Sh(oAPt#YVDlrWXW)8Ui;GOvMLyh;h$R6{6H(H8^f@75%lDmZP+z6HTZXbw7`dn4 zEg}R?k|=p9feD3B7IS)=vs^``5nj_%9 zs-#6PVQ6i~#ckV6oci%AKtY!DRH-l1&#LWoY3+^Oj}yn=8wwBFI&J48&6T?yff0in z-0VWPm_D~Fm$FTTV3F|9wVOk3h?v~cFH2-;y)4J8ck#W-{I>1y^$SsGk@7765y0n|IP@f7sd>s()|Wc-wNT{zu*vZ`d4?oaIaT;I-x;SDs8+ zL3j8&SeO6zb}pyc{qJ$P_{~;I?8D#pHa#xcH;Y?J?LXtn;G4G zhr(XLJR4WoWVQ~^_l{@v?{gB1SCk2i2OA@$@Y-jX?I#`jEU*ReQIvR3`&RA&zmgttdsp)gSNT>fzpWUpr{t80bI6H^b;o##{p zIqVR}>iGsF??lPTh_9Ec`lQw6155G`MO;feL)3j3s;7NIki(=rc3Pa&VPvs>62Gp&Ka$N1Gx z(krh62?*RVXx4EV3=k8cT2aooo3{ z(k$Fs@$jjiUJ1Rsz`O*xnMW4w;?q0wm=0$J7hIS|qA+M62*;qR%+ZQaO;=T1rO9=n z(w~wG;_VACN6ulUv3S&~FQn}9fTlA@O9jl))DGK;KV4i*bBEa&fmM$?PN;@vRAvpT#3 
z=v&h?)Q27gpP=T$AFc19>qI_S@;-#pUbc3{{*Z&pVOy*U%!TO{SZnPU)!r|4Z( z*2FNoUvhRYzv*6s$6thCLJpg6!5~YMh6R7_C+_ECqc!i(W0#efZnW9joXwTGSqB_I z*GrE+xS^j^h1BCN`iC;lpDrO+yAr&$Z!g=KsFcK%67%Ol^6U@pGYGfgzQuY}@iv&T zfWAz11@sNn$9pdZh=B0*egK?%OA8gOMQ{ zxvwcycU|97u>C}<(1G*mczmy3ySg2ARugt%d4@^?xBAo%k>34}J@;Z7{#Sfs>XzWQ)E6lXAyvUAUk9zP;oXP| z@S|P9!l44@xTSg^u@iH;bhHG-!u9vazgv-*?t{rZ&m$S>V?MEkG zy?I|sn-$8ZQaIM9XcDWCvH}a_8POITe5i8UfipIj4okOYD&d&!e4%3HQd_WScGqQ& zc=RI!UWgTN-u6f9iMF$21{qH34}3@x>mebclx{yrvFOMyxcT9QqblqAh_ijar$pH9 z?4Ero#xqTw{o%s`8@6%HTH`knQ2m@~scAcp9L0Xqkp+eXu{Oo9>E=t(pBG;ycFOBj zKY8HT=Av7F-q@)crryoXodizXUM~MEq;PmRA5WHK{K>s-B8FUb;h+SsZ+1Lp6)xDI z1b;89we{94I*c#z(MQ_q1`j{hw9@hI6UiF!$;yE{M0lLXIOZEhys1jMqrWIX*ZucW z3`LUKTOhS)LMYbz*tLPsCUmv067mWLnL3|@SnSw&O124|1tju#)(%7$QFWG}XY;BpmT!@=UlC5ae zwZwiYfyDYX*nX>K$d|)bXuLDFH12mYOl$F(Go%8Y6kGpZxy7cBtNP11~-;2$Q zW)1EIs`EZ!K)Ih@M7romCN>>0d@BhuXKHQXvfu`!whHSQGgMVaY#QvOGTy-L)7|y= zTPz~Vf1fl@``s)UPU~-Zq(0BvwtaYF)47K{e*n%0oXdX`g|W7kzdys2*au24jsIq69rIkIt!op4}E#>r3tq7W_ZFHqPEJz?~X57Y@C-pCS zu?E(-b2?%^Z!0f>`;NWu{4Bfo-A^R08(gZh552W8s7M?_gLexearK_u3xOKc-D+81 z^RquJ7h*fQb_Zt*X+|}y5ya6u9kw-MPMA&<+qMVOwJ%`%{!5`iB+)1zl1?M->b7Ss zoo>23#p~^e5ai%v+5MN;A9r-F-htdJYTt>Z+IEr zxAjErNhm3og$7121@&g1fjE-tzIx`BR1LIJBc-0d$w54muZJ(=D3B+oP5T*kr8_

ZCldN!p#dC|ArN4ur~ zym=ClU?=6lo)XIbXwhd*Umg1ovo6fk_%OY_VSUB#HnYr=Mj*}xa;&2DPn!eNIH+y6 z5xDg;q1k7mA3NXm{(!xyFqQtO@?*KMmaI7afvJ+Vjnvlc#{AIu=1ZTauQgfx%TJr0 zN=emhlv`%!>w<@TsH|*C@i%LEbH8&Zr4kz!4-5_#F`VW~I#xl@y8%a%V^siElb(gOJk@Q6W&{I-?{1ST zGS#Hjr^$$*tJ7-|t&Hu89Bw(TT18bNuN=gf${&;!d{o$Lb963!$6Y*$US!A%AWXXY z)b8H|wv{`aS@D3Ero8ZOA{N;#kEoX`p(pmx zvsRN!DcEZ$77SA?JVoI(>b?`>T>)xex#LLX&ow>)%U4^weQL6kJLztn;Yz0 zI8X6q>A4~|oOHu5zdx)y?$6xR$N-;bg}v$db{V_YJ1NE8 zqz4)esyY0K_p3d95^Jvb1hd2rQs&b@&MhX!3C|vWOqJ736$9^zB>gnqW0_tEu9vdD zh~{^{O+mCM-Gz^4)zh8&TGNs(o9(^j3~1LQbXj=QmQbqI))!MCb$`CTk=wAt+A`t ztDozsp>e0Zq?j-3Gr`sAw;Nwx(PGrzYMIKLEY1zpzR$3r=;4a_p&wI6bVjUI;*TSr zN%V<%yE6U6Z%KA`;Kw{=5p1w>oa*|n^?k&?qku@bcNVQoezXpO+emO_YH{N1{LA8r zIb*-detInxVaqeJqP;5nWa#ZD7P!h{i4sn9wf)-MEi{tL{Deq)n`}2zH$ayuZ%y@{ zTsV_w+B0jY=bh2^)=wIqi=;1_Gwo{3$bZ^qp5Bj+WT_WjEyomNaicC_U)oo6bQ5|! zt*mN|nwMpu8T!E~P%HCPRcCj;f;-N;AcGs$KA5}=NsgutzM5@1X!YjlZ?0E5eq(XG z)(;2rQ{7ZOO6u{2&P(xOGFK?Z{Hrbr*_v;$DWKb{E%fd9drRB3M71*mySXp;#vAjQ z#Cr8b$4=^O;-5arZS46kNPLQxOXsh}EnJriIhkXAqBi=(vUr#sHoB~_W01dp_^Wx& zR?iw7#C7%gQQ~iDKy#{cl6gBt3Sna$>Dstq|E!3$Z|bRh;T7%9bVa8K=psd<-0IsB$V^+6+U)q zS~8M+@WV@Xq$;=RpB8_~p*M=*!n9|41)JtmI~lFBcl zv!3t0crJ)-Px1qvV>K~uHilv2TLnaHOQXjt#pS=wMXUoRrSdDO(R#Nl>~p7c&4GKD zO~ave&;Rp;@j&Wv&7&`hlkK7DkAU^P=qFTFRVRsbD3w#olK^PZOMy91_v3%?t4j=w ztoGnt zmdF~aNeAYK0%dMnsYVwTfnPNP!BmBKg1mlD^Nt%sLQLBITf2FevfJ98*Gc>nQ4^$iK3B z3J3UwyZK778|R`OKiHHnqa2@-SeZIKcX4SjdZ@^x$F-!hGL8j&DUb~Q(_v^d(0oO- zT4@53k2&z_v{(X8NE*96Dg@tdu4wn`rl~pKB5yC!Q!e7m4_B1WCyhu-Px%;7W&TGC z?UzWt$nt54P>Dpv=d4CKpbKPsH@sUbb`U{>DzKqssO1Hg(i)WRAwZ{b8eDC_@6(Qc zJaAl@$!|Qa&lhI<5mj^1rVYo(DUM_!oGK754hXH@@Fa+C8q#S64`a5^22l5E2O~)n{wa>|R)3YNB zT7{3_iKN#o>`bq0DBrxnTpiI1cJzu|xq3DQ|FC#fz9+w82}*=}1vnk6K2WyM!Z1M6 z+i%Yxh(E{{Q}fC)nyrDA1UgFGBw(ja__Zr(N=ysM>Sx{JH6;E&@ zBye!FE-+?kC*8{Iip9Y9t|V-{^w$QoZ2$Gyg7~DbdlQNf$TL5O;&-dQNF03ppTT(` zFXhY|t{~&b$BAmERWUx@z@XA&OU0XEknV&y6&o==%2C5XayI)m&c0bzmBg|yVrQ0D ze$?pf3-zb!W$YpK9c!U9%!VAe#< 
zGjJAxjAOJ$d1N?woK87x%cp9*1#EnFI6qaB3#A++Co*M|>7a%1GKM19dm@x0J-GBv z$oDmzMvS9ww}xbAatSwS_)Ho-t+JWW@+UGZzMK3*@A&7pMMa6&2>4}$y&q~QM#@ps z&Xtu&>m%fNn#k#A;spanyfOUW40)A!ws0evph5vuS1(E9;wvR4vc$kY@|!*7g5=8L zJw$hK%E97JA$q*5EDP;O`7e%K7K)EO#xU(GF`?Vr&ZlDjPDc}4Ntwd%bp87`OB?1i zCB?3WT;}};@V|?)r0o|g`J{0vi`G}z`ZGB1s7RH5@})F*j$d*z%8Tk|v3}In>~vsR zY)xXL{q|Vnx~$sK>*~M`lJ+W3GvXFC#(NN{m#bWgZsO?#2THS#&qzsH1P*`9Kb4Z9#-)aI zO&lr7O;zi9c{&4Dm@cV1)n04(&w&=BWhPF94JD1tkHE(uC+B9 zqW7LxJExkoXAR0{O~Ees_uFJ+hl?A-NRYID5R*yA2-3IUr z>q#CB<|88|1&ysTPQMc0Zt|XY+||M{FfWeS**lckky#x#>;CN}shc9Z*8D#v@$TuT zN{H;514Y21D^cd{=DVuaf%(oB&cTs<1L!{|)!^tHSE>V;_ekf0a+5wnA!tz{c>DV( zo!=ze%O}@Ef2A6dwEr{1FVz2jXzBa2s$(LNgUszSoED-ad8_5EQJcrL^re!}i^gQc zUGTFOY5nWbS>CTCj%F4*5%tE6p&^bZX6k!nTIuR0`}5H!%z?8d@^Cl8Ur+TT{D;*o z-4w%U|0-r*%-jY^Ong?FnRTB6)V+-`w;il!2}pi7%i3jweL@(xaG?7nb9ixqc75!9 zn*E5*tBu10!sV-I@VCmUdnL6=+n(BKh8Y=x8|ST$x)_<63u3V1p;bjs?PZWFr84in zuGq#NJc$gBx$X(4;wgXRdG=i6j7u{O$C;ac57cz>q^U;|Br5*iVGYa)9`ZWn zQO5n~(Qqy9PG7+!^8(fJKJOohG7uD`dncd1&*K-#iTZi6y^y(i0F;{)O7&D(nHgy1fZ27g^xvNs_x!vpCwTjAt6zvD&~&1VQs z1U;|3e?Tk^C%b(S*?jGb3DE1;JC;^6?G~%(7H4p4KKBw-y7chI*vbo2G>la|eliGv z>X?AXe8M6KH9~bNsq_(~D#i zsN&y~x5^SWmj4>Nw0zfIB1!q;3ETCNYIj4BW<+@e^dcB4oti$`zQ1n%>joWpt)&b- z%tJh1*3-M}NG2d;5<$gZpjvq>W4|8)o}%6x^VB@1yF2vE*IjkaKFc zdVVN)&mSOc^m?WSz`74R>g{%Oo_A*dugL!6dzvq?hs9yfHJ_tLiXwoVAAZSiyzVXE z8jiR1?@`=)(b#q}tsU)hq$$Am;!_ zuB%=Br2M}`xc!;Ct_!$<-icJm7k|SD^wy3ZH~jYWN+2a-Wn|wm2q9fzX|6q77BYgv z*m1_8#k@zSiEnnaQktBbei>-u#?7~~8;70IdtmTijPpgOkhE&?(WC+Ybp2fTeSKy8 z?|ZGJU>4wJfz0)_BOO+d4pkO$TB3Y=z6>dK(A0va#~mbmExYyIpf8o1tZk{=?_$5j zrx!8*v1evh*Ah!7CERksEU)wi<0N5hK2EbDPnYdo8#6#X0icqZ91v}o?84hsjPX+ zzft$Kuk=Z=1h-7Lk5sP}s)@|r>m|)5VSTEGCu<5y_Vg&x_QQO%tu)qgATW-2!z5$g z;Z^Q+d#2fj;^F(gmxn)Vw>-83JZUNZGZ|q}(_eoZljr%#m6TAb$UlrY+G~#jr`mVz&qp6p zG)9${{~jq+)s98UdOs8`ucwP{6^0i-y~sN!5X)6N!=f(;1~t*`3(N=_TxPryux_U> zfnh@sZMy$J>&`w!?l^Nb|rWD1wf8%Lz$~u>t>XLjkznQS2~BM-2)gk zEPdo+4h~26R7kQhgyl_jj zXHc9MBV1Z 
zozW!uFv<k~}HC{%as3UFrh^1DT9>kh)*c7dz>DM`x%t0V=&tTS!OF^dn{+)%koTU!Pn-iKolY~^mS5h-~&zgA`u!Ho1!a=PsH+<04J?v-jy@4(DtuS^8b3>iHCWz zEZCoiQpL-(h_!R1#>J-ouk(QWK!KnV`8}f3{-stRRS^MkE)OBGJGNS~0XNwccvHFSCpL1;o;vwt7RG*P=uyT&A&@3|tM z1bI1{=FQuRcfH)oc_6Wv`&VUjeDgfx?h4-B_~XDOUm~iw*KGBIfr&webm zW(3ZxYnQRLvxp)&d$-Fw!mQucm(VQedLdZ%Ni-LnxaEsyO}o=Nm4idKL$EC#yPlVw zrfy-C$(Qxu#!g%H__rHbdk^!(^yEpX9Gu-~$1A;{8_m0ixm z8TT@zphB4|B`okIz@*jANJ?PLXvIs5;0x6hE$(tF)a{8f#kb^1W{C8jb_9;z;EmZH z6rrQI-ENRxD)P^NW3jl9`F}%>g8ac!G<5#0+S^5~mc|0t^(p4|exit;hKAyCv&tu_ z$f>vf5|w}Jp=KZ3v<9^S;p>Wu$~e|W-vtg^}M}YjE7{#_^6Je$@ikuksn022Sf_j zN$m{&mji~@>b`Dno=wmaBITy*%Q-Jp3wAo1y~hqbJFdR|S7I?vHA&`s7}RK28X?wtEy9$q-E*9e!W&pG9(_`*W z(KeF&$fWrS5yR&j#=Cj)eXJ}iV3r?KTi+zCC%jU}6Y`4O(5w#hh ze7Dk^sl*}4qxo=^_|pK?QN)*c`-~We!<==+fnR}}T0 zEG(wq=og>-0XS8?)JbKP>S6H0=L=Qi3oGG*vm<$n&a5KNQ}sjv!p}IXx-@u&yDvu+?jNm7b{Td{MhR+<+*dQX zxLQltS<-s>MLbzg={{II=Cw>`G+qu%oMwOana7<$I8EX<6I)XE?4UxZjD2JBlG7=9 zlEiF@hDX{9>8!qwAp?~x`uh6Za`M}MCSmOBMM`BM!U+lFH4-Gs3q1dbz%N@|aCR`t zP)XaiLlt|=CT;0GSyVmP8O<8{5AFpRaE>R{{Y!%CX1E*{tIl?1hv}101_}$qc4L;W1$ZReJ>Q75i0?@iy!+r~Xnd~g{K5QM=lou6DV683XYT-Iz5SnLq0~Ze7 z4I_=+5KPSsdTzC^LB&QA?b&5$Oy65}QBeMNqeVV7Eyj4`$zFI{oA;tWT2WBo_POVg z4;897-(1Cvfv71ra~!tloc=uX2)-|CWcQ}6cd{i*`0`@1aRax!V6(3Vaz!Ux&QBS+ z1qNf~uXg&u&T;7Lj@b%)iO#y4B&R_l7C3CpQ3u3W;*s;;Mm!N6i1dH-Z5nBPtV~Rk zKb0r1C0Zfp`Mc0z@r7OEO6j+*`5<}(s41y$5i zq=V7*z5aw{MShSwUgsJg!6l_n?rNvvF_0Tj4~+O z++`_Yr`Aa@=GGCdw6ywj2OFx4xJ+%!Bjo%XAxucd5&M+XuSOsyj4tT>cGt3&^NExJ zr3!7Wbl?~Mah1}$NfY?^QaND%Jlu@W4Mz78+EU+#JzHof9uUjh>Osrlx&s;6%$^AeP$S(LH z;n9*1CuOOveegr*e2_F7qLE&)iSx0ghLwrrC}evICQTXN;qF&)3~@eqs(SGIb(o5b zKv$C(w^4gg6AX4I97}1*2tvrLNWlW!-0oBgNqzuS;p89cHtbmQoNIA+tLzC7Y!3F6 zHi82E#hDo1^@X^qd9Uh_(`$-BDO}+8R9muK5mQBhWBTM^@(vXW-FF3v+qars7{7)T zT~U*E3tx00dm`-Ccmuk67+}}yU<^KmpXrjDd3#sl4CK52ca<}P_FEr9)Vjy%bbDge z2#O|tcQsrOw14!IneK5Sqz>Va^d!0g&bkj$=QUV6AD0|u5o!o>* z>rWC~svGY~TX_4Pqm0}4Ph_rs77k$5qccyx5uoWi+}-Q0XJ7%|=Uaq+We4YOHlI*V 
z{NWzv%bR}depe&qX`B=Fmt66Hgeo%Ju1aK4iK(CY^ZHNoH==Dmukn@(uE;e#fIy(UKVWuJug z;G-k!vy^AHtEqa%A5-DKb)rgxBTX%LHG$HTkUoxT^;>4XMRr0qdh z3K(+;c9cn8J-bK!`6K>gj=TTw#|*=JhD;F*j26}A(8W;LIm&t^szrpo%D{nm-`=pk zfzRKQ%stzSjNolQSzX0N;>&vn;_tgxP#MV7Sl9GHeZ_tIr4%pS~TI4u;S zcQ^?kH)Eui?kBWiy$+wSSWe*Vm46R$SH5(tnoA5TG{8crjdCBFq3NOCM_&|@2(7`(gCap8sbJZLX zdbJ{+2+CeLC}gvVMUQc*pHOF*>Q^mSYhLR9AhT6i+f`R(5`&Q0ron|A>Cf-C|A_E- zXEOLi1tAE@=MGOPXJhyNo#TBIX;OQ5AeJq-bnG{iSX5yUQg?!WBY}qnqBRo-Of}+r{0KS zNig#HdQ!-R#0ZJv8j<<};{rc|O=;!Y@m>FT@tW)pIpTKIcDd(Xs`1zKcAGIS$lcpM zsou}SHk@q@%GOW^-+&tt@TL3}NP*?=#!To6X<^S4By$lsPzoH0rCU2!2h7xZ?n}3C z8OSCnI80AcN4PHpB6VZWW*n7B<;84waKUl8Z`?jWGebD2XW9VCC9XMnPq*mj6`^Bw zlfxoQ(xIDIlk()H-f2)5gA7lj;b+8Ul0h;;!TNf{e|9ax&Frbhzm4e69XZrL2RP|DqhDS77!_7dnl zs7uZ|YLcyw=Jfk~G%aSpS4$U=aWV-aL`D8$UNEONX(_`~Y=uBJUl5{MC5-RYa_kCKPcH8}2JDa_E_H|+Ynym8?OL8kc zbMq1K!^#~tWU`uZS^>ySLbLPX*$lm+3A=iT0N$|)8q0gG z;Cna0M5>2(jP{}UlHDv1W!3}SWD=>T&&MS7P_gD!j(xEE;Z>ZC8A45sDB(QGCEt2@ zc7b0W-LVm?J1@a%Wt)6Rn`=0m?WBK^RKzR62%FzT3}banX+8D)t(hu7E${fy7IpzM zy>5luH^GaMirASh+A_dfN~Kn3K05EP;&gBpVbm-;>|?%(|PPf-f`9m9D_~o&D}0 zL`LuKh+4Quwm&}-+#K#vuB)^Yhl6oO-FDigRad4(BUo5X%xtc+N5iX1aYTGziU_IZQIBd{Qiujz%PuK7d0VfybC$yV35T z)Gi~^sM}-2;DB4Jn`IATvHTW8akbOzvghPjcL%#F-QG>owFl8@tH8gd5jaxMmeD(C z$0c;P5KzF49_H*(Qhde3_EYDBv#0QD1 zSi6fv8=SojSp33V(tdlbz?POUFJx_fu);pEReKoHQu|rCeDQWHDIq}H|9{Eg|H|t& z0Ad3-N|@&aPgJd`0t^KTURlQ0TSD`N+!a~evpI!Tos|*5OGbdVn#YLa8{d8scnH~$ zzAK&5O!|A`p^hBWu>7P*8L$GaT8xTc{N6yDYg`_iU>$cL`;@|BVrL%Np1UXObUq(EL;v>w~QM4#zyjjCZ8L-c+gjvC^|c@G(=7WObF9 zL1~;%yIi9XjAluUfi)EA>^6vLnf!!Cy90)qKt-__@S=~Z#xRYo}Gl;I(Aa zJj#x=gNo0i60_1N9y5cnvUwaG185HOf@#mTLWNHp9ov4^AN4$1yfSIS4;6I6Kg86( z&9SRuhpyJgT&9gJjv5^tl^qJGshk}EN~bvHr}o#GtGYInP7B0(M?pla@khdq8J4tp zrE@v2D6LjW*x2P(o+<#*igszxdU=7Qz`HO^+fmQ2F}8r=_hAR6!M9rv;BJ?KkAKy8 z?DX?DDeiK7(JVf@{)!}4*P&NJ0Ea>=%|5!bModpmcZCgpaeALAMb`C-8{Ow^v~}$i zHML^6Pw{|k31NLcAXQyEJ-6e!8CRL^ING+M%Knh1dCpFsH3A{d9&~1Faa@12w=R{E zkd!;@&|~ljq3vMnwy190j#z<=wqK`;bU^}+-%pMfc=X9Kx%#aA@)g^BpP?Xbs80!4 
z`2*h3vYvB5&M1-As;VaDzIvH|N1~405p=a;QsXh!x8PQ#o}>)Wn9EFtq4JGKed|F_5ZSA^nHb_Vl3L*@v7KfhYvZOV)2z=M%$ z7(VJJ#SKUAC1fd^{iiwczN3prc_74SlRjd)rU4qK;{Q(clbUtf-9}Q|s0~h|PwF!6 zA)+xa3F*Y7dwqm}W5|@AIbQji(@%azpEqRvYJ}ocV@kZq<|`HD@D57KJA{a#u^tbY z61nod#k7-}4nG{Vm{9Gju!bK1@p_3J1!f2#vej|YUCd5uovbgwQhlByEttOMyT_~H z&x+{wO&(FZIVUcR-7N1)f%9DrgS);$6YA zr0-vN@&9@eg!2gt4{ihfsi5p)dq-T*2G)b*;tJEdn!yvl~44_qpZ!>&TpZdVxQ>ZY=*Io1W4 zWdik;L8L5^3P_pJJxiMsP@Rtx-mt1PR#qDZn}3#X_Wh-(wD`9##b@!llR|E?&0HDR zAm1!ffEmF}SJ;`lfQhO4#3uL7X2Z?Is^{zycxWGgU(^+QFgW`oaOZp%Mo>skoCNr! zB#!jKM?rSg*#n8wEe_&Hn9S^tiIi?gK*&l~(@L>v`mo!x9CU*0Cz~NMJ!GxXX-S?Z z;mG;A=~_uSA2BqwZrc~(ejO6B<~zSgPI@^ib96luo_Z{wb>nrub~d^PO?9jlCM>BZ zxB;g4-j~4@4#uOu>a%9xBKgh?ULW;;*YDzD(V^|xBq8dWj3}@HO?|d-C38iVO`qMt$|Zfpe~=o};rLoDojU*3b1T=-3rOGL7-lzuydclsqiSq>r!; zM2#}BC`#}g2H}W&ttYwYhv}zj%+;3ENRIj{7+ zQ0(twaEODeUC^=}E^}(P9I)SRzh%LVde)|0L%QJWxc6ZCVVCvwev{0_8ACdnLi8%I zJ1$WW3GFy4L+tY-*+aUXBa>P$SrGfCP+f>}m1 z_c1&!?IAnufR21H79oas8n~!B!+-q?oA*ieLCE4}G_J&@ z?H0dcXT%~CSlfunyG=Admvi`Wf8S*7bXeMgqWl}H2qn~SQbcCmq++#k7{P2Fu){IW zAG9%S{ZSs!mfG8ogp`s&IxhMc*b?k?W$r!_8u9C%q71?tU@dnEIQ(Na=R7 z5W@xGX0NWBPg88Rgf@&r(&pr|K)2aip6FbEx%yv_Vehg=s5IE!U;4)P+E-z5pK>KYa+1o3`yk5=2EOQp4q{F+}>9^Dfypz z@_E{ya~uk}BQ{6t!y{Jbo%YsnA*^-heTRHH>3TC+BEMeWvh=o!Q#K}%dH2fkBNmCA z$}tH%S;8LI@R8U9V8)97^l#DXs=HbnLeKe9)zyPUrYdG5c=P9Dg!Zm0wgu%nrM-RL z=RauKlk2@qsE&s(jov6h9Ssm=NxhC2!x*TWeH_2!^`XC zz~5%U!NNp(pHk<@ews7xjylF+e;81OzGt|9?SlEca@*6Egp5(2QjST4(Z0>R7aml_ zZvHCWbs+##YaRR)PT7{IBGXF*P1~Hh4|M`guVR!o-6Wgm8P5Rw^_K|)J}s)%~pQi9yWi7-i#Pv z*hic+b$`=my-g@)Q3aV*nfA3r@3=(yv840kn!LoZ9DsNJ=PTqlr{(VGC#EO6W)j~(h%7< z4GG$pqj{_kwRZdKIw~RehgJ`rco~Gl1_4q}RYRsx4bL*d{_Oj9P;UP;?Vpk<=Mq zJ4V6|G=#JzwEq2*_#etkLg8bJtmUi5;a}IU5Xhyy-G%E*T?;-t^vSlBK@0Q#!kyLx<2IeJ$g3v#pl3JmoCYw_R&yjg$9?}g!EUoOfGDki&|IXk| zHoOq?l;CxH#LjTp!D|*>N;VrwX!&Q=7zB&$XEs}3%lTZDa%EDz(T6@)Xrqdo(FWks zC*D8(G(>O7;Bivx(&cKKaoXchR+1;g$S;X`DgP^y_OC8?Y4#uI+?v1V z5fm86T8JZ*&?{X0?jrjh-Af1+oi6LlCB-vWR^4*tA!Q)?eJb($wBBpB>oru!D!ltB 
zODsvqp^%sZk^3Bb0Wga2w;7~|)bHtW_Cq#FtlpZI-*KE7_V>9AA%lC{JlMrwqK`;7 z`Jre*1#s&MCqANH29~H81rWJpQzk$=t*4{D3WO;UqL>Jm7GKfiyErtCNHyhggnN+Y zg^StPx*0wTCa?Nk9G@=L`wg~XKloHk1R)8og zNVa{ppI>ldz{H2RwAa}?Dz=j$n>V8gjkjY&HF9IooDlO-dnT`m-m;c1Tcgj@1WXap zOO6?U$qiG0$v~dti`MkiB^2fKmrgK$X3y0{+d*jx7_}P>Y-MX`Xc#^9Y+1k>Q^G7C zDsqPM(Y>ZrD$X&>_}@Uwe;xI+d-{T}CslxHbc@W=057TY@$%7L5zy@;-ag;@z`33J zL60EM@}Cf`FDo`d7A$x;SM(Rah{|59*`J8Eb?A4_hj&fR7oZR#MdrZTOirLNmLn=z zw&sxxb?Loi`UnYP;aQsn?UD%=3F*PO1giaIJML4hQL!hEw4>mP`;PKH)d`n-pX#_; z>2F>swpLvEMdyyYHHP~h)V-ajd8g%59l2CN=tuyK>u-oeP7y7vtw-*-hRSI5zInB3 zy0=FVH<4?!%LcxSisHEEOLlFF**h%?Adg^*=*@C|Ghr0>N}{|Qk0~)a@3~Gb#h7pT z66ip<3-SiOnnb#}jWGcwj)grk`O?D8 z%RNdYnh8)gFJyXW9DIhsQr4_X?osl8@Y%ZnEkLFyBA1H$IZ2V{3W$RAc@P9ZL17$T zZ?-U3WqwC#K4JmxXwHQ`(y1qdU+0Oo6q!fLBg?@Xd0R3UXA*EwI zff*By4sL1H_~&!_%{dJ4?;-jBIqpzL{cqdh2a7PJi!8?RXQ;$Nzov{%791JMM<#!SW@^*%-O5cf$EcwHP_gJRZUYw*xi$4hFkB zY?bzB!vh|PFW4%a-V<64dcwM%i2Xgq59^v-(j^|@$lV*zVj*fZc!&0lI@8V-qS%mG z3`kUFTX$oxE9LTPBE$2eutqOmIVGOtu1cDBc-P~xtjNQP9$<&x^9rJ1^8u*C0JKD|Xh&ud05Sp5bW&!7B@5vD6 zin7cU+A`@X92;e_>y7Efp00Ty5-f&rONR&udEQ0V{aCJ^sGC8tXHHdb^dd3 zzxs9`zf6f3`Z1_0D&fIo0>uqM`&BR2gwOJsRIdMXCkH55ifoT$Ike3+((1iOu3a|n z7wz#t?zksJzhOrK7s>j&0uoDeZ8{b*p9iTc%QZ)dcEox(bm*St3N(M=tK&!9v(3*> zT{bNWsO6Z)4MK`=ZgcMTe*x(f1W`-ENG_mV5Zu~4>9vlc0MrH5AUa>ADwZh87M8sd z)-prAFnr=I=EOF#pZ@@!E1Dy)6oGmXHSdbvN7dCUtx|InPUGB~6QPK%+CgtzZP0*3 zkIEmN%NhZLofNaM?kan1cM~7wZOouv{3Sd7=C_ctiS%HXa)+^Jy7Gn};9n3?zw)~B zEI&&e>*-yik8$K|%r&-Qh^uX_AWXtn{AvH<+J)khBTX9i8)IE#qlEb3{rZqUk2b;> zGcs289~%FEmP#9G5`z#*zyov0uScnxoT<#e9fboGlT~FOM~T0ZAcNj_B<&)txZ_{{ zP%M3fbNF=GhSF+uVB;ZSGkuu4%(`z|x*g8%qVM><3As{-7@WqH$;u}TP(C+OCmE1j z;K6VHOqAuhxT6YAQL7PCnJX*slPRrUOkNesasP(EgWze*uekC(L#xbVmRiX&nG7860J5zgFm^TFYr_so)Qv?S9pwY^>R$Z*I4j& z6?!Kjur1Ich1ebJk)aFB$Te@0?mMqDP5B*Kqq zNkkb%4sauc<q&zh?_QphczP*jzrOrBKu!M%-Ij-1@z zrv1BK!nW1vDvj)KjENcFtx0qpB%T5`lGk?PDh?rQGmR@Resm7yq1H0yO$mSVF)Por zZOAn$aw<8{p^S7`L)!uFyu?`CAD};YCtGNY>0?khl~IJcDHYqho#T&fpN}Lc9VwN> 
zO-YYYIHaM=ZOc#NQU1QYFN7$vh^Swe@LH7wqEPK937jM8RMb9oW5K-r;3K$ zW;=UNFaY(A@I03#sTFTASj3A}Z@E;y>Ltvbe7=;8_D~kUi;PQM1LQHZHNRbXI3erS+6A(}l5S1nnI*9b%LXa-fL_~TM>Ai*$0t6%=U8M#Hq4$KE zKqx1^@BY?0Yky~L-@j+A{XZ<`xo75@Ysx+MZ^-qD>4>F(;mJrxe$FoDn(lTaxFLcs z`Yug`ni|}f!0Qy$mcItc4cdO${$8gq7v@CO6~>Vx-z}!_jFMk@N$n2j1N%S$sS0Fl z-Z^iR7FXmN^?TtYyX#KZ7PdgNE1SJ;Y_fC0M$flUn`{pxtO%UU;4K`hai^O8e3CD6 z-YJHwEJV~wrK#agf(%MpW)7U}8F+fxz)K<=T%UGf9Jr5)XB|foVUvK4|kOC;D4IZS@?YRR7eiWkW zW?v|-C?QxT{h$L>2OTYKt9Is3EzdRdFBZE&Us)J2^qufDhrR)Dt z%Ao@pJg$qDeP2#1y1QW6GtjdzbfsC$qfhKf^X-;KFN?Dc@3r-{(3Jk$;kvhsX-K`9MSvhT0Vexr+d6qK*OnLWG^($%uC@7-t^q|Gy+v1K8l{On z2#KNzQt*DM4ou%lW6P9p52vo0oc z8t{t0*xqk$5}tt;g}D_8W^S%8Q(OWWe9gf_`$tS$>A4cfVwi=O0*7KBtKbGEbzf=y zhYrNQ$n4Xij#x?<{AC34Ov2Q2!d9o3+EI4s^IYO<5)^%yHJIfJ>0+}@CbPLaZK7FK|xS2!##n!U!=d2 zvAqst^?|3;I|GOei{n&q3M2%NUSLH*#e@jA%25Vu07BfadU0jPO20`zETw4#MGsku zJ#==xKXWTf1@hwRTz}d<))|G~QVhe!D}>muiGG-e^s4TD^Ig@v>)l3)a}5P#>PlQL z@%+%Qr1Pu~medqAeyU zCvACKvSU8QIwb1!UAHRvm9T;C+1^_H0I5C;Lch>J$%NOt@)=ybHH9b1*#e9aaWZb_ z;@li}f4##rW8j|k81_xPC#d{=qt3#R9||ZOMXlM%X&K=w%)MlUoMTmxB(!qwhA4l3 zkC~PtML8u8jjsVncLDKaJ4bc*vO<7;L~dGR6~c0A7(O*DgDC%mj@XbOmM;uvb>~~- zY7kHZ$p`-=)%&AwVayO7Ay=ISw*NrL7W*&0o#= zrZ>{16LA)LWj`*c=P4!3exUNl`zQaoHbWT8v6v>YGo{adbYo<6bp7qjcXwFuUQt!e zNqWUF+ulhSz)zOBDH&k@qMTfpFwr8-9xd^KR_w7zz^nNfuF#M?xf@2diX&6eJ8_$d zJL^`g*$>1e$yvJG=*aq4+@^+DryWQaVsnhIaE0}AuYT#$;n}gJ=W>{(%ER%IIGV62 z!RakbysED3I*snwNjCKl(r0RUL|$6Gmvt#qB`_o`fu-VFYjUQ^?IC(d2fSiIK84HT zCjL^b8V3%-^x$jbxI;{~Hf@cwf8y9Y7wH+`;D}c2Gy!I4PNob;(@GPXz-^n=^CRlT z4vQ!F7QHRP1-w4%Oq9Ual$NP4V!GK0L}-U(bVFtBK4 zQAY%V_cMecnQv}l!LlS|kaQ6K>f?%6B&DhuX7++aLQ$g{cZgxVTroE2raPqJ`8Bd;N>u(33pXVnzg$5ks`_)`HeqFqYBQdGtBG{?U=d^T zPA6YX_j+}y2krGCskNK&B|9h&V_u#7VywkO23OBh7)tEbtMn{{#Jchol!Sw;gW1jh zJqY$MT>PK3RE+TS(mitU_}Vz%Y~j#(9PUSzj!HJlCHmTs$Sssh;}dN4wdS7;S^7gN zgpRCnNgU=m6D-PlFp`I|yxM2A?vXdx`e$iW;`;gnmumJaR9*XQkv)VtnkzT zBbRiWk}pdWy9Xs1=V#u;=Mc}Sgp`LR5t_%K90HD*YObVZwiERZ|K7a@imq|KZ7@IFo%bw-0}ELk&!; 
zoXFLNoO?A8j++|?DMp{%983j6D1>9aybHXDn(mG(?pNwISoJsfmh!suZCk1}ZfN&s zvkT~R1lc6>>^H%EjftY>ZFl(Ct1o!gjp2Gie0hqner5g-;!9gcEHx}HFWBOe;;dqP zFR`Ob$4zNq*x2;=MnHp!-xwWbp+_I0P;N9o zi0_p9AGqHL2r#0a>%?bK7rfAk*@rX;>DD&;$D@2cECx$>9g)f^`SHX*D7S6mgA9gZ zZjp|v7=+=Y;6(P12CW?XOQXu5vZPJ=!7R1Lc3W(bze|DC`4!g{>^o(+!SIi=xXG)E zQxb1ghBlYwG}$+wS@~^Sse=hk6Bhsr>n}1{5x-o*6Y-X~A!m_mNv1m7FdCJ+(^WKD zpTU-vXD?n;&4d}Dt{OCZPHi!ATf}(zCZaP|c@{ZZXW&VsK&M46&$c*paP=aa>%08V z+vD~NUwMGHb|fq6{v2Qm4J>*{Q9WWU>L(3!*$J&Vr|f)|q9)Ov1CH%vmW|gEG(w%? zc2*zFirk>$z464|X=5+9O!58FGxn6{3BnlxoeJsOJ<@sh`)|Gmv`%e6NShyCU*EZZ zsrJFkaza^QAD% zAnTfGlvl8*5Y+L*)`r?e3xEVqS?myPIWTZsYh`lmLVGwLWKXkOh9KJ6%%%dy|YVa*j6W}ki+>v2|2ha(x{Jq7#Eei5TWAof|N%1Du?@5 zI#Ffu$k%?1Dc{8ARNc~-jiU*XY{&j)Q+qu}7<&}_3RaBOyvZ%(Cje9kdVHHarzB8k zQ}}<)z5W~A@r0BxrjDvKiQ7!70)O^s$3JSEOpqTB;#>!kby?AcVR#4*N}bTAb6YX> zJAn_=tKFgdk#^O!UrEV6EJH-3O(5WIz4i&B@C6RCOl%v+{><=q7hR<* z=DdT>T7-o~m$W82ulwQ%b1r4>`Oau&j&s;`j@mE1HQx~HT{WG?=g!F+#_=z9P^>Gw zXoaO#9ZeBN_tTZZ9Qc!fM&F#yq)-eSWWRpnAJ`mU2pe~JM%OdGkfC^;s2ln-Z}DJY z46g?l%I)3usImI?9`EqR)(ztMN~nqr6~}FMs`=fWFo-MLxbIl)bA|VnbC(ZxkEu;! 
zTW2WjAsC=NSB!%8XKl=0M=E#ylS&h`$3zDZf;U=x_jf|qyxyB|Zw5hKUawQvmvDx8jtfS2T&<@%Fp78z&AO-nGR|Z_$T_FkHtvbb&Ov zVu^Dm-bwZ$#9l7oP}HNdzud1)Jy$fFHwd~E@hdytPyvuIJ^gC+=;?(nA%r5sUIqU- zgl@GEu5rQQV1z-#Zs)y+b7(5}i|hgmwZhMfePz9%zxE?8`8VQ>Z2Gcr5q=J(dx&T~&)nxFHOU#KI7x-E!0RMyY;&L9;co+a#o(!0t5 z2B#;AEZ7Q{?!|2pF9Fs!EUj$Wt`_XOIvkL#M|WM{eB;FWF68O6qv9e*Mp8RKf%qEu zIoSf*P@&JQEmB1S8BsB^Pbh{S`o*WH-r9T_$>M2j&w=3!+klv59<2?BqlR$vB{#}V zYJ>l07eHBGRMQ*kjeW?_jY&$yxYrddgssCd)v4AX(Ndb+K10>w-b-!mS&Py8En?v> zYPs?1yt@Mi9#cdwU;k8p~NP8iqxnWOrWX}$1%O>R2xT5diwSI_q($Y zb;|^5TW72LM*hz=lxNKyesU8 zedBBEFNKAmG1M6q*E1JGitgg<$cM!HsEo@fhxz(HZ$)rup4-v8ScfHqqhuo&BD}7v z$8!S)>TU)kraX_tM$NC>WG0?FXiTw2F7H>1t*8-FBg=Q!Hr33^-{|so9sj&y@Ik_f zdt=Q`-Jf><$T*gm&Ym9hh>6Z?CiKXZ<@7a-YZU9=$|9rL??m0{+{F|w-)eaA4~ob- zR0F?f=GRiC*3U_v?bAi}B-BRulRAAIvXJTc{+dpTM&zO4`Y{e$s-f`Xn#LC~ZV}z| zykomhwVX1z`BiJQ0k=y_1!IPsk;9IAUc;R@;v+BqnI@8nQ%A`kX#u1&gmx;4z1D&0 z$HfqNm8LkVb1!x7yo)ShNQ&GIZ zlts|9Ycdu{e{>Ywus+h|52F&l({UHdfoYx@pQ1Pxmk?a^OG-!Y^t!uH2LvJv# z`XS1mHS`dheK+cTg)R@@4q|Dsl%HhCk5IWA9w#I)PP28>B7a8Trvy+T zBhc?pk8+UX;G;=F{(?UH-nO|f@MK8=vev-N5Teadhtw^X<4~O+{TYi|OsVaJV zC2%LCjYShh(d>q8+a@0)sj>1GW`>(KZSNd5UDT-95ZY60p@gcv0mTsgOexIs4m+Jf z*N4oCq5b9}A=rz|6yByQix8&rn=Sf;4!o!b5KV+=WMNI^S0*jys_9M<;P`t^slv7GGm zbi!Q3LyeuG?~Vkt@BqKb|1(;M-3c)!@EeUtYcH^?gJy_Io%YV9u%(XV-oosM=_;2q{gN38UcZlo4_@H7K!jqRcM5h1GX=|$uX>LXc|^{uSDN=xv{T(?jxjYz zx19;2?lC^xUjJ5mjS918$Q8Xh;QBxfM1IcO_yE1F@wQ4={DH2x&2TGZZG+QFy_F2# zcCc*ZL0;Cu_8zgc>o@XaI`l0PJ(Dwdafdu-FwhWj>(8_}nqnZDXXf^k0tPuFw(O_3 z`tL#4y4L!uV1?OI3e|G&0|UF(2ElGCw}qOisB7!UHD+GFu22s$;S9hx@-XaMgUo0Y z&f0KT&IF#gTTIX3$5RZmrJWTFnY>LBIx=b)dqILVNNkC$u!c*Vid3f~V6Fnx_Nivy zYocVsd|R2=KGuoKJvjy~jf6F}eev7wgIg_s^nZP~;OZmVj&E432is$)$l$~hTRfqq97$7CJ2EL?nldMUwJRh%SVVMb z)z)Bf7uy|KvnpOT?5XN-RwFXPg*jP(-*wb0X(1SY?=pU#uH_lw7F74fCY)=Q#Mh52 z3^VyNdA{p%(-qVZD{B0@qQuPg*-$heB9$e}kqTza>mocTOk%GNHZzT&CTtT>*M%js zlX#48K-lwI6y|U%DGS9xSXHWtiJS$`a!TL2Zvh{xw65)?2KUyy0LNv4fL=F2k|Ae!%X{44nf@K7`JrcpKM+%)=u_2 
zt9~d7KO!~~YZoT1$4zEeaFcSgJ*?<$ov!VK{AV_SUiPLKCJ%~8ly1URK=pgKMnyt> z20|Ee=E+Q9Aa)fX0dKfcb+XwYA_^AVQZzy_yri?#u>INF{$!YOa2t^(cRiEvIUg{M zmx;0Mb^&9taRB)SR*?v5WbLnOa?MWxK$kOY2y&{NVWoft8go|t$C1K+m9hv6EDl3Z z+o1CW6zZ!$>HLBp;%0`wpoxp_a_y~J-sp!!ZEZn1VoLXd$)Z-FAbrvcKQS_}0HK!r z$#WO?p2IZL(!1o6Vd7=~&M4KnFa^;FNTAbiuIvzrgfI~px0V+>`wYz0zTAxzbu)7Q zW+Ymja9dDD#jm87p2OhI5Y}dL+jiL(+R=gN;yD$r>d+(G30rw^HG7Na)zLKBXhc6M z`d31E3nOr1VuF_;`V)7C<8Q?^C{}JK|5XI&-x5&Us*x>X4nUjF<&}y3V=40nM)^(Y$98 zV{?Q)OM`cVXC+O5zkOVbI77JZ(LlUj%!u}%qsb$SNUE3V>_hM0V=Ay&R~CpNOP=MY zT$0X@0x%X}cDkeE8ut+xnyB`1qvY@k8&DwguZrKxwsWfNnl$)%zBtZOUkRNZVa`4E|^{gN9JyCfzBMKx$>oXq-He)okMq0yJ}jXw~Z z`(Glh-wrppcW7>>JG&SJJaDb!QT$^Ol<1RZkLnWx~>3=7rD6oD=0--`wp71h^ zMVQ<^;yCoPOmBL?=olo6duvM+X$^Zcsmy$+amf$ zgeHh+`j?2D1QCZ!MWT2k7y2GD7{?zf&fWjuZfPA%!5+9b`75h)Wr%57K51=Z0k^2A z#=51;lVz7XbZKVu4)2;MFSAcR^w!%IKl1%_KI(SIYB=QjUBI&#KW8@xI0T8-lwr{L zv>1#B4%e%5`>x2IS`?5SaNPP?_z#%WIK^+xNAmy=<{An8>+Tm${@G88rha6GMd+?B zdGIn(^D)(G^-{o!_P6c&YlReZ?fZ`${{fNbxt#lB#%<^d%7pu_L;OWnpWTN+o5Vp| z%dy1*D_c}k|F%adh zE6tq?yJez*N_4FvOz&@hey<|~fVn-`A-WJh@M)dF_-!qOOl*2r!cDTdG9V8KhqHuy zT=nlorvH~ROZ5pK@l3_9VP{kp3P|P}@yyiD__NwWjBh@3a4F^i8gP=<*;@+|4lUtr z!1HQE`E5RPL#Y7NeL5L7>_A5$^Ahb&@!Rb zpYli8BJ}@r9uzd^g<@vG2?sh!e;t0e$!mju02#U8uMiIZTDakHd{$YR;reAo!?ya_ zKMR{0_qVL}i=$#xjU@zGnVnjsRQ|!y_`Ui|7frNzrA!1Xsr(){`sB~K(*vSwzb#yl zyy~5aXu3tf`~z>4qWnwNoH)&{yOV_kS&ggLr%C>SI_4b+Fr#(_B^O@$oFHh6ptOe2 z&HtB0{~M=%dE+lbh48twy>9t!b47t|^}v7d4=u2NA1g8l{|J4b;`g~ehD6x?Iaap_9{|j=#J|1cebeEWb>`p5v~&1l@1N+O@EqV@{*T?}Z~J+JgdnTH zE_1s6KQOvtkG~bE54B$1*w7DnFsv`?4F0pQcKLtHI^}nNAk?{(AnTQkO6`AwaoNm& zgN|D9e?jMedCY%7=Rf$@e?jLz_}70y=RZx={QnO+lMq{~%Jy>&4xh<9qed_8kXVMb ztu57CN$y-F2^0JbvfDOCHb!w9=?jL{^O%|~+gB_$Vo`3+#( zKCTi8Tpv1~USs9pco=-~w(bP=h;{emB(3F662KLI4(MgcoRE~3?nGmC1K0vWNbE}A zf*PHJhYt^q_|hK9N&Ffg=V6X<4z^R|54ppX+OM2c^ugUgSTOmC^;oI?+V-ZJwl>XY zQIp7Lw`Iy2cc-RPAKr_e%Lc4&6Ng;77`c#{Y1 z`gt?X_PF9S1nRFJk!dHk4@@l`p4>W!F)eus8yR`#f1LO1UDe@dwC-};D8jZs?jaxL 
zcp-xyWy;}5SHk?YD!CF!H#+M~7;-dLC5X(~l#W+K*&4M4#C2i%bO~2mg3+z^9DQcK z$S`Thy7TfObnz%-9ZOgw6HS-X6y1?+M;4XmPqX=;#to?^u6SuEXk2=CEk7Y)suFp6!pGr` z`!1fau47B2eA0J}+nHLG69qv0bZ6YQlaqyuDFKK3RG?_8;A0`DsUJ#q&Rl`G%UNr( z8a8jx1CdCUIs7@@!iHm|rv09>7R!Xh}`!{*@^=1s!j9>PSIX;$r^7ODv%`w!q z`@XvWXt&|WxH+g1+BQKJrh)@PDMY8wvwL^HvS)1B@MXPJvXmRV9a4JjZ&upS>g7^p z^jlkbM}w}xEUOn=X>?2I=6$K|#a+(I_h)aB_QxU1{>-A;lic?&0@o}ddt(AA=GZaO z;LEOon;HGsqP?D}RUo(W>8Ngh%xTwhd*}OAuIJDy_A!3USXIt9<=dhnRU?*B6&=g% zXWqx>rtRW#pOitWqve;K-1560^JHPpcb6x*}mOWJ$|Q0Kg>~>%MRXxq(;iG?FPQI9wb+#aG&GNFWwO!A*+DFg02uWF?Wx? zq1g+-QrAVBtE&FyGRs8h%+|Wi76mK3utH+(T4x zH%;V{&*y`<33Em378$3>>Z>eg8z1+sp3Gq(RD=zN%lH=Fkmi%TR>IXXe4TcO(rx^> z?~n)>A3W6$sGVgLwm%te?AvMWo1Cn*KOsXT9gd!k@rxM--!dHLDvp?1#KW!Z^ zdtHlJlvGQ3x8wrru8)l$o!ZUn+d-$D<3siLx!ixne4j->U2V*8?SS|@Tjw66!C2#G z16FqecfM^RapU4>!VaIIt{7bz(15jki*=Uh7Jk-7K%RFY)cn+|Rh_3wY5mX-(|I8q z6Es+69_=}Feq@7G-6!N<`nUd0cfR|4HLy1#BuXb!n7Z9KTG<24o=J}Ti9BXX_o998 zY}e&<9>TqtiB3>tKiWbA83o#o#uf(wASW+*9!LH2j<$=mMrBrws3=jnlPkF8E6PGu zQ7$i2-o_;nv=~I3a&fLJvomRpi5L#P9>XkBUYQJJp0GQpQ7{pL#bM#fXK6p*4E4m} zw~CY_^0R}x>xz|{!O(reZj&Bx=5x^Kwcrbhqh%xa^c!M)Vus3IhV)7vBx?bU* zA6d8)a?bs>R_CnkCO32n2)n0xTCAq+#}nQB$_j`mVPM`-VusY+e-!~vD|52gpRHd$ zb8?7vX|TFBZBWvd?{Gl3ka!F@D>a;-K?m6{?MO`=S>if}&5V^c1LTHn5G~$#7A33$ zWU>AQ*jPaEnHiB(BqXjN-=Vz2l(6He%zi^WSNRp3tF8rH(P4TvVy1#?gokpaO%WxX zVa6MM3eTM~wzAX92Y-V}twwsg9LdVY@Y2ReReS^CJA+ZNzU@_zd+isq1u|aWJo~ZU z)*B>tYV@FSFf=UZ>=btIeGAR!JAy5FNR}S^pZ1iCtxvJ}Qc^g}C~p1p@_+-pw$0i| z;xU*OR)KNcECE;1ZBDp$2k$^U2cBh1Lhfjz^Xk~K6)E{gmFxhZ2uoP{KP4NzxAF&B3IUP>4@ zsDi&BApHvgG4@c5gfi}`sr&L6?fZs@?U+^NEV*3SrW{uywknV{oOD5<}y1QrhV>U19H`8p)!ACa+uN6)mHG>`vT^|{9y2!wfPZN& zaY!*0Xk{QKCT6|L?gO(b8^nyM1#f5ECigR&k2q1S6L? 
zT9?UuP?2%scJR!JO?Rm77VL|Kc|Yeir>Rbxr-HVZ@rzx}&6mN#I$pER8LcfX&+anm znVTm(yWP~4qH{RmcQ0AhRaf-Y*5qnxZ0o(LshQbRz_S;Oi?*jp&9_>Ch`F5|F25ka z{rmTw_77zP{Q38%hdJ?}`vIi~YQCFpKZdM51c4e=!#gc)bvz15eKJt*LvI8pi}ROF zxiNTQTNP)H;><-O+V`kIeDrW;3dj#1eHbrm^7%|eOiZjd2Sr0pLL_f;N}B_=rJ<#j zg=Z8!Ar2`y&FY7uT^w9jhij)PxPy<*lN{opYM3kq2Xke`({rP{*J{ezQ>bZZ^4fzh z30DZqpDHyb=})76CN)gy5w?TYqF0sh>~EDbd~DOdTibov6xVMr(miaEZPXf z%i&p*lh#;nmR7il&RWN@LF%^ak%@BhtwxH{&BK&V%`6uu(zu0`$S_Pa3A4OON|vIl zvbn&?6zt`NwngyfJ{`jB9MDqdJTtf7Dny<$giJ%ihubR`RxPBqpQx|&Vhf_rH-4JqWF-W7P?MyKdeu#(Rp1jyi3l;VkypXD1j^p^<-jP3>?F31` zMz1|EbDkAB+pd>ycWv7@Lw}2tp0mk#pOS-nzKVv%h&KOfR!)pB8Hzo1tyO7i+kxV_ z-+I61OzV*!)lk8`i?6&X7Wg;V3};(g7&t%vO$H+@xZmHM#pdoI+ArGBJp#(&=WOoz za2?r=V@<2s7H=akC~SZF0>1>eSe%WO4w_fv{-#{j^xgl>?t-FwSA$`^bjCjK>~b)U z9~3yXY&{fPmu6TlLsFC#KRGaF#x)VfH3WioJzJKE4JNLZu=$1vkL9ArHQB1pIUS-SmdmGbddil|IS zf9grm_rYff<({UgC`!$C%7YB6De;E$;?E>jtOlX7WL#cwJ5f^7q zH~CD4I>|WS(q$ei5fXwYt4%XgaxQ4aMl8-cp$aA{g1fo3#K0~PWK(P2sEhK;7sxue zzS^}x*g@LfgyB2g)eZImxCoy)0b4n>g9-0UyLXC;de|A)P5^Kyx*;|Ry!Qn1ZQbxO zbU!r+2VB3&BI|5c1=)C$d9hE`xC3wM`p$x9S87=mcz+ zfx$BN!Kcer!JazR#)sWW%g3*dFJBONd}tW09DP;5a{uV`kLMtlK2qX^W0O-oVM;B&C_W^X#H4Oh}qe7WIzaZCXibM zMfPFBEO;^18VQ9fujYnTdn{YZpm2+gpeZTrb{MR6r-iJ&dCM1Zx8DwgqKfx`=5YFM z#rWVZAIKt==_X7Av+7P4<7G*6a57~|evlk&7x&_*Cbusa_@alMZX`5aOXN%#9(qmaMz`kqSDnaU}+{eqEB0h7BAuW18ocfpq~|IPv`n}Swf=vMTk zai8>Jh>kCGL0()(GuC>?=WFbCR#H;_iU3p4Q~~1bK^MqndiY_+XJNBfT!OZND!AqL zi+sXU$p;f?mD6lIM2*h-=xjgRx45o6>kM25FO0i-GUQ7W%!vp*J1tW7QDQxnZI?!f zw;WC!eqZH`ObFiUGHSBu95Qf@8b*H?x2I}Eo3Nbj88$6{M)Uw_jOX{$4ci!87l%J= zZ%^qsKnTCk%+aQw(V zCP0{apkG|?>az#b)GwctB)Y7NTwZ7Rs{XZAMeM@|k;D&>+g2>^Ia7NHyU3N%KhpLq zrX081CgdD*-nwS5W-4-`2hwqK(Q+^I1N04FrmhCzMm6Kjx->V+d`_zSXQd8y_GPwb z+7LCBr*1bTqx`#%tOoRknxCz%Nr?GAF#ifi_KUWD+AC}R6@>kq`-D#a-TMBf^y@ED zAwi2v(O9ZfQB$9(o42Y4)9?F)FHQ4}POgkGAMFH%^~7d8An=}vQJMDQqz(NtnMv;8 z(_Im1(XNa)rWvIx4uvaCprA2e!wh@R1tAt|c6;yZHL@`~n>xSTKPcXh2YH-_uD%{! 
zD5zB0-YBd5n&Be2G>|d6k~H-wETa$4UQyB)G~_F9TR2PvcruU=>Y+vN znl8O5>s@Ta&Z#-S0zbVC)Z}_Dev2QVyxgFqVw}w-`B@4A8IACL^$K9GO%kiqpWH9{ z#F~!CX*xDdM>#@CrAm8rl}Xs6PGX`0XW`$n@cuqyk8V=wp^gUJqW!d|4z6I==}A~H za6?IhpZcWn&6psg+wL@d^RouCa?U(A$%>r|%N`Cbp#lGuf%NQyS4L5F2sQdC)lZH@ zA1XY5@rEk~0z6M%&iaUHz8%P|ekE!J#7@sg4Nf&|7FPA=TvvK&=~*FSH6Xg;PiI(x zqPKP1LbM84R(9(v@F{HJ@)mWMGub?`obtYMk9XaM}ee5ukzxZ=#oW;a2%e&1yuP>HZ4dJCsBU99c*+sD2;qxgFxTw6o}{E=BO-wrFcez9TPI= z8_;AZ5ql`JQ2xB_b0_QBLFKlI>0^qkJE3aSp&fc54~*uXy~E^xIZ1%3hC7cKM?c*E z?EHFcqdof4QzK?kpvW!x)cN^srnc0LG7-Sw;PQUr#;6#i^B}oFfop7KaER-niFsjUxX&z5x4jaT{6Y~A zxX|-%$-tGDgf$JzmD_eh>1sjT!K&;*!Mq1-GPyZvcRds6S!VQ~usO3!C-fNDe zk*6<6G%f^4;fK*zj<(o-7QY&lvs)x4Z!r-5@tFPLNY%vy`x;8c-V6Jcq406TI4=2Y z4F$>X?z&nrv!6n>Z_fsvYZvBoZcR2uUoSy>AdWbp?y$Td#Q3jDXCYnXK6+F%c`&E= z-e{A9*8cXJKs-y#yXZx@On1{ZsRUH$?iMc46>x4rc3E8N7luZL8-%+$YkqRMoks*8 zF+7}b{Q1i{vl+!J(pDWqVRO}je*JfyBQfL&3+xk9okU&s{E@MJ&KQJu{+3B|tI<5RhUXLGAq{zyYlV0JiaP~J9+Vn_pph&-%DTiR)VQc@Sr<1OR~R zQBe+_%)RIRgQQfiwK7e<-udT8xnlQ3p}8pKX=t39sk^Uk!52@u4PHmo)e*Y)1~5uGmOV3R2;09QuOR$Dt%sIFyl{3w^%?I6DK?=QgwoSBe@xH z({d|a+VQEGobP=*QSDF8JwhOa$anvMU;esw(C9r2#&w)~J`nyGH&yRX)$n>u1cfDT zKf@mu$~8EuvgdEf_Kj zeLRYq9ku#x5|4sW7%xs~)&*?}L2F5Kcx=E?HnvoHl@wy|H>0H$j-FM9pr1eXel(5p zTR(D{slDQ#VDP$3s-|KVDZSz#Xi~_8Rpr3e-^WfTS+7vqux-^yN~{b3V{2;{ z?-dp__uC|F_EidfF-5qUj!JVHI93ag(z-8aupgkVDu^4^`6y1@;@Y7LD7P*w_RpKp zphQ$TuN>FTHceH!0$4umE_EM=A`91IzcYP##Xh;+*vWsGS(7$FHKAs3WlD63Upu|w zIhjwRhkXi{M;c3ZV2|%i|LgYUCwFs0sv^XEwx*#|iOMq`h%AkrxMtZEO!P}5K8}pA zni@bE7U|#B(8I!K%Fo{(+A$jTFBmMM;n2THfyk|6Ai-~VKIYVFitZZL-6i_cmo=)fbRX8ErBpBvUi(#5OiK*3vd-&V^WL)eTo=8^Ml$m$deN+C z6U7}a=i?BV+$kz@w%ueQA7AZWEczgjIS1QjdzB?yZ^7KVA}R%j!_$^~Xv)_2 z`bDgz`W(CJWiy$}s^$_G!6`SM)C7Xz#gFqzv*+A09x3GArXw*Oab5RGHGb&#$+MDW zOqeghCw4ZRLM1!s2bHa^R=<|xFADk~bzq{EFKYu9F^F@~iO>U|Hp{ zwp}(e8qX~UB#Fxrn_A+{Cbec?!JgO@OepXJ{F)-ZMN&1YbVIS{WR*&A(OEzL*xEr{ z!SHr|W|3wVwo@%iXu(Zz*u_+_r!Vbi(Fo0iIm@Ex96n7v`=SPe;Bgp!EOzVG&#Hog z<$^Jx&n@9ya@#Ls`{Z`~+JVB++DS)+%YL38Z;C4EvX}$)o*p#OtmJ(kv))=X_N%Bs 
zDeG@$75B{h+1Ach?_OUDq?gokK4`APao!?-chISpbAQF}`UhS==9}*pwt0fN-&C^cFJbr@K?KzWxMgye;JSM=o z3t?63>FQ(wD>PG___@4$5@AY~VGveYeHe6qfaUZZCbpO9izz$ChsyY}PN_h8f)()< zCYO^ZUwPV1o1GpHXtV1bm_+}GUj;M*)$3?S*j49)Cox5@XTl%rJR3-8EE&{mQooZ; zsTJ<&&$SSY-fq)aA*rKBJy7|?9l#&PV2r6HrWm22+2nF`D9&%J{a*Kn0bjtgW$_z3l;CN z<$?{$m7KM7$I4r#Ds0|L-s!ubBAtxK#H58e96hRbnB4Qofyp zq!j3Ee#?EsvEusJy420L-@P|VHslHvHx7^tEbGw$fP!$Hqd;(z4wJyUCfItl{4WQU z%yArU@vPn~3&UONv%UWfSItYD<;dvYl>4xWHU{gtQL<_7D){n|GgKyvwwM#c|0{Ve zv;Nyx@BJQc@nbAsejs*hB@@$?JWkJnl9SEMJd&f}{7eoP*<`>bkE^?Zcx4=?zT82* zlH78EAI>*%{a`NatV_Y9=w{|CT^*8mFElpY;IM3JlHmAQS<&rnp?1#l-PGpxl+Sl# zuYS=`30D*IOn}9Mi#%+#Ua)%yDMIy@C=BO@vgJir?8pMcXe(oc&3VtJ0e1%i4%ePY z7rT;mGiS$4=2gystVS&A#8lbbiK;R;QtDx}PQ{$16%&D9YZ`B5UTQyY0rohVOJ83G zzh;QeuZb9%7Sh>S*a#+XOE9F8-`Z-&gi>*=-fnk)_|8$4S7wY7h5{(ImU5oia@MjC z@cZN8v`5lx z$Xa(w8k(!~1d6sDFxYRYp33MYfOLdnrFo(Wt6~=JejEj?D&sj6Wf#!)r1i?D0asCh z$Vts>LIviMaZul-7hQweM6a=d07TiziA!X)s_Cv&VCSsXZWg*@2nwRHBxHqZ!YyUZ zp+yDFx{%kJnYG^}(_d{*H4Hids-xYu$pp}jFRKc_8@|=iTcoSzxNnoXSqf?wSNPuO zz=)CyZfY)!l^YG;W!k6!BYC&RS2ILME@JhIN?^sg&a@7bM8E?R;a@MLaFL^ckw`Zy zMuCv#S9Kc&sYPs%9zKYFG_JB`kFrQvJu5axCJmwkwIwVX+1b5o~jcXzSRGOWZZ zVvlx|Mr9#mqnZ3b518HEcN2(h0xC z8dRt=rzEtQ`HjxYrIn2J)BWKW6QjYK0~g!u84#&0jVU`X5W|^53 ze|eO3*_%HenfcWm2^i{o@!<*1U^GW@yrD?QtSV`xgf&U~GQ(@g_{UV`gO{Ek_vk)( zOGQ~%HUZic<&5Iofy5FkV~jm<@sINy_6;iSuew>2_BN=5m<)wM-MFFM0Tq`h;RYa!zlXP4~%~ZzhV(Gt;}w zkagk8`AC!+>L6>5I#R9+_+BV*XK42H0IOx#Fi+WZ?SY5GQUg|c;_)U;yd>ft!y2R}5kbPbo3NaJPq@bH|u?Kj_l zu~pXIwrms9@cuZyT=}Sj|NW%ALV!Y-F>%y-n(yLt1>$9jQ_n(B`j3Jj-=je)t&7;iNbUIBmY+G} ztN~D~FbUD$HfPwQFJohN=P9uuTXN#M4l1fOx8O5`@ew`E~}BgN}&al1OFE5y7? z?htS1t)K^5+^CPC;{Jt<=alz;UWqiP2bs3R$YBp+`7}vGyF~?60Gu>fXO`T*;vXL_i!` zC8fJV8tGI@=^nZnq`Of-N=iz)TWRS=7<%aL9N>Gn^}T-2=kq+jweI&{EY>=+&p!L? 
zeeG+%;yTs8eqMC)_7b+JkZIm!L5`pGu_mH(&rm=o6p#e@r728c>a@ywn^Xg_O3|UR z1Vl+{zjra*A7%U1@Ku>aVO{0o3SSI!Y?4&2)gid8M)RW(-DdqcfCTDSu2FBL^(URYKWxVpAzyO*&=0W*tSLHZ#t89l1Xsog{8-L)ojEM4%}Bl8mI;|h%U5f zr}dyB^LL?r(H>~MtAjX}@UML=%j*n4nn>6EKHWg1SW}z7+ZZ$9AtxdH=WhKqK_p0y|7BObRE^#nP1kU;?O3LrxubuwxC|eswDRI;@eM3Z$!EF^y8`1 zL|$1_KJY!j^x>B6m(>_Yrx}D|u0Vc`;wCxS7$T!Y4iZ3jF^b7b`KNb|N=vw0-7#JV z_`f<yXGrZ*Y>RmR1$oVQ1YLi*%K`U$YG_(boEa=X#Y0-P8jhNWpOgg%z#2%iK-E`39C3am6`^>Z`+HiK!L9hVe zI0VGYRppTlHZu}#SpyQfc2S5hk~80vP5tBlucs3$vBpWOv;jfdxJ% zHl8-ZzZ!Eh!e5i}QvB$U_XQN~F<5PT)5k2>B%_W)*+MUrc(vTeQeAzC!_c$}ubX;m zTN~)+91aQgY2^M@tY}l;8+t}s$|Cl*%w55!_2RTQo8AjaLD|~+C-)izifNOuK1ME` zWy=A*EZgmqX1&itev@{UAHkdo`uyBUGmLx_rZ8=y8Z(8Apj&yADZZkqdAJUVjGl^q z1L}uQXurm^6axr4%;F-MkDIQNKW%+|qP%vB5*Z!W`Lg@Ga6RwhbO!qy@^3h?K}vgc zn&uPW_}2Yi@3UKL>ArXSMEc`cd~N>&9EA;zW^RweL(LTvoQ`jzmwOG)?;$4V!fNh&%yQ z%VSYTt%m0L!2~P!A_zAD-nidVnH|FR+O4CHGzipfK};S@oM}uOvF{sv_}DV%3n=(2 zUF^F?+h)d$GgoULk$gv;&gWQ^vv6L)%0)f_w+NCIAsJ4D_oAZ%J55Y5>K&0NntOq9 z=mD@RmNvOfPm7zK-sU9o7!jZH3|?EGH2$J{)#7|(9~ae)x@5}UOVkT%qx4*&h~};M zl_Y`mb_Lh_1*BD9f|say7I!9X>Q|(3Z%PEkJnjtbV4X6OP5M5fR_W=q%`;j^J%HST z9>eK%dd}L!d1NV^VO6045&_sCb$z9~>0{s<&KC`+7LFk(Hd1-p)l0*QJ$oD@(pH3~ zuijOAM9NZJ%5dS^Mw6T+W%afBxG%gP!lC*)cCkdv6ZYb<>0w>{e7ez#XV2l0HX&2C zSYCSrV-p^VSDB=`(~d!(iYD#Ml$z(ro7PCu9}2zlH*AM-b)m6TgweJK7My+imJh>L z;z<_{yGKCRkBO?zjn_moysipJ952zt8d=J(jajU%si89`$;^ zHa>l59oRsgW-JK*b1mHX$}ydM3I;E|X+E|m-=z#YRU9{BWr@z1w;j?QTqN$A|9IKe z!ei9*?F&fhg-+Qv?&&9)Y3+kkzBUI3OplZm#U~=Oj!5|F(~hQ#aro4N^9@M$$CvT| zi8Igh;kA`u=go{2k^t#KL|*!j%CvZHityvW{7^gLU^&xQ<=u`g+@hU_m*!cA*v8+} zwYp(~zHXNaUi!5iK*may_7$_XW0QSx%1XhkucDbd`q(L+s;&GdjyK1n_``h+_aBHK zR%DbCywYz^0KoA-yi4|Nbc5xnz1JFOXL@@Rwiu`}g9gnY>yE zPCkV1M(5zTo6p%MA-MsbP{xT;svwu`@b_NY9@WT<+d#Z0esrxx9J_w+vvS*)T@Qwr z><>}T;IwZX0+$5DFFS}2#eR^Mwk&py)rQ7=mEb+fkU7MtRdKIr{Ene5r_aM_m z*<^pF8smBC#YX|9DS6Q}OJIyPIn&HMW8Y_BRtGkTh1%(uhizx70Y$Je{lpW{#W@nl zu;lg7NnW;P-x9@l{^%N_@!NIFy6ti|up;1bnF;L|ERhhGB1>$J?G*0pBfbqiGRp{R 
zJBLg|23mM-r8Jcj!1F~%i=%EVL&1}Oh%tWW3Wj^%77g7O0 zPK9(vh>lw~Bqe`e@)?5PK&LDtj61uJaG&ST9KONY`g}fp*t@)HY9Nqq{+w+2N3lYa z!ZZ)@Z^yU{=+!Sq3nR0ISDi|-d6sXuf$xGGv`pWU-}pJGQchp}Bz=%0Vq5S-Rv)yZ zRr+?jZ5rrZ`FyAc_E~!f3^wHWy8>lTYkL<*xbHjc=OW95gd6p=IKw203rzgFtym%n z_CDT-oq-l_30NzuZvbktF7RbrJPFKA-zjVbzA&TPJw^o zwL6)alg&r&!SzR>GgJ#GNj)sat_=fj_)7q$*5jkx*%uD^0YT=c&1{}L5Y%JlkWN;S zKFjE8yG6ygZEhIpkUtcBPfGL>1VZAY@GWavve$mHXmJ9_TbL_|N3$asE8fUT@L~E6 zN6(x2t7>}HG3?GY4*intmWHWpe;y$7o<1Vn1af)D6Myv6Jb>1&b0`YP;xyes=`MMb ztjY=PAB$>{uT4MMab)4W3M1?t>%ni=T}t>7nNE6GYmoT*LAwrQCsVgx5eIJ>QhJF+ zl=(XN5ns^5==02(YRikRSdB~daBo$l2deuv?rTg+=~x9FLat-}fb4@wGJF_=HWd#J zSs&C>FE*WfdQC}GX{MOH>^i%Ka?hFr%+ML-Pdz9AiNz2Ji!A*1z8Ty+3(c8bf&|H#IGN+nytl<(6KWLn zXVbJ(ACsg^8VV15_;_eAyNzdIr4IPmL}nQ7sG8CvE_-pKa~vaS5y{ow&-Rz)IEPo) zbTFDx?>m3o0`=r08Z5>{Cg9PUyOL}M0F+xv62fHrePkhP0jJQfs$N9n&Vy^)!2cWS z9Uyl2Dh;c3_M5q}U^j}@ixw14qxeHV%5iwlPCzeM?r3({{A(G>X+q}H!87m}GUBar z^x>^I<Q%{Z?jyD;{bSjKp4DHR&DRI#6p65&^eBZB3+GjWFI-QO>^TjM zuV%TXFQ?{S%8lls3p*0QSW8+$o4 zbRNGt8Tc4*+HI$>0olKY53%>`D*Wk;*tKbUK$JH$X;lq zfm*{Vh0^A*X8C+r%fNg0N#P#-ETezM;IYT;7FjEo_nE_3+i2w~}HS%gH9s zN7I4yZOX-3qBok~-ow`e?WqMknJIGS97rIck6p*Ae);tIHjk3B@5p{(wGV@@Oax1h zK-_b|LxcM0*$U2HRn2C2J=0QA&x~d-zD#T1W{Zgg-!kX>MOfT&RBp~X4jy9nnw*4Q zQ4E1PRPpdoD#(yNxWA@qtJKqw3;HMuWXxp4YI$Y@qNTLvTLWSYF4uZAo;o}>U&EPu zjrxc43Aog&J#385Zv`O3p|t5TUWP)}J)(uG^>K&D3V_yOq-wKL*F_9Rpw{Nw@nE>p zxO*pwv2V<$%K%msFplYvI}Ni6x@r^f-K?qaDgzp`8bwp8fLP@IC-Cm5EcRS^{-2`H zJ_>@0Mn`9{7QX@;*H5IQPShc8{6S*7P@26EEXzCE4AszUcBz14?k5t9ZLL%+54niL z^87$|7yh+(XjDIa=9zaCShyeJCxCFn^_pG{`JB0LO*U%@vas3y$uf-CH;nMrH~P0n zX?yD?Ei5({>Kd}r!=A{~K0?RYQQ|7p2nEj%jYRcXseRVccJ_ZDr2Eo4J6=H_?d=83 zxz6^~;a*}?YOLq-Ti4Iyd*z4-3&w7d zdZ}ci>%Kig=w{rm@L&-+=WLQ+qLikSbLpd(^WNy(Vc+$5!zp-VjY)^>8ei#ArW_$- z-Dow&c*Nr+l^O+O&LEIMOF&8Unxz&=-A^Jsm`&()WFGG5+Kvkai@r#$^ww0aaPw_R zYuODwt%mgy$>=KFRw~pkUAmS1WySdya2AW3;V|CV-p%q48ornccjhM6u5c!=H!r@g z*SSS5iOnFfw|9G`fVA>#&6jfuXoe`78iySHa}E!pX$0_=PPZn%LA^a@-a013@s|oL zIZCiEp0e}bpG=!Fs@9E!B@e3C+_BhQZHDvdo15(82}~IJ|-q_ 
z=*H&H_PD&{R}Vkd_Y-OvKn&r>L^jD25_NMf&Mkh3qtp6F==BP%w@OI^;WP8Ms8kb` zo>NH!>t}+1qI`)?30S0Rk^wNsru<3nCWzb%fu)L|RMCL-@k{Xppb^`heE|{<1Mm-@ zm`n2n3Et5`^VUFKKRVKJagw(DZhj#-rY}5)*v}F`08P8yV_T$A@Ww37`I}j4*%Rtn z;%D}FC=RdwEF(wjPZV<`xB&T&%)tHObWf+0fXFiGsn{jH7#=oJLwypJrM=-!mZ1Aa zRO233=gd*BN5jQ(IIy{<#&mAJC@$0}{$AbEx&S>VyE$DqKv^cH)$=&tA>VS+jX@RH zTvJ2NEZNIBWr5_Z_G$6Az4ZQ~*SKxqS>Ed2SEODGeZBkU5>l5ASTOmG&PMZ#e8+7U zcnW?*^6(GhB;e^~d|g?=AdN4mtey9O@tFh@Y$xh^m2U^Qm=Y}Eq;TfpfVufsd(*CU zXR5u!v!l-;mtmje=srQixcWow8gZJNA-HKCTLp)4k<(=RFD2H+57qIOO7F}B(%iq@ zb&#Td{IS_3E;(>+kmrK4wZL+tUO!ig@)F?UBLLF#+nAC76SK=9sZE9Gb*F5oJabFH zpz!r8Gd72{)DTg! z%-NBp)<-Wp%VW)U@?$f*L~=N6+g_+@)rl3^N)#v}lkdxK71}ZAor!fvWz?~m*SR1&&SB4QMx6b#Pxi~J<_&ea~~|Z*HTo+7fNCJs^a=W zonXm@Jf0pBQ@<8Jr5H*^lmO zRFq5IgRnmG27OIIxxgrmz^qZ5GhKcH;|)v$sC!o^wO~Jnt{P?TPkK7*xJicOdPc+% z4&~Xdyx97Sv!^9I=2U6@Pvc{wGM24=tqnX=OC0nmO}s(0rxTR1wl=JqRBod2C<`4d zwwns$xYB*sDwEv?#CP8u2l-NNPfLANO4JVgy}NUp@>puQZsCc_rnR)gTVNNJ%{dFEx9db6iUEHO&{*^mQz7izl%{0*-4p z@X&o+=M<&D?ic$a` zl3tP_+#@Ko)s(HYwEN)3PCHOIsrys^tOmY739Cy6p_5{T;i{#Umv)imCqknNMR02q zq~u)2Xm6zmot#u{F?XUvR!!ITz-s7i)k1qPZX==)2YKe#r9!6%?H1ebPai0dl?dG6 zFu9y@HBM&hrpXqsR}xJsbii^b*4nMv{?tu(6u>)v3X^7CZ@-FYMK6X?86Zy|lSV`z zj^m0THrn0^trNk?;9-h=R=c4O#JZ!CByP)PCQ|u!z)NE5ZYsq#epQn5G!AXxB|hht zm|mW?UHi%X>ku;vW8r73;3cR#<|yQ{bIIiH@K))KPtNsAFP6jGDv_IQS_(KM;CV}a zLK8kYVcg?r${24vP#<`CR}4t*l!W9IZ^bBq4-+##5I@L6zqE(b))QTB8RtQ`CmOwJ zNYSiL2lLs^DOh_rW@ntYBPnv~UFOh~d{5LZ}GRY&`OUF$|b^n z{CrIyNivm2P$07n93;ZFMPiMBZNx>7=G~j!yA^^do{#q|f>_NFzns+K!%QMv_{*I@tZK74|b((ni%8i2{))yLxscmC3!6;Vr{Ae6npYtZy^Ov-)UMu>JO?xlD= z9^vYexKjs(@zUMRPycU1lqJR}xC`FvG)h(z1rTCJi{sD5r46I!)LU_p*ef6k^bz9Y zv)ffIgZixH6miiqg(TkT6;v!A7D6t3a%WgSy#z1heArB4+Gr#^{PT;5K^pny5WDp5 z?gp1=FzqCy!JxBLApiz;cn)l=Hu~UG=|cD;EodziVl0mxf;NmO=DB z%2e{Gc?@uPJuf5mGxTp!UgsIn#g^@S-d0&SppEDDj9>sbVO=du#lMNoC-wsSWW<9IkBH3Xj?|$yh=CkT- z1iXw!xs%A3mG`*N+HM<=jxw_3Ep$B~pP&D+#5FYpAag~NC>!S#7QZ_J=@&#H1TZWE z-Hy!2k=B-T94+0q3IWI1Qha8LFYyQ0m4LbFwvb@1)>SSQ0P{979bf}CM)yWv;cSK; 
z4_=NCJNg8Ypa)&qsS^48dKGlD48N4G6731| zLb5v5k2*#d!$s+aZVf|PJ3H}d15a0Q#HZc-RB|4=MzTTcRrh~>slzj4&sj0c@U~rU zM@lII^a?86k%70Jp++pINHJLD)px8C7fK>GD{{oN^<`rdN}0FyF;6W#G4dzC(j{&_ zLQXv_y#RUDG)Mb7;B`z?XK;pi<4THIjM6xd7I28z1wKH@q5@t+a)hcv5dpHyP0Obi zKUAmqpz$x;;5JXgj&xR@c8{SG@=M=D!jg=})CEr`bs&v1^xW^v0e(x?Nfj040pxh# zUDc#Y@&YB656W_f@UkN3BYPy0-JWnzcip$^Yd4$6o5#?fL|N@ZAzQy8Kdk zN!%4LO*bZNOiP~uc#B&#$!Z}$f;J7Wh!pA}5Dq#f2tLye5T+l|?%ie)mnpp{i_bn^SKq-pvEb&FE^c{!Z6i?Pt^(Gn1OcYT)AK+;k> z4Q<*RlHWe;tXXWcyRWj@K1?=JwstdEqg6K^=>`B>TMj`z5ux59n1mEE3cBiR>*A9R~Q;pY@Fssy=H8-i(tAotRs=nwJYE6`W-Ff zIWz{4u-69@NW_1M*?0ZG%fQPfw;dC|BsRuCOcYNh;E(oKq9@GrGbLV)n3=4p(BsY* zaxCPRkZWlH&kGlwL%lu0S19yQ%np?EaMVv3NTI#7EO-}z8e&8sndg2 zF+3@6$bs{{Hn@}cIs_}v?*`><66K7^ssvpC2B|;?arD#qkpMI-12fP7lwtizg_`uxd1rRwlWWq=6BPcY zR8pQQioG@00ooZpA0ng=h!DGL&JGSNgwlxgC6JLU)Zj8WMO}gK0NEgOzi;jW;rQ?I z_ErI}YrIh_lMGJ(#^yuuYf0UF4*doFylKBz2>e>6llHn`#`9+2@XOLTDy?t5gnqE* z?i3Qln_|o>O!p$gLg`H=xwa9Nubfr_u*2B2*qnvi#Wu(@E+~UO6 z$!vJ$IRwuLH=FLnT0|MP>khE8_|lgb7%9S?lD^(3QB%*_GWHmydEi99-x2earrg_7_&>aC>yf>u@VO}8A@M#6Ev@-tt#qldAb%Ja@`wG7T%DY~~YB-uI`n`+`MJ1b3E5A?6 z>#dn8OQe))TAaayo5!dL&q=5SL*D#M-#2lx!ONLDf^v^kn(2NsDb>l|sddr`J-6!1 zL2w7VcYZie(Kli?;E?1hp=9xD&oH?22k)1W;5z%)2WEVqDzY}D1;s;zECJ0?hU#J*$@kw9=@G0Y^8pd{^h8>u( z%r55|HKM+yq_j3&C%{5!Y^rmZ(U0&mt_bYqW(FaDcv1=mL8wUYM5Go!rWSUW_yzgA z(YHD6N0{l^Ka>Zx*4dFXz9|2(&ih<=mh^{)Cf<^{k_#UncMbWAhqaY~0ZoF3Cug#F z9ifcR#eQ3$HhcSN=Iy@x+C_u9TjH||A*4laC?F7<(Ywp?o({vJs}?~R8b+%*zsrQ$ zsFK`TXObge;g81ai`{h28P;htpwHrcsuZAG4+)?;@52O_az1PRUir}%=w$Dle*5TP z?gK}R!V{_p3jC-G_f+kWEBqZ5pYR6VL#TTiO(R|S5m3lLwM6(15uW5) zwyPj?0KwX|_aN~@F0t#RC0?N#II@fnn#yABX``@M6e#PKImt8dO1?egy-EUrwT=^? 
zo?u`ODPA)v2{QRvanxU3u4klmGC{2LFAi8kPh9Sb;5DIYWVl2NGtsw^u0jHK!?y=1 z8&#yEOGZIAQoOUk!Iv)(Bwat!#rxTOXanNj8gW>?4_E5AcYIDHlQWWH_qt>NV3`qb9J5#=MtT`RubWvsW8A`2Hg>y}ds{#+|8rpCovD$xml!WOVv5sRd=c z+aZb>EMKv`n0Bg(0x~GsQ7@t$Z18}TpAetiq!m^0F})7CY2QnDptR4xwRY(#3x$8y zGp!ifeqyH?s01%}xs}KTj`&eGV{IJ*Wc6i;T=SU+eCj&wA4;WbpqoL2o}J6DW`>_Fy|J zt3y=CZ(jS0JQb|UD=KY>BkIq1y`Jh_Q{w=gKuUVXX(?sNwp$VW(AniD>Uuo&hS4nA zqYY^;D|N?dpa1Y}jb<7ilHpIdP0jr#CjgS|%ZWgh)oUAAl~X6W|Kpt4hPar7Mdq$Z z9ZpN-jCa+Riaf;i1KOUeBfK=jbiN`3UxawNv|7BTcwP3Jj??XtZw$Bi?X>Z~iU0p}l z&^YGQYVg+5C8{I6L5o$jM$ST3C}&g8(Y&;3FV;8TnjlT)zGYxAQ%U7mM1> zP_zg_X5Z%^lhMGusPA*j(=pA2viLm~y}>FYGLU^*q5uy)(va8P3{LAGX6xo!0Dfiz zbIr+RVRHRWPNx;r6%j@jUgxusSgI{sJmXYWjA649K%hkVlGSOoRMZ#oZD0q5TefvKifihoNmwff5{uum|B~Xnh+7Zr{UO4S#b9Eug|v?oGquEfDPFu zYv2=u+I&Z=!{y_KvoA%F)01B3bLZ+OlgnLK$@LtY073fHvEmD>&EDcqfAzv0{}Pwn zvDYvyiG)1ZGI2&W63@3O-$!sR+aC(&hhDG5Q$CK~SfxxdZH%1RkO|!EA1vLeM$R}Z z2uz)s=eZx>rkw5Hb$k-(D1a9kls-D$oqLVW)~Yg4|8c;kbKgEUS|X+vpo$e+Z#_cv zJ#S8*o}(U{jxp6fVY?i877@FlWfRDLx^b3dl^$9Qwi*xc3Sg%>Bi{*)kmM z(KE~bciGoirF3Jow&>n~W1D|9A%4IWQ{emD#g$uI-H3X__>G-ILH^XeT)iZs zi|zg1e7*(NOxcI*KH`~UlSI9&HAY&Gnsq9FH0A0-+xmd0kLR%=w8{15kG9YIV6Q7G z0_mpKi(xKbP5QJNDuOFAOGPw_Ujr@Hx7E5AkReGtCdFe+3oC?v_QHUheF zHPt$37kO;H?vaM#1Md=4FzHM1o1}Bz<-+kf+CTm9?%mFen&%rAL{Au><9{eUO^U(` zN}*F@YoGkSpV#xoQ-px39l&V%qn*fHv>cOYBA;z!bs)qC^H!0VQh0I)(+sD?*?hfT z#T7$PM4qi-dCl)u6OFUpD@^OTL8G>fPTR6uvP`snFXd(x#%Pp=r=u@5Qfe&PI_RSS zV^$|thT~;u;evzY)`uVbt5;wMJ2RAB4gT}>SiQWf$88{SWM9c{%EUYBTDI(r*FNZk z6Lo%d48pn-Cyme>+`BdWE-b6x;g3;Je0TopgMic`4hze-3}+^cMn2N=T&RF?`VG15 zUy%a9nro9T0RBei56jDeLxsKT;9x7SAu7=Zdn269J@8rkWDpr*W`ul(QhU7o0I=1JJX(+ht2HgbF7V z(X~pFmnP1aj2Q=dt9Zltm3}9Td^Z8lGaE?pz&10# zO>8_BVG(bHGB^W?32c4jzhDfb4j9|2`ab;tPK)>rczFw4KNCQ$WWeIVOP1Jgs`zlA z1oX}giCqy2#P8q7PXl@uLH}t9R>9^bDB;cZQJ>HaKzvGzt5gr9N(5xjZcP$OqH(&$ zQk9*nK79??ci#j;6p63we11hqf;b?9*dAU#MB|yc6F$K_*(JHI+z<=u49~5}Tmmke z(H?CRLi{M~{P-A7&ppAmiyR*Ak5!`emQ&vq&*ya7e$g&q!+C~SQRTj3_$e@;z#5&N#$w 
zg$f8XMY=U<&7V7-@;Qt@h3Q1_&C@Vg_qR8_NEg3rk+5-SC{^c!4@85e$g_0!CAiSG zn_eCl+1fgA2RlBd*01}^sa|+2?ea0Swb|nSvaXOu%YH|YucJqr>`RmHg>@I*zL6)b ze2L!c;nA*rY4_<_y6x;yCoxe>L-L@uNdO3!9cp}*$~Pgw`yj%>h9HN@6v)tW?h7%9 zS4g-iCyT3F`2%zYUFZSbHPaZryZH`|fXQ30HC#sKgbYE=nT3iF7YpS&QN}RiBQ!V z97dq}?4Pu^jqV#KYw7YHqAi~X28K7Kk}dh9XfiEhS_&e2XcN)91XGcs;ch8S6loqF ztlE4^zLa=0@4fH6-qAD_`Vv%%N%%_UbbI1Vu=7LWVqa-XR=wkTyvOs=cs%rnk0Rs~ z8DweQQb8++AA)bcRBxy9kL7vP37j}jSP1WMwgP$?8`^Gchwn1wCj>6~IUj}_mc{4p zsZvVLc$MEhzB*z%DPoVj&Pe8*m1GGz9k&7?v28qHM`av4|M!s88MZ=Kjbq+tJYE6s ziuifAzjLIGg9mTi~la2$Ie#C?yg6)#eDvpXvcr>^9a`sQ*f!9=-cl`vnBLAb_G5r>W6!} z1&lPG-n%OH7ZV;JQ{4^l5N35*@-!+4AM@IYn9u=u^;f-FDC^1|{IGd_fn z>_w?v@@9q}uC2r?tpUUf$dH&xUwq80pWPf#K?S_DtEY%H8Z&lfd9&w?2#8S*F6QC%??Y+?TxJ83?2(ts=#f&k%SL>oi+~eJ z+ea^rA=of?^vbkAChtIfsAr z{z7!wjn>*`DGY1Tvs#EWYf9akCN{fSl&<;&lyoT6s*QTqJqA%(UdqJfr+r&{Yhw9b z5!veWw(;6)Jp}-6_!U|WSSm15M9RxyE#+AD<0Tq;14>}kc^^**`PgPYWASD|Y<7Pn z#teBY4tU(rHkkjopJQ{&YZE+>_vTqCckL`P3x)O?xz1w!Nt1g@X)7Kp~VCkM(#!gaHy=St+tO=dN;^%kR& zgt^cj)n2PWzmN3A!M4wVULh?}YBiOjfAmxCfRd&o%rve`LLkYp4*CNuS!>3|rM2RN zU|&&Nolwd^7w^(8uFqhQO*hG|<-*-?=7t`vgIIEQN9VV(O0TZ$Uh>P}y)wOY78H}i z^*!J*@OiE6_L|aRkk3qDsyG7>If!MkL4B?^&76xTwN8#%T6x_YcShy!ouc7XpAtSYOuEnQWt8a8ZMkKMLpxVpoSP+diqU-^ z#8QW=Zy3+p(f)AIl>O_Fl6eQ}okiedU&!__FnZOU`kf!*PE}9mwzxt6?uF!+wVU(S zO@OG!OnueEglBm1i1G>MwZdjVxr{1AbJTtdEc8}yA=x~Z@U%An82=P9zQD`<^Xn~C z-~^nOa!u;&?J%$GEf`SF8(IkGf2&6khJ(MJ;hIjnNx;P%qSOrA)HS&6V`&{tHoFbK zEuJwf(OtSyO%sV=q3}kq-F#~?OIVK!2ddl%Oxlw&wyM+)q<#d?2q{u5ql_#qJQ~|H z%V#vy$iQ}Z5h1Rd;eE?@lgV9_nw_5W^XVYuLgq7Q-Qv08DN*gQoZG!|cW8dd6nRm1KrbO&DWQSBLSD)pa?Kt7siA zmCh3ef%gO^DY8WI`S&yfSzgJ(?BGygvtjo1gq9wmN9xtS&t1_~IwaM(&wgaw*^W-aij0Gtlf1xM|~Sry7fri1TRE~58>u19A?45n!4)EU-){O zHgeL`CM~q)k&8dhod1Sut6FRrA+;n@2xSawTB+jwNVaxL;?2#J_etl75ws%lhc;X9 zm=Q)hBCQdlKpvLCNA-Or{UDsQ>9EkXhPHtl1PRwHeLJ-Sm3lbue#}KI7PA@{#)^Cx zasY~t%?HRgQ9$kIfQR%UZ%R`lr|~k(<4<}w_Xog+8Tym_l7&b1@!UHpC2O;f4Y}lud%XN5oj~aSJxBgEJi6!^}w&O!#mgL 
z2%Cy^UakZDrEbs}P_r_NxN$gjR!FiTnIz_s+Tu|Q25WsaHn@Li-zWDS#1vH!OQ_R4 z7e3uB=tWc)7lXO;P(>cY6_$Eol7 zpWfA4irov|N?Wr#KL9n}@^zx;744PJyi51_--Xev{+$${(2saaRK9&#?}6|~8=1j7 z?S6MXocX$?o=&TV(|Kn&s-%v3U@DsT{uS{c@%e(J2ThvcdOn7X|6_Cj(*yPfVa*9C?|bC@F1=5^u%l3dl?2_0}2d$1)w6WsBn-C$|0DZiIyY2?}*(VMdx%_gt+8^rhZ^*91A>UCG2- z8kq|0c=`|taP*?c%0Kxpoc3ilX2umTkrlq;5`fH&gOO-=J(^`ht3-{a!1YUq=7 zA!~o(Fsj%rV3GWbf&6nxH|d}E5ncZ+jsp|eSk@y(Wtma`>=plRJSj>3>`k=(B^SS( z?kDG)q5K#3(dXZHgZ}j&&t`9-1oa^3emJE@6UzSm?}000n*R=G^OlOkF)q+X)r0@8 z6Vkws?uGEt>D+eepI!i?StuIQ_TM~4H}BsT4uj(L!YP1>HFYG@^6!T6escz{r2N~2 zzY!A^`$GV-<0q(~k^OHv;U`M-r$mupJcCReMi8LrCwoPB$n;;mkZF=X^Lx5pGkU2B z*f+abja8lgi^;i||L2uns7yVHib4Wfke1%eeNrH`2n5YMNXzA<>>5B0d<{QZk#&xH z-1@HrktpcTbPIl<7NfN?tt`uo@Z5Umzp8e~G`G3NwV}LnD_zlmjo8#!_>Muts!dAFTq4tv4 zsi)59Qil;I2!v0L6ZJU!-#%A?)SnelXeG6b8+iZD7|KCNWLLX9y#`U*;(QJ*e=T1^1X#ak**3W@x;{hr4EJ5kEHUn)HTW;~%2H~xI3r&i&+T-7%&(2GOq ztCKP0D$CPn_dH`?v(#xJ=SFC^o{OOj4w8649-3CD#=mOezIsAYDX8ntk(NZ>_ z!wQH@&@JZn;#diAMI2K%s@_Z)_~ZhmZvvU?7QOfnI|#g0mFBM!4WOA6K3AbY9oz6h zp>y4PnsyoOb~7&n!@UR4-}9f2tHG}nRxZ{Jd`4;)pz?VcF3-~3*OHm{r$a$^z|`IV zIJ7*DA^x#nMU2@GaT@w*Gn`aa-OwZSo3Q?6=#AO@yMLS%#-YUDt3wrO_S7#hyf0T1LO^$b+MxiDv7P{<$Zs#m zOQSIS&RL=e@|aEzO>)GP6Uq0g+z-OetFH<(4)88nz#-2_A8Yz!xcF_0t zvI!Ju7gWyxIl3996toRPzaR`Wb>kuDhrX=`We}r!Rt!ao~>vAGEh=h7H2B;GZ5kLG0 zmMFYW*fjFhCpef|1!v#w5PcD{`m)Y-fbMhQOYT+{x9wCt7@*}v$e57VDX%}OPgfao z0MuD58aq-`Xb9!};k|Z3@6>)e)#>K#4rjDXpIt+9A}I$ZaPWb-j%1yw zYg5@?`^PV`KxU11!ibpOR9mX&!E70&>c<6U8ppXd!--fj0UDnNdT+USS8Zs~F91ue znoJjaa=tSk*ejy^`Tls+Mt^z=<{n+7YQNWhSU?6(XMnP?;Q@!rhVtDy%sb;DNNbiAg+G&n`mQr9}X0K~tb zfWO$f2vCg*Xhm9i;`IorC(9)=Y&I!DFAjVxR<|ZjI(|^4gE86tK@0yMXI~u^W!t@L z5rPOxcPOBwbc2G3ba$zUlyozMw1|L;bVGt@9N=jPS#{Bh3l_r2?^ zHH+oadE|cX*!SMozV@|CP?~w_y-8^P0)3S&J-$Ts89~i+1RUA7%C!I#r^{;|IKlH) zs!K05RjY2F0a0K>(_B!UC>&@MZ=<@k04#5&wTO$LcJp4?%_v&$_do@7@dGX<{Ptxn zC{Pa;Y)!co68Tp?^rx{u7IZWI%l;S1OAE@fOXP+l6|g|$n9IFn_<9*!M26Zg3k@ri z<9X$Mc&M}uI90Oiwgli8=!Of`1eb`s%0lh9{yCg&4`)kq9$x;roABz=Y}OK#mboEL 
zb_J4kiD@at$AyNt{)j0?LPV)nUJM8p&p^wqcWE=uzDRSr9s4*>xa4WB+|l;97(=ln zIUbC)-qudNE&~J7+tD~gRiE{Rjs*_tWQl3=?wX`nGMu)5zUS0imuWzWOS7^6pxk`= zJ`-or>P0hMJik}8eN$GD6|BA^_Q|Sp9Dh^n#vp9YfZCSryzeqGu>VQey;p#jO*^}> z5YCa(X%%B5HW;!U*m^trhdqnI*MI9d=>9>D@?k=RTx0pJ{YqeY|X>r;rA0aC(xH^YB zuMK@Eg?U#=!io=+gHiCGKD5s8y?(6PO)>OwY*-Y1DtW2<9pjuAVwdoaQ$33)j8g1N zxClZ}TfFRQ_Ac&>L$DCuOx4`Io|~>!3yW?*O_uy0p2tA8;%+TB%{dx*5g<2djHxFB zI6NP~g<25Sg9O`9+N4cc1+~i^#i<>wS7yHM9$3TriR}OB!Tmq}vi-(yN7zhq>G|Cs zm$+R8p{T>md5Qku0oqZEU3@44*@8V-Z1H|Mz ztDZSyR)TT5iiL*;nchR?M`1Bv&@=LpOdt8))TY1+FEGPF#)8YnJ033o)hX$V5>SO1 z=^WSWTd>st z2y30=er^ixw*kdQ|4|oM&fuG-@HvPRYVB73-(-uu6C}bhNqpJNlVPaodM{+qt zxc;@3{Xf7`C#@%DgmYn(eBZD-G8;Pc_xS9#RixfG+6;eu=w!AdQdYX*3T}eIT2smx zLzSk(;`AJawJ%I$%mpV0YqF?~VScbRhpdLxN=ep^iV9K7_Dl?oTigZub%~ewB&UUm zgvG7~1@G%Bt_Jjhk?>kZ$y=iM1QF+-m-=hn^4qnV3ynUiVHNSsNx^o7Z9-i9;K zKKmh$m>%l7H2bmcc%F#k{Vm%~qp95z_d<&3C-1j`B5kHHs=sr;YckHss#srP(mUS! z467fso(L-yzhl#oKK;i(*;&ah4nct;*VCtmih(%&jVmiBrtGP8XVY%wc~OKxM+b1^ zYN5mhsBz|SnhrotmBJITmEXs^{i|3Nu$JBd5P2+>Hbo_2OL*teF$Fy)B~q+KE>aD2wAUWV<&yJ#LSzvDKQ z>pSEMDa7+BQz!MX@4HJV1IhsEUrpaQmDvNaSD&J^4d3vB22Dp^t-0w)byD&{Oc!#q zdN0Q{Wk2lZZ?y!62F?@((RrDF>&zv-yM!f`0#*XX#W45CE@Np8urQYjD|gY^#tF$H z=;|{2GfUyK{Q<+Vi@7%1wPl7iBt*cv|5J_g+U73d;CET8j7lWR@MgMOl^otUC=v;m zSacpaV23>t?RomNN|9^?rkR8(Iz2+1662e#dKx}qanP09O4;Bt$@DXfS-z?1`%k8< zEzfW=@mLnIuS&D}eSOmc2dXV{nqlRN0r-^XL}3Y!epcD)RDRe!KXEX*ou*sqeVxxH z-h17vBV)&DrVf20MDi5p-}+A`e^5J?$(y`}tHkR>Z}muXglf?$@eu{=+; zjs?$S-rm~D+dVPlz1@x3kpTaX#+7e`4BdWUzyzybf(rM+JVh)M(-a2U^Tp>BBHn5C zDO}cfr@TgzTHji2vaZb85Y82`s%_pzVIDm(&sE$Y**8C_2%p|a@fxa83_zau(&VYJ zpDjXw$6!AD&f7>;$fe=@m{n7y`S>zO>=N~=n$pS1xv8J&z(~RW`WqL-;x>)wb2@aY zLsB%5)wsvpUT1grUxq;K-hW(9Z|8?X|A0BV7)B}#rxUgf>H0Q~k>v*y6Awbq#L<`i zf^IIzKm(NxRzD?~=4brWG&S3*1D(@XvD!P*s2icUztl;w| zaEexebCf`(0X=?%N4_5b!Y9IM(+;ucDKv*&quPMi+Z$%-}j9ik744;tJ|j1oWiltLmdkfJ0wcf$k= zFM@}hVX{!6oz-WzB=oB``P$z zn3t^@nx@WTCc)N%b#DX6TcFe>t*?;ft*_MXIf%@KQwhz_PN^<^CY-b@3$YtzH?IDm 
zS8jt}pjzc{_5-VvvY$M=F1t5Y`rfmwO5E9cw>d|qTf7JQ8%2;ZDSZ~rU2ik>rkyrg zWl)_>YCT>X2xMW~6WM|r*3_B%#a!Vb;A>yCq0GnVOBBc|{ofyY(?2`7ge5Xy;nK#p zh4Mt%ynJt$D97P)GS#fid`az`vO9Bz<=e~@M_LZ%t&|L4ej1&jJ^ew9HEGuf@fDW# z>=`q&D(vB8E_hOe03u;kD*%VRB&w&f9n0A)+3 zMye|b1=gROLmd5d;Q+&8oORTL8H{(FA}$uyS?rB1Ool0D9hc+G`gzi`1&Tp zQQiCP2=U|5>g2=`{CP#->s=g=kaLZ$5sqvxNC!04Tc3oN?Po6iq6i#VrbAo+@M=Z2 z|39SaokBi0M=INh37nlJaWs{-dpYgfG_q8Fv3CzvK8(b zO6Gg$xwH8$0B3@}BZ(bWPb4^boyQd@9@!NYin!+Nt6)&%!AvCjg!}L%P?Ws(Q%oua zmZr`kKd#Ui{QKFs`Fl1>GivVlJ-wWbka@)@5!gxnd252gzVdBK1$^y1^Db|S+HOyu zTnE?yJd`L`ujqwuES<48inu#TB;`$4{DSO(-xb?|yuiKIQZKLS@UGA@OnN--sFd3y z=T;+mO5l|}*D65S+|-4gu{JSQ!eib?-hx!k&cO~` zG@%QEVJX_g*vhp1XSsaThiDsSsYo@$iA_}eghI+ir)tB)TaEWW)y-^W`b@@rmK`#x zyjF|wvZo3~7A~=V_#)PAHjsM@li4|fcX~kV$IP^Zf`tG5spCZlwYaRh;#30+KJ-Y6 z?7GVo^31Zhh=1fK870phx?560+|YV4WY=c3c%H%4#Gx0^uF5_7gWeXq9W>FQDOF6ggLkYW>F9RIv2nH;n$ttkA|Nwv_(sh z6_)^;Gt@5pFO&G^K~wPH9R8InS1vBh>0es@N04|k3CoRGnluRi8jjZE#~Qz$W;_r6 z6}ry?y64gFPm83Yr*DEkLPF^n(jL&I5naX5(0F_y)+ym=hDNZDP2P`LOjzL(@iLo9 zf)wJ=SCyaa`SF-`%YutH zxV{+xCTevxad&+5#W1(~CwUsU*BS;gsXbv~9N081$32Mi?a5 zuF+ljZ=YF=tMD5706WgvH2FcoB6w=LcP8gBHGM#X4iXoNah2f8|NQYCRr(II!KN3j zxEz7^e@5WEabSH6kmG&Sefjv0cbODs1+1DRA78og-#_0K{`n6l74Dig(7kY#I%%0N z#{O@^_%p~9f+8rTBsTh{x5B*DH5Y-h!V%x2|Nblg8CF`vJHsggNw@tvp2;!1tKdz# zznWkBpWpsJ|LXPwdvpj7Oxg=h;R?19L{K=p=XTR4DU!!3BeB~(T^MJ!z^IGljzfod%o zqXLkT7zx1;B&>4ZAQ6KcE7(3y7A3Dc-R%rgIzOdx--4hK*#^}PYBgmRw>F+#{ks*M zZDIIllb*k-ThS@igHs9%UoHN2ubD=B<2@ns?K(h-HM(g8TYl`dN%wtzPMegoA2gBe z19B@0K4)j7jKJ7_Ve(2SG3}Hi7nfD8O{tY-Ba-kw9Zi5Kc^%S#9v(IMKD&!I&rlA4s)U-tfLSbFG1(Y0i!(Z1-C!3pZvMZR=236A7XN zw^=b8I!9S+R>*0X zHZgvc_8g%MqmI6L>(;k4X>mSJS~%qPdH5W1V>>Hg{35-%$&9OZ^cU@47J%-{&40|e z%x>t9{R8aLsb2>Ok{wkaO9qqHE}`1w_XP~NB<;#kELy){N3}G;;an--1Rhzcuxv?&%ci6b`EOuh6yJMx_p|JO*XKl5r0M0oz(D4bHr|F zr8_bqn$wU7#-)`c6G5#E((Qc-etsnb@ll=mHAkA%q2JjU^46f764}~>Od8Nz?xi_Y zHRj$KK0c>_?n6}LB!oxBs{vz#yAYU6#S@ooayZV;(p&a-(GMF7(mwM!-(gnZ6i zzIU=VMf7mL;$@SR`Ly5r&=JwN!sc8#O{-r=d!+lQ;>UxT>R4jPUZ47-1MaAYD@7`% 
z(A6`DYt0#rpxf#rKAUxd91c(W)-6cH>Ru`30iy1>-@AL>NRjQEjX|YefkPZEkIOa1 z6d`?E(rd!{xy!6N&2$IUVr9KQGreB>EE{kL2k|Pz@& z#62+M6L9@z8R@6kEAUe3>GnHPQ|IX}&DtU443e{hxjY(Bo9jX?72O+agxzA*oOdBa ztG|j_x27s*ENXaZv$G<^aRv?F&m68X*Ep@|i@{39xgI?N(z>y7lOrtB8rTxv`&TmE zR;ax!jdAAci?GdNdgDr$zC_fy%^9$06uo0RaSXzkKN?THz{|Ue zN&M?ZoMRcwusJEUnU&ZHmf=JQ#V_arm7w1>%=`5&8JKyXjv=< zza<+Lo`-bxCVHgAMw_vof9f-_I7mEFifH9p68ab{MEua;{TqdZx7eDqve+v^weAti z5NYYS6#Mp~JAgVR%wm-P0B?0BLHv1C$J(&-I$s(gv+^1$Q$Fe&=;J7e3iXgc>b z|5V4ToJa0?9__9>w?(9U>zwhjHRlAX3*E^=-Afk&UqLy%#mAS|NHKH*;8*-D|8mFr znlt`hjDkWu0at0@2)OVWzaB{l+y?Tms$uIrh&Mvw8>kHl%VK-ifqqj~yv{sBC}tRy zc(Y2d-vz;Y1y!5x-|1^kEKn9>e#PzsOhg3Rsd|bRr+fI;V>L;jo=sM}&?wTH&5l~Q zDB;U}CAN*H&xjkVXS~^IN-IN50vrt-J_~B`hW5hx-~EuXXbU&=aD4INN`b+0QJO%6 z?59~`cB382<#oHL2r4lpQ1%sN(vu=aJSVjDTJ_V*zWxavWL{1eEL68>*LnVo@7W&R zBiHF`G3pT3fKsx!hgM2Ly^Tkux!c*#VpdD~7zpE1ghD4;V)F*f8gt%k9q+my@<`a9 zns-Es#GH@K&ZJ()x~&#tQ}>#-=N2XRr}d!%_Kn&*jizQ2-EPO8NB#uf3WU`geC7-{ zcTe<+-*TCP-1)Hm@@nydMnmcXJbWX6zQR$A`Ft}(3ZJTD7W8p)o1O*6e*6ry1T)32 z`}KD>T2=nHb7VO~h*$=mFy(mXn%8tUTR`wfDmg&paD~u@V;H7K_u;68wQRaPqDW7C z{5r&8+5PAT=#H$sB*D6IKu#;>@l-LslDqlb**Uh6Eud6>t6feEf*vY($vu<^v~h1i8_Mgwe|(c5f(mOGhDdK-DwPg5~wwk=?j#$;wP(o2(=0`jcATU zk{Bdh(3^|dHqfrr4&AcCyaw8bYh=452>9@Ot_A+s3Nzk*Hsp9EG>>w)AR|Iu1QLpU za>}MzsH-hra8%cNgWf$zwuI6wq~?om#_lt0 z&;v&kS+x_nDB1RrA{8zhL(IYbcFE=9+{R!eFMA25A%C&?}f(?|J6p&q(s| z)7)*q;p>}%qxXHfB65g#)WasWCR|sOT)(K-y6x0@bhQ&K#d__iE!~Qq0yW=hEKyX& z=~L|C?4|OS2wU5!8g_VKlCYfYm;0YhdzxR<*LoDx>^^$Dq1ByhhK2>1RkDb>ZGSpH zKe0_gxO$V~(~9@6?7JxI7IbSSjal+?2NV=?cq=ZkYDLLo1BYQvooPMI0MITh&Vm#@ z5_BI$T~{CMZ;Rlt2JO+t=BraiUovns4#cku&q4>2|~ z)lwnTa!+p(GTBXx7~b=lv4UM^6T4K(WH*+jc{8iipZ@GNkLzdCa!zfdGlbO`$(W>I zua9=96s_^eZGIoKpVAM=!*yu|Y((WU?9rOLSo8+vlN^8=(H*;f=yMIa(iNBe?w0QM z!G!E;*UxmNDVwQ!#UmV|&nRsU{o`gq;&IfczUx6&H za&@2WND4b0zK;zW^?0P+Lp4ZWMQz#}9d!r_)GZzZ_ju^!<8AUMaXhA9&uGOxbKp+I zTZFCQE*3vq{dEp=^wKL3(+QpanEL}$D2Hj5GrKck_S=SXlmgbDFSdKn+>!z%*q;M% z@YgWqYretU@C72<@!F{R!};2ex?M@5mO}E&3h}HbmS1@u1izf@*00RTedFA{RyjjM 
zc4LL;;WQUE_uCe0Q)i3VUmAiJOBi_?nL+v8DV+H1y0vr$el2-JR=Get$Kf`#iHJ)R z+e~1KoEuzL;;sj`*lFzU=#r2l1bpTgUg3`Jtu%av$Zn$9bh*_tah6azo3B0|jek?+ zQ7nT)wO!W<6sVMAF_cIkXe*nnp(bo!->b*d`9=jeb@7i<-C1;PNGC&J26cHc`n*aOyYC4J(u1u#yb-e*wjJHs&aPh{P24i)cj4I721(?YF;{Yy|{Y}?*iO#w`Lk> zGvs84pxT+k>+I&|1I`yq}>N+ld9>D7t#|on$6KiR2y)YAYUV~jQeeghS`{k%hbarjbp0D(>j@$ng z@bV=M`zN|Q3_Zv)`RM_o>D5LPZEUkX2Cvq)4r6%bK37QnKIIQ`znvP&(3Q{jDbqf& zOAf62CB5f#XJV46<8Ak7fehHgrU^MEwYz$keMN*Egr9x|U&wuNRVJ>0!EuTGL7St2 zdbrdEi`Y=WHt!nu&*ioFC4JrQYdtLNdbI&S?9OKBb&g4~eRI(dwE%8jOAL}s5;g+` zso>z)gv1U{>{PFb;eNSEPn91Q@6>*9=^Sl8cI%HVCNw|p8gpnrE@yqHKg?FLsTee4 zRw#b9H0O7>B~*1uj`)_8NghGZwU=8pcuS?;-phiFN?)Hx3pHWU2|FX6jri2Q%n=|x zEN$Wl@^=sna4wIqEdN>jm5^ChVQbt~4KBEJRCL3KN&NJ?Fu!f_7t>6EcQ%G1s&M{Z zd_zIS49%QqXm(Y zIa`yR{AibL)6Lb-8d*-VO;ndVN4jc{K5%WEJ}}Lp$Jal2E!d#S5C0uDmv~x=(7Do* zKYd<1i>+nHEn4B{5|3Z!4Tn+-J4elYPKjcbQlt>zt-2!+@$#zk&@SUKS|wC#Yv2Fb zvUplo8ghK7(-09#Dd3&Pza_lNP()_pjCadPXH&l%qOJ|%U3c0&2XkE%Vw?L3ES zv3(BC>XIzkeBD6=d{UAwM^A}_crUfZGmqo0m2u=?L-X|Y!%zOq8;AT`BK_gi@ck2D zb$``QO(YFF9JZ@kj#gD0rLby$suxHSPQCV*`1Q&SBf3A>+AsNVMfq|7=Z1bZq(9A0 z@y_xK4DB>^-Rf5*ePtRLJtrQOH~fjj*D?WGdmM3YNlOx_n=uBrZP44|p2?TJHimI{LD|48|kR7%5$P z)pyr)zcyQfa-?vWy;BUOK7mWh{t!ctq)mxhLII#JU&dRQk78K@ps5)Bo{8};TXs6J z+=3P7g$4y$Rb(|E>I!h?*l2JC=3Y5Wt2e&V9NdYT*~mg!tpe0W6N;*>loZs*^7-fxcGq zaBaXWCyOaBl*r{c_D4Y_>s3C66rqFoz8qOcVVBd4s)9Bv+O5Y=aJOFg3gt=)!kx|J zQ4lmQdeP=CoPMR*h(eT6{C=^?1`{(r&5Y+ByXL^WO9EQ$#fx{#(`Ttm6gmb;jRkErkX2`wE{oF841X5$vor-@rtN4^KbaGDYQRZ|ce&ka3 zMeZb46iak=$U<9=;r{7ySVE5cNV12~*4|QJAt+;LU>1M7vrK9G3qFo~p|!O=B=R#- zq}vzgFVV?Wf^FvCo9BF=q?kk&geTF2PwiV_1obZ$-mFies!f?W-GP*hMyjV!)B4!m z)9*i;O2P}^>%%bVBVN{yfSY%J#TAv7JvouF9coN4OhruA$K5sGvgDqLn5c0=JTA8y z{&pGm*}P8aTN(FEZwnKsx*&GUNh2ST4w4px7s6mSpIG)!omfV%zGZhst@8=zhP(x0 z2LkV@yZs6(?LZMab&|8B^gj&RlkHfNJ+RYN?8cIpR6GPdQmMbu)ehlRmL#mxUg)w7iVK zQa3}we)E$)t^=16F@AS+Q(A{2?8r{-$vi;d42x;3FQOGDyl)kK(V9o%v zq`Qx1#?f6umNTiLp30ML>)^VHw#LJX8qE}i&zq5=JU@jrTxb>O%9pq zz5H5!FkvbwMpJytLgj}DPC{BDGEt|1A4{G<+AT+>l0&py0TEz#o&?FFj-S;~c1)qk 
zI$O4XHJ6a0no+eg|Fahp5}gBzjLb{C@Nhbmth6{v#k_aEnDW~FQV|k=y{M9>nO?&d zdJCRUOTKGBXFF69=WX`}gz|dk?{U*Y=Q?IWy~>d#uId?&2Gjo%!hq1`{7)2PJWV(J z@-o3h$rRG)M@@fvUf7@pxaFCqq@3vHVt>p|w(!CZl1YYQ(|Nh>7N`*75nKZgF)Cg2 zeEIycOInZ~mBHt(=+_1k-;8aimI_zz!KfUo)P~~wtxIzvaOi8_9?4;nZfgZ!cN1IT zwVGl1P|g|pWu;N+dFAq?Sx+qn@2f@go^^}13dOG+))cB=wf78wL(E8`IOMcGNG?WG znln-1F6NbnJ(o5;u>nN99+)NjmB68{^de8`(sAZQyYFv3dRG~Oo|K`*@R%@kl%LWj z)EikllV-Cj#0pNo7n*6Q<4ZokL^R<~< zltvNM^E&x14~rC1F>`Cf3^M04KVs<(=j$ymx=iWQCyumQEfSHfZsNEfzE|aSJ(ny% zRa;qTBl@~+`o@Sw;IGk4f!f$BvFkG7Gy~Z-lR3Ujo)psBz>MiAyNNrxB2FdUdF6FK zAD+BesL}i?jFL%{Ga?P-$b1rSJm`)7hnJw^Qhst*BTs0gIR^-stBgxixzeH!m|gm58XZ^v|&OXW&%LkEaiJ()V|yJ7>kx4S_1cmd0? zw73zeG&yVm$n6)EyPHFg@4G~v)iFH}-B*3_F7naC@lk1UTDdzvYkRAw*#aQ*B_=C2 zVm+m?k?ar%dXwYB@sK`!t!gBRTKoKU3QrX&Mbi43=TsZI_en5xsd%%2Mus{lBQWKI zggsAKHqmv7xfwyw;|Hm^rMu)bkgb$fVk-BO+su-qR)>KQFS*z!$KVe&d0PWqL0dU;~N0$zlne z*M*krE#vUBFNyfu2!p`KbM~7SK|ZwIAuW5i^iG|XJXNI6dInAreMDJ>U694nfD}wLtPMXug+)wpV}H-g1W-1zFTfu za`kv7J+i=2Ox_jEdRXc8$GJzoA(28Or)00vdcR0+RH5M)y)S1H07ZOtr*FHB95IQd zAju>;_dJc|e$zv51;}@jUgfb347v7d)i5bL{qAl%2y^8~S_2$f2ym)Tom@TgM4ZbG zH%(fV=qg^LzB;V*SP+aDglIJ-4>yJOc%f}8(ObU0JzD*>B({-9 zrL8tyW5ODWAOg`USm{mPCF?aL78~P3|2TsWJ^V=t;@_0)v-_b`W~Nb{VQh<`v1r(2 zIuux*M)$pEy~X)0VNLe}5(><^lR4a!jB)4k5Sq?qVvsb$IAGmt0c+?HE(srj7iC%vWTO!-`3c9M#W z?C}6^sH1i=JA)LqtLwKHOY3}tP*)$L_~gkJapOwwdq7)X-YFB;IFa64nc+wen{@A4 zTU5jKcz#=UF}7`r{93jgD|HEcgWi;oxuzhMC*9O_&o^~vPgu2ctl{CiaQ_K6V;dcK z$1pM@mQwrg&KcjIbbZ6kt`)+|biJ~TjmceB`pF3kK_)j_cFa5>{_L?j?l#{7<4Qn4 z7O)+YOD`K8W5`YOw>0e8nz0~pvgebRbPd6vg2LXS!}u&#!!CX>NGivPXp*G`0HY8`t7QpS8@Gr>>RSV0zys>E^tbdP^t7IYeW?oH*HRvLG& znC&?O1wTVTX$_sZON320Bf_F#jqo8bUIEaZ5W|rEb?=@_fCtYoXL8G(Uo=Gs_3c{d zsTSAR5anczS3=&1lMYjYp+8izYRo}DDR^)F>UCu=nJ{u09<%PD?4rAk-H;#=ty}}u zP$^?2*8IJV^;zaO`Buj<3SUg|1j{TbH2PERmCEuW5f$4v!tWl6UI zCcIpqndvOm9_jFjZjMB-yKJ>vShQ`5hJ*}4Iz$`Bt_`0~{U_4Z!3j(fC*eT1&E08C zs4!PNLDLQ*mpUQ?IRowX%w)x13v&P1nlR^ri?rVXXPQN;a&=RlK5^z=TS2`CDn54F 
zPBBHCotRVaD~lEzvRogM{5Xuf+jP%pQP^>}92fyOmSoito?wFjNqG#r?sMDPoghcE z%r_v{)W0PZ47%tZs#rMp#7jBr1irAN38eVzseCW|J7iKthudY_5di*FlRa*V3m@*> zW?DiEp(Di|ZoLnElNEo`U)2dl)74h^T+K2xoP5lq*b>W>3xK)f|7 zhmA?2V6j^=n!;ynz=&`!SNk$c@nCEHlOJc`HlR7E_K0E(Ed`0#y6{mON(yqG_9Pjb zgMQcl(xkcg-jM(;=8=E%f#xQzO z$GE`lPoJf7wZhhw)IE1v-17_yqVvs0CMPOv%AD*i!(VnrzaZ!KWN6bf9SvI#1e%>} zaVh$p{1$`n`m>d@T?>q$FrpiE#FAZFuRgN}K&=*~M+OaIA#$Xg-imAenL|^x4Hwf8 z4=Ot-S69%2gY9%})NLB!O*JC3kyfBZe81G$?KSosTR%>5=)zT6p{kK|xChh>s*)Rj zFwMEH_~zsvr?ai+*JkC z6sOM1aJxT1R{beygrs2b!_~1m=q8e-)a@rXg`j!PTk$`MSY42IPLMVguWbz0F~|h< z{^pH7W_5A+qS)xwH4fLPqLWI zSgF~-h{oZ7p9U;{VOz}!XYN}68IWHnn5Y;?7CTu3jDfWAwRObfsMUPEwNfZ*$Amf= z=PB(Tv1C=;^TDV~H`~)q`u+iCu|vz*7|yLSagAjt0u*`_`+(s(ALUY%4CyF>C1ab%|!U<8}69nZ*vR7_-Jk-c*ZVqVyKe z>&K`prZCD6Y2Lu`Ga$}6Vj9R&c=X;r2&3vjtn~NK_kz^6;#;N2*1cZ&NxOA|4z=iH zFX1~RqB3Dr%TLX~`HdG@EiOqe$ek#+Rzzk!r{8$G42U;r%G{=;(h-tXmBU}oFmI)0 zc4~FFb9y<48@VqLUoMkRCiU(ElR~o2 zp*_e8$8PqTsFCY?o|a=EG@C+~Qu-*tZa=h30Om1SIqVMNCs2BY$bldRYW14*!gF;6 zAT?#4ODr|c8x`Z5L_X8Ma)^5Zyp#lNr~9E2r`y-JioV`s^RF&^AcakOKeuWDljS@+%hwE34i?T%;$!9Mx|9-GE2F~hlSqiU(kdKyb%}`a#)VkOn&veGn|9F zDJb|?Ek@{TD672U*ptp8eJz(>mM^-i{J0YfZ9ytg9Z^qRv!P>|<)9yyxC3u@Qsv`t z5mJ}_baOfp89K+!!<%^{-$D{oUx&Qng)H;xE-QdT_$HO-(WA$twDT=tot6761^Nx2 zYg~|wCk`K-!lPhWvG)T?1!MSRXdWKaj5|`99f914FeV9%v?pb2cNPnRlVem0d%FDa zSyg55%{;9_MYCS7)ZWgNJplJ~K^@E_Bwg3rq z6R+yaGQ=_@B1I(#z!(oG<~wiDPd|^FFR0_GLxN8>y%mwVVDP# z)+z$l8$C(6^mvg=l*}E#!>)5HPUCewaN@#%{ndaHY~9#g4r?OpP`tv(lH*evGtltAT2>NzHgccNWF?O~J!U-iW)XE;1pI$2(_YxKD|KS3VHkG`5oT6z?k#J9ow zX#>3sS93YwCY%V^_QTj!Urlq5cIrwo>r^t*s3C0ZwMbRZdyuMr_`SQ;8T!C^J)$;t ztZ!)?e6UjoOe^~1g-kwVe(U5any}P*(MS<_;^Q^P#`yfxyV4q+ zMDc|^wBKM_uDM1gqo8;>V-6pJmK5e;!{52Uf&YQV!W@wK1?=zCN%hmlEJ~XUJth>uU z3qq-O=35Ax@U%6*c70)tWO|&>UzSiXR$%an64Oohg=@39OVx-zuM;uUEAhA&5DYfP0qi@; ze!_5JDuBq>du`6sTjN$L_@L3MDz}3nr>g{wD?P@~n`8uExt5apH>ObdFgH8C9ceV! zM%O+6O(qGODNGA1+(f;T5RsU!dNP!!F^o^v5NhEk=o67*?j26? 
zk1ReI1VvH4tRP@hhxyIX=CEqADdT~j+g)+o9fA!ro{+d_<~A+()Zz>)r6q^SVy@z0 zx5)3E*afw$sxgMj_o0TjCU`CP1;>l*OH*k{^TFYBBpPb2?~4~%%#fWKZrhXS*sB@! zsyqyK=PK64UO6Ua)mBH=Uw=wEWqSIH{`v!3#N<8#{&3%;;)-##2YVO|j}cDbq}}r3 z9gmZ(74*{X6~#w*L(R0GFWG#C!mb(3A$LPqJoZ=b;0-iqYmR#|=;}620U8fZN0hNs z-vTXXtVk$u9GN#Z-?S>mJ_Q*;-dkqjY#+UMWj#FjUP_L&B33IwKL_9kL^~(GO!cu? zz2*S|>{}=Ul|Va=((<=%msutG%K2q?j{^j>*dSZ`q*1!u{rrGhc*B0Gx?XPS1Fv_! zl%U4RF1_zPnTVf2k>|3?YmFh6-4?wi@tj)3HPY*8D{v4NMk59gg&vqyr&H*`%8SQM z^moN|ifvFhN92TPd**;Wvl@l!4{5AhGo}95u8Ds&b&bm%FzW|wp2V8{wJCo+UdMnd zcI&fQjg<7BYbC@E#x)`t-z#^XVdEpsVCpf5GW*DTFfKR_GT%L?J-0gDd#_snl?{5b z(2`jNxWyqoG zlS%Des=x0+wO(mS9!9ZhmkU`57SIDa<+R&^v#`(kHRVj^ivC*Qvpra6@EqgLd>zMg z8nFj@fN;M*PP<;nT(symq z^|E)FNv4*{?fSl8(xmy0ls|Kfve715iEZ%w^n`e;Wzy61$q^`A9GaSjB4zgHPWGnl ziDib_0z&PljUuSWl#y9(-q=3|V%v!tyS4i1?**$BPz+xC}7rxV?jOR_QOUkFWo*RVfp zqs_HbU0C@5*KtpJgy*cg{|sBZWuYUAM$JhZKI zF08IQ>!qGruv>~rqE8f-oB*99Mf7)(@CB?thif4tus&+#ChA*otiQyJ=P$-5 ze%h;PB)5Omwt1jd%{`jFJ7` zNIvSJvgf;28wzUfL`#iAOR^ps)f&{QwIEp|b+get^1FX9BM+@kCEo zS+DztGux}Mq4`Jfl6=vB7|!GU4u>^-tPda+`O((XS|xCkaB_~x1rHvWfYhpbNl(F%l9@rb*)QVC^MV=eMgkyC&;-V}5z1044| zZJ7sO0iiu3G*;_u^5$HgGY`Z!R&aXt=MPKqa@d=sV@&A&dp&oLyNzS7_#G<@9FQJ3 z)UyQyG}FD4y%IASZ`k!IZwu!b42m{DDm*m}(?Snc!FSbv{F)@l?F3S~n8{KKd1)FD7)w6oGE%n3+c&%DBCa`L1Yi`FT0+i>T zt0v6MY>r>*jg05mA4d;{b=nZfP9$%BEz#1s?g?S&nBG|8s5PQLlhu4~o>A?s+DXwB znn@Ut@YC#{eWty2Z?|?Dun+t9<4W1t?~AyY%XG){_6L0Oc?jvLeHEK&<<#dkzxYs( zsOIZ!TJiO=`u`JJ`CHSaF(ekfkj+Eca@l3d zL1?2Q6rkvd{G}PNu%wx04rZ2ZlN;VpcsFZBJZkn?F#r%q=UEZ%DK zNtx4_T-|ub{LrL?=u#APM5S>03`NiO%G(`LCd0bM^D<>1AS99W6}4!+O753bQu*6OcQ4#;(shfcyzD z4%@L>+WKB37}^Nhrl6#V(<}fPp*fgolWAyO=(!_b{hKB3CXG#UNil_47VjFejGByt z`+`Ae9`wpWTbaw0hhEX6!Ji)S$lhR2J$~D~2B~Qot&jqX5!l2x0rwIcq=a3OOO8e0 zbWFp>AzdJp*JvVCGPZ2~LFU@j5(o8m+&hoGMIM>0+Gx+W``sF*?sIwh6 z@x`y)OOBj$X%R;ql9uab6a`m!D6pX-VCr_u>;K!i?IeW-jp@9HSR<~>8C|O^3 zHSVkxa$H=sxBQipn_qvpq$?Nu$d|1Y_cYNRr=tY!F9#^A8RVtQt8stNf*e!-1grKZl7vyAPV0e!l7cu-&uG+0?*>@(5g%$>F=TyAKD4 
z;tW>H%}w$;JZhZY;JhEtie9vA9bSmG*0~MP2eqkSp(>KRYth=N@|4zP$)i`)>8EMQ zkkZk6XvD_!!xsGlbcw93bueBGeV6klwMsP_30#@=5%pzedBHn}_TAc(M3H?}B8Hz^ z&d2p1?>!Vz?d{xOgr#Wov98w3W6PlTOaE;5rAzIGmA>+xbOMwd`Tl+1=Wmi|89!6X z=6>NW&t_o=Jb|9fYLa4Ck8QhAOWuFky1^VQ+nJ^G)XTEJ=WP`&Jn*pP4Hxz2?M)I< z2*Yly2&lH$}%&1!!gTI-QrQr51yW zyd;Ar5EIhJFZUIjP#hc>Jd73%=8lT^I%ge>irw}Aq(7lT+}k*tRu#47>M&8Uj>6(w z>u^@NupX8k&L*a_5IysPv|#ys)u6W@c*{!ztxc51=kqVb9Nr#p0ESQWZ8tl*?q2Ud z@fPN;Z^G!y>*!V*p{i-lJc1>e39EOcg_c0s_oX;ogt5g-cLbp{}1dV7XGafduOL6(n$7?*4Rpw58u4m~1L`8Y7if#YIL;n5$ ze1bO$LlG~I7GZoqz~>mieke})37uG6vxzYqyaifEjNvTo#djFW*-UvM(liiFXIX{suc_2*K zXoT`P4NCwqIE`TjjU;YS+J?|r>bC+!aGg5kHRAPt%L8b!sMwjQDobuk03J`MzDHNi zY?)t$?RF*u9S17aDLGcoKi~VXZ&c@S^RaFxsL#XDkbts`M-A@#03wW_UU+vol$IZ- zJ00Zr?Tn0%(G}o7N6?A`CC8uzE1;Gb50q)kPpi~Q%OlMLSEaA^^$ABVg&D3=MXtd( ztmff7CXN;?mV3`t2rJ}C-WCeJh~>6XaZKm)_(xRrMi^`6`s=7{2pRCw2xSP1V@=z^L?Y-tAu~QoN9`1lNr%0R0?@Poz_4 zulE;g*P<$G*G~LMczLSh$b`aq(i7qeR(*Yfi8lmh9Ty+Gj(--KVDuc}AB)>JGe>&^ zL8vYW>f8R(qq|I(@%|&J{ofYZ``w!*b-qKSML`0)rrpZmCGP%XUG3j?0(v+6*4?HW z%71wQ`~tzwn&*#4U?AA$xD3kQz0V%m4c)^7W7eKlsR%4El)gEPf0V@iPxBW1E4myk@BS-29*QFaP%Jb2h)LCLWKX z`*2{-t2sqr^KWDOPYKd3#M65>AAIfTq2vwIRhz{k2>oH{{Z^)X;zZw&s!=Wmbbk&2 zQgw6}d@sUZ4RpZ`AKTG%l8T}2033)6ZHwA5|Mpn_be7(N)A;QZ07qXT$PHWi8;YMf z|B=D-@6RrXeN&QXb0&{w<%f+l;`GChe>K6k;4ePk5I8ieg=vLh<-%r1wZD9+hU?8F zF7%>;Y5$}ZDDE#W%kz2u>ZP}C@7`=kmtI`%ln~f~ z=`G%r`-fBZU#prd=H@neQj05L5e!=!yXLrmxgqC*f8TifW;&934gzmt2T z+1VWP1vq1Z$rXN8*Z5b9`NmJf3!S)=HK>-S21sNey&vuVF)R4@b>WqC^Q@=Jx`Gd3 zQ=6h?q%pft|Ix?x@YJf}s?qM3)cNf6#ZyTr%Tw`4K#}PZ1I5E5XL?)se~i`s$1Hh{ ziQb6TSau?D=3=(Z4Lux-Ni3$mhREs~O&%whM_~a(9)_ZSB^;kV79jtt0c(1Dv#tv4 zT2IexCa3%QFO`6;S^8X%dP7OT4Nz*=$c&JnOY8}gISB*8L~kO`APJz04X{1IIM859 zMEuhk^*H`!G8>Wbr&B(`RuOY{QBCJOxk#q=;)+zDMQwr?gxjU5p zE->q*@see_vwRaV987W#lSJHuY2=u5g708rA~ODQzZZPDnU$O=`m5_cU`1fdjprZT zEFS)ClXoUWye<62oj@WiSZOuXF5U?!{{i%m+?~iYE5mCr@{(G%D*79$_n5#fe#b4R zQAfG|F&qE)jQti#|?A1r$NMxd{2)mtG^vPhL>_`j~r~S@%pgCyUsB*F%{F&yj zhZi#@1p6rGSx1#Wf7EY_hE|;FXWtx9ts7>GwP+TgL_CW10G}}) 
zn@)qw!eic_>2SgX(q5R|1=#Myu*p2TKakvWZCM_g57}i&fTjykV9TQa=0_jtsQ%~1ANc+wU zyYR5F$Ftn#7i3_lgCPnK6IR$6%LW=NtkX#f28vby#wD{^|7)pw6YUo^fcg8dLJx1c z!cO%^n&>|2a(jY*h5fo{rrh`NqaDUByO|F{wx@ftP~eEErx>)YQLb}03(~xfdb)Q< znSl|oP*aWwSpCRKOa@~+Jl?*I?2b{$9v%1~UWEh18y~5)~`e~qRMFrQhz8V1o z=vBufHz!E~)@0DVw?cj6y{EvMty1(%y2>#1P?eFcz%^3X_rAPom%|F6B9jAd5Qd;k z{8E3zR?bN>ku8WioWTIs<#-CG*y!Lbbix0i$tg6^;~k@sNwzTiM{8f>C`Fz%E2u3l zood0CPKP-|2@+b4~^i-NQHp=Rdm zCA+;IFNiX|pDiH&AzCPi{e1w;uw0$*{W<{pfwVef_I>@&|p7=U~ilOo+RJlx}$i6zKs3U-cAQ|aLL{98s1=wnF z0M-`)YDcSak(V&V5)Ow@3@~?f4SOAt`&dZUedOc0{YGTFF>lXom7V`j99rsZcJ~W_ z+8v&R!*td@TUw#((?tX&ru|*X&7kEga~=?ZImU-H@8Jzn4#K1!M|5usY1ONpB_X>v z=)v?Sh9w`AUs*BTeiMox#5I_RnOF_V-vx`OJ zFT=u=|L-?$lg{s3$8qrVAO&{o97$+;xcPM`WRO|(VyBxrbz_fVNCLbut@`}fg!xg95bQJ3nAkq-?@jDt**9$cB5!m9_ks{3XFZ34lKhtO3Jg=1}pEC7>+dc zbz#q|R~(1inHF$sPZ=s>$3*5%_U~|?3x?X8&q^2#y5>aLtWeE8>VzrxK~MB0!kQkh z0OD+A%H9KK6`schhV^P4(eqf1Fw7j_<7@-!S4v_PPWgd20 zw9;c%BV4xV**niDUACkFH5N1yJe~ZWL>4=;2%0x4GevfjS`+1)+6VCC`sDQz)hd-Rvae7-jE=D%wamtW12j6Yq#(4XznE z(A4l#CP>GqvG{FcXeV3D2a@tr-AwU+Z8 zt8o`w<0|Ag9o>$a8-hHa3^URI&Asz@#i_S#e)9QaC9;^|FUTN?{xQZ8{6%>i<93H> zwt{+m=1-@&o$;nQ{EzarqIo@dB)2+}n-6*fVKhfWYZrhN2iM;{4Kj;+mO$|(W^fyL zMmn}z%lWdZQtSdvhw@k` zmGwlGxbPspg%WtFm(*5PMWFZGyFZpz!d`IK0yyG4z#ajr^p{PN2L20NXS@*t%JS1? z<`J*9a031LqXxd#HwwyP@rn0!t-k>n>50dsg2OaD?UJ(mY>^2;!L#$VesXG+iONi$2| z`(>?B!pLhU9qjb`A=>2J^dIl$%RLpBN&CF4-h#Cv#)i#WNxj;n6T_*vX-uo1=+WJw z4`sVL09L6oL274dGCLjI72|Xj>@4>Gl8IE&ikeSWd48dkrr1q+$M(Z1je0nZ#`qw1 zsAlKqJ5nx-#HnJ}b+RY{YzAfFJNMXil5JdV>;hLDcerqR*Qt-zSwkWrN>Afzxg26O zfWNu&N*7So7Dun=>Jh1C7cK7r^BJT5g{OsAeV)_d)cUVMnW6uwmxt3lO_ox5g&MNz zxb$ew+G3L*`R365*0%bPS&wh{+zl8EZe1A|^3}2A7oKHFWuM&KBVkPKJsVBp6pAABtKq05P9ied zb8@sl-1Luc`CD#z;tJ0RJ!&{(wyfF%Rc!p6Z`0Mp_WM)0;s!8qz0#a`l0qVuKP+8h z^gQj1jd^>bp!vCQ$*!v0XnF3;M`)~xZ0B_ z)$ISsZe!A8PD`cG);q@lXDus)gF}yPIAh1shJo{n7fT(`k%?l|=i^4(mp6H@GL$QM zaYD}cyqx*S3%xBJ8dxCRRX&{XrNaUb%P^0f0u-_|vgy5z%&*w@nG)HZhO*+mNgaK! 
zdk|Gy&bPnN65%FKIu&tlJC29<$1LKPkstQ_7~ikc<2c<%+hm7aBxrr4fl?}wu}qQ$ z66U=*9DBFaIMjG2C32kl#G(7kQU9*Tnqtq%&{QGH$;ey&GIsmIh)zR=Hm26m8tY~1 zM+^#5^eJ}PEAqAGM9M!pOlJxe{FAseSj=V%Jz>O%&KbQf{!=cxW9t`m2u0b4gVMa4 zJN-hH;|r>f$j3`6$A`;tDf2Ff6~r|a={wn_?8jR$_ggb?P~%XkiQ2I5_>P;|U7PT#r6)Iw6U3e#$fO7}LyKizEmX1Ymkzrvzzyu{Z4$4H=zudDPgw)((3Sz^b4K7%L$^-R*25qP%X1c(XH_Q#U>d#xkv>bY z)%~BBF7`6u0)KF{^1;b058mOR%s291-VlS)x($;tlhedSu@I?h;Unz)^D!xcM*Qh#oT9^~y`^@n*XLr`>^Wwekwew02Fmsk zxm?4TqW5lAv5%{^3hQ?} zYi8)>K(e8EoBM6X4O*GdJGJ&2G3kcglj4AO|7C^9Y`ztf-Ohx7g>J!K&I&fS`^Bkq z%=Ok(iH}O@gGhbO7@%!@6EpC%k$FfAarTGbK$_&DHL3&u=`XD$v5)AEH74r=n5(kq z<$2lGw-(t|DNy=P(crEq-(tW|7Dr@I_+AyT*z;nOGRUKbx2dAR<>($zJ665hb_UjM z6=~izPzg|!O(veM>;nzGX|ub}pZr#$nmR0fM*Ig1L=Ec~lf zAzi;H?4oXYI$2>?IVXj%x%b;C&pHq0U^TMkR7lIXKA4_%GV79r`P5n5A^i&IxCa0e zRj6p^YMhWfo?yJ&p$1M!ul9EhYjgQ`fO_b9@I5foA}O(u#GtF7a6H%X)BPk|Xfz6- z7BZ-xZqRgmVK15)62uB6-@u>lNUL<#1R_oL9`@ku%<`_|@PE<0D?vQ>DY^MrrSWApn_ptMw7F8B{{Y23l?jrpO1+8DoFpno21LwNzvBHFI)VN`2^<{dE8KIhXtQvL2w5y&F%uQCrs==ngJ zMTY5FM`7=h-(m*8lSr54_}pRu16_lYQ5LQ;#GDQ^9SD(rd$Bdnl=Y@I)Rrkvs-qwi z5QQayo=P_R!5KKEy0N!r-E2G;RJIrzb*3N6lU4!ooDRmgI<;yIrh3I;?o6{{UcdVE zE=UlH_u#dQ?IuwhZ$I3DX^KJN=Nn^@a?GBWl+jS@p!*_rX8vV7LId!sn#om+>|N)G!=<1R<;UJrVc z$cnd-b5qByNgi_FX;Gs#@|sL{OzhEm=!aSZh#01mi$Z2|jL3I3!m~!R#I>~zj-aso zsluq*mU4SYIeX4!y2|Mdi`${>*Dja1{SvUTdJgc9cP4~)Mvg!d(?6U&x?~Oh!R@>p zp$KB-S&gfp*HO8TH^(q5-uN637Um#Zf9~Lbu+?U9Q5~I&|!f?hdo= zI^NQ}yz&csVt*Dhk9vgvas+-q%vtle3@{^Q!IJ}rLn$l@_MFO_Ta57DE4|ihgS<=2 zgbu}=*DyzGjW-qYNU`kGFA`};y{<{H>Hjbl=%_cleExkvo-9o17F6*Fe>WAmX^PQY z0#PAXu6?XsUT42pHf+UqbHr@idTCBW=UW8KD=%aAme1pIw@!r4(+S{4nl|HhuMhA< zmbpM7e5dIWNKkT5RvqU|yJ-jfbnmSvEVT>uTdG&-;lV64M;_V>hJ9?yW2R@Na&J~6xQ4iLXpmba_hVOKcD*3ss|U%UCH8$aIL?7)H&F+ue&tX z*0JZ(kpMx5d9BXq+yujo`n9HgjML7C-%B=G+Nf>R&d*S=`vDKCaJr+LhqaLA3~0eI z{O8Gl>EdcHf9zrJV*f$B)4|er;PCKFqsnms`&0Ht3pYS%imj#(df^?QD{&T?T?RqD z&s&{m%gw?rT(hwDwWB*G=5NhplPP3lJTZss6CyT8CEGzrqSqeKGRkywpq6gxSju*%onNps3H7gcV1q^>3SVKM 
zy;;=`!qKMOiUi(~omC_2tj2c?a*v;|lQ}wD=@1Oe5`|E3yz!xCGi7gq(~;Hqc!ydlpw>O}sHsZMs3bBt zStL8!o%D}oDfm$aixXZ+Byihgt-P!C)xP$1a&?;ip-Wj}GTZ)q`Luvk{u{rOQ=2DU z{h7>r{5zAh#0T)L(($PkM+BYar&@I{y9aMGVXvR>LS%Y*E>j(D%aX{F#;@W%w?y=& zSEv7;3OzD@18yQJt7O5#o&FS&ml8I*wZc4sWWapMGw9q0NH~XW+r#2MhyFQzv zMr--#FkN2GqJes?d4wJ%{$no`%(6e!G2frulwzt40up6^1tJYkIi@>k>oSRy_{0-w z%UAf%3+v(34z)|WX!C0T$eJ|%MWOQC8)? zeYiVBJx%1k?ffAAm~MCf{d=@^KpwnrdPdxkP{sgcAWut`2zTpql#BXcZpu+OHD6Aa z>@^5{5JkVR6|CiHdYo_Hj(DctldoYu$NlASyYwgoK5NqTg=6bTU^uff#RUP;*X%~9GypaG;!yI9Ql)C63e&WZMy$R z)u?p#4r|^^;H*Wj+{A9k2X+U)QD%wUpGJwg;b_BZbquKL8&(?FL92!?k-G0ypYj;W zsN1-hKgGG;F*x13cWPsA`~^~+{}9$Tf@ z)WiwBu1}Wcd6f6TDsIl~Fb{fz0)E@ae=n^5XIA$9HFH9|ofT!D4DsVSdMm_uqH9&4!m_JoK!pYOgL)(g^92T@)35%h71|KtTQ6*OEQcvNh;k10MMd3SHl-Ymm5^9zRcb~kpD zkT_e;(8AZet-;bNmeyeJA zkpC3F--1`W0mB?_KOF8Cht1lI0>SRp-n;;Z8%2QmOqI|Hv%|dA0{Tzc|L~5FJtbZ}&M+4x<$9wwg9QnF#d+u_^4UNF?g`(Yf0Uzc9%y76D+b#2 z!G2A`ZNQZ4&jSIQ%lH1jUR#Dj&dP`k8;g|Ur0xIy^#9*)McF;SR*-t{g%=qhW%4~X z^pW!Zo-g{RC%qY2Pg^o{dDc|)L@AtrVPOjNVgV8Q2p6&U@S=b5!-#eB!Ckfy(qDfd zZ1+*3lOhue(eux!}UqTl7No->r=&AxKE@ z!w;yu3>y61$X>D=`tV?k?GgUfK+g%1{+c8AqL1Nj<_J-y zoaPb{Hdv!NBY*py4R4;;uLhHrffOFBXfOF5{=Zon;BOe=Z$9|G)!7a}%s;H%Z z^}OJ<;O}88y33`z$hPyN{Tl59Z%UCr??A9NC~xc+M+`Ft;Y{g)d_{`W?DjpNn)J%FzdHK9<&>E&N-h7dmC-!Bf$Bb(HL&C>T< z!hbu?+&2#_;jvz{0$b3^VF?J;E`8~^XE#n3?PWm z1D$r5qQ*FxmZinI%M-=C`1KhnmdD|BrROJ|1u3oZL^x`eHSyLRRCyA3XB^4fAVCk| z_eSn08CBahW@Y^^kHm=cd&=z+q@zc`S+b6V_#p_}rJ-aoHB9QupcE$^MLmrgo&@g; zL_RLplj@VDY)DNcFjWw~Iz2#Rzpgr1t~%(6xHz+jAjqqg>Pyl=LjN30$c`yK62g_S z7{Ju?d>wGtN-y?XYx#4;?&G$HlKU)m#aQ3A1zz6+0A?Qij5a$<_l%SL-g8=wBlLSKciGQ?Z!aZX9BZJn1Q{crE3fmRMS8~8xJ?tS8i+9& zzSQz*4|<*17>I$KBURadq;MszL<+hbrB1y$nipw0UKryV@FcR%qV|#k&=$UsctFK^ zxDM_c(6XOz6_LHQmXLgVI$OdT!v$Kd(&>}9)|rxjk%cURMwkrC9g2)*MEgTBnM&WP z#(UZ@Bax`rF63mpqM)A-MPfYu{AShpodTC25(RUb%T3ay7@eJTBUhAQ-JGS3W; ze9!W2n%ZO;ox931&KmR`%_b?z_dcM+PlFbp5n^w?dw1e1I)^qmv>gEG3=gth%J)2ZdNvS=|+*tS3N4S~+ol!>9& z=W~t0OP+=8*jf3XXY$P@o2;}3Y2ua(5Zd8}6H6Tgt9GckJ<7B}1+3Ck2K&VR{rd{r 
zemG7l(~I_b>CU1>O1ATo_oy_(00*mRs>y}qpjjCuO`NEW2^)kGN%JzP2nV{eY>W@( zDF`^9Y+&fzC6q)AKH?BI{+RJ}O>(d39j}`Iw3#N? zjO?r!do7jpLL7QXfcvI;@9_&uzS$6ycO+`*8Uo{mc5w+0-&E=P{20g*D)f1<`zo67 zW6h(^rL1?71Y)Z}+vGteGe65E;hvxqcm}+5ZywQE`9A^z&u|RHECM-1X*>twgx9dk zP~KQ-NaqciSBj<5(gWfl-UX5Ej6khV@=y0#2sl%nyE(oGMRekH9(8a#k->2x7aL8= zj^xgw%S{bmSH8}xVr;h}y#oC!J7=m%I5w##@xs3RY`0l#LHr5z4o9Acm`^`*VyNn) z;t1t;B%^JZ|9Q4@;oW7_8_goNL#@$eYOsU|zd&UySAVveluprT8)!UzIW*YY7G1EI z@aD5f0BVEQL1gYg&Eg_`fl3sX^fX|rgs59oZxbT3?pUq{y|3W`ijh`*UJ9VNd($aa zdM)1V(vwG--ApQvipQcxArX&hZLIW$xYN;5pdHhpy{sTbP5hA{R)efC?P$NMqKfGv z;rRpHCkHsRUj|OXzi4n*wu561Tka^OWTV{#QahhItGS|qcfGY1!etb?*OgJgXg!3h zsDRrG8ow^2f=*T@9Y?2>d6#LgBSMgXor{~rvje{J5M8yqUgN&+Flt}t|4m5m zZ~H#S9v_5H&Q^QK^W2GR)C$>N6>-hb98K5#G!=pq{TOb8#O!kBEX4?r9F-50g<2t| zet$Na?ZDf5S?u;BU(0mpYt2%pgLeWgAht&3I9f#nIN4W`bF3wxmuZZj7RHBB21_y4 z{y-0MB^YwG~N*N@mPt@$&phm7a2Z_2ACrLX?Q*Vm9qBK%Pe@ zx2P!jN@Xw+jwH9RQ`u!-ENVPs)4$QvbzZtVMm20a#FGBr#eKG zE>$2sj{=Phm>fl_Fq=ddD|uOlv40d!p4P;BB|7n4a7V>%gWyA%hRteMNSt|9eJW|8 z-DI|0rTI@KpO>|Elc7QHU4THiP7Xm)&FZX{Gx@^fQ`U9(8!4o??1_{T{qy659(Uh4 zlvQ4avz$US*OLVKYz^^Z+(hNbY($rasaJ4#;e5ilwT#d3S^WQ36#Lj8^VdG>O(r5M zN_q>sYgV@(HTc}$VHnPS>o-Q2b5~u#jrPaKYV4wf9!DsaD4lGNDt(XbArpD(lmMDA z*SaPk5^b;=Z>XHJPU#^-&{3l%G9OjgZtf^)CtqylRSLh&Rf<(nU|(+dj5!jHh#nNl z;8yQvP;y5<@(|wVrZQLu4MENK?lj-SO6GxF+mpWcb-j)!{ljAr@ zr?NqUJ`T}~ooZIhb#GFg<`~!XZT4Hq8()MDmOK=_o&CqoR_HV3a=){y?%H)DgBol3 z^U#3DPnb>mRV0H{O;pN^n=zT~HB5eN`#LyzRqj&L1E164A~q`t!}8-#s*+GuPR*#I z-k{4Frh8C9Q%@rC%EPT0x+kM+FM2zCL$6gvQ_#MzFj1yjQ-stZ@joUH(4<5(PNeu> zQ70e5O$w3tivDrjJS@$t6c?+cgNQ!zM-LjQ&pOG(=#Bow!)_b0NHP7y%df6u+lRzG zq&ApXVWeW!+b$4)#Zs}5esiqAW9b7*kHdDSC;_avL&)XWb{3r^N3)RfdD8RFY`Zs( z#$#X=7QFuQjX?OF^8x*i3fjs=D{_?1t@H5nNq}2L+l-yHyk%dFx9MU5o*9S`x$5sR z_un5GR@zG0k8gg^GP?j#)KAbjl%lwHQRU)iCqycy;Fu~~Og2R$yI&Alwc@A4tczwx z1SFO9DTsBrIGt0;JM7kmgaFHFW$OU>`^qipCi@dYy)XR9JM0qp^(CGLAKyrG4-a;n zvXU}#=*sRCEgud_`771&USE*shX4%Fygh=(ps6a=;nA;{| 
zXhd9fam}WaPN8MHiznSRL)ZG*+;OO?Q9ZpGa*U`;H^vC5rRMCDNp#MlGsm3Wt_(^i3PcR!XPO>Ch-8orHDhfl{ zW1&%a-Og_Uyln*@L21B_HiiAO3(!ZNiBzMl$j<1?F}_=8d~<-K3zxX6#6vN%2TFgO zi&8!D>`$e4rV5Bx;uu1A(`p_Gigh6_MokMIig6JX8T4WgMw^qwVedOaS$9kVQVf#Z ze#A%8D1MIhsbvS6@~=OOLmTJ6_`bOBhIZm{OgO#_j%d3pRCo_sAsf{z)#aryX(`z_ zr|18<6!qk9a!S0T&xv!}$P?cNQB-9}FT$jGB3yPo+Fn+IhJph>B*lx&L_jhAC^kxe zA|OWibnqOUnPS}{+2X?;5jus?hI@%XL``+lI=B?kt!n$?1KNl;@(jJ1N~tYR>RgpE zmkMBCac(T(f%5#6>tG zxL!5mFzT+DDp#0#pX~*^8XEXj`giIcZDbr{?{U6-@_@uAlFmbR#@(e<8T7i+Dsk=X zW~EX*j!4t;oK$ahtMsUSDf4y|@f6(xrN`+&V+~VJt9jeNZk@WXsNg(-Tke~VLYT8b ze*>dQ%TO6lP_O3R2ix_L#_)O87_w~SdCNif#_rM>o1~Z8@hWI#spBIUOL2^56?Jg- zCp!)jngf@Yk*emA$Y@dir!T6dsy}Tkp1n$Mvo}*g8NvEghg9J3(VEHZBrrAARcbaz zu3V=HEdz{FnDoiEO^4}JzNdVaQoY~#C9Cma(a%GsYZWD9ahIu9rBdQ#nRkS4lwTB`bjtqQRI1gT^^vrqH)vOJz_kZ+{8HO zmlBx`@^t;Kp#+nXNkZo@5O8F46&j(zF`FrqK}f{G%!bJnVwc-bK>1eX^R%-3F6vnc zgvNg2gApyiW7%c~jY_3?bsay^tCNymp7SYXG=jwnR5l18VTz8na&nLy*+CN>X2U{z z1FS~&N6c&Lt3*Q^v#mpA@aQ?_k-x!OZYd5+^O5Yyt7;B&=@;)-Jwok?I5>L+6U?PG`izdN?`y=d zT)5OYd%Sixp@LvcYPd~Pk;Mx+hrOd)UM|^8;5wOh2`-9s;<8(CTTLt3)LZFdfA_$F z5YoD(YEj*+d_L_?QqbATJ(xaQi^Vs$;@1D6+!#}ch0~v=#$or~K+WKyl!`s`xXy7` zCjIWCS@-OjyZG1V^zS9GT6t;E<&yBYh2M22nsgwy;%{bIj8`c9*mWFa-p`f!2G?^L zpf5vT@eD#msRrMPPpeTSztW?MUUr1kbeT(O#S)E_I8{!CB3V5f%6Y( z8x}~#PtcuZ!>GFROj7K+#f`^chbujJ&aK~lWhynXGHsXY=_3*aC73(!67 z-BByop*VK8!UJvTbSDq(?y>cK^ABi6p>Pued1f@_)mnwVj5g4RR2sBS1d$}(pC7U| zYpK7<5g?$i!(ZGmv0$uBQi!xbqefw?eIFbTs-=gM%dZ=KW?$Wb;$w7_yfNbokL57? 
z1ii)HR7s;p5QeT&V)!nnsT%7MKWaW^J^~F-MhjLV;Z-pgr~3zXy?vB}C$-Qz66w05 zEvTS0Q~BJ?z)2hVBVzkUp$guXzC_H%Bh0JNl^{g{+N$Tblhx0q-c_rFjbqhU-@$1- zwcNxpr4h|Zi(ifB8YooYtj(c#K=Q##8pMyw6x~5nHnSgvAFdA-BpifJ&RDdXbwY$6 zY|?~6HTw~CpdAV(@i}ZhrQzrMTNv;phf$L#(?&dd3n@Fk^8yKr`}5Tmv8Rl#V_Hsg zSLa(B!_EWy%3hmjg%u%USc!H#WSiT72*MVomLG`pSS3Juo!jTdBP;>aPzBH?foQBY zn8~v(E@&H6T4P`Q{8or2dfB>BG3DzL?D?MK`b@cpZK%vh+#orWHF)OJ+Iho=)y89g zNDWjaw$zjyJ)O)uHC505QuK^$+ogEfuE&clQf8!_bRw97Olbj<>u*1?nDPHn>d24z9R+*vQg&>ood>SZeYBv zZ|+*0A2NC}hl5kY!&UWk*R8TuLWUCX4=>VVh5TBaWDO$H6K6hZFv+6 zmxM6BFhV~GK_%ICYvmfXi@n@D;@NM>j#~yGAd@l=^c0IKr3$i^Z`#hkKI!q*MDG5v zlecBS$7z>imYJ7_`!kw{=YSn5I)0C2Z-;TR>^qR|Fzc3%&tt96mPQTb9cAEVlX3IvOvRq|xa6`;MbKHC(o2Gfv=YCYD{2Xm_Ea zaFEYC&Jg!)_44QR$L^PWUhAlsr<56s7gumcmy&`_FLi&jWOOzJlsdf*iEPNOg#dbN zK7~7bk`275+l$wk65^u+_Aa*8XByQfQ(A+Ju&XN7>JP@EJ|q}oVcZ)NbS0arhN_;ZEWdQ)7NUG z@!GuqjHFXhE7`Wp50Qhx<3GXf$3^HjnGLPtDZGgREVGIJfIJVfmB5D#vJ)>W0Ynjm zZh|Qf?*tGSV_LXvASXN)@!&+`>ElaPE_MHyK*%za@6O$tC1)TCT;DZLlt+oyao*x% zB@t|%-!4);(Fi&UcjMwgRnN(R>{(3`Yz5cmtI^t7oT3dL7XWj6OWMxuV#9sRv>hfm zI-Z9Mi!R1xOkG+0W!1%XFjPWACBal1`8fZ|Bh~uIFsi{m6xt&~bn&+t2%DVZQn|CBKnZ!O+ z7%7}@Xpw|uh%vWE1|D-i2qjEJyNDF^RYaVvar2RXlU#wyS!!Y9#)eAy_4`ud$37W| zJGpLd)@IP*xmT=ApOPf)9>V#ZmpP?cnW(I(p>VV>Fy_)oRqCGj4KvWA?9c7j-y@+e zNPQ=&`TBK7`c&oh!XyG+h+y_$B}v#f%S4VL*#>3ar(f4Y3`q%>`Pbe%Vp2VMx@?o@ zhrLO*+{{xeCK~ExS;-(mP0;&DVvetF;9j(2*ubq&&KaaP_6g{1pQoHk*Y7>*hzbiO zPXzhdesc$Zkw7cG)Kt$wPol%}qBIYN#1FR3E+!%xJtf6PNr#-Z*1dHnQxk z7S>uZ*5gX_M1ry%DkRDT+rpnv%hFAbW;tRudes7cKmV}qrWfaBE8X~=iwPWKVmiDK zf1FCDg{CLxb(R;Qlo-2d`Is%%Y#d)}b2Q4inv6$j%5-S?P7*V0AJoIMPX1Kc6@T49$&h^_$;*HhUFW}vBOMLew@fKiDYcOv zyNJrk@to~c?h4F2ungHLopBJ_8oa%m3+yI({6F=yYW^p3)3$blfHFZNxL-};6bq!| z!t~529ow4#xD{(_r$Hm2o zScOia(S#MgNBbi_ZbTEMq4>jD93%z%p_h^hGx_PlUP>IK5V}}xPG$hI1?7Ln{IE4w zcA^lucKW`^V%Fei1?KoCDiah{$3q*W9XoDRdh#SXnVX+aSV4qevhk#HtvU4pgg|$an;{x7 zLR7V;T~eTX!OSG2k@ZLPw77PnU<@}kRPcTl%v|N?9q`}U_@-7E>9Y2U9TYL*?OI1^ zMhgW#@vLLA&k4I-6kS&^kG3wbz9n@%4@!{B6*jY33mPrOJ?U54J!Dxfc{PhNU-f$J 
zqc&Zxw~Fr}#LVSs^4)Tto~zTH62cLuEzL>lA&W2kY@~$x@YSnY-pqPqZ@%N9#{&bd z1&RB0)xrC>-bR4_TTD*qPEOsQL-ZePq4jYvwakDHk(`mubJb3rETgBn2lF^^kEe)c zoj1EXy3dk~Z{7^<->Zx+lZ8VhhIM?p<|07w%Y7O$G-HG5iggX%}jJc zM6a<5;?V0%oSq`cfXGGQJ1fr3!re6w^FCOC=W%bzVIQcJ_OQ7KslQBf9;SY$Dl%8- zz8B(g_vd#>d=4xF&~avoW@Z65z&}5$`k94>x?qzg#JgDYT>w^ZZz6`36XH3W(#1&D zn^|UAIQ}6lbrJ^(8Ljo(W!f713$O9GY|Az^Vj)$C52@w*9!5>@m*pYuX*8{DoU{}Kk|GGOI+O?dz zrW1um>TQ)aWV7N1J&EMi&Xlu_bVE#8Ht9=ZsC&LLTRSdYna-5X2za#;+DM=0rfc=q z&(%lMwmzP4_O_bjl}|W%@Fz8u2YHx($sTc-nb@gfSZ@MnoE`T(l$AoIt|(%x4dXO-9^!%)|eTyOy=Oa9lZ7aMVxJ@jUZ;q(*}vU}l_T8Q@Y_8AFKM zKDw9gq$!YMEndtB?9Cw2>|T`4P>-rz^48BLMQJ$u#k)@!J?n^><1{%wXju#jGraUU z!Iik8QOHVls!^`Qd-@;sF3+%ta zM;WR3c()YwRFp%y+|k?D;GQd=`Sg#ER-plIZs&)#JkWJl4ROZQla2oF0`xwo!(C9O z%*yG@_Ewrr^+vzaDo3VAxnJ9U+i+F2W1=)!f7?G;z+&6Ad-=+CVJVZ*aPPUBO2^N4 zF>2X715O`HY0Fxh?!D!7R8P-St5M1;^|Iu&pxqbnK@|hUW62TA(FQ%yS4{ww>S8ix z6Psu=aDm*6mQ;h3(4^QLP<^SO15j_ItB|9NnO$cx5GPrVRlis3hdhJUSB5rM_y~)5YtF7W*bSY&CD4sRuN=W; z`rXoIAJ9LW55vh)I(i%UhRqyFhhlti99+rm!tZj|ovnTP=_)w*sv3HTg*b1&$HS1{ zJDDhmIB!Uk<5Ru(JWq4nhr~)5PM7RXr2k%ptv9a9RcMDW+lfs&ff!R7Nct0h?RdVuU0ZcB0m0^J+5zQ8sljdyqsg(_8$ybw zS~1AGUhsNKX^~cj-y&`Lw7(jNeJMt7AV0EztUji7dz1a{!L-@|iUs@HJ?Cl*3H!L` z?m6SZtJdu<9nq_p_Fk&ka2~UFZx{<#FnOUrthHsuklfU48bu(xyrU& zLU#9)dsx?@VEyY3xv6svtOBi_C;zzPuujvPgF3W{aP?tR!xdtg$VqvA-`V-J#HsCCz7_*@o zTV;k>UAy_f4^!N>jFC#y_j%@tQ!YU@7Eeg;xi&XG4g~#hzzaM#;?C%dWj59E_>11Qk7(g9CVii% z0Ii%s-r?Ht=nzJbXV0zDNpvsUJ(Wx+UOtFQfnZ+cj!MGxk!rD{*uno}?5yLW?7F=# zic-=N(v7rqgA&r9pma)icZq;BNSA<;(%lRoAl)_O&>;g1IYaYaJo-H6eD3=`=RJQh z4$OGPzV=>wt>5pv9La?F>~*1<7L8oj^+p)X6|cW=IkxmY3gGt-FsX;fPDh~_E5cv2 zryayfQR^Ws81Y+7PKwaFTui87#>+5^l<*JPTcNJ31R=fMA-K9)*xu=$jTiq6A4Boh z{pgS#e1I)}p{ZRPZ95)nm$L-3t>3^FrtaZrQ|?^nX?R?pe2iL;j2<0O@Kl5ngtU5& z*}qDJg#T{W9Vgf5R@YRI-0oUuJs>pjawt>rqYHUQt@ZHnaW2rAQ@JiTcN9&u?p~;( z!XzDPgDo~u%k*Jg!DHAN>95(CBhZLD?6~VPvO&#rJr!WyHRKEaB95;eaBSGh1hOag zeyA1)C-=%w&&wJXQ0pLl3UYGiCXL!zWcLdVKJ=oyPt|FJVM3<`On0vIsTb_!C^9r| 
zS9NO&urdf?_I10nUrZ$oXJMGc*2{k6(@TB|jKIDDA9b0ypd+JMFCXCv0`vsNoYq^C zJ}?M&Li>5B9EGr1Zh|kBC!SvRlERxYKs2xp;lfT0BTKQU)l^#WI^S?*ADa>WF~W1y zChLW|qR+u|P*-Kshd~V+bkj+%wP3T>*M`!0GRo%H;ZT(NcSgj3_Thj7{VvJ8x0x=G zIp$GE^~H1ZX?OF3IuOP8^;yxWV8lfb zimbHjHQSEanFoSD&+$@XUP9h)nSS|e?QJ~$w}8>hKyVtS07wqtY^<1gAPIq@E*VVw z13#DP%UGhMYKM%12SIzJcCAYG%oxFU6?w|)JtEJG)G;orlQ!$L_qXZ7`iUZq&ca%t z_umm~-wiw;Ji?Nj;O($=@3$DK8zTL}t9U*4sRqC~^hWVB`d3&@RS;v?Nq4+onX@cAyk`@HXLQ1F5Bo?rf^$A@9L8B^?K3oXs zoOJc9Dv|0>H-A|IYM?$Yt(zAnoV_E=M8S!kU%%k?bu`M-7nhJn4Ztv)y*FlL2~;L4>ce-(6+mjlNY)d+|V(KQ*3;I=;v<9D=37#6LObTCXAd zN#}iJrI1wm_Yj|o=k<)jdIcqPwbE8r7%L96OW%JOH#N4l!95}#8#=|LUE!%5M5{T> z>K48~LKbSPs=)F&mnllo)3@gaLV!%}Be^a`fqxrMFj#T8AZIt6uK+u9%c zl>G41?<6?6+AQ7n-!YL4z$&azNTcs5V{`I+(O()R8)e? zPqh0PyrLX*UQ6g0YW>=}nXoelGBiV*5BhgpzEp`#ArZ#cdE4Z6u9g-##bauuhW1=I z@{UO~Al7tlTS2*Qr3YXzA=c^n`L&lQ5><=_YKW_L2@*SvZSvY!v;qrti(e;0cT-;U z>a@yX1bzE^EXpN+wOgPe3O}RY>qclWK?c@X(18Wzw5wpw9FC zEu!h{!(~#BXcIV`McZF8)h$#8wI0lf#V9|2JU-s$yZKiIXm2#9=GPB=t8?{7tzgV*KO z^au~q0&i-22p6y`j;5`9cSJ6TMh>lFrrp?rSIwuQyz{-H=GcGWO=oDre1Wb7T<(zj zdb!&1R}=w^p}STYuH?I%xvx%(xI7HSK?As}oT)M>E%>~a2_kQ#3wkcn=OhGl;af3= zrO|F)OIe>knRD!$d+auxtwwx)!uf$ognk=GX;M-QcKO}?J>dR9h$Xw|6#_|9vTSJQ zak28AOa?Dt7~kc}AOn|Qi~Qc}E^w|M!jW^~wmKLLN;{wL20pvryzBPvg0LIOY6=;& z-mHe-;BL_0;17V7ZRg(MUGq-YJab>oGX&9TTrxG3!7Yit^rn~p622!q+4D=N_42(^O|Z4kHl)?J!1;UD zy)}(|@Klx_#Sx=6Dnh&Ryp~CI&K6K%N@K)>*`)M!s7@#%u*)hwdw<^zjOKMK)3w9k z6ZQu>3;OCdG=S0jMqKNBZL<6xkb^(Dr5T8%;Y2%svPjUTW(#s?5N*3?GQp^mg^JU_ z02=T^Yr(t9qUkwt^h+LKyU_^;)DR0R4CGL^&fsb+efQ=%O@d*}I=xo{Z=P;=vl)Vn zBM^bm;k|j9Ch=+8>9)F10^6$!a5v^wA5ARq1nH04MsE>KduUE*qFg?xalbaokhx`0 zMeT77YFI%ylAONuVAU&107ypcX7zA^VSR3rc}Qz0kG*US4u$RRH=KRY{cm8*Z1@+g zi3A-8wpf@z@5mU|&q8$I#vB?-MD+3xhIqs-?XQB?5Z+%+d$ z^1#<=n~Hm-O#U>jn>N6`B~aMr#G5={DV2(Tzg5A$`x+R7XFG`l64Q+cKD?34x;^1O zpd8ZD{KeM8=h?feAVaQo@?dllWw*^S{~ zeCB)nreCLBAMbQD=29iQEBRX+7nUKoGeW<<};?^0XJTV}k+ zNG@L(CJ&dwx0KMYLEz|_iL?Qs&)yW+bnYazY~#u6SGi#phm${A{wm7;{10+-imy0; 
zeurrB%wh#I@Y7@N_dM{SKLWV)q1kQ}(~{!kIKy%di)Q6+p$JVPKJ9jyrg?Ni&e;~q zEj+fMd0U>uZd^I}BllR$0al;aH>(5XG)bR$pHadVew2(@ngc6&bk*K*Fw4HIdWmNG zK~I)nRl3P)jJt2g35z&Xd!9yQ8apumK!DbgI>?*RBFOn0_M6H)Jaf1G1p=@ZpoY6V z*{43;nGDz7RNyF2%pZz}t<+lUyEG!#inn?PQ|mQ=?Cb>IXl>P&u7f0!KsQb`t@#7h z{>B6yAfQqphaUE%0~?TE16;fMbW-;PsFe^X$bsjo8P=K%R4zUdjGpwZ7<l(;&BlRyrRM5!LM% zzxvEHa@o2@&Z5*!ObhIcWz?uYb<$rAYK^2jBZMD@uG(tXI+T3fy9U%ONla?y0&<5U z&3onn2)~hD2?1o8$e(!%$>H0F?Plvl^}z>7*IvbW!B%Ic+?Md_8J3`VnC0dN0U9~E z8(3abD3BMIkJ0x%%{LApgI3Ykosq0J+A&Ab;?<~pDyE?YcJic2E>8tKEG7}s9?c(6 zvRjDsw}t4Nv$`($3A-0r%9Y)M_xHRHTS6L0@Yf!(cCHLPz-I@=!=458pvKPrMRY#? z<#&*qX27gYjB#hRNvcw#y<0WkDV!F4v)%+HEDj@{#f2yxwSRa(_kEFWn6)$uz31_CwEFUalnhxDbi!7Ts7V38AtJe)%$c8+q; zrd3~taQ%8;{Cs7}U?O+&KnGJA4n;)qJ080~xy^!%GuTuqsUD@uUJMLai8bDSItaop zS?TD1SDbjT1ewJglWLYhG)c$QQGg820fC{WF!A*pl#^cy?2VfCX-iV*D}G7Am67Dl zZXo*l#iS)mH9#SwFpCn;$noB- zw{)V?Tz!INL<&fY(emCEzeVRcqy@CMR;|gav%0PC2`XVky4{-Kcol4FkuDk^#Bjv` zyQUtO4Nng0N>hMll2xjWW>Kq2x{f% z5Rr^{hl(*IEdeSN-RDRT?l%|^^L(}M%_aNCpp)u%&`F^Y;ri+>=#*g-NaX5b4$AR@ zX)mrw9fQ2ZKcftYzSkxjt{OK9#j}JIm6qsV$Mv25l7TgrG!A01Q~^rbA0fo#fS4U} zeIalSt$p4@lI<{G6nIT77DsB4Ax_^`(F9Og3h>g@NjbHXx2}nUPbP6XYy(JKBgwC8 z6e1>#Hpj!3={XP)`ethl)B4xojG$~!;&trtbyPix_v5ph zV;vbu=K%T&SGb3ih{NUz`P_DW)RsRHtc0_$YsBZ-IjzRtU2tCIa`!bh=c$XH`TO|O9p3j8o2O%hF_o>uVAL3*4y~F1)9db69eRt>7stj z3nC+t3d6@Qb#<-)Du5nUD_`-^>rNx^-&7UdCqaF?X#Y8+yBUcA7( zUydf^k&Jb=y{1Bj&F2*c(wbH z_6`8M&rNlai=XGlZvZMzY(XqolUky+ zS;H{`!=oEqs5kNaa9~ZTItzuV7FA^kF%HBNO!m@iEko|p-~F^aKlkM@>`J5mq7EAI z^viUC&GzuHB)LMB%(6n+f-c$i)h5KW4l?F9MM9QAVsm1X+ut zY+d^7Ad^~XWTMf}{wbx#h7k}FSSKr_s^Mf`tV~QZ?OHlK5p@=pJPIgs8BUx4kMuB*t0p3>W8)EMW7YJx2WjEBV z)k2QaD1%!xFn@6oG2W}haBn^AcH08o?^#_+Ht^dR!mEmEL)zsm18Cu8 zA|4DoZq$?)uW~=|<=FW~UJF~D%zTziq;F)g?-|yUJnD-78pNXE*)J*E)yb%ox!GUd z<)h(8KiLe2T`x<5Z@!W)m$A0$nX04;Ek3DtTYLm=H61YE0Xpm@RO||E&N|}jYOOUg zo(8~A739c_H5%@18X6%ao7oqHi34vgpydwIDK5>Ac~jeSLn3BI-q-xVDm>LM(sgVu zn^^v)(o}c&IGpf3d0TcO{>V*Ky1rwr^N$YcLo$ju@MZ)jt#bbjPtOAxNB zx{cNj5Xs%O-7^3Mx!a-u(L2)D&}%B) 
zmLxXMj{4=68X5l=H~0&$I}QCfjmQsfJWXA|P?$Lzo3gXUPEQfx@Wf6>^8LS6wo-aO z+-j47+J?Svoj~?Gd{&9JYq*YDccKPEYJ)97c$dX~2H+R`S|wXf6@qnb*nd!c#;)0r z(l^oc&iU79SyUe^%A?c;M7SdVISJ@|m(rO@CL~+*w#=gLn&wW}(taNu$+}>3*tf0^ z-ia;#4AFWkFz-3sw+8*FZ(jCpi_`SmX;U>?{TE^Vr6PC1HvI^Pa%&BZO#wbYx+GEY zsSzs>1s)IZr+0=z+hA>N8b#CJZCO9WK2?8Kmq$Kc6(=oF(qp572J~HxWnph4E3o_s z&hzNOvdv4ZdIaQ(_sw$}U&#oLl^`l1CV9+#(74sK)wwz9H0cK0Z(*1B5Rx_b29}DZ ztOaLBWBBcLx2o_Anmk@APPaq6Y$9HlD1iVQlRaTiVjT$UKurZJR=&Tfmt)5G>rxY3 zfFaX+*c%fJs!`oN9GQP~+OesPkH0@}Yklp(T8U?h8-1vQ)}*XvR7u(AsW(%s`*FKtnblcy+#IpnUD& z4rh-rA<3tK(9`gh=+K@ggb*OZj<5i!I1Z~T4*S=vH9gFMJ}Sc&f9oylI8kpmXIT*# z_2$=G8cP48u%l<3{9SQ+Tb%;ODcWMt?q>>izpk$SRydCQ<1xz7eOcEj4W!Q92;x4G z9-^--vBaK7XS+9QZ|jK@3xlj5C$|CSl#A(8D&EBBExwn^HfhTU&ZqlQE9y^>D4pus>V6_5@fPw3TaWG32x)+< z>**%P>n@*l35t?Vjqip?Qj#Av1h&T;1M$vCh0kA4Pk|S0q8-JkSYkVGdQIGlLfPam z(0rShW@!nS889aO*n9Vm-bZ!n9cH*EI+=!81h~Ef{0y7&_54(W04;pGOG%Ge6qrWGsVr#V6xzc{NKF>p?)qF8)%yX1VZs|bzdboR zKWo1^-(e^TIpUbDe$lARzC?l%84`y`;G~@4Trs_Jj{m~IKp*VK1FsWZaATD?L!tC} zhAoo7>N8In2HKc=uOt9e*t~~Xnto)QRQ<&0M5l)f9b3$IoIB^X@AXjvi~GHdXVhd+ zS1dA~$*(|bg^vjh^VeTSg*6II*`Gt8&s~q4RjY!$eWorCnvaL{qSH4x+AidoHGH~K z4HIZ(u!I$4ucUA~_O^(+

H)k_~=ov_ImO&V9!5@P(0QgRINa*99>IJ&#~5jW>{_-o{5ddrapKnBAGoNi@Z5S{(zn9A{DoF#4Dq( zc|AxO8?3=e{TRQ~l zOY*|kg=tLHrpNgoIUyV${9}a`QuH8lsC5ITCRTH~-&}lK;`{7nTEKnwVW}riIzR(~ zGq#BCv6y;0Z>4<2^nGam({mOLuP(*1fYlj-$v5xTb z&vYwG;4GV^znG`LIA=B={g_ltqB|zzs&e=GXRZrs%q=O@RY}*(M2P!n9o_SW4UlMkV+#DxfG$dfo4Z{DlsmITWh$V1!L&jd)Td- zXi%&NdOMwd8!@?dyS-WK_oAhvJo3`ZS)+n^w)0ltT_|}HYb?u;K~-OaZMklU-cVNR zx_17g*WL6xR;o&Wc^a_jcxv9a&A^@8s}nH5TBeaP6i_UYDy|S6kH!H^ZnA_34t;n6-Eyuqsq6M_9(S5=~Ji7Ta@!g7`!{aQ$(QguDls znhPASJ9#5{bL*^K8VaYkFx?kdJ|3|e9#P-+ns+zoBHsehNl!An&PspIK-4A)Fn56( zeS4HO@Rud(t)jHcoL277xAvSM)d{PYTe~bwG*Mg?VXs|Od~X9b2+rii1F6p~)7A~HK?zK;;JS^1u>L8t9Su)tr13?n}bc-V`93~syE;wCA? zRaZ&K%iiv}8ToV)FYgJL+d%NRGAV>yWcfwciAHc?n&+!UQ`F}zXy3thD(Ws#`+8i+ z#+6x@W|0BJ5o#ABesbMRszPLTeWXxKjqd|BB;6gj;)q9mltT3((d_^KiT5o8V^W z7WbVG&RQ)dTC%Ol`ufGyDN9skIb-_?a9>zs`lFvX=i6&Bl8`MPjEz#NTx9Q-PG=_V zitB8;RG5 zg^n^4>elW7Wy64(xxHvyY(k*-g+Mnk58?JA;N6SE)=hHo0qYl$pCF%)OXCa<`1Z-c zegIt{S#QMQO9Uc=tmhd_9ik>kG2)Gi)h%iUE?-+-=f4Sh+l&0yjDIikowTwBb>u5I zsq%^0Lm)m>UYdTmS{c@qnyt5Xy3#4mU$kp#B>$!!+o53W{>k?D4 zq|X3fg_@~4rllmH+7mn;Yg&x`nXFi}Gy23(A%~Ek~r8GjnA~fU2_&kdsWbezwdcp_x-^mAdIPAwJZ3oZV$8iJ;#EeOzios=2H^;- zj*WCZyXA(E3*rPgMcDyQvs2vIJ^_3x=CMySfr{@>r2x{8CNV<0DgrNIi=lN1V>u}US5CD zF8o*sH;zeBf|YQk?sOb5Q6v>)kr3wdAdYbKt(7modh82|EBNRUc2h+9&&jJ7tbs>{ zs(sn96MbKFN6NctSW`wc*v`HydW)6{h&cEoX4T(+sT@Tdi;NX1d3!o;SjAJ~E-W2b z#By&H9%X7{{h04*5`()M-RpT=Ql=4Jdfe{+3A=5Yb&rXasiA;Zl3#d}^rK%A# z9lsDXAR4VC6t?MoQK+34$I^^vhpe71|Jo@J+8V^^Fu|guJ0fP%rCIHCj<+QU6?$!J z<7HYcGW|7-e^xO6fIRpMy&&8dp4x(dKt4N3VyU9}t!0C&1I4gLb{9OIBGP!4y+Ydk z764!%R1`8~ejc?we19TM_Hpl_3g*U66c&J?c4!-kVM z1;B_X?kXx%(Pk3XY_hYCCRBW$A>dhb9Bqhq6S1rdxCDzDe8@XmR%tg(yADjS@h@gP z_T_vPU!A|he`LA6%pJrAEX)aAR!XY8~J3_T#rQ6w{o*YKuu~d`1 z@xs??Jby?07{^tj!SvO*^HtSltR17@7^BL&5$2ZSIoR|Jk=@g0mx3RCP>GAn8ZZ3A zr>Mc+^}gl5<5k#0>4;<=FtRJ{SBi%8+r9dwjneuhtXXmUVa3L^=#RH%H!%NGkSqzG zr5)?wsqz<$o9_Nhwr0oRGQ^7e_A-(x(E44tFRbU7;^TuBJ1A!+&v%0n!5GaYN=cF* zf1d#i|A?z+f=!%n?$U|{L~THpXs(F$U9LH7-8HZiO+wSV%yA-#nlkZfm}qrv&{Az3 
zK&+h3vz>hoJ$-IVJ;FgNc7G^SP^r{d6S51(@2KRSK2;-Xdp=V8s3;33`sjeOKnIaY zO?g;3!V%<*7Tuyrs;5=`$*1dx1%+nXp%#mKngoHd5_E4}ug0NlA?a4Vt@FKdV6$<< zr&B+X$hYmC8~s9*0URyMA1h|7fE+C^Hmteri{OZbbuYU?<+vl8CDuXM@`DYoT01wO z;ywhi07|x{6e1q773{7xcW#g9*K5ffaX5D6g<9Wy1fL47%C*sS%EPq^o>ksJD-Ve#*OV>*O5_d5q&;4BXEj!_RX2~y7e=yD4y zJMO;AcS{INzt}6EHqLBYez=$r+UB65xBm@=cJr_-IdV|5`H6MPD|E(>Kt;1ezdCw% zp^*hyTHp;AoiRGT%^17v8$Stw{s4~gSZ6?|D;+^|u}64bdkAzyA* zVO(wThHr1S82_pPbdcLR4mpvRf=Q#t_qzu?kd9$F}B`wn13A^fVm&E`>E!59UV!yQ8W3~7$+Zd8-NSg#zWNg?nR zV+ct8Lv?9c^0P|f>3+yp-J}74+hdw`QL)3AAaT!rv8r*wV6!#US|LZb265haygqw~ z?<3AvZ#$t%!p!o~xaTJJuC}Oz#u!A~2>>pr&$e4UkEcJw7Xi-2uerQxU9VsCPPL{+ z0*8&2P5>fF@!So$V{X72EJztw54vaq4Rk>#y(TMzTGrztl+p~O8fg+%XfxgB%&Mn7 zjo!e&YRfda4Utf*n+nC;yt88?k5GnPc;lQOU+VJv>Xx)=cGlasy);`qb?Esafkg>} zG3&GH62_P5`gYUJr9BYAEq}H=yEj+EmU_jiua~;EkWz2>&1G+TLJ*zuQ>B%a@wht~C(uG3m&r|Z|#t|yljWx6T-A6`oOFeWZbn&f=K?9l$TMrWfi zYNsb87vGJU;VijS4?a6Rc3U=yJjg;kIQ<^0g2tePj9E9M^R?Z!|3L?t#+y4d3vVjb z!o{x(s*PcFAUUyb^9rAA4YY+tDVROYp~tFLF!Z=G^Hp%l`b6%V2el05n8^f{cBFoL zysvY#>Jht(8cJ4aP_pPsEXuylVB8`OE2Ht495F0o%90mL$CYJ2L(b->yf$s;Yr<#R zT(r(=%PFIK=olk=V($k{0(0w_iKpFy1(Wj<$c!}B0z9@KGA30|z)^;`fj*r;*+=6u zFs+fN40^->^M>s@m17 z2>}Q`Pj(){%WQ7vNe8!ly=nMw3oGwq7w@;scMI8PO zZ&&pPWLM&FTD>fI$2r51?qymr9&$%%#YbJkVLp21{>`B}mD_yybITas>uIEoBHdCY zC~A8JbL)0?%PZNC4`jtSWzde0j*+%A)z;g6VHv}g-J^l^8r{Z|{TFQ&(X-{lh-3qQ z*E!GGyySj>t3&h-`Ly_P{5`S7dKD}d{^>JW_r9M*G6Zec{Q*#|T6o15m!m!>`Dn6e z9nChMmlKmD(?{KK^5NR^mC=~t5Pj4e4L#SqHHdJYVqhJMXiRl!Tux&#ybj-2ue6cn z%;Ir9BAJPE^zv}QI}&6Y@lGFuTk}u?^+wJ2^GInDZToc!i^dfqr)-3Uxm>Gu!4bCz zVcunc%8jFgdl2h^DC57ss1ZBN2Jyx+#$`oNFOUoRNGXd;HZs0jk}sl+Co8V zU|9a>KH@*QzKU^N)K+~2Jd)SkvLKO9e-*)2G5-e9mCVs{oqImq8%@2c;nqD4L|u8h zPdD?GRkFSAXa}&f8Y{)CGZM+6s<@E05GoZ?Gcz^~)orM{F43yEBvf@50FG& zGsS+ZJj#zlg~^23;Qs?}Qos@QUwFtY0be?`3`@WpTByv0&yytK!O$SfD2reD$+&PF zkzTD=`(CcA)<&rtS$bR*5aQtuv1V6^%6$-@pEEOw*g+%jUHw7jMSDkeUm-tQw-h2dwUL+gzOnc0FJbl%>PaVASMDy26#TCY^)6PS(JJNq{xHh>%i_k84k=w`WW 
zNa!n;1L?J~e<@YmL(3KWeZeQ&_)4hn-3c;Yyc40j5BxpuvV%q%Ui-y_W(dj34Hu&S z%v`3x@)}V1`kzl}IJx&-4mOr**2&&^sjD+^Y5!#21e6qF8oIlv*pyTysLAiYlYxc z>O_I;;d|*JK3clZ>d5whXH>E5J9ALR_tu_G0g-xQpIcGCH z&lJ_E;}HdWus|2xKMbY_&I|6gdcy!GTu-+S^6_8GH-EWAF91p29p=_3)=35^>;Uk9 z>LIOKJI(JD;(iN)pa_m8S%A%$`A#KqD=`3#>}+579Dp`v5N7&A&f{1#hIwrF?o{YN zY$bns5kqz^*(!bpQd0pcc)*U=bK*oK@a>}!+_tNW2;r;aX?0>i&|3q~iPyH?65i$@^ zhpF7D)H$LG|EeYXZ$taP|0*^1_h-#o<``e317K17dzdP*f1LvU@j#RT;OpI8U{oaP z(`6*7ku)!>HnIMz$NQfS82CDx-|V;;sl?0is5>^O9j4jO|9)Wq%WE{o-};XOg&+6v zUjpZ=EValQ_i4UKZ}q5+pgY4B+9}sY7sKrujpa- zzZ~d){mLQx_xXyCdC4;fE&-2p{1=LJxqp~<{_8XUxnnpFeh&`fWiExeJLk_tYhKC! z?HHGJ; z`^R@Gf8Vc|3{K~K>brRqGrhOyAII|F-&FncP%#@26H?yMYspLaDE@E9O!pc058Ak^ zxQ|b66idnF9}n;EZ)%17zEIP@9%$_--d(7N0gV4yy#6yF{^J8!#H|G&@cKgk0pghrALeCc7J zdW}|qS$MuVZ@&&}yGc6c5HMixPuB=1WMWO$b#m0^4?8tQx-Sz$kqETU6EFvgiCA}B zv0klNPYJi1;M`t{lUC_ zTi@YYPsZkkD!$;|?EWUb-_4Zs{f{zP&TI5%Y45Mr8N5dp=`Lv zj*MtC$gd*F=mGz?bKI~ff^7EiLfyL_zy3IAw+2sH{Mw~)w@P6>e1Ibvi279e7u?J5 zEVt^>kp$NlQ2Sg!)?8%}#t(Txy`T^@|1`GUh&L?n_QQ`mA^t>*I$OG258U=&ODPF* zG!q9&r%YtR;fNBtjz}gNt<2+iZ-pg%KJ5R6k*fWh6{s>$+|~5{4r|w=`;yu03V_F% z%pBkzEd=#BPI3LtN~-GiJUkQm?s2%I)%#hVD0&^ z4dsxf?KA_5d{%|z(&wk^L*CyOd^H>ep(WM1U5oB=cZTn_+3oCoykidOJ% zw*6C&uZSmR3<$zI11?9N@m3k2yX#NsCl~qNHu+thKEGw~-x0~*?^2=MZ|gB{Ir;#W zA~4Nk=^A~+>XO+U*2{DVb7|TxzI9L3&AYh(F@G?}uC4fN7ct0L7CF<#(uYP5>y_-uTWex2e~Mu}93z{G7sr2K*6HXZ$MCl~kUMa_~j-P&%)d7A=!}jo%Qy%XRzfTfkz{i{&XstB5xKQZx4GYnQy7LL;z~`VEgF>c?t=@QrPN@5laG^ zeLW4p`UQCK6PjwRcUW=#V<^S7i`Dn6v5N1DFUB)M;zN4IT_K#b)$ z0o2_AImV2HxYfbRLf1Cs-^o|QokkeM+oX3H$tjvd@-E-9UmeLFbnACkaRuy%oK_wZ z(M2`};8B0v8sOyJ%yfq|Ivw>f%Je?@BmDHI6fm(w z7ajm5!OCp_C#=|40iSPi)O-8wE#*DyQanV0V`CoVa$mn`Y2N&K=oLY|TdGbl0 z%VOLUoJT~#xiBCL^z?j?*mLicKQeLl4u>us{v_!LTb%CaKC9Ky9B!KzwN0ru=v8LA zfR-B!VqDe9<_-X`1flUAQP!+RcSLbOLDxTpxctbsa}T3I$F5Zioq!eSP$`P1-g{_G z+5hx6iB67)vDQjG8R_~W#g;ta!*fYA1H(yNE0NaOzLv;wXKjTC`So8 z)yQYFFv!CJl=VvdJrif)uUfC&+6GgFM;iTvmlig5@c9>AatxhN7H&{**~HJ5B`v{~ 
z)oL3m;@7)PDx+J-Ha-X6I1#I<#FZoE(H{Sbz#Iqz|lP*?>Bf`=@>mFU>)vq@A;KtXxurlXUBQ_p&knw^Yq$o+~5WOc+1(aG;>ueU8=iOVFF5$jra3Ww$uv164<~%yx z$d35fJP2==seIhI?+zCj$>xX57ljrL0Cv7$mGFh7ld7ELdkub9COE86-2h(&o# zR|LacEA1Q482~1{>mAl+urWB|t2hUcX2@5{VuCvpjr0PPuUM?TdHGfr_GAqMZ@ml5 zGYuZGjRZB5!wyf}`Ec`Tld0~Z^!haTH_T^<*duHOTV5ozjeI(fo@0Um!oDbeUCPSd zbUQYSxxlRhfTBjYii^Fj{MUlPe|Dy_e-M3z4xE}M{dZFzQ@NlfT5$rs2Zkwb*&lM+ zOo{m^Ck|Qu$d^2R)0yRf*85|3&^6D2y3Gf*g6)j=$MW1tWqjeGBI53?B4auA)!6R= zHv4b<8(!<~gIIIOF?UAH7S1Tp7}6ew6{eE*d{`s$aQd>_Iz7)Q$1M6Qg=%QxXqgg= z<$Qi#;%c-+F0r6hjbe(xPf({h#>d^)rm?9&c=;IwftPAED(-XWhy~SW;fMje#a|Ql zhO(&;WYn<0M<=JHOX>UzZh(jPJCR+w0RV*HG1@r#>2!SxPPHYUh3{C8=V}$>yz*+h zsbw>A)n;v*ci&C0;=61{#`0cf9hHio7OYmOYDRUVfR!XsjHxa zLBFg<<>wur*xWF;!8%9JU}$VQ!RXm;xH!05!>QC7x)l0f=1-^R$IE;f&jHibuB7BD zu|~d1#&&2NweYQifX{m9zlrGV5%Kz^R`iwyEe;D>EeU=6{`(~r_$uQ&e!)1=P2EwR z3{nXyK{$SIwYs+eo!f%HDP@a6cQl11@tO2<&TkTVR%S%ql8Tw*NNbjeOiuC(o8Uhh& zY7{qF!-P++fN*$Pc_IhuA$heoawkBo9u`sq(mD3w7iWQ@tpoDy!V<}LqF?0H7@Sjj z+i!fyeuxe3fA6aZ3VC;SxOR)mkobhf&0Gq`xg65xo2CcEXu0+=B4q~P(D8Q{O6<9fOlS)yAzcN!p?)Y*yFTelqHWGIaR z-It{X<}V&Q%_Y?B*rWGL*}={mbyxLGRkNoOQjG;~(SFc<(3AlDGr2icO~)8fX*HqD z39~%}8WQaZa%+-Z7R|oB*a|N5Rl3P51RXNbBx{;uJJ(}=M%35-@Ur_0McLLINVuo? 
z&wp%&qchWlhCY*(lXrJd&UJBjcQ0_^AE&35|2~7R8vbl^L>$(gD(pQBVT6lr5n5-W zz`N4C5QDqUTN$-x{ke|v+&rIKQYlEK&Z09YRWrQCNT!sH`+h}x*AT3a|C%r#GE;l| zR%oupD2kSIo%YHAS$3*wgQb~%ew8tr(%6!hcARdO3uDM=arMKX1>Q=SQD$H3L$4hv z0j$uJF2>F8be$(vUrU>;&Q-m3D`ieC2K;pw!t|PS>9aiiak=xA@TMstaNGd29l%F< zMy7v&d&QCMl!u;__c(R`RZ!2SPp~BnK(>HmYcNr8qg%0vdAi(Cx7QCllL*km0?)}r zTm+O-1f-=YZ?`{CIoK}}VdAye1j~yZ6QNMWMRZCkhmgLCA$tWh(^lJf2<6=RetvV6 z_+ak<=m;W+*EEqok`1`}E(YurB$tv{zsQWf;wP`^$3UxIRX%RF^jm(>y-GjumQxux zAC5_YC1tkw!qnl=W&fo0^x9Pp%lf3z*+4ZwVho0lEDpgGe)R#@5SbY1pMOx5;T-gn za^X^F*hfN7BR+tU_UcDb8Pp5a6=HiC3JJ@sjLI5b{CHnCVPdK&NJ^m+Xb@s3s$f&%beCp|zLPy4d9wD7t$Av2%fP);BJazVO2Xn+x-|gef#h zn_#6lC3H}RFcATh?kLw#hW3JSbk&CFT9_#?QXh55$r&43BdL4f5( zz(<=Yxz~eQWFpV?04}7(agr@_6VSHe#IBNN+9ycP)lkHI*oTDQC@wB6TwbODrq?Q* z`rLHx@s7A*#bfP}eLZ0`?#sNA=G2!7l%igdK+ojTX+yo4Fw~fc^P+k=L`Vdxxa$rN z0Y0Hle@zxbCeG9V|&zkNG@DckL9>RVLypt{SdGws-_f4 zyh#pxb(Y(wW(k;q;g}neQGd43_ z>Y&(djO0Gl=l3J;(YF87kIw?X2Xm$X#6KGv3`Qc?c(Kl*`F1f2U1_N>z9$64l+ol; zZzk~@*R>W)pIf6JY>I1`Wzo~-Bs8?DLM{hZH66@E;AD@kq%f`H?m!Fq? 
zXfwxgYlxet6#t5-c7KaatLY2Pz*o~&LkMenq!tI>w+vC^3lo{4*0M$K@s{(5w@;}| z4du1msZ5gmDs-i7aW)5s{HVt01Qn8*U($Y>mE$XbKOA>s)ow|MGIWm@XW%h)#Un}q z`gLc;(JSQ7QIs$OqqHXP?JT-{1PMt>1d&uajGx!v2PHpP>1Ry+Od8(XF#nGI)# zT#7KcD%Wv}QGsCi11+d}`BxbV&zUFnB_TC7Q|do+d_&-{I?MSrov-mHogr8?SjyiO zZ#@;QA3VcIJ82T8!+QR%L{(DyrCAi!)kL1R_D?zNO&Pg>;zB_?yp^;3O%Lw53#5MC zMjOsNFxE*g*XiX3?v~q`RDZ}?qvwD+v8Z}Z>E6%-X3+`i;-y--Yqr;dJ_kb6?C|Cs`437wBZ;qhW) zOmy^Bsb*eN)UuG11&64^?X~>wRWJr2T1@EMLe&eL6ZzL3FS2FTc4wI@s-r~OW zdLMxb=6#@KjWUW?##lq2r&DD?0b;0O&sgAS)2+s$q1tP`yeX(r$S}G7`7;RBpW7TO zjo&=q`Y_Bgv(ar_b`;D`=ejc*O~UuxTvi%|-)2D(fZ)Ex#U!01@SH1tUUJWe8ujI` z%rN;a=j#uO+;XFW)%g*UoPwrYsjlbEBuJ?aqZ@kP2z<|v2;O~?3+kEjd56g*vO?Ek zKKMlmbcywv_lt;Q&^~C3f*>iAT2f~8EG)j1YI^C~TfC-pj9xxb4g7NX^Y|C7VT7w> zHQ6-#i)WoHm;aBlua2s+>$X=~q(eGH1nKVX4(SdF>F!P`DUt5(?(XK$T}MD#y8HL= z>b>LM`+L9l8{c0JhK$2=p1t=To7Rhne6rm#O3XdP`ee}jP|qmE;MX_odsnS z-%+X0HIX@D+bbLAP$5w(SfeN_uSnj9>w<74wtYrq#0-R$gC%dDB9-z|u^W?svE=rs zCa0rZLmM@OpuS}-V5oPA)6jWjBtaE5%YY4g`qphI7~7q9+1OLHTOB#R_wUZ0|2~ic zLVZ+Mqe715qm6IW1UmM8B4Yb+VtpKBpYEk7>vU2zrj-*mk@A;XKNHOqD63+=I-4>Y z{;r@;KGsjpmkBtR7Lz8Rmnk;q!6!p?+_F&hw2tB^H65zg7*aU?nwAmqY%pNrx#>Zt zEOC#c(Uq`V61xJo6wj8-4c3(E5Z)7?+rltzwU>4$#HNNa#-^t2N_ER4#^oc(`aBsMgnQngu4XD? zIf7}#QMCnvrDkdZXNq1D`KwUw!*Y&7^5QwVK2j?vspo&XsFwVpZOt zPjOc}j>z$ocb%-t;`8hj(a?oWutb8oQ5DD%$ZHyOJvfTdW{#Z2a!e7|k9}9p0q&L3 zm3*uMHCwzLw~MrE!>o<77Sk385;~n0;qvVfz}Kefwv#z*wc(@ZFjV6ZDK`P9Bc?s? z;>Zn_wFabfbJCUI90}G zR&oXq)0`~stJ_7Rq&7BT$U&>-pty1X2NS zwk!t$Cv8ro#GK4wYF#|Q*d=lDJq>8HpU{1pj3~xOBB0)@9J2=sICwUa@lT8>?F z)8{P1VWg;K=*Y&cjQ8cl^l6|d37A44^P8@A#{$kiz%f3l&JwI|x^%#2BcJ#!es^n1 zqMHswOFpe^<#Qa7G`o46s>#A+U}x~6;q$S61n1mz_AtKoPN~w)QFH11#VH1*nonrE z=2t?m>$g0EKw=@>u(Wbg^%gkG2YG=KC83?9LA+m! 
z+vXVMV6irc-v!2w47CiX%G}HE=fEC9u4h;(%89}*S|HUK;_htprZwWOIqP|0ndJ6- zGX_xh{yvQO{LFfr`PAA<>s%8-sb>3xbXAw>R9>cs>zRDWdhgD~ukw!yL3iB*Oq{|= z!VMfS_*H5jZ{LO#d;mjoqBPx}jm^$;d96bc@Sa8=xFP0naXh#~*|AI2;Y*Ix6lI|y zM4DoXkar36@#T9Ce=QM!)?~I8wA2vMl|xY?;}fhHkuSFLpc1Jgh78H*hj$O z=fKBwW*!Jb<0GAwht;*RVXm8Z5&`6Su3G`AiYc-ISHC7=&1MR=NR7jmYFuBln4y(A zwi<0{NTxsHy!UTz0?Yw1ZMX{%fHVqCslAwU9#S;#0xkwFviQdAQu#}_On|{?Tim;N zPN@QK6EEdXM9vlPCW7ngn#KR?2=K8X?P>WrzYDZ+A15M+vc(0#-}hlTbz%B^w0;6|vF9bKyw7TA`tf|S z`cv`TE2K7G5~B=H-Za;%4F#OybGT85gGj}_>B0}nfR)o} z+jl7H+}E(EI&BKdcx$Saf*k5C`)5;fa_U>bnG!d^??M~F&r?%lf8)Z&sn+6YvAmNl zn#-sRHJhu$WHCpxywrJrzs=!%2sm6D(^!HlrbbT+j367*kmDZaG3n*y zE>6@#2i+RQwgvlb#mF>IrO7rPuIV)x6T^1RtdgW+1-LvA6Zca}LRjJM0V6v?kAqw6)Gvu~lJ{R%?{S zBbzOrrQ~{x+Qj8}N5R9y&sjb7FTnmv>&^B=p63%E9d+4$I!H@T?O4J38s3~PWUJ~X z0psxyzR3m%-QD)aXCq??d`PhFo5=3}U_MK&lIXfRD$*PJ=HsUO#g8UGrz7XAO)8Z_ z5}T{*0Nd=HQLZB;+h6+s603L)iFHT_9akZ;u8r=c4c2SoACCNY7#LEh4KbL`)sjG= zEmovjABO;Q(c*G~mdbIL_ziSvrqTqk6^2(@0%i{AKfgHa&y{3+#bFxA*f^83<#Xzb zx3WwTdXXo4cX?Q7xbYelsrm;!^5NKn%OiJdB2_xtghYJ%<82sY3wA0|z=DrgD}`=b zO9ZYZ=K>BA34T)fWI%<)Kmm+c2Rgza!Pl?td23}x%Z=14Kmoh6aK39aeuN&dFkwJ$ zGCXTp$K?_|$o+k-p7JhDDw5?6fQ=O=@!nj&YuY|+ra?Ta+_2JKS~EiO!+r!Nr$O1ar0YH6 zUF;wk&+1$8V0=bfBLG`Vh2zd5s|9!+1eqQP*9Z9d*@TPUoEq(}x*wiUIFGG*DzzGG zW0s?@1yApXgu;)y1z8QgFxnAj@48K4Y9AJlq{-Lp;7?6>0t!@Rdycxr&WnG(Ry&D* z#IhNZaAP~Dlg*+&CsD1LPs-PK;dtjjC0ewnU*rfrJcygk4n_F!G8#!xyQ#IgZYn!+ zl_avxYUyq8B^hG~0IC_Uj1`gK0{}`&F3C}x0>x3ixln_@O4GGq05Sl2P%3|*OWwR* zu60MADIt)FK)@YWHJu>fc1fUAF3mip(dJIK3GM*R6ixZ?F4rzeBEh1rT6gF@kHINA zoR5Z#yKD>%jw1hS-`8&?YQ)N_HEyzO=u_UUpcz>hhw^dRPo8A>CC(v;eS?#eJ{#!) 
z(Uip4$&%%zp86Wbk`@#eYUgUuEPDUQh(+vK1RDFbk8pTNYHWv9ONxqsB|Y=`D5GE3 z8cz>C+)AmLkRf?qNzLSU0s;ONqsi?ko@WQnDz)f+;dxzwtChVnN%UXfF+KWA)n9IW z>`$mfx4?bqT+J-S0t)0#6YZzVyQA+E_BC-dNR)cCe{URLz8%96eO9|vj4kfIU1tpG4SEhg~$?r<2R!R)>a+||p2PpK> zWVQs0kro{%1)ARk#5&B^q%pZS>5@z^k2P6c*tx9*eyxHV{>~-c)D2D2LE^@(jj@E@_Y71PXgH5>Dlz=FB+fz{#6B!KO`x(;Esxc(69c{dyW{cty5iCs8rx z{*I0({w;b-ocYogj~Q)E=SqrI>Ptp4RI6`EQM+^b5Ual6m&7xR3)2f{B z8VM+J-$+9+S)Z7Yee_qlZ?Qs|LTqXfuLABg@c_z91mI?rX1-#xCh%u;Ck9cyp-T{2 zs0K#IDCa$K=M{Ryz_ImnRW+Knd3&6qQ>rgs$;UrO2Jg5sr2@Kc9Rawl`LIa}M#yV4 zkxe&YEV6BpShKFA3#~^&lrnwZ6Ea&;M6K^ z-I@wk5eJxu-PSmeg{|?A`4jYWo#Hx4cjR5j+pEkW%mci=CJEgEW;3-&&NeWT4$)_{ zIa#u1p|>8O)3*Ej?{cY(pZZ6U3uRkH8O6yXiRyx#a5CqpHf+QwYg$s5{{W4YgWRO_ z){laFi>>jJ&P;eu081{PPrG8e3p*TZ!4ACatdsMkV5Pt=|10f0E#~OCOiw(s zvAX(28kc(oF~OC9@Mb?y!MHUZ z11&0J#v~6L20?H?T?=Tx39~PLQ`=InXh;%fKea?VLbdO9P%YES6cmw~XTAe*rCywd zV$x6tUql--s9-}Gglk+_ob{1*y*2sf6b!kR#5JdRUev&J17Jio&PQGvm1ecbuaMO3 zY5Qh8L^M;ha)OVK+V0Zqw!>$y%QW-JWYQUy%mho5W@zl!WDhuO*9|C@>#`)xW^+($ z&6gwt9g(SdT271!F`>iWjdvjRCIXN3=~t;*TMy&5Rh;9_F=~-oV-wA7cK6+mm+cid zei;^pLP?I~(MmDiOu-vVNB;M4kyG^pz!O@Ry;9ph_8g7fml=v$bG<#En(ETJ=hdjW zhFo%qa|Ava33pKFRg^?BD`Kfe+xO?{B(e80g~6Wn;*g8K7rM$V3yOfdc&;QnZvESnnUa1tl5IWfL(GE)rDV;|LuN@D~IQ(5PrB0H-c;z1!Oba0*aobX(uPL;y-^e1WUt_{)i5CGyVEg-ls>TD*^!VKe~A;)-Io2T%~+slIW z&p%ImLpG_P?=Cji;6kOV!uKB26SvZaF%meFcYbm{d)nEXN#E@XOy8MO%s07Axv8rY zc#~H?SE?fr$$eUpHgj68*)9+zT&m119?OvZWlB+ww{ZOt6E`mb%kx&m+(yu9v+BJh z8HQXAka9AP`SmK1ml+Y_r{IuD%NQU@z-j@V%mP731koP@t{Q-$T}v9!cJ2T{DhU(h zI}}SJBgcKxfa&~j>$q6wN!~iQc!d&)4w%*`)_WN^rutIO_d-hHPZ^IW6q2Dv1T-X+ z7YTeJR}f||Dpbj?BQ`47A>@s_Q9Z zx#%cQb{g&6S0nMAZEWcn<{)JYj}dDiJ+jI1Kpg1I9X5kn473fjUfLX1Rk{hso5@Ey z$PUpar-H~9Mabp0-d0gn@##o^H_Lgp6egHDYmi?|pacofD{Fl2qujBd(ALCFX7YGS zwQ5BNfB2~GtI+hO3>UTe#?$HMRc??^jHugN*frH+$D#!EbLV`aCZ5@R>&GvWBXw0% z?C8Vq%8~jH1eyMF_jTgR0BDMFxlmT=;@Mudz^(&JM=?;+-Rh zZ%?4=h@;!@PpNnoPp^)a!T_pl2c1YdK-R9gl~0>2fl&tM2W+@b{Rtf6X-ebiVlc&b z-^#T8QnuaO3vd9;y>0rr$l3NdfPEXQU@5Ur3bW%zV{fU;>%qTGg@dgu9eXzt8${?4 
zWs~bOb?wNAdLUevN%QgJZU7+5+Osn3@wJJ+QhWDHIN;qQ&{dEHYycl)HPcMU1fg+-~zQddx2gQ0nlAbtmQ#-Gl?p!IeM4B7Is4ViSp@2Q>(+# zbGAV-nkZ{AxhCUs&vzB^tVzPlr;~fvbVsNS`{BM?*06U4F300*%=+sX>8u&QfF8qw zS#P)LJ;*KMA?!)q_i{WhCw z0=N0WQ2#Wm+hkU&4>gIJ@>Pa|BRM|$F>w8Bp#tla2rETCif@4sGFknFGqnDN*8dV2 zo4v;vhhHw<3+2wF*(){(4>f|DeW%W7m{lLb^VJ%!jf9fFUcXicwud}E{z8+bJ3k5j z<{D?L8zLSo>D=3}8(@qs#t={fLJ2u-HR0I3B!NU<(~;lc{-@EIQdig9qhU z%$2Y-8V`-Se!1KsrI!A(5-y^~+nUvE!ScK+Zs+Q9K3X6@d@QA^p3EmAs!g1BB>5pQ zFP+Aj3MAR(rxJ1iMr$_F5@M7z7cw4iH;zldXhCYZSfd_o$cSjU8TQML;y*3UomxvOxbT{9b^mlmJQ_`QVZwjm#S4g{xl}n`?f*P%#e0eq6 z2NVIxPLXaoZLa%m+@P6y#7$2u^gGcACuUIiU6Cy&M45mK?Zz5?Zi?oL@AN+kXcV}}jUeL(!{>M7MzY8} zmx5g1`Wdyo*V`;hVr5kbDz*$=H!+KptCJjco73np+BwqMN;E~r^1S;v<)^)W=!vin zGoF-oy(B2fKE*{$H0C`y2y|+;vV~&&knPz#tE8;9!A^T9JXb!;?&iXmE1Nn*J;d;f z6-Gwpo^I4@-Av*B3Xg5a-)PvhZ-gU41g z0}SW%Pto?3U+YilOS}4J4hQ8qHP-92CAQhzQ-+{;e7NEp2k=6Z+821&K(dTt1WF2g zrta;FAFnr%Iq43aA0_UkzA=Z?`bM69s?tAfWDqcRAn7tvF*$u8ruVziV2`SfMFaIb^{X<4M#cWW#Ie zd!fPv)5l#1v)F!TZnSmo*KZWbNwl_lJy*9!Jte$Dg~$pO^Xo=Ffjyn!6Y;0fH`c=F zMki{`=XQMWj`GQSGs6I{Vc6KYu<^Lkr2>I$W6FJiE`|JdiPEOMT?|3#1DkY7ACg8Y zfi|4u*)Xd_PQu-NHdZ*>A=n8Z&jth<9hm5mJhvtTN!#O(eD0Sexf7|ZGPuL|Zj&$K zRFxpPU2ZRkgcbA0YV4W-ra7!P6XE;}DJ@#@X7=P8WR4;P&fVx%>C`lwli3#8Sh=hyWH}>loc@(Af>xF9w#T=T* zcYW}3p-p#R4lw*xL9_&4W(;%j^|{}-p2I%`YAAm9^noRHD) zisO4sf|4F$b6z7>-ZtC%qY3~7%>`J@lydI^zcd}%s6KQE2$=vX3QAn#sN?3 zT#qvezKX~y#eEs0CXzW7pkd1e@cPBF`xjNP$b@--lmYFQbY&;HyQh}0*DxymAA|VC zyC0~(-yz}4ZHs7;XWrAIxZ&J}xI@^5UH&H{w(l`93OK|DW%&jk<8qh!uy!o&K-n+E zJYkd<0PbaA0yb}Jsjg)W@F-8{o_~?J4lpD(n<~pjc1hH6i`MbtKz{&inH)qDboe}P zOJvBN$&iz-#<$6K^_X4%Lf-U;;rBtU_+5UELVnO80YJn4;Zd7x3pjdID}R5;uly+_ z&wtSelI94o{Gzm<@_hmMir0G-VJPKhlRqnkupf>TiUj{^8JHTA2*_;+m^Fw8KaVAC z88i~_K&VCiV|u6uW%0X2sqY-{z4m*qP;?i^4s68q*0SDD7fLxxy$F~Y+z46;
    l zh$NI>khtq*2jELxAlL3&^J&vemAfKMsZhxmn71fcsF3RryAg2h-?6RhApjV{t0FE| zSYaBuJaS-0$fZr?kIByww(bl>XP1Hea{b&c_T*VU>Q1A(xXioyrN}r_mw>A{NTO3! z`cu4PHG0HcY~;JYe)nvWdk(1NQEMED+>T!YTD$%aih1z~9$!K6s9&0FV6U9P-sO^R z>nHsb65mKE@rii6A8+#M`=3gIakPQyURgh#S0#|SZTND%w{QT4Bk_9P&W zw&b;0H@|8{+PPjNvcmeu1^iRj|Mx!u5x=8yymAY_(&u^iyq4LZ{NE4yZ+;?<`-446 z(FGU3LVUhpYk;wt|7JVI-vv z|3y@*(Jj{N>A<;|3b+Y!?hc#j7#zaxo_EU$hA-IbE}YeJRS?J%;aY*@;yrMxrqwZf zvFxXNKjk9xEz5Kqr9#~79yTlXl*8DWcSUpz%JJr+lk?^Qco)jqW+rz0)6!A<)C`qs zsof!9kXP{?XG7HXWj{qQGt> zR?WbMjgQiUyn1>(dg5kz3pDgNY^OTA4Gkxvu|fbAkr~D`8pX06UR$K^Ws;Nv->o%j z_nFn=)|wu*LB0t9N~vtXHbE3ZmNw?ENWTRgK{xunNSSTpGrb<*K zH`_9K&Yj}R89fBNuXpdu)Xz+Y3Tw6oqVknlB1#E7e;dt}k-vBIytk?r&_E9akN^e& zYBbn-IU`=jYsP*-deZd^ZRh8&mL&I1xW&=|&IEh}GdfwI`_TCBo0_}2w8?PX}V8lyC$@lXoL{swUH$!cqLcN-nUIe;6{ ztq2}Xy_*d6IO)YIut-#J@^!%o{jX>4&-P7&ONMw&3^0p|#)@HYXrvc(KuK`!L)!2# zzD%F_vPpU+DL}${W*%e z?@1aOj{n*;`IqBTAry^jtr|vqQ^jICnD$6wP(@0`B6rC6HIwjIZb4)bL>nKlh)B?J zQPZOOD1l2+KY)Cd^@q;JHgk1htD94H(o8YgDw6#e1PMJrxg_x##5wZW#>)~=%xQ8! 
zZt1_wDqX5mY=7y$`=z1`(yuwLVW`XDIZu{UHZRz5ERLUgO=qa2e@TiDm4Ue0JhpX1 z{$E}Ia^9S7zu03bwEdbKcYoSn*%j`oL5x@_ zi)@R;pe6;z%mQgdgbV8M8f@HK>Y(0R016GOX@d9 z|9^V&w-;v@x#hPoNZ9jCNz9?3atK-qQs4uegZBT5^5#fL*$@thOf(jT@@OeNC@Wpy zKigYZJ^%X3fG=2Z_$ttBfcL?k;BU57z?VOFy^Zm%n&5K@k-K%H6caVryFXVxRcqcp z`PbR=?fu!V<_A>o`x990CWk}?pa<=0#aZ`*I)M?8KVmhV^dm|plgWtVIsrmrg~+o|UrkjMc_?F%^Sv#nRlLKKR5HShatP0z&%7q0>O?HmBxGz^AkO_6=UfrHD% zs$~jE%#lz$vOpE+LjH^ubDek{wS$GiT0RT3K0V%f&py;KwDJL#rL>dU&MQVBjw2cp z2tq&y6JFjIJl63~}3cy#ec(sJtEBdSnm+2yEneq;S zT)pX{S*#@ay6?`u;p(21QsMKBaE*SE9EZIX4@L^@k)Kob7G`gI#rJgjT3_3P z*>aIzIf#a!U9&9M5!>8GdX){=VFPCNe0ZJhrzdawyY5-NAiwn@ouIse0-JIXt9Bef zN@!4`eRITS-Z1M>!h!|#?LCr(?7ArERR#V3DT^=EpOuHY%(9N(aw8bG4U}UKIc~kX zR0K49N~)`)sbQRsCgoju+c9!-ADgeZigwnI-eeog;1=2dOj(cd<9n**BBR$`sSESL z1T1d&faoS>G`&5;Fgt7V7FV<4q=BjXb9;Ow)Cj{GABmhmqVG$k<-(^#-)xu$K9vMG-B}&GA zkR9U&l5burf=!_7G#zNPlm&(`BoFyJN58i>9*Ta)h3S#+6UxRTD}3$iA7pYLFnGRJ zwjz07NS>a-wmR_ku~jx#DlQn+_G%+?yU@yi=Z4K_-NkJ^q#u~yLH^1B!!Tks{?|hF z$L?E43h%ZS3(SF#-rbf z8AZ=BQBtPP)WL5K^(8boci{wV7BCo?9<~G)>9j1RE?Jkprc`kGRAu$7#_(#oj!{nG zt!Efb_c*mxmdS>>D0C=9Q@LKOHCHMXB@j5gHwY9%AdtpkGM2B(gT*^GqEaHW@aVqy zwHj;JlD0y|`e_<_vBotFQOO}2Q*k}+W%?Bs{RSQSkZ3LuT}T#FBkz& z)qQs#j+4$ROfznQAB~@<6d&(h3q{WIUcTZTCm4KD9W)Pw0 zG}kN4R|u(Xk>;~y`4m%mVJyE$n~XSGmP*uhGL2>MCh$0P;wN~=fUIYtk*>XF9dEi= z3ebO_Mn|J2*eiJ`n#hobx+R&=t_7_@= z%x~A1IfixXooI^W+e&Cw5FCysl932FK8b9=$KN`dCzDX(k6LF@PIof7?m3v#2u|)V zR4bMfYSR=FjfGv*JeFQyz;2v_snpKSg}4kv5%WJ!zWPdCgd~>Jms${1viA`$)@VBgwX7F zxR0jMXm&K^dXR3bwmXz0_8^TGv6+*WKOEuvgFB0?vt(Cb8P{JZv8!x+QmBGh|xW3?^V^OKsy0XDrMvD zjdOyow^qD^pdBDpO*1C9RjxKw0@r9!A)Khgjhc#%>KOi zJDOqE($aemd&T925@&Hm<4%?ung@!gNQBd>z_i^a5~T9ZLF+^c+^O1uU2W)F5DGkM zgx3$Yr`gh_U4VtP1oPh{vv@zY%vw`bTQmNu865!6T=VXG$Lk$*X+*X!*!=iP@HbUJ z{p&xtLOklXj@w-TS5Ri_mI&|{r&O&BwM6$?O~HvsCLa&|pjbzedjC^#<^tK-qRz6) z$ZeCQ_GGEv8M*1n_pVU=Ohs~a&>wLt@a(guaH(R`*JKuV+KXQ+axmKI#Itu-2f3_Y zQlSKnXUym4MSrjlzC|)pF4UTcTLz4u!@kywa6+AK4axvrj+YY8!kd{wu$unnyJKD9 
zym*})Q$@1d89QF@HHaAuSQH1liNY2gp5_UmPfW$?VY8GsXH4XS(}XW^U<5q@wd?Gb zW%ic~Ew+1Q0opX12<6sLz#U$(c=liiSh%Td&-?j+G(glggPh*;M3NyfRcT+Ju}Uuf zHj0ecLX46w<%7hp*MNxyRt@WKl(>@74NMgye=--l!~2NeU8le+gIaYG%^@Mo%ELH z3g_s5;P+uCFqtQbP;=JuC9tD!18&_4<-89TIT%B>BwYqgR=eg!?R8Fn`ddOe6htrC z>?mwY%E>BA(E|IYzW{$11CvHU94iyBJJI;bL;}V%Xtqe4R4NxRNJfBoR-N+#g47Db zW5UbBMNvS{c+sq~=1%Xr&fX6x{s9i}Lc8e#MR<#{SgZa?9{j`Cvruh<#EQggfvOQ;9_%USY{QXAnMpvm0l zCslFdZle92tzuDC+{ zzu{Tlq(HFC`(AM18=6S(_k!uvt6DR?vN5PM68ge%cBd^cgM?yod%z5nh`8f(oEgO3 zE?*327{SW)?Kpn#yH1w!W3E9>2HUi)3lWd2txX@p&6EkIMjT&LJ^naXw2Y z3$u50{S9j73$&H}g{{?h?}+<&o^xhw6cw+LVSzxRQ5<-)rI!mOOs@#?5lKB2E2Ve8 z@ft!8ydwXEn4DQ0N2iPzPgXZ>6{zA`ft0kYNEU8Siky+EUM7f{D}XPZI8&^gx60F8 ze44?66&x(kXwpADxM8XMYyKva_}I!cbpcHag80j9na-h!0-grVQQU`(2HVX5N1&J0 zGWi^63J#uTwd5+8x{o2HIvE*Ar)_bnw(rpyoW`ru}->&9(2X&eMl|FH2Yuu z$vMYWNgbC75lMNZDul707UrKQT26irc#YNPX9& zkj*TK(k7ryPZ5CG!EI4kCGG02v}%ppD9yNC_#@t(`7R#SaGU1}u%Ld49{IJ);c#Nz z{G5j?&M$P@X@S0COO5tLu`?7>?FIN)jE_{WJFop;S?2pQxVh(e(2t4h6?hZbw_fDw zb}3kAYZ5sClZFWrIX%e)Ala~kAQ=-hv5#yjMFN7(lCh=vR)AjMge`aS27h#_c)CjJ zPXo97Lo-E+d<7>oXFx|aFH3={7|e`fx;Z-ntc;@;&yO*IC2ZL_QKy)GkA(`S*vQXHc`Ug|-HMIDPiLFMLNR@jC+_l7Y;&d9XIud{xCl6*%Ut!=Xt1?u=M=cGFR7G@ zw&tDkkC@;)jxJ`X_=2Msu54zw^u|$=xQ&|j<^U3*6l_J=b&NpBnL;L=lJzOl+o8kw zmPgAx`lih9284ou8Udc>uxmTGK2T0&`L^FyA~ zw@vo{S&jZF!_gT3Ai}4bay^z;K-9y36ORhB-vZ?y@?^2$1I)ho!IFqMlK+U?{=t3G zu$6Fi+XP);W#a6A^*~dT*5md-yj_Y{?ufR&b)y4nu}aOqBBp_@mxw?3Z1{;p27FTbS)dNM98_lXk^E|2&4@q< zGQUST(|Kh zKjN74^jz6@?|ZQriz-~f zSO29eB`{>N8Ko%e>{#^Qr=%b4|C*X%_+z2PHaxNyGr#c*OBvuZHmjeeX>UwdYjxLF zN{#d3TGngd%tuwnRef3UA)h|l>uXZIg+a2etgwm&i0yIK9EZ*DRh(5lkTWJB)&I43X`Uo7!ywU4c=#-(a=1FAV!beVV`n%jesJ6Oc z?l*@v-d3tL1GK6oS3{t!pSj-8dcvFezoG1+u>Wv-*kVE?J23#Vtg6j6C}N@mYo15D zkUCh9K&&kTn+2^gbgSKGu0oR?ujA2)Rtm_xL{#4TfZ7f;S=D;d)FY-u+mj0&710Td z0KGrB|EnX=Id4IllkBw2kV&B>I)x$16-lsQJw@5$SwgdFo}Cm9N(tXrQO6UfJmo`P zRIQSRu1$oha{RSp@=bGSKTmgMz=Ps7h}&dG0#?R;*~ql1nD0qCS7hZ@z}Hcb>K@wi z-KuG}(8Hx7=&HN6lGzH5USX1va^Sd~3#3byeJNN$&24Cw%DS^fAzP?{WVWu)kn|1%5{ 
z>cOv0eC`N~p55f?GEjn=W7y;%xBn>)oMNrefuG&rjJxHX+r9Nfl6ep=gwoWV^rf+k zXwQb^@q*jRi#$c(h4b!o=f&fxO_`<%*0C3@5ZR2dw`T}ch`CjgK?*3D$Dh&AMW=S~ z9MJn&k&XlYEd?eglSOb*uJoP7T&dXAv(A~IcxqDx?Vi)*fV4-NGgPOLV5l!!SExB~ z)bZ@vwLZ-ab7e~z8r#!B{D7t`5VlQ@-aQ>qjVPC$CsYMnPqe(MHO2IVrCUGe?AFKS zNdXJj&|w2&%=jB*LT>5Uo?Eiin}^sFm-QE-5p3Bq&;}OknkhQ?tn@1-9A^dj^dQ>Q zDQg(}GW~E(dh58che=o@!m7jGIHR?YZWo~0;&g)j@#mDH5-{ZH{oeWECws5m4ZNV2 z0$=u#g2r_QzAHyo-8baH%+2f|1r_ReaA-J<3FO z;%$e7u90mFB{0I7D$xr2}khs^2 zUX-xqF|jP!>Xj%!-+^Cjar!gb3}C}%NC$BkYZ&Z~w;{4vO?O~y{+;q91peh%OXl^v zBeKU3#J!3KbZ_h`1E@~{9f$T$%RTJ@>t#=uOCX0`Cb!4!Svh^c^GzzTy3npSZx;l> zoZETC-<0t8wA=M#G*RpBqcAlT%BsZq)!lS&k?}2J_&m2tXgq;oCUp)>#3QjwKYO(k zS)<($ljbKQ3An7J*dRYmEs}ZfPQF+CX}np)5-Xie2J)OVf~uH4Db=Yi3oMsrOBYm> zi+%l7^ee6bIx1de-TBSyHw%*>ANoYI7_mgb;c1L!3RZb*i0%5bHhV>rATS10Y@~Dr z>Kb9OAlEKgU%)-NbaFGRNCH{?h4Y-%omv8`XC95`*007gqql27o8Q9Ez`S^wHnR(j zI)}_cL#a8)xianQL6{=VvEn-r?|LdBr-v}s$;s;jX3Z7NI;;9YxC7h3@&=~4IAa+4 zt@E3^yCXIW5@YT4jBo&&`L$9HR!N(}?oIgaXzcy~O2(qSH++-bWg^$vbwqh%hgn=u zBhO7X>N5AJ)i6gh9e5#hi6>VgV|BRRE5)j=Khq&I9m+P`mt@UpThO7h)#)E3jhbG; z!5aV#LxjVVWm_FrgruLPAy;*OO(ua*;nl=(-`6wG0~kc?r;ndHqC191LVdZtjr7v< zbg)JT6LO29V}7g0$!b=>0?;n)uf>E^9#^y3CVuv65zeS~u!QR9cZ z4{#=$u4|8Ei||+IJFC@^U453cMC>-=gD+l}JXu*Cwm`Ek0No`GAsQ!Lz|4|Iz+19* zFxegiuKyWce>y+(ENHec+VurGvXrVE_t++5sJ$&l%il}I7uIDU=XG1Nad@3HOWsy) z8F=j@xePmSgO0`*9rrDFW!v3HSjNG(p-l|nbI#9Wj=GU=bu;Z)-X9$~lNhd~+z@mv zpKg!CwuW!j+wC#mSrfOQdmjQ2mc?eRdwUF@?Oct`92a1FrrEqatE|r=IjE1nmMVpH zSUcdMYPJ8hgh=kI)Ptw~auO1l<>n5nedZo$J!bOwX+reTKD9H+hXG4aa z+us&~J%8yF65!;13BA+59DC+zR=*@`P2as`7PZ7)}CJXaGr5#tm+ z==J%DAtA;@KOWq!UP{HD9+e_d_7)dn-ogBf*(I0Fy&1hE{TK$@G)BuWKx7BluY5BK z5}X$H>tSI7*?xE*1@s)@I~;G1bn|RoZ9GJ1TO8T#*AYC1hJDl^rJrt(B<{QCIP>Hp zpq!F01(d&;=$^~4B#q;70HD5fDx3s|e8o0Fl;)<<5Mtwbz~ejJd-Gxrl~cj}47I&lOsJxFHbaWFs4 zjj~|&ht4qIRdg5Y$QT`pKp)ubIOQf8OPOo#wQ^2%Sfd3XGC-H8503GJ*W}n}iqe*q zE$mikY;o>~gT=~TwGApFHYx*65e>q0V?55^-@vG#pWZQ*!Kyi=gp%J ziD&0?F!s{TiM7nbE;Rj`LoHj$>pBOn_Qpvhy!r_dt&jVT`$&?@LN`>0Sr~cAwx4qy 
zf{=fy%pn95v7e9F*B?@gG{xL#CdzqV?y~vhjU|+3oin(}YN^U+$TP&w0(KxpI<=wj zT&^nR>Qskp1ZCf5%hd&*S%5V?;7A?jQzJd>9sQNWlCmFHLW(if8cn}nn*0&b*du!- z&-8qw>$~gF_d_sp$;EAJ|7W?>ibNMy&}BB#a&+jv!0NyWC(q@4b})Qc7;u0l`ByGw zdY-dD%Z868Qk6H2&6-;68xJkjT8e;@m=$_Q{xXt@WPRHz_;o?`{;Rqnb9owIVR&xi zjjp^6>C$D1tL4%I_2B@OPeLyHzN^jI^Xx%?SD%0ka{t zObYYNH&6;k3_Z9_xb|h*e2Q*CIUov{Jz~5LLdFv|l8g3>!yf41?yabxYFdwcE zN2;9nCkNwXbU#Pg0D{?ocGL$B`*53P*#TXgl)urp@eBS@;|sbC*MHOmG-M5a1Eg4~ zhhAY4O972MZuvG0BHstAM%=NCS{|p_8d6ww9MpIFQx_VN<(};=3h(+I?LOuOosJ}J zVs^EL+jMbP)ap~7jivA=p0=cF!tn52$f)Jt@fvjs8bp3UY!?|CZjet;_wtx-8dFbz z%15AU%c|OFlUU}$8Axf2Bf)2bMoXe~l-)jb(X0p1krQ>Gea{|SIi3n0!1Ll&4A3^#BSD12 zBuL)neY1&cG#Doo;&8MW0^qQPT~=vE!>S5PmlMv@`v%i3_RFOR-Y1mB|wXblXIk%*t-hMkvoheVv>x}lKGZd!_8 zwBw8;**{!}1#GY_r19LD%%$->yKgKY&gD;m4Q@HlmaBJ7r-0)9#;7XB&XL!)#f4N}tG-O?S> z-QC^sUA(^g+i^VO>@l7npyJJa@Sf5mj@-n7An-t{6gHSYT=1 zM0pM&zf!AJMB4h5Uy7*umJCj$>aRu0u@#Vi=~Z*KGb=Lsd2UE`v`bHYTi%sjOPd_% zK#s6){>{#s=1fya9?GAOjXA!y+voqqhHXsBO-+3T$;j8CLq#LyepLPGVLh4!Piwge zEmaCk9{t*m(#RN7S29oAYWoUz^U|C31;;JEcd>^D=K6qU(NKIt0tg`lZ~MM@KNa!> z=~B{I)8dE zf>s$cvvYzD@|2Tj++_DqEC&+wk5H$+gz%l=l$%(7PIaBXdm>-%Xc}pG)|(x{rF7yQ zEDrZ8)%@go8n|%~m7Sy^WH4ZRIqW}h1BYxR!^q)n_opU@;2JHLQ5+9f^Gc|!hOp%Q zz8fAz7_(>%zQ;@r52R)a1YpN#VdJIu9Nh;+Q@ierW)r^N-c0F)?|Y4Wth11L7aNFw zttnn8sIT?41~TY}PG&olwvSZUma&D3!!=6g7mw_|ie_2`G9@A+k#FofH{MnmTWe0Sr?@VGdsuky zYpP`k1|1k59io(8Qu1ATGBw_mDCiRkaJG%GIKBuv0LTV9Wq6+5RBv?2%g14Ws4*#m zN<3}1lV;n@eGgh2oyVYGVed>)t*$bo<7~}$fKzPkd~KvFHG=frvq_!~%C(&yl@c0S zGAYkE)4(qFU&TW7p;vgzcC4)+m&=wN#mn*h{}i%K#>O^Zlni3v5t5pxV(#JrZm9s! 
z8crGzC`bB{jdbW3;WTDy2By|pB4$*zlle%oFwf#xcaUVc_eF zE5~rk8=J4Yh_pE!#sk3@YJ^kCShf}kMqUSMrTpw}(~-1lnVP^D9!O%C&@JE1L8|1@ z$;iCavH_h3wa`rC=g%I4ch9Jkl#;=U6bsLsnhGgCZVBn-9OYU1!|-1NuL z3uf!F_&ECzX*1AK&8A|>P%9-_NC{f!OpMLG0uA4(?vaiS&_QKt+}!+CjZr&@-I5o; zBlAZs)n;A(cUaa64b0qzeX*3`&WR5Us;<4M`f(BAkSfPh!?>H8Q~XoCp82JEHgREP zy#q0be@vrRXt&2DRww*%g*cJRb0r+;Zk_aH_Ek{zt$ky-cN3@ItxyvA)vEQjNFXv5 z0bu1WeX(5TUo{d^iLHejjz6S!Ty}13HkTFB5iSd@waI-GsIbX=)F9?abc6LeL1X^k~d*QYLR&dhh2~A#s?Jr7sELF_@W+O3vXrTY|Bl z_aQqeQ@9&kY#=kEph4z>ne7$rWl(uDMLX{`=-%jOE4}15AD^XGL#I|rGYQaQ%Cj7oc0Tm*&=0gtM*rrcK{5u%5;(+h0Iwf)-S%bnA6t>Ii2sK zM0gGVf%`8y_|WO2eHP$%0DZfKVYvJdtqPLOfb$qd`)shHixJf7)Nt@A@8TPpFn0`+ zq(5pc%RvBiQZmZ0$1ol)bfj5p*QXd&<-?J7W7gb+zBrLK%Koh=8y`cd=%6;IP74Ko z!(k9B6KOG~tg9D)uQ*3H2+6`Fd?rtACOPXsKvRm8;O!S@;q+d zAH=-{ZRqx{_V(cC1$?-E*s^tVYu7U&Eo1b>wHsD;yFS4-R``meUPgZpj-!M{V4$K^ z>g($%G&{m}O&D$~VMp~mrJcMYnog4>z|xtB@30tY+*8~Q`L;C~4k>|87u1{E_m8_#UdsGn`ctF-*Ned4q|}QWMf2qf&>Lv^G*(Q{ zOM;AmJf^`9+VqKuUP#>Qu8QQPklrEot75Sw8LW%VxWsS!6V-7@igL>~T|@d{7ySg6 znz?DemIsWU_nyrz$;kQTy5>d~udAg}P5!=tL+6k1(xnE8BqqI9z|#CglRJBz0K!DM znar#!olkR!xSY+3b3hfcCdvca$SY;ws?qbUXWZL`7)y+sGo_fCveQxWW+`+Cz)W3x zJcNJnHt+!jqnE^B4V3No6gE_p_aI6punl_$NPmm<0RT6*obrd)A=;dZh8y(S;2l&1&zFUFsBXyb{U z1()1k3ol)4@Yrh<&k&*s8c!?Vxa^)pnc(2MmIN6$>N zr?5{uo}v+9A0xQDyI)0s4q*2hgLAJKm@IBz){;V?yH(uP%1*i80 zx{>aLwKwT0c_rlQ1-S0+>)jooC2*{qlXurXhVLStt3KZ{hbbdNMJot#VVA%v;afBR zrsZpq7jQ>#cjvI2&;3m1V)9RgsENM|Q4=DgyN;ufn>O7~m0qU4>mBFn6C6sYdL*f{A4=-~u0rbn6PjknU+ zAMSt{O%tq0SqnL?J`Cy)bx%K~m}5_@C?#xgI)prRTWkFqL?6)b{p|%XtI>DD{$|PS zfTYtG|73z=RNeVS^DkJVTZ!-=j@JtvGhYMmWE%G#-Hs3c$X{QxDII4D5%VM~%ogxI zhbpZYlt{S8RD~#&|l50L&4|%|Ojn|nwcX-SK{O}bx z=I9@*RX%z0fOpei>vxEd-dr4FRM;)O_!h_Iw&*TpH~3B4EX8%XB`BG<9YjZ|x@)Yk zL-A$6{n|%9 zWo1NNTxu}%qG%@_qa+}=wYrefR(*ct$SOv@-Da-!rtqNE90Au()$OFg+nVm#DM0E65Mbb|>_Fbf~ zUw$keb#Lb1v#sQ73`94Ex+J~thqQ~H7Ut@%Z`g^>tn?<)eLU)!&*Y4o4))SGFw)cUpW54j?-J2C7>NvJX7-3X2g zCvSXkGd%|vjDzws>&Hf2WM*m=*_i&V&3nt$Rvg}Sc2gSQJ5Ro 
z`1HdYmW+*hji=`%*SiMlBI7TjOYCb1JNXGgb^IHGzKay%TaK$h8h0ClLws}}ejA^8 z^sD3-ow_sao-2WR^;hPM_2w7q`vYFqbVo;VkLRuG>v1Y;hRbJ3e4J((_g3eTFRo$S zK5xQG=sAD@;hRt7i`&_yL96jS9#c~f0@vwSWVeuR&O=WHx<8^6dJiZCWFdqVeJ_}6 z?3q5UQvLuyEhLn9)^0g^Ve`&IO`1ld<17GM!>wnH2INPOgmq4WH(1EbsLV!rNEpK<#>PYP9E7 zA6ZBihkedymXy;uVbRj3u`JTJhn~aZ2v0x5d{wa0 z`^JYc$l+%B^7xahg!YLg(7hR}3b(XJ{+se8qT(7s#}Z^>{X~Dmdi6nC`$x=jM(x3{ z3^{WA#9YWLkAo~Up?6Mu$yZ2mIeM9ljtdJU=ouD~fqP9(jn1n%sy=#nMapFs^s`Bv z<$=$xjF;-PXQ{gnZmeC8!2%T2e^6f)D7qdAC{LBhJU88*eQ+D;V#0K`@CEWcpw){n zsa(Y^WVs_aB?TnETgH<)bf9qC@9$KpjE2WG1wks+M}1s|Y3eP6FGIvfglG$D^YpR7Sm%cDG=Xn$k*z;#z^{FcZrWA>fVwB$L`Ca&4P;6$#| z9{VLXiWR@5qInp;eULH#ONe!-Gm~3@cX;Q`vGdYl{_Xm_n~630KAf~`%ijXRjVNie zRfn(&1&S@OhIs*-Lp)NNE~n+D`2w*eb$`Q3?*se1j^m7ICMbUB9vSo#EKTzce_)bn zaOa(eflHAAMAuXxfRp9?4>7kZdW>S}XEbQR#(+|o+{<7XmNLd1Q9YI{r=(i9@`MJ+ z<2o1tdQC;i$rp~F?=UE(%2SFG3qMx8mBDJ<*MYcpb+>(eT)f5}DzH6S|CusJZrUMe z0Mr|HYdy{_mo@~F=0!?=+HSMIFU88&{}$iyN)%Dw1v8BtiO_C4j_`qQW~vcF`f;}T zokW&g^qwN;6uuFi4K>xs{$RR9^ecdH$$tQihNL%9qX`@17?@)1KeLw$P9#i^5!8{`NDIQNzOB2<8Del zP=NC<4fw910;eO5mcBNsh7qrw{?PF!3c45{MBZc`F`V0(q&&o1%3g6FP3DuC>29^E zw}OWaaM2&2^ZHXe*YfP3ps+so*KQ}j%BTw);N62Nn-7gRtbnBY_lLZMm8xRYPI=T<4L6U1l_ zIU{KbeMsR5UgDC^B~%d)nbgn`fazW9OVp05m3iaNvm+x2e+v0! 
z71|=z0`Z5vD7tAQ&^Ix56Ao)$^ufRH5>xd=XzQ>SXkESwnfjKs?sFDh;xh%$mc2m->n&-9&Gb3+Bk&gmwED1mFh zvW{!=akJp#`gn?3B%eO~@xju~;prv4h5Jb^1PdB}w%|r6QY}c;C!}C2i zoiA1QrvsVYk<^10hruho_SBwE%njZFsQtaI-5Q^0UncpDw)LY@L$K5h2jUIh7%MzI z8br@>zP#+z&7XUaa{A6@oCdM_bl#z?x1P|HfZG2QD|aj#NHCe*+r^T+Yz4AVQc}*g zl%B^c6~M`nlW_l}2*~24)faBgrq!F>wtI{9DCEkgBzwS$n%}rTg8TBXAO12jEhTnO zRHEJQoCeP)%zT2WIcW>(650-zvolw-l`4@>_by|xW^O_oKSla4rMB^Bip9PY#WHqC zFJVz6zG_o+`M!~>Nl4#P+BuV@{Y3m+RdsXaM9Cyo0I*($JyENV#t5o{m6LxG*UF|l zj_#~l^g(S17VCt1VZQ3_;=c*yRO*Lho5Y3?DAxD9zS7ii;4$uIF{LPX)lX+8iC-@H z(&yk-tP{!mN`HM+JztFtaxqZ=wLyC$UwV7^uUKx5krP6q1T3VB&z9R<5Gf_U(lSabe&J z<{|D}cS;>luYLP2;JNI$W59&0tlA`>?wE-L8t}^7ao2Q}y0B#(=nJHJ3sL;Nx z8A)|ga=}7Ali`BMnGVq0bp+z=p|&S@jCPE%4>cA@;XF`x^&8FR@`_`~Wm|TixoI@D z(?ItTcU;bGoESUhys}e6Rm+maB=Hrq-syZS9zm5{XLH#@li?tOeOy4lHu_P~MgC*KQ;P;4@#pu0V{egTQ3|avr>%MM(2C=-UlBI=17u1M@vU=+ERD_Q1fFm?S`gSEb~oPy}G-y zyevWHQpbV1hcsd2*{5LQ@3HSG3Vc`czN50sEBgM(=BhVjssL}EfNyWG!=cxaQjIO= zT8z%IQ0wcx_|kMpBhFf{9DgLFbKy=NG;l>frBTSJ!wcbboBDb&H;O-pnY2>5nHmg8r`SNN3B}!IUAZ zJ#juK&7z>KFYDT{J@Pw&2A&%)hW>X&VEH*Z%KUxVUstzGVPviA9k;_uf{6-YSR>@V z0cTukC~xwZmhzd!{fZbLH@y2kJk4@n{a7hP^E*R3Kbte(u_uF}u!)-Fa=Q$0W{RzF z?h@?z(bUjbg~}Z(BOS9a+IfAxQ$~x=wKrE9-CB&@?Y0vWx};8LH57MrF|gF-6cV_+ zdBJHrg$NLJPpqK%VtZ@~rS|FKL25elB%w;P`3#8lnw%Kua2&K+dJ4M$DOb>;IL({1 z9*s#MeTHzZrje|fs){KNw0Y-xD4l*BvC16GRyz5tw(=Qzo!inLRpeI@+(<{<^-1Q4 zf^Lx1C1NbO@u6m}os(@oUptrbj>Xu1H+GxNkq^_w8Pc=fpJerhUm|6HUYF5FpDJ{H zS2eTxE*`CL_Zd0m(gs=Gy@tTNu1Qe9ybwy2}rVi8Kc>W!`m_N>?lFxeU|qq!&sYutPOOqSn6?i}9w zwJEME3I_8cyTR2_dz#P-(H3vTRXVz@Mk>v;4`-6>F6G(e6VVzRN39o%ynWy7$?)*3 z*u!H6Zu49M4gD1%tu@+y#Lz?U5CAB zpU{weY}9Ap?>sne3s7xbb3LU#r(sa)u)62AUJD${l*mV*p0j5*7*>-hMqU&m^_rlc=)~h#i8jKxlPI;R&5={40?XeKePZiiPf5F zm6T2U_6vu+p9m3QxYpbF-JuO=yYe2E%DEx>X9`v&W)m1*s6;DDek!%T`NGQsHp1!V zl@9j$xxc#Q-QZq%l}_y)wuXI^zSWFU41$bot=oRX8LbrA%lLzO>;%cz`-Sh9mUb`j z#P!e9X=ltGI$$r6pDPi(X~Dnwh`Eu`F5}iAsNKZ$%~ZY;pPP#r~ta+RkCI;F&0Hc#rumZT?5l|Mq!NgHe==F9;X1 
zM@O8oS~;EE^4v#e)QZCMI^s2{$0IlnR0~Q^uD5U{Ex!swJ^+AHp`gx%&Rlo9_dsM8 zJ-sJeLAs!S-!=+nM&J?j4n`4~=kx#)BlsFTCB^*<4GA}Ow+Hv{@BjJW7ti4*Mv+K7 zeRMvjNa|GzJxL&Y47V68xc~+Al@xVLkfSh%MsbO({N3w9MPTgr2$NpEQ=8ovWOnaE zG+Yp;OKPT%*xr8(rH5;kheB=E{nV2>_u>&0qu(RXgP4)2ESi76OTVZ?+1U!gE!z2! zY4F2O><&JrlV_145VU78<#^5oT;^>_;*)_-_jgX`Eqe{eHA!>1DB9S~xq2rXRg-$x ztr1)yd_6Zx{0GkYcK!^K-vSgg|4$n5pWwkSQ0d_L;X7--1wy{9T3ST_36_@5$|Z;hoGg_ z;9V91Ztz4Xp+|!DT2-V9sE;0_!cjo&a@wSfejYP^ca>!$hR0`TLxqW=|M>C4-~RLS z_1lZzM-qCUk6_HhSg+YwNZ9~E#H;K5M%L$DVK1#YU~vM$|9>O$Wnkg%bciBS3+Nb7 zDds6}aXzO*A?8g>Vz^65z;`{JV)eh?DUBc((-FVF+K%A8-A-24i-3pLLHxQsZa#Pm zdtQF^QY=13!+y~VM-C$Y{9)DUJo`FbdH;h8vTro%0;ExjpU6lW+mB%U`??3S_t%op z&=y|MLMxh1_E6wmc>?t?m;dJn)&BR-el^Em(en5*i)>0p^Y%Xn;$H{lU%rO>@cU;; zrhYKiD}%|BT=%~Ek2UkJ>*t?e^K+p6wNp_tHBg0Z0h_G_?r{#(fAQ;reUbQk5eDva zCc}d@h}<{zL;nAM&%Xx34(_j=I-MNE@t9JpQV6zAtMfn3kpJylpry96<&E0xG4{5z z6CbS1GIoa-wEwm}{`q?UzHPqn8~r|)PLi~855|KCRE zpMUxavF%o+V>A!mJqUc{!%T3@Ugfr3wwvR_n>a+iQeE%BC``?>Z z1pA*0>KWWukr3kH$R4G#vLpwfju^Q$`enuAtuFFk%3+`#Q5-~NnKze5@AH(4Q>0c? zdu}Z@hs;k_x-f!1cPq)t#!nQdA}#YjXCbh^vE3({t#OcOIi9f|@VlnWev;FpR4`a! 
z%0;DA5Fc^ahlqS<0Vf4@zR&lA*zG3NY_>s)q5cHDK9Z5FErghX1tCE8>woOMe|+o7 z`qv~M6zyUCs7XY{5FQ!rFSC?9;>35i>^!JT{2)4^vNI7$j%XVOLOr~wlN}Q*mv@(+&WUOch6ij;yA}K?T8ATE zg#i@TTn<2Nx1<@o_6J{{xxSA8ZO9qz)j+j`#pd9PQ42Tq9<2G|$9lV@EiX))uF$a zF&S<%mLN3PJg7PD)ZM^ZFXj9hrrbElQ!_T@D04n5@1Vg|96Szn@rV3elIsNg}a)q z)RY5}DUw;TBihb&6EbY+K`k(W?T%#jNl0rZm99DfaoRaCM~p%L_uMI3r2>L7n_tf0 zZH>^h(CVaTVWPa;QO*3G29pRcL~FXGpAm8m18*n!uC@L|>3vMv9|hWfyuo~3f4^s{ zrdo$D`t}YoSTbxqG_=U(8nEIG zG90NocxF+2OpHxj>WinNJlvxk((C&kJJ%Hzlo*8Jvo)G81n4?p8W&H$ek1$2k2qU% z&UB(pzmkV5mo*5x@AJ{&!;3$jU<1F;4X1t_5)aXb%Tou9r`vy^nNB{9L;Yq|N$7&N z-swH?fJZcIs=;B`MhAhMqCRAC2c?@Rfwl?j&Ka#ac6-HdIqU6VXTswYjBTyxNTvBo zlhG)!zgrcf0fIxn`Z@OI@@X(> zzYT1&q)-bM?Za}NB4RI&OV8#nc_N@d1UUk7fIV|cdXFONzVA@3A^QVC5HswX4MMbG z2Bif9kfyqvr^$0aO7psNaT;bG;7*;Ixz?C^lVMLIn0?ko+_QX(zVM^M6Y#mZPnB(Nyxx@8goaym#4Gwk z*u{TB{yTi-ndaJ&c*v;nV&+_62WK1*XamYYHN|l|KQPMms|{jw$Q78|UcrlRO}E*q znCohm$CqP(OOryk%dG0n=IX@meK8Nj!e5@|zPDQID3woeXI{Thfh0S2)G7aY;+#{atRk zN<2q#x!rLZG8ohNNWW_sbCrQcaH+CFAHTa;J&d?!l<~C(xdGCqqf-+X`@z{2py$l3 zwJbhqYmrvr_G`iTP@vhkIBJh3N^+CrcK2)Qmg3jm0Hx@H7-qcpB5&(CRi%>&L#w(Q zH}fU#gU8B4qJpQUX_o+}cb~xJMsm7$EDr}H?bbI}4#}h)YK|7J04ves&gF)ILOOn8 zx7265^_Jf3&(84s`JQ&(4*s>;%kxNF{Al48aNMHMtZCw@_=d8IJQy=t+H*^}eN77??5tK6Y4@bKlQ;g{}WYG76E=#4RYqg$l z4~<#6A29ykH36tMCla&jWe7= z-g^yoi5_zu30vNzE3T&H>G1h%Ht|>{FFSg>G1}N{gP>0*%?J#gRMKvj9(O>a$5%;w zbKsYB+)LI-di5|>md`1Een5*pEiyOJ>{k+(68#oUe*wfmIctHJ$7zq7)A1yRMEUJo z&U_OEYK0S(s`&<8Y*t{Wo!)5H_pJNm?0%#?lES(o-d`yhWiC~PnN-PF%?q+NR$|M= z3CJ>QvsKzpeC+UUFFB^_RySeKQ@jv{GYO~tcJ~|84>2f*fyO>kmqFimm1)Kwj^)%u z@C0r*mOhI48bS|Zbi@ORa>m(b1K+*6BX50W0R(n)f(1Em0h3?mda-dxMmM#A*79*r zw5i#(je69tjhxNJ@$?6GwY9O`u^a8#-ehe^hICx^t+*T3P)TEWkZOgIxWnEv#pfvr%K?L^dX+uS~`@wnuPGyi;E=w+HO~7D}2XER~R`n5SJ{8>#A&` zf49NDi^-BNFP%oIfO;R%JS}r)a{kwqyjMt%F@{$}rkB^W_UQNWGAV9`#{0#HWV54K zl{8V3?j(jnA(PqxNf*J7=B{hU9JG`_#oYQE=O}H#Ev$2rhuSe4%YQZxm;u9OxXk6G zRgQeV7+lDGNn8>^hY#`@p{ac1OB852=k5-r<%X9)-3}?d@gn~4@$D6d{Nc?dLYdyA 
z)o#N`B{S^G^6MPM{I{z;QOVI7C38rgEh?w$JWl5UsjTg|iE=kPxwKbSr7we?o9_|h zvzcaqE_&Q{Xrfx{)lPx(Ht0N?!t_-W6I@>NdV%E(>b@-|D;;Zwhefxpv- z0XpOe8YSdULs^e8Uw!OMHT342$F)aXfP9^_Uc*h~XD?7%|OLVXjNtMu->)W%3Qv*KKL(9>>*C0cVVzFju;hPXF~sLWKUvKxJ;?cq zh|5e9?YGRADN7NM``LKWDX%3{eWT|TKRtYPzhkvWc3p<+{oVO98aE}ui}>o}awoy3 zb~=lMk6@5CKEDyRc)mwm+A2+O3yW+SCYV-Q5%zv2Zf>Ut4fi^`Z=UfK96kL=&&RFZc^m+i1KU*?JwNu}PO+;2bl%^jRs#{_0`pGy<1L0`-p9~eX{hM_K|<7bQd0oX<~ zJ!x?_tc4j-dy0)Wq4x6s8~3Y*QA%NDb{i9X_O2PR*_ zRBS>p^R!t9iVcYtj0gf(C8m=#LEl+Er$ekhkB3k)71drh&7j{VPaYn@->lN)wJISIMo)oonjj1gi7d&pWhAVOLmTr;F{hWL~ z9K*)13(5Q8YsD=&1aokU+|`?v^RCu3U%H&*{T3ZbSV@~Lp&~Ltgsn|BZk#%a-p;DJZIY9@}-u6B|f=yr@Yu-1xC}$f`v0^%X>||AB6Lu^`N%9`O=z}^6TYs!dIn8Y;2KG z<$4j-dQHWA+0ZC@wd5Qv3eV#`M!@w!uU#aN2Lr;pJr;|{9ys%+L*2gq{sAhG&(^TT zx$oPD>2GInQT zxyA2HrqTeZYX6D;+%|`&3&30+iN@}fCd5IXE~&iR`&|IgE)?~q)RS6v72HsE@J{R84)nZL^@drg;{j!OjZ;;*b@l{9oqJ} z+o$+!#R{>yBFI_rP~E?t1gMkDe3a&G{H|17vN(FUk4gRM!eYQsXB~Zd(9oXw2@hFw zJZRw&4#+n+HPlkgcU;RaRACuLDCPG1A#}|a@y;ZdNF?5`XWh|_q@szCWy12v3lI#H z+_#k!j$p5Vxc3Ku2~jn04BYxoyiBM(iK0ob)~G|;%|QCh!@HlbJi%(ECXegZlVMw- zbi4gd1R_|~8?t?6+;KKlF;xg>8QEqzw+C6t8qi1Gg@C?WWVO&z4t3ET)MRWD@n~v+ z{I<&sbE|8&~wHy>KfgG-JjPhmneDFu%qVKPpI{0FgY>skPp`IRni0X|k!@P!V`=ll&Q8uylk;O8L%0EeMxKa98=~VTg;hJE!fYfijxQ$)HBafI+mwq4^8@jq9{VFAJB+ z%PLPGlRHTBO3t6Imw33+eKzZtE)tD_iv3)`Q9``g^c+RhA`#Zx%f|` zc?GAs^ur*`Xf6GmqD@UjIs>Y&k-81PlVknN>$*Z7eC1tih~~IUoWXz(FYPh-8sA1Xk4i_Tf^feQ`T9J zuBn10i$IB&!Fj!D96JZxkR!=Qm^H)aA<52l&*qnF&v&eG zGW8}<0x;1!U`H}RM(GR5_R-2?qZnK)))mT8rYgK{{lhzJ>p%@@`ALC)~ z+~@p;_|p7vNS~-}cOpC2zs0gGHkO*GvR*R8t-4NeElDIK(PC0x*+7>~N6m3{V6h5i zt`;&+AX$57bqgb;jI3E|r|wgvQ(i(skooE*G>7N1p=f}jDU$Yjui64?|2*WFoRp)b47)!CuxY`*7Y@SSm32pIbc{XWZxM$9rualfi!?|LP%cky7uzN zZMNd3FP)6I$%-e5=NO+Rcw39rTth-IkFj=WwsjKg{kp#$-&$4CR9^)yLH7sPS1S{i z7&dQI)g0oZOowXsANlaF@%C!B>CyOD?EGBzspfepmAHi(wT~H_Ia&phhuGKrj zlE(UYjLwG>;6EtdKbm$LnRJON_0?2)4D~qf)T@mAp3y9G)M~z|Q{Wm%Fu#poxE7NP ze4WPd^4gLKMt5)ECa}ioynqBz^T3|6hsq6T!rZ;xsai%=%=^UddAibIEebS4$#@Yr 
zEgELnf!MPF<_&ylxc;){nz^g@HMp7PDf%w`N_Xgb?Dl3HTDW2Z4P7-XXVa4MS|&@^ zX@^(Vy?9LkXh7RCX}iL-J-mKR2=fQ{kN<_^LpAPb3juENSM6>~$q5K@sD5(TZj~)A z;|JIpq~8BjOLwFzt*l98w5}kbGZYLD{7F1?N_?l>$%1dryLGJwhdmwjX^9;{)&!z| zLR^&(Z31Z~&ZJZ9;ad!upe;G@gf_#kZ4X8@yDREjU0_tg!-9)_dcPb}Q4pwN^V;pj zeNn4O&hF)tE5LWC72or#CRT=D?3FyDR3bijLq;FcfT(D?R>H60cz4k9N`Z}@Y&_QC zO6Mdcl~V8mq(un^l>MTtaBT*miBECpOILbaTGTI9sJ<<#EDYmA&ON|kTMVTh>D4n* zahrLy#4*vg+h*D8PBjl(;(D_!{RMqG55IYTvUcFx{z7sK(w#x_M`C3Yv^@A6+MJrt zurA!jD9|XT|ezX2*#91KIWmamdTYynX>$n z*F>&Q=&-%5Z&@mxJ5Z+XP=J6q*Kj1J_)0HgmRpe;CETk`&BgI1-jLnU`<;l38!$#CX%mp-vA}A@VckG?=3HI)7)IGKHfS(m9AK}$NtJ} z(+2cfB|`xu4E_tEV%>ZIvX5?hyVE<4#`{nby6nSF2jH4h6LY3z) z4s$3jL%;F)&o}N@QIFTe7{JVpr0o3%_Kg3lX54N&8O(e z^}OBdNdS5n8A6`Hvh)SB&-v+;9Ldf3yxX{I zNIo)TS#e-xs^iWj@F&fE5fDOZ0=@vI2kUoTxw22Rp_)8;viHM5w9uFPEq~&*5|5#E z?Z$La&u6whMbEenBn1FALXsCWO_ipLL~yI~}zCwMUA zYA>)l5MUk<>^5CDxJ9B=LH<7^IlgQUg&+q^xotjwv4b}m4#$m!{l*2V z>F7v=+&`1$or5>H-W*XuZXM>jKPWR9_GI_x(4I6ov3zcqudk%5RW46YxTPl3wn7zeb(Z2 z8E7FLHt>EF|2DSG5mJFdG!c@c6u@0Lu~P`hVkem#5>ams8f%?1cCUh34d=zJR~Cqt zj?E_F9=r1v$V)kfjyiO8%Nf4XC_y}YlVQ?pxSI&f#p7+&RK3i`%Fsp&RD{&kRK^Of zW#bk2#2r);0`j>{RWIhUHFAR&5gmA869zm_M>hs^?I6PT29^c4Q=^(yy|Q_BscjNb z#@ZJ%Q|SSu(*w>8d)*9CgItp(HIf67nGdVU(6jQ>u*PgQPk72?&0Q5D& zz$@{Z#}7%GiKXyG_I|^!ekePI!&S|^=j&N+8Sb>|EFo5_-Pr{$JY+M@ z{l_7hGO`4g6=jWm_1EWZxU-N=hQs(pP1m`RYm!?66Y1n+hD6bk{Ngvd({~T*wb>Mk#LM;8P;1!|)AIM3n+6 z&uqTDI@@53?AS0Xfn4m!=J46pR6*Nt$W^@S56^=n*Q?ly{Ry$_Gh%W}yG-=!gwa>> zUKWO{thFe3gV7*d{$!^({=i0^tvw$CXs~EJi8QE^$-DN`I+8g5E@-8p_CnFQdDwE3*-XAx7TNE zGhE%n5&;@EHk6*x^a}1T1M!!cU~g}Av6?%A<3x36^e~g2QXaQHTiyIhF(GI_idU|{ zWl#N_klQAvwI4l)&48p%F~M;v<_DC$ao3$Rn`*IhG09k9thLe4A0#mB4o!8{Zm#k* z&oOCKJ(oH{DC_I)kf2fMJsV`M)Zi-dl=7)vms%_38+2AKSU*UzQBk}k6kX0mHSpasugv<|~JD{-H`+-FlOZ-&uLL^;c=%P4P|Gm$A7FM&$bNUZ;F+$b7$VhnX zsf1j1#{GXY1J+)wY;$=yFc}mQ&1SjQcNR~QwA>RY=6#gXk#Jhg$8J^$9QejqdQ_@w zJe%{z)@Zz4THc2PwVCkS&&PiVkWzU5u8+>2EUG+^e{zg%F3J%6tUsG#>Rt|cMJ&(m zP!~+V#9FPr$|`_G*^(K}Ra6|eqx(ST$)HgaU*m#R{i#3PQ5l{MfSxi#r!NCX{VgDe 
zJ<&8mthq|5Gu32DGT)a8uGctN&87tNA2DBZ)s7)7PPd61doL|lv*aq#VhRdjIcx%g z|Gl_oo^twSoY#R=T%{~13njFlw(1Uf7R#5k`XoZz;tQKJQFjk}11az1=8^+OgA=&M zd?Iiqf>J6Z1p#{~616~6W!=v=je56rY0vfG+~4BX42n3KK_XQI*;=+l)UY_64b#5S z*XlLG;uVX+3kF&=w6PR4nKK-A*OV#kW|c6c?eX;f1kU#}Rh9`)Ew>67Y8&k>46b-L z%}L_ly@AlMRU@*S&!rJmBNQnxuNj6G0_rSbNG$L&iB_4sS|t>QLBSf zj6gCY2|fM?#s}){ZytcieFaJn9^f^8fcL0W?fcGCxl1}yprEccNsX}(a%rybD54>o z8`YPkdtCue0Saob15gnjjL2pt@V^^VGndU#lKYVI7XFoXbM!_!wq^>WZbz;~GL@&b zlZqMUT`zOQ$trmShow&CG(Aw!_zQU3dPP?!^mDsV1P-g0jHLc#DB$FDyaO>;{}g1a zZEL?P(C6VVPe|ib;O5B`Ww$Dk)-c!1YcG8n`ZY5^Ax%W3lpAw#J0N7rygu@SV$T^v zW=~4JYna$CQZM5n&wg;qM9~P#f?Bblpsr7_idPD`RYanSc`5L7cg&%bKV8L;^yyZvbS2RmuZ{eS(C2Yi zvD${IUHRwhbm5eNgu2R++XaX_g?}xFn!lFAO!)3?H6oA?%8=FPHOT#c)V*a?l+<~+{h+>dSFw%=~t>LD1|>8>oL69FzfaL5nmct(e#;Oj)c`zhtT=#*kpFH=lIe5~vn8TZ<5BDOof;<#1%(SRyeC<2X0_S- z-`>Bn%YiV@_Sl|NOnXNnX?vvG%vg~%K-On%S5wsLegz`Z&w=BXJCq0lSN}(Usf>R} z{^_*7oaAVY?F3mKDVwEeb}js?ldaAbc+^rMlT~XFL6tzkRjnA*8{A;vV(%t{jsKR?#QslD4f?Ny==gSwR$Roov83jKuN2!=}t zPq`f_h#ffK)d%VoJ2QIMOqO4P&g?U{-dYBNeWx+kBHy-r>w4Y|CpTBYl-LUTm{un5 z3X7@G5$myZmxTLIiQ07Q0iTzk4V!ehmp9g>v$V$`!2xBL@j95%^k?o?F4+vXeAMx8MQ zG;}o{1+`$IK-Q2Nr(+SIRhV7aP!3GnT(%2;J1>2r*VE*7zbWyr=v5O=HdEA1Z{58k z_;}3zsvq}?ASsyV{7AC;z}obB5C7yv~OH4 z0D-tOWw6HXFh_*Yi|+ymPreuUtlCRTd&gT--09r51In?hGV%Pw*jKF~B)&VeLJV0K z97a963y7+H@XLJ0JXL&5JUPurIqy}utj9EX0VKqOYdvlM4s2h$9go(HJNlJy_D5Ir zz2}bYsg9GFox1*fm{-Prf|n0+c2sgk*`2o$htYfU7ctDb`a8!*jZ>F4>m!yTo;TuM zT+1#llDP3v(HJ)D`eVZbucFPW2IN{QXmI-SXc^b_hjDj{`tQ1Ke;jY2!4;`$R=BUT zjE73Dg?i~RRkd!y($%tUSA4x!pkB9%t%LOA4X&~Mj7!L77EGyaPYP3e4_mTLncp8{ zx;!04Y&H3Yv7hLkteS)xcdevY^J8A^`t1uI%rx8;fgyzQf(2z*>N!drC!IuGH7ho4 z@P_~&a;3ibmHiU4yrZ6He(<;Md0TZ^zZA+d&z(u5W5d?k(?=M#-P;&vR~uGuw-9AD zQn{XKnfW1 zTMG8W*_Ma0H)4ucx})*dbe(zoB$NNQ^*ILJ{k9pKCyl3HU>49T0iaxRl*YSdPE(Wf9(GI`r)p7HYvK<~Uf-)}QHg&Xi$5P7dZo22OjJI|0_|8Fv6`KFM{q9MNPye#T+A%C3Mi1oq>{IH*FLn%{MO`kVZ z1C?8Dj!4j;RD{?S1z+Uw)IQ$$wF7+G!~^C3n|% z-sU>ifadYSx1(lMVl zjc@8y@<%m}+eW>OHa&3S%etKHt}`@cRl|5eN_#J0^MQ`UR%%7yUI)&T9*k>DRE2f! 
z4ltpklw5Z<-d99LR$PDl1P2BJqw<*g<87puVy2cDo*y#$BuUabH4?jb5z5_RcosaK z14H;V+dj>yUOI0cy;%bdryg#5km!_YJKzQIwd?S-!f!mCQajsaJ+@TyrPuGeg4gr& zw&?l}4#wUWuB>mTBKymF@aMZZ&scSn!xpIxR?5n z#Wvo>J9IQZ7&P%rj{xDLgR{d;Nk_9`qicRHI*-SiXkJ*m`6**FV~#>iKA)0SbwY*svfFhMsf(o7dvD(0;I4WQ z@O&*yswxY59p8aP&wMmd)wd!!Sp|*>{5+X}%`BhDW2@|3Cx$#ijH(u>XC6D517)(; zVd)p|keA+qbKSp&CDKl6I!?uCvoimR2eGY@dHuW_+2JBTg-_dy-n1^iB;hufgg9+P z$Qqb0`wo@uXRXCEpDpW(dfOsQy!QJsmbey+sG+dqm1Cr}olOrq1)o2ITFz5ejQXW> z@swoG1V{4yBhRv_JyahM)sg=qE`u@251AyMN-!}7M-mJ}y$Y5T#mH6+jKx?2_lsNB zMyzcXf_wVCz$4nHcdV;Hclix&*xWHMksjMra8h^ms2sD;xFZ(K6UnWtHo-1%Q&K zTJSFJA%3?U5eG~X>E#u8w273Hj`7t0z>V3}TFZF`MP7fe^AkLz1qQPFc^Xw(b%RpS zQ;7MI)*AQIy|@bZRpHLv{M|%bqLE4D{xYk)!mcb$&mSLg>oW2A?tTDV2YEP5&Y*B1 z;;NgdL{9HyL4@&l8#$%upUTji__0{PO_V|+6PrKb+qJMy;1e|yKG@+%LaF|gS=giB zbMF^(!tZ2jSm5WLeE{5k1_40`^rWvL3Idf~q${V*1k*!v_8rI5ZeW|IgP07#r8_9~ zz_8OHy{o??z+9IuNiC+b`doFn@0y)NNXk>t^*&*=uj_W(aErhVg)5&f3_t@eKY>r94K>+t500=3-@+@Q;BOB|WAQ1PweG#^kuyp11LZZ##_qgk$?KW2BZBPa#(sdgMe&rpswQ=fE1 zGJ2Hs@wAgtSaV&`Zg777SICA<&kTx)RmrM?=a+vOXowXQ74|0S5FmTj8^RI~#uVZNL_oR3=0TU3yH9wnu~ZmU{DgHI4gS0(h*o zEPh&In{*$G7EE7$nEour{yaxJ7Yxlsj`W2!Gw86feR#Hex;Vf?0?DW^LB84<^O|`& z{7YNTsAK-xdp9L0K){-jyJ#=G+I^%+KlM|VFc1BW)r0}eNyhmIoV7m>qrsewT=y}9 z;R1KOM&7AI5^jYq)y=US^y7?TqpocBOF*-2ZXC~M3-=h~H`NCge;OxxdDAE+jl_3l zAH=WS7}L1u3Rh^$FX@XS)Y1Cb3ppqe2_{Q7BViUK7L6h%tZ(L9pZK+uE)#}H^Ec=L zZf5+gXY~2DuS(k4}f zk=>?|7^bVNCrQS8QLFKhRbi`5RmIoNN2GYH8m*M5a?jR*$)PTWD{rZ7K7TCfWAhf4 zukGjsIz}_(ZoQ$qa`|UUUB5f)q&Hrz9YHhvM&9hPJJT8qHDJp>&1xlePR?wZ!?q&&7r$TuQ$7=4MI7o{l{gw~MbG zpbNnkvqDzOTr{Xyt1n#GZAzg~1~*;otrr}4{=hnH;DmU64JFv-EgEnxXn->{m(crp zfJ5)x{OY!^oh{5x1?6lytAKq*|HL8tROdF2X%s$a5O4kH;CHy+Mj=(`NB zmHF0&dU?ou1amr9R_#<^_m0P@^>`n!sMgh{1P%i( zQU>EWJsx@#*>TFGuu1P1;xvxWgPs@gv4sZzDk*w)eBPsp>0;}~tig|b%CnYQRjLEC z^8t9N4fbFNoJ^A&Cunv$UhmPYmf&TMl!uGP6K7dO*wXpurc(34z=?9xpIG^2Zo_Ng zHJs{bF-+)Dx$-SP>Zqs&0-}#t3AbeIy+DFp14stTW=2B_A$ z74zz*57SpDY2UWlh$i;FBhP-q;h|9Hqm3N)%nsIb6hKEoqX@~VjrzENh}?N!FwY=1jaI~%hQK8 
z9nRSfXz3nlGOKo)^hCtvd9o!xoQ*44R5qkDv4GBf(R~;q`u`^8{##s9>rX5a8i1Fq zAO_ZYXy9JFn&swrS;!4KBsbNcL)P@dyM0)4$+Ahq#)_d_O8_{gCml+F*O*R*)cpD9 zuJ&4kP@xgcxJM>lFL?F?hsrnkh*c9v?p#0{D1NwfIaR%5rD_B!*o*0hF>2*&Eiat7 zNp!-AwyT`Y4s*0AwG!>$0w0%hM~O|1wtu=^Sq^v<;GhDV(1X3e2_l1YLp5JD+=>q) z&4p4EfK;)%(mT{IrMYTpk^ja`@ZcuL6WykelUCEd-nfg0k}k`=RO4F z63~3gox^U9#G54zsOZhV$-}spG=bI+VL4d^P9tw`k7k8vy@dg`bGPX(r<@ZJn*}N! z&`n%4(PlR~=Bz8W1Tbbks*c?k6VC4Mp?cf3%C;{PpzizHhl5P z=rowLzg*ML{k(%ovJOLhZ&d@SpRjQi2DK+t>bSWJ=vMi3&Zp9-%O*0{x4&R8%3}ER zX%`j>SayoeEhmld5GrbJ+%uppUv28eX8cSqmn0541jC6*;O|)N;fQQXs89lp=FG;n z#ShC^gp)fC2GAZQ5Om$j13(`quH0OHyt=wAtDTmuzQ>*I*r&xsD|FCyyxd8YC><7}9!|P;4s>6-shc%<=gx zLU9Fge(P$c+Q(b)<2A02SX+E^Zoy@7p1Y6!w}|kom4D;Ub>*S~_ii+HhM7fxH1V)8 zDKa^Y@X;Y?V!B#|S4Rh2ULGS$jW=V3UnW_e+J^5hm3-HD5v{4(Rk@^lwNmA?zK;1Dd!+#C}%V_)EUp`4ZN--Z;}Z8 z(UVZY^D8(AWP1bz*QLa~pJwQ)n3Nf1YV?)h_-aJ`gR}{c^ufh{EX1U$jNg*0yI-D8 z?T7Uv5HDDB#x?po%L{9i9+T{Z${eHBh6_Jj3 zZ5zkKz06T`j%Fn#ljhT{s$2Pbj^zbc7IR@;vBTw&PSGo18#i4mjeCa;b$4lOM7ZpW z38~M0r71{t<35KBW$SxL&xTPu+X=OMyHItK+9K|x5LjDvfngI0qby0!fGa(U(r{s| z7L1yfFG>}AkK?NgZX3F6;XN6+Wof8B6le3rH84 ze=hr9l>=K=?o(xnU$Ryc>EV+B68yJKnzQ@gd9Z?JugE*5gD3`-&t^erR8HkX-1LN~ z30nj1FJCIw-48LiT=UOq{{xm&1j>yl;B{x81Wap)UL6rqh!+EsTyWZ z;N~Q4(Z_swLw;c@uQxH|G!3A)Tb=Z1*=vzKXUl4s+h(#&|9E9#=Va2fx{TdsT53Mo zx%i${XK_M~ROa{cRs1=Rob!w!iSwLlQZ+{Oi}BKc`O{@NdkU=ZOJoKIiw2Z6O0n>l^f0(~5`BIc{pMuL_f6T>zd~^!g>VD9EQN{7|)s;Ku_)bY=*xlIxai)tfV!^0^ zAg9lNNeTh{gTSAr=#SBuXW>u5F{SN^GZT{*%r1KC(lIQeHc{OoJfYW)Gmf5Ly;T3l zQ`KK4rD5T13w3L98G71N!xv!i4jA9;a#M)uRJujG>5@ zqItMUsNi+uemT*2$Dk~!RS<_sFSeZWn>Z?;@{nxS)Z!ZUC zcjNimb(xmSotrT{wp3C{4AEn%Ldlbrs58m8-mWm{jz(0Mhv*!6^7mef*=Iz_4Xb0DklHj>eRsx_$w zT2|ys&$~0S?liFIwsGO}$U!dHkiX&SaBjf_c|BtIxjerW;zYZ2Qp}QHnz6N~IRK}M zF>nt&0W#?26wg+dgC=ZA_;uJx+=&`sc?4Qx(N1+Ni>iA0rdMqjFgG=x^Jkrfsg*Q-A}Db&fj*Br0J6K+cx@L6pV~j z4ij@R2W|!7kuU3Qj&)R9pU#iB%(o3pn`_b_MY^q6t*o)(NQp=qS<>K*uPA@pk3Y)% zSrJ^HsNd<`a6UdU<0+zi>ZARx8{HucC$^nl0u3u3=AH6QNDF>ePqf#cw1)8-G4RlT 
z+M%A2LdB||NELsI?RXD?HmjgkoW)CVc}A#`|4s?duyQQ99>o0CCM;&rXlbQll^{$D z@K`_m?gUFrU-Q4nT!1iuO8BP>`;ik3=g0?eIX0z}K|7{D?v}N7a=o6uijTj)!%Np@ z`A(YN`=coWUAfAj_aFhHI%*W9yaQWFnq_!b7JlFcK$Qd7m8KGHh1@>s8ywB{isG+k z3A0JNC+fV2Uw~Q9Q2uh+-n_uy^21^4@Ob5!&5bQw z)EfLfY0&c@2mOApvLDU9wOh;?9-1A@$CT$VaZMr#()JzcsND^#hEQi2jSVO?-|s#3MtQ=DgK}H!DIe-=tw{IHDBYozq8!8)(?9f@FF5p4 z3oOqr{(5YB^}FED2XQ%p{-#?OB1$N%|<@k{JF!02!L?ar&%+)s;1D|sdh&H+aPCh7nA5`X;)Hp8FmE|PIy0rT#S zt>!B#%U=&0|M|sK&VTI{Qya6I&Y<*j5BP5Uf4!@}z9je}_WmDyOm$ZJ8J zKfeC2e)QHI@;?>lF)Hhw`w3tvkZsse3H^QR`EPuaf4|5!TzU;n)q@MlSVB}N^0mbh6` zECk*U{xgjDx38cY{achEa@Z;@z~786?wj+MQ2&3f=2v6?UY?qKY;wF}z*0&(%D(@% z$J~GZ?5#gwB8h9X|6e15en`)NSrw^3`BVgtkLO-6{wIv8Od|T%)zC1jsoIRHo4`Jm zmf{yLWo=OB`H%~_{xV7dT1y}ax0Ny;EzKUru+u{{o>XkmP00|ts!YS9Z`enBCOOyq zL-A$Q-5Zxw`&0>`Klt}TWClz+$TT0#HxFnD#ZAzWj2jR_JLioC&J;O%S$Am)d`4pS z?P<^a)EKSG+WOXJwu=fR%i!rFp@4d_lpi1`l`%Syi6KhxIv(6Zlv1~lhQg)#@=Sm3 zwP$|-Xyl7Bes|PwSYCMp4`WEKKi!O1FdGMyo0PfcfO(aXFmj>HbKxgOxQtE~u7a=c z6wFZvxNURJha?;TyG~V zFsLn+6&B7`(&^d=Oo7$Pl8$7!%s<9te+*&PonwBl+Q7SSP9Dj)RPhqxSW=)^=ILlRrT1<+r>O7JQ zXCs}~H5?$k0uPF{;VcS|D$hu+Ptr~UT2*#^17iD&w4Se@zQZ{I?OgxuWk7N;i`>8k zXo+0coeHii*`{6IJOW+!26oRx9=IYf8Zce{BBcO44$y`it*s3)k4_ds>+i0D|SW8q+G{1k8%xGG*dk!TI-t?d(l7fI#TDF{E-I zvfqT}dNgh_%*oV1sb|%tFY-V!x)aaR2xhvkYBrKuM!5w=ddi?Ri=vqd@7~3`+KI@+ zJtYa;e43S}`^mc6` z$p}7ushnkX7uxXh`lj_g-M#Z5npHRECQg4-t-PED{aI7QiDdkB7c2b_YLsI>3=$?R z_b@bk(|@UO*ku3uzuHDZZyS|Q{z!X>VGW7pHOCY=0(sK3wc#8>gqAkbwE?Z;+Fsm4 zyR-B8*W;n!S`-3 zr$T?W*)Q_XhomTz$<$y)pS&yRaPp>1z~iSP?X$L;aTOQgo;f*6cQ9bl0gw#x0>LN| zp&a!e?%65?i=cG%H@GuhTjRXP6gs!|^!&xsLh#ws>b1yWr|^|qlRPNfgFOTvs`YSY zow{v}f{GPDrYe`eHFYGDjnS*GfACrREm0EztA_XuALl8PZa(@A_(L&ERt&URU!Lf9 zv(5bW!MM|~0Y*$c&_Vz*wPM&-_@mbd6@4K1A4t}TZ++%HDXFXjuvV$qElw06ry!ANYJHZ?0q)l9lk_M)A`9u%{YZpWx4o=?u75LTtH=NWh>`>z7lxihP6>!tp<6}1a^Wk%y94qUuY81R z(Ph%L@6{xoWP77mZ?2vntxBd0ae3adXEGY9I#EI`P{?H=1444{+km;24|~nF3TkW% z=%84LxL4}|wLNCS?2t;8?+^T4i5B_crn2oO=)L;B!PbF8=53>cFs7Lh>sP*JZ<)eOfjo-1ot*@P&2>lRRlNq6M#3?K}i>k*5K(CZE<&(WNT9;=dBB$ 
z<65w9zTT&cm)5=Lv4m_(mCbkMuu$)nU=8OXzriNz+I}bxX35?R3*fEP5%zfkD+2wHp!*l#5URfZFN0Deg^(L{oVQBtyzYG7{NonV{ z>}L87$}E-A?zx{ZQnHDPA0x~O>q$(TH(;WBQ~ih-kapBop?V@D{~8r)QS?9G92uon zYYQvtz0a>+-1m7Eh14|_r>8{dI$|z5e7?LQ?qm|KvjB2;di~XzG^6n`yjmWpNLu(r zhN05@I|mdg&`O z5CB?CL1#x>Kk~WOdJu&6u| zL-jgXc?^KNA{Oh%Otg{_&8usMBEHw!C-a8v@VrVaGi{$9-2UtWt~{r0LsB>gM@LBrM#HiYKq2 z$6MOf_RIMzxvYbrZ?OCrS67fmr^ZRU%Wv|x(mX3ALRLE|TET8<`~ZM_IPN_v%j@?b z!o|Sb-}Zpl_atxXC)7BkW_gn*6ZJj^+>M+PIHwO>BX0tj_%(TF$RyxQU6W`Q_W4 zh4UA-siM7~T^6jCiDnt}J$;eYjzL>fH3b6ph!D5#<@gm7Fd)QG^aZ0u)?R|8q=-Q@mk{Rz9x8dcp}{VoW!nD4*4Q>z6Q zD_h~b``@;Lu(!5%{kvS|TQSa#ck6Gww)G+F?jxHryVD)pi75bo?7d_O+rAJC2j!7m+J{-H z>64U)+a1W1D?{^ zc6IbRO~dM7uRKfQGQ`Iq=70OBaqOk{W1V#~r&uXMjup>ku$d#4(^f(bRxwuh?|XSqg2R4KG6c+S7ckxl1ByDQxpEpqG=tflUk!tEb9;-7 zr8c`be718mWS3{(;xSUd)3Fnb(;j2VE#zq`(300->9Jhx@Iwt^c%B6~4*jQ(2ujym zF-YWF9xg^xX!2jaYVrDrMb7sbjAF{28_m|~*+ZOU2?e?q!Lt_e=2v(txd#bC`95rtX4?JLmTeg&vvWm?fv|& zI_%1w)N;C5WuNg~Mom;`0E~&rR zR9IJZ#>CvkCcwTp`qPu~The1*Pg=*8+0WLWU!j~GEkGHBU=?0}u2@=fQ(4*(c`?Va^*S^in6dTnBb-eYEsYQzg!Q2@u4)12i_RT!*UscivN>vY=ZoTa2ixUdvK*BxK>^o`H(gE#{`#pfq9puJ+dY9Q zIfGybd7jVeU@ppHM^YE|bgY{XTzb)@b9bJ;v_#3M5%BQy?-vl_vPuS(z}CQ{GRv^9_}FWTWU9K#=MEBvg7?l*Kg8E5d}C_ z!qWSVJ}Cz}QPdJnImeP@3?LWM#qqeuad`(c(_Rf4cMl~;vn!C3RECvV^hfP2bucGs zU!9!=&zLxUX_Z4#@}!wY(wk8oEzh?;iV0Gg?zR~X%{nf#dxB4%2F$CkkwI*G3s59u zLDnTx(2;u%kf{AkV659LTgfds*o}7UN0#rZ?8=;U_ca<_o93MtrSP%=)$*oWQy1F+ z1HMvX-ZT3i<^b#&pmE9|M(JeZZ*m+)mGsWPo++kdmst%r7T|ukV52)@PbU0WS?S+9 zk9j=%I4wE<{rO_7w6D{!P|aLhP=RIJ+MO?&1=&_|S1T~Ho_FyACdspPLC7@cx7L%H zv^U;~lXDa5GK(pl;pL6h$R`jd3rEZH6Fzc{DRch(U}BCKr;V|U;#`#yVvLnhiJEC( zHaR4D@us9Lgd|p#MHkG7Xi?P9Yps0pJR)cpir*hHHiL)t_}u3MgUE?$SDC7Lk-*G}VA=G*{U5_IDjPbz~>SZHu4 zF%}uVgVnmc{E>4+AHFU8FANHK$&<=$$RqScEl-EKcT&ef@7Huw%ff-3kD~zK7SfmBS%5AGF5P9NHGO=txhMWOl+3O;eASr3h6yt}!Y8Io` zW6e91Z?{=D6NOT&jYC;4PoXyxYSJ|ro7zO`>Px-Uf1zR!@qaw|QaoPxtoauKt9Jfy znQ5eN%v>FB@^D!dvj<*dkh{86-P021$zqpu=ijGpd!GU)Yvt-c#aA+Sb@Mw%eAduP 
z;DEyLRekM`x+wNe!+K3x7{p3!kNgPy=7rX#JHpk<)Mgtg`hb6^N0Klf{x9}aI0%9Kr>`7QQf5Q%m7>@ZW8RXY_>Or)(3&DBtmRqKqq zOdO#d4E@(kOtNni*cB31W+W+u{sA^EoWW+(T^c9Q*_`+^*^KicL7cU9X^c(VL?Ai> z#r}F|d$Ail6J~v(pcK!U8>0j+E*V`*oR7`b4wvx;PduMxX7JiUEPWU{9^Czsqcavt z0EHW9U|+RQ)Ea5V&L^W!0bpF>KWXb9l(CARrsdq z_)AGx>e5bc{v|Kn1d&`~bk_zs=6r8{!I69g+%-Pe*u?`dRb#fcNJV}KoYr0Avav~C z&ranaE<9tEgX4gc<%%$@`*Bx5`Om_Fq3QR?QFaRYm8hiC!B^vxwUOc ze}PFo=}wlKN>`tKqLBkF`($(*u6({FGtH6K+I2N{;ujVv?54F%$o3p;@^{Wuay3UO z)s{-R^&LH4)>WN~o)Rq6dM(xRg>em`R#v-!HdJG=5F8m=TR)0 zuTx7d7SSTW5Ggiyq1`ep4daEzaC*9EW?f02ugDla$J4jxS1sfh$G_L`x|9h`@NZaX z-MZBu$QL{Do)ZGn!m{KpM#4+`^Sq7gjimdvcw*On5~Ar!uY?yT$h_t~bZgGbaG5r? zZYeOKH@j~B-m(%?-uS(xsx0-2xZ&0*+}if2w|CsWcPmj~nS9G*X}=13ywNMm&jEpO zAkhL$V6Sgko!a!M#O5lbiKF0B@9l=Kf3dFR!XDcnf1c4@JjEmd5rc_ncyhmWF3C3c z*Bl64g)V8hzL>;qT^&n{IwsJ4`O31UXQb%33iUSXt6O(6aCe3=9ydyxggr8PI+O6D z3p+|wwtDU->a3<^mCpo-iHbZ{CapePA{lBWu_RnKR;1Jt<@(v3!3ITesaqCaxz19v z=RzZUB2~J{y$%}m=)Su+AFQyMwP`zHNz^2)`-Iw(5gS}92)w&)j+E_kQ5F?;Q?4zN zR~i%%5L)<|7)P5AVJF`IZusW8KTfmB@Vgvt-7A)eHoTw9AWX$u%fKZ zq#LgpsL;LEJIW;^k{r!*eQ)5BM(^(!w#N?2)18XX|;n zCgioIR(SjqM&HfZa;?25(UMs$wJ5ck(c%K4hTha#6S;dl^Nm%6N>Zg(l4VFXx?B`V zpm6AG*Oc?nAJf3cIH=M7^75p1-B$&i>${psE*fVPwHJ| zbSz!U+WbNLi0L&w2y^*Zu0$M9OY}NqtI*@Uo+gZFRwG(stA_4N@Eq**5wy!=bm~R5 zQ6hRHha)NOv3r}E4si~?u0>JeBvr6QRgafp{TEwOv8SFh4HCjo#0y{Uz(ks#^~RT* zF|Xa+4iVfYHp;N?oxfBxG}^vZIvGZ=U$_W>H?Nk(7OTxCzgatvX-bZ^*}29G*{n7> zfpi2+5j^Ffh<(T9$(6l6@~Q4v$>eCAR-BiqwK=|_*b~+*b8rj5H z0L#SW+3DLUGC21L64RyBQf1?x%bvj7M0{$~csR?x?>stnEE~l|w|9OpA)Vyrbp0kJ zc#?vev7q*BVtpz6b6d@JEvLGEbD6SPoKa1zBP4?qiGgOV>WJ~U0XpshPZX5u7%VOm zMck?owq#GBUB>=+>)z9^$sY@>{IQdhIpvf;ezf+@f7NGDXVaqexY20b017adnOMWZ zR)}9qG{TjWdS8FHGtCPe*p-n%SW?p)FNQ~v_oUxr5V5~R&pkPx>ocM5it1`NW!qjE zH$Nw{vH74TzM5azxHoGJZ7u4)R{{AV>ag`QcI7H;Yr%4)^e29wAbLz1M+vlrauwZ6 z7P>KU{!rRT(O7t*u|4Api{ij1I_YOpX-D<~pVb)(%DtRWKBJ{G#hS2+v5p1>lq_i+ zuVfl&Kb)odoZ{8+yKwiJe)OV&k+Hj>Nt~pHqKv$>4$jSYTP?z02JCk*U&vknj_ZNnFU5iQcCfeE+HN;+q?iUaj>e}YKWX5E)Ja+%vI4w>0<11__Ymjg&hpx> 
z1jJOWgkZ+spJ=cf{Xbq!jfyaMY+s<~RMNa`u8rR{aOvb)W6{a%op1}^Rc%3F%yxMyWO!z(a&Aw$F`7TU z_GBkbZs>W|VF)VacKyD1uV=y+mMSf6H;>I=kJFV zJEQbi5)<7=PELU#9k&hq+T)(DAMb;+oUYVwyUKoUUotR{s^(IkdJM z6;%!1cEe(?`6gEvi;}D#Mf4KfWQ*}kKUTM1KV!7EC^=L$BfCsW6!h?QJx_vuel1h} zoz>`!mO%HJtms=UgimDDUGrbCYP0cTAL5@TzFL{F$nyG%#*0HWonUwCmRY9y$5!-} zXq65FmUYAU4eW)Mlci`!Z#bnJI#nM}ZWjg>5l6Lw8$3;QAT`=wJc4_=ziTzcYgR10 zmXaf`d>B1sH?QUiuEP8Ay`J(hu04;aQr?ZeFT;w`Blk|bEavSFIr~-QyEo`?#d)je z607Ku_cg>dVnkx0(tM6`oA%<(NMVki5Xfn$Mr?o}a@t+Lq+m4GPGXM6MJ;#;cjK&C zEye4JR;-tz;CL>HH`u(CMO>@z;v?*|*MvlTF)`M1o#M<=@#$xbHOLp;M&HM2|J?4F zDG{%prgC%XB2P9LcsNVPf~fac}52`Fecr5_7C|a%9@C zLPOSJmcu^5tfW+~;l=9GGVe6>Cw$k9pTe#4Y^g)js?=80e_b)a!OmHJe3wgq-Af#) zS6;i}!{V5ZC3Nw|t3E%NiO6E(40Tp9Wx}~6kILw0dJCKDspC&-ro!KMq&jyX+c0_) zqc}MsS2ZssP2z1_3M_$(?DmME^X&?`LbGW1(ez$wB%TJo#=!4y;E`G_bM^L_b4QNx zz%*{jg;Xwz#3?;8P~Z@swDsFrLFr@n&P1m5XM&EmaKj8FQmkcTEWiKSS5UpAYh(@$ ziK3=YaS$%F3}DLzqs z#9)6^$5XKoUw~~D`(>_InpKcs9ETaqGaKuSQ9DvxVgE3DAei-Fl0Z`6)pSc%vM1fQ zam(Y5%95d}D?+pi!Z_@r(PX!k^4~dT`cubrn~rhmdS1HeQ{>!DfY;rpa zAWtGG%7VCUPBxrZ&9){;Y#?k$ryfI=+H^}y;KNih&H4D`-J9*UCp%E;qXSRB@be=q z0bxD^HK-YUcrMM7mM4~du{|v;XsqtC_k+67*~)yoN1cRuD8x>GZ{fN9b=|c1k0}vM z2z%Q!b(kRjG(l_4RuMEbDV+dOI%J?bAYr(<8h5Nec0jJf>$DKx0Wlcmy30aHIE@Q& zeV$oW-Ty%o4PG&A<>#+m2e)>H3-)*Ei*4kUuEpCsQV*Booai^wv}L8ZaM|g4j$IuJ zo)jjYFEv7u9u&KBVeMQMiezEDTh0Cu^Zb%6L;>uKuYhE}H6&~-)>%q@uGxhJDk+{xPI|6f!!!))5w{{ z=qs5l?{*dZYStqqvd(pjpqeNazg6aEMO50`ms`t_)>Fnscfqt{N{o4Gci7d^WM9r! 
zVIX3VjDEJR5|>+d<@PJykpUQ^>-PE^!UMe=QtrjinocX5&!~<($$8o5LYq~Bw84e& zThMUv+pOIm=qmU&Ijb;@H5pn9Io&fjk^dZ-n_tB;m+#(X+?$AZo*w1pM7Y4u61Gmn z`q<6nKnOA-AW*|jk8JgTPF1eoHn*R0{j~cE>p{>-9?EQ-=4?Mp2`y%ZJ2mX|sK(!G zE_uQJ^k|ubK4pS??=8$dGZs6^yiMCW0ek&@e030y{DvlC`GA9ZHj*#6cHMTVGq)gQ zY)XH5%I?>c{r2T!NaGvm*Tu2ON3J#+%~o0h^hd9k4YbCU%>>viUFPmR--e&5Z&jXB zSufyDXZs!myNwhhD^KAPmDyc%LWlVhIV7s-4{(qf5|`fg7~~8v}LV8!>cAk`$MBesO=^yT7^3_ zND_?#bZ9a<`5aqjw6rup57QH-`4ftR#t zR@8b;xRJKVSq-{wfSVQ{>P`bU5`O~s+}5)AP2Q|#)RQ$|_AgH;5s!GWq9Z|> z#$xjAVbx|}Ryj6HG>zs-#KZ7u37$4yz*&RT9wyI+OASkA9dy_>!Cu%7r2Btl!rQHs zU3;0-;bc-%Ngo1t7bhmuv?$XiG*(M=A`#z)9eWC9-I*0>ramR%aIy#$s7ps87z?WD zunA~_eeMk;`XxQGdPleFZTOfEVb?CZ7wqt&lFYo7+Eh6{u!_`2jFS3v zu)H7^5uy$y(Xk~{ceP&dCt=s4>;>a{eh8SpeDm&j zpV=o|gIRK6W2__L&*l=-zg*y%N7W>i+uliJbjHVNED6np_-Cr$-SUo<4Ji!5MWcQZ zbn%A4J2v+%6He_bL>ZET2obeC^`wFZKACiXfXMVMt@n<>c3`p?wxkeLFBmPC^l%{m zH7}D<5#yU046oBnJa*U9OaFSRsOr`wy6*W0I#qC*Q%kRe=CI1`z|GJ}g_R{+7v0Um zPDoV27f}S>?dD#Q*z0YE$(k92liWsU#q$(fpP{T2GMu9LL+-}Sdr%iq{_EwoFF|Q^B~`r2Zpp4;)Ia~Kdr}WTeiU5@?bSyiJ#JB4(*S_Uq)eyPgXA0PM0^s zlI&R){X1~y>cgH(#C^!}@h(tziFk=PEJE0J1*9|WjpzCvl&;%ETtyT-ibElH=jm>v z6RK$xA6X1P&+mAZWk8pQ&2ktaEWY-E4rb>tDPfZ0=DFYrd(GAw#*K7^80aD#c!_KN z>)uKsV}FTrB+XKjs)uc~6IuG)($f?ib=^1EwH`=TJ3isYX73v~d2S&2j@pq{X*)KJ zk#Bsf3fVoX6INamtc^>~OK0ju2aZ1ZX_dQ@iYPB^nVjC9_jD9vL^%p}79&L~t1KRt zS!U=M)~j8@1zGVu2Kb+x+k6f>YDWF(RwI7qwc!p5wmpk?lv;bR=BXoUt3D}!anWdGbVfq&GAppq7GGVGn6K1b}K-_mOQWq=s@{rKTSM%m0ewA4G6 zN^eo?Hv$={tu9WKN(YCXx)PD@(hj0?St%Y?Rz7X%NgY%pafMw)$T$-ps|AQ{6BEa5 zFcGhvaa_jEG2soU1(W z8*jy1PXAK;)%Jc{<)AI zcdY(d;EM@GR(r{$gAZq09u!v^^rBFBzIP+gxKE=Shwt+0ddy{10928&Y34#m>jbFQ z(<5YKPm-22?m zbN`-m-ahYm!Eg57Yp?#UwRQo8h#3-xkb5=KpT^@!u}SbozB@u2?2kUFLP5^v4Mx%= zBl~e{g|b{u0y7(7lE|-iC8d0OI6MI} zp!*Is?Y;`^&#u;Oq_*5)(O^`#$VxS*c#&hn61T;YB00e`IvsW2^`Sys=*P%4SL4IQ z9*}ln%#dpY8Bb=ijq2~%gd*PgYVICW>r&@V6tYxF_AAuM^Tgydq{-cA8u5A*hU4Vf zFF{+UiTz@>;XF^ z%&9v)rp$HGZMpfyy|)SPF^i@4dx*Phwq36PL+RR<=E=^@CYANk{3i5Ppj#7DV(`&& 
zmz*Nvp>`4B@{4n1H9qh!eKJdX{SjoIhQ=Z)^(+(Emb95&qmF9a0O>f z>2y>H*}}>gVT+}%KGJb@*)v^&$pc-a?A1E%h-vUmbi-HoYzEHC?i%5iC2*xi!VU`0Q8%98R;^;Yei)g9ba#XfxZ7t|h$HSXRmwv)n* z(?ar{pzIHNLGSvpaJ`Rz)4a>iSU-krq~_kl$`U6O6>w9WWK@JW$n*@d`@}|+iblrp ztB)xZ=VAE}pRF)%g4%i^>E)>6ZV5}uXF)&;P$r_*KV666fb#JmV!yt&%%acJIycR^ zeO%7Y-dXDWB`~$gHsLpFB_=-EeYehRpvE~=xN;V0(NRXmsnJgNWUFpu*>AjhrB~Bn z-O2G@^Na~C#DqrL%^nt{IK^q{`4%=LtLjf6CdIdL$+z{1{oAj}NDH6JCbyaj?pL|JhtOkhzTe;@e(OW)6 zcb~;4$V!6BJ>fo&;fK{C?NkTgJs%>=Ao1LSs^YDz#IfJF)It0df=KeRtsC(^PV>#B zfW1W2p_3*J5E>0a_D@n!!)j&q-TzDXQzb@!!ep4Gsnj=LE z^jn+7Cyqlrk`gadKi`47#jb1+qv3lSWaKcSUsiB-gNb4xO z(R%JUWtm@4w`<$>dQ(pAWkGG^$;S6zVe%|Ao*xfCC(82i9r~*hFjc-B9sVx+6hMJ!Eyj{8|QxrCeqo^e%w%b6oY{axOhYvB-V%`Y+b7@zzXqJ z<=JMVd8UhXC;cV8BgO2)w^Ai&JhB9q7D;V4D#`bCT%=|!44@5)jx1fD?fMjf2-PUh zh4ui)!(lsB!lzI4=&-4wJ{O}7lw<{k@AWf-r-ceksI#QGbE)4(wFQ2Og&giT;b;nO zNeYx~ScS0r0Mc(Qi1riOd#Nx7dwJGI>#5kJ@^1XXqS zbmtgO`&M&ZXn*S-3c@;oEJMM5j?kP%tih*W?UJd-=KOWjQy(F}j^VjhU*s){jxyk_ z>xB3t#OURpguD<-sc0YdnWBIf(yF-tP+MQ{H&Wm7l{+yMeR%e86Bz zF#aYs-$`7lD6`x1WJXg#LltADoh|~+R7WZPI!g61KA-rcC0dGAlQye?SAw}RPiNko zI-xB_1k4NX$~qQrS`%ELZ4<;7Xj_RimR9FCAOh@tgp-|M+cM-Pc9_-?8Qskm|I9{l zwJy#}`z;PoNU&MD;2C|W&|OhN1nsqP7Re^s3LWKMc7mR+7gQ=@5})CkgU>O!KKLn0 zG+4{Y^NmSorHkSE&qTp$Fwf~GkXOf>%a|L_kXf(UDcyUmBYoX+c=)C7bQ(T)EvhJK z1meMJs3ovUU)I$t=qEA}a-X;*jdWyeJmg$|K1pZm5l(EO?k@By8j;&8u(#hIC`KLF z8nL*9NgeHa#Jl>2UI^5Pd!H`Vaj=GM#}Bav!mW-C)wN)b|Eb^v&FnMOszt@OP|^ z!cA)1iXEPT4c($V)FU+)V1gDuD6ECzNmsS{vIV1!H2%@ymtDU~5kC&2HE_6j#@kL~ zreHj3I0&a>Q}`?v;WxcIPb{nZm)>o^UpG!Y&b7Kve(ZSe)TSM+GY`UfF{pwKy-N?| zg6oVbd^^_dp@%zCs?S+R{T!$ZONlJ^Y?>nW!P*i#`B;oQ>^-2i9*88=X>)v2I9};T z)#vq$6UQkf8^^EOc4(Qw-^Ac`MI0xSX7Zq1cU|L&8E144GJRVJh&k6PP&%&ISf;KV zMW0qfT_b#nwla?J`h@diG|VK&a+@KM$hL8UNelmq7p3Yk>gBqUlOKF1A1)nQ8fuRb z_0s!wePwl;aj+UcH`)WO(0`?M-4A~;!#nm&>(nNy}ps0+&mKKR(?y%QmiglZ%)LGAySuz z2eCRHOb8B*Y-OpHcKzwS`m^1XcLB7b%S!FU&cq~h(=c$asTSG6lAJ^BG{I1lP#O&G 
zvIT{8y?qiVY4|o`*Z7MLn?vsgzf_%h@xI$RuPmYSS3%PSOaHzlD+v3%W5o8|0+Cf$9kxliiW+*ZnBnzu5L>ib-^&|A$^;bp`BW4$HR7hbq@=!oX9 zS&pX4F6?ThIcG@VuFeOEwwN>cNahcajhG&rL#85ec}qS$L1!ST7_$lXZ>A5N)ln z08?wx2?040WUew@&85rdS46cm#s3ziF7gXp9eK6rNEIxlVO2c6Om&eWi6Gt{#Xq>| zSa7l?8vx)8-h>#O;n31WHzJcsC=Ycte##(wsR<%M>-sar9FxT#GCj%u?}BZk_ZNF_71t?B)gl zK#M-@enl2aDG5EfZq+-I_?%djiNK{b-#@5>)@Eq8?k3IKGwa|UnWr#;U~iotTy1_@ zC40Sq3-DAeXvYo%8?+z1h}BBk%d6B|3Bd==K(&w}@PPtiNV3QBM2+Rz5`@8#MJ|bC zymsrDvS}Sa`?(Q&l2%l9(7;qz7v!sfwngg4TIfV)RRwel$M_nfDf|Z(fe_=q+{uXa zKu>hd9TOeTg&qK$aMBAcgCsnuIPI;r+xU*B-U^s1yd(3I*o7bKd6cc$D$Os&@+s8h-eo+n5rY&V_u_>n@nsB4;{vm$wBTs2;=8(x|`H zSGd$0t)@#UDNafYGvG_hJe^?%Y+79cF~JsSFjS4~!t)yxuQPXqLLX&tE1!{sytj}PSgo3OX69)gkztc+g^D}v3-r;ft859TVZH0T zoahAWa!!+{@IVQpUL~C$F38y?^&L0jg9t(oAHuGH2@Fm!I74#*&7q;?t5D{!_Q#TF zUemZp2WqBGG;yF|IISs!-|@@=()6mPvog_0#CA$aeLp_U$PQV#;(ufbq`8)w)wmdY z#ES@5Dp`$2AY)Uk`4iW_4+InPc_0_ZSmIme;N7 z@TZBumQ_cpv?h%vKEH4ysqhZkzWZ;WUck%CJF2>iPo)N5mvmW!F95+&2mJVScPU^-T3p%`CjY3paw(^P-OHt9^Vtqoykf$`gt3A6FK@MJ?Ua5e60uv(t8_Gy zXOna^lJTe(JG@S=O_lv_$^7F~gQK9+t5SQJ!QMs5NEV5c*lp#;H#fg>7URadC9bIZ zw8?ZaQWN{0lnqU6UW8n1f$@)BhAm&di*U9189PpE-BAB#@@*W?$g>59w?o?zosj8< z%vb_~lTu$dibaJS$*Du|Y3!b2NTO^+MtL|&eX#9B+jTkwxtU<+`t7rjQVvm)krs>W zk2|g6jWKCTl8sjLTy05rNgBI=6ba*ZySe!nv9IO@=i8F0C_6l>8q06{JTw$JTO102 z*%*mUI;DT}MAiZo3+(e?LDr65f5{enRQ1YNPg6nljcqaka1)ycP+k$)VCK7fh{sJ3 z1ofP2iM{2Vys9%R|y8k|I|MqZS<;Z)y1*C&ND7op>L%)Ivd44zvE zh|!XVh7A`UpfZj0D?3RAYw;5M zXo%h87veW=QEV-*+H&mAjH7Oi=(Z%C3cvl)>RUIxh59|NS3>J~{4ldNQWeMZC|Zr7 zruc)?`0a(>%@^^zJ#0_5+o_*u0Y4-YskqK+x_-sxWLH}n-BYwzm=LQEBoCHWL6Th= z1;A|o&)P*Ek0Xr*H)=EwX{s$O3^ITCZkrBe_|C=JqSKU)zw5bD5ACeIvj*N*eOHJ2Nlg01PIru=XPd4$ZJu!8 zHz~?YwnBt|$u}y#UFG@ZETa=W;Za_+u$mD$)o{=&h?oppPMAW3`v8Ub1+nGbHf>t% z0tJo|K2ek{H>NAjOdk3mfT9=XAN*~$(SiIl{N&L6t*JtY0mHG~@%~!4mz;}LQNVTA zlrUFreT8#ti9HiKpLJofrs9h62Mm&$dzR7_77I^Lf_f}tZJ}E)1LIGvU~+>U`u>^y zM+YD%z~J)?2>Ut$lAW>U394x!F4K=&9SR5*op$tWk~L^a1}Yfybc^IB=?!2${4r&C zIVqI-M2R)I5;mJA_9?Y0=nDAgjk6`Cx^L_6$Y1tkWVe0^tru)86l6rICUlA6a7)B} 
zM^2gBaoX$9c2TS0aL4%H+6i|Z`Idy_;CBYSWMwlzS0gU4ku%OeAtEq<+zqN?D_h9i`jxREK3-g4qD6B>GV zKJA*Z+OrnRRN`q%hBN@#X_>b%xi{nLd6r&3eWUY*KUFxmYqhYxp`*{16n;@%Z2YL#?d*8Qd z*BN~N^43(E#ivstTf=5ySL_0g@Hk&UZ=P@Lanrw#V46(38rj$WK|7LmX|?wq$8b2S zH|d6n5pJVf>(+0+zGmDx`tEqNZ4^PZ8}oWam3}VA-V#Cg^*SFF2|hNg_pyLd6qArsSd*HhMb;r`ag9aT7dIc>b&~0HcA9vN z8-}A!|E~QjRhSU+P|GP$w~37_tQuDB)+HeIDeYGmQdgi?EAr`<<75T(TXj!{LB}uE z-nhG*!d!Dv1Po2;p+`R3PaMeKoA259T2~@^t!u1jA5>DAGg^(m4~~Cj8ha2C)AE)~ z>=XYb9<&pMJ}84yxb0blyD8*h)!fT9dn2b-A6+A4yO=ee5=JA;oXN$82xOl%*2XyT zjN8#JI~?PpO>rz^3z0*vmpDL~)q16q3N$kwfTI=zDFM6q1- ztXb*BS-6+MxH)QWxE!b*C*h|TU`%B|5? ziZoRjlfKsAkKwk`lTNpz*F; zp5FsxnRK|J#w0Y)%3o0xu@+` zMtXM*Si*!{&}pcrV86|w^v-$;$&2CX$alzJF*OF16j$`@B5LRo50F=|aO0nJZu$iY zE!-*+!RL0ZemHe-=$+fc5HR#L1e8zt0@+T$EAICQ9+fMg{sqYqahlg&y?VuiGRM zr>{f8d7c~3RhrT}O5bg4A#~C$=RHmqR*SJO4atMg5)^zjAFrkk;9>7d9H8q;nVg3- zi_gf!C+PiZzciTyZZbfuC-mh3`oZ<3c*sWk^4xpsZ>q7N+Q+-3deo2U~et=y3 zVLsS8?Z{i;{jlr8Ng)>gm_edCX9dSMenoIpK7m{mN+wFm*rNYvAz}m52g%NZIh-t= z^rSL>3?rbAq$W0gl+J6B0pU8`I?uq$)Ov9MS{pD9PWmBfWWxU<}A8D z9Gec+JmOrcKwGvWDqN&vEwfUU1u;P~{Vvo2n9e=Hg(?YJAi|gPvI4{~{(KTYU{p+i8Pqh;S zy!`=jHkOoTeYrs|Fc5YqieG(HVX%(Ybo|)uFEkY+CVr+9u=lkMXGV$tOd(yff#wA86{c5nJi z)Z<$yQ2AW(*}nIo1=%~jtNe!g#rEuxSLWK?BxXa1?Y=xJR4bWvBX$%%R>`k{|9Jn7 z8?vuoHWYe}?@2B&fX`L7lcBlv?g+jYHr$BEO;uSCblsspRU#`^$A!tZ_Eiv>Sy4+> zb}QafRTo41#iWyapXRQVwQW@|Yk|n0P8#AJ?6oT_n|!+CL|b)kS$4A9vFvqV86-Wj3GI0SDgJF5%8KiqVmp_JnEYXit^TIZUVKot2!mn$0&$&hhcD^{3Wq zU~rva3P^UC$l0@%GXQwa9#uEVZ|8LxO>)`TVPO~(In%2!o33(L)QF%3DtVk+%k9>C zKv^N6$wxJ%Yh+Wb+7AgllHCS(;8_d=c!-Wbox9JqZP)HLl>OD`aAO52iaXR>y^&gX zx`p1}4fm(bk>v+;I=CPucjhK_hCSBf8e>^TV8S;1o?nwz?80@dUIkY~nZLW_jW^lp zv6}ofj+pin3-E*h20R9e4B4l{$tsylkC5?&a5wd1S2tj**(}K}%+{U&D59#S>+IZI zSV0@fETgDtxd%%SVss?eE-i@=T3r^cL>>Mj%u!Lx4uNQ~$H~K*Exo9Rmd5 z-zQIugkqhX8(Q($rq?Lnv+SHKM)qAZUq4&Xg>MO3@rI>|z~dUEoXnPlSaxRg_hh1@ z3R|Ocf$~6dfl24V@yJJ9zzYWOFxYtjXAq*o;`gN9=|S+p>>+@j4-*I?l9Vh*hxg_4 zHOg*Rel-Fiv|JC)ho5R%Jp_vx__KFZ?;ec7vhu-GkKJYx-e?q-Pv%JV!Bt&w$KD(+ 
zPSXf1J_Lqg3mOPNgA!U49^$Z#4}Y)SieGm$I;&bIo$<;UOkT3 z2o?NT$W?8aVm6$muvl4Y1BURiP&ow)Aipy(Y#AMee6t#e(X^ti5?zdA8Mf`>!r*#~ z!qcW>!t~A)W>=qyF6 zDg)ErRT(5gLw%IC5H&*tFODgymsyR#QFHo?r=sXXVLNtYmM^hGvjTv))E(`Tmi3F_ z`9dO-47HgvIOQVzNW&7Jnw>bg479s%8Y8pAuKS=KH#j5J5Kx&k2npK9U-3IT8t$r5?=W%;~ zN>By6Ut|Zg(Bv+J3U`(#t!fd<--Z(wEMe-RPiGh-T6YV^H#gP`Yo#p8mX^1E{**LnhnjAL*|3;)CFH?bO<`dbzgMc4_j)?2@S}`GI&)wzKcySl0dQ8Df3-S*Q|kQ6>3drECl) z57aFlqFYk?vY2A?a6QpUZ*+sBqV*$&CvF|>9g*v@2|wa!`#NkgRc@ZU9`TF*^oqVh z9k~s1SdV3$)Js z*!s@@WVDxoa5@vfmCM>|!80@k1i-5r2?TQi>7E_|toADw;H+0<9e0n@>^5I=>aV9) zEzpE$Map8YJ$v`wcZp$a$zSJ-s_nmZHpX}|xB>LUaiP`%fHpYKfk^>_?-j-PvCT$sU125G|6soGbZw6@k z(>neZ*o=y#A9M2rd?ZTG{oqf+pBA^@_(xT)(4+%{Qu9ICeCJm9C{+bIt^2v;I#1qA zyRC2X_f3+g6)}cTQ<$e?v=F>M*!qcM;iG3I`B;F4%PYP6#BpkSX0m++&|(A`S)G z=_V73hu?kUv5uYo8dMV|;szO%9*J*L27Hod%+%66DXf-yZ&oKnS>ityhgTWSUe9qy zBe(Kr!AS=h1OtgE8}DN1O`k3cF!YYSVl`^fX;L=k8R)BaWbyi(1PxxNjBwY(Pp~wO zcScLmm~sKK0EEnsCkiX(UO?iD%VXNDYtyX$I{Dqbrxo1v@RlD&P`%Vr8@a)Ts1Z+Td-!k@sYzh7U2!=?rtZw z8+X3mvt4btdBdAQmkO!a;$w}g76Y@i>H7|tZ^kT^+ViuUsrR&iHpl#eo0F1SM!(D4 zXh+|z!yUF8f(lquIzD5(kXm z)Nt?d^bPx%e-o{fdGqu>uPDwOiRzItQe?INh7TC+C2FE2pTZVCRPA(VrU_>hTxw&G*AX|-7=+L7P{3-h6T=N9w;VD4eC906-)}s;VwnCUVepC{-+qj8~K!@O<_W>g+cqi+qOj$&ztu1th0k# zdajU3Ag91;k8UXogh$@1eVbi%=GOoR(7oVybo6ySJv>(IpqA5TUh@*OV6i(lHf?#bl1?KF);H6$IEx& zugA#Zt;kHuR{21jK_av7D)x|?`@zUbb$lLkS%KTl&4IC?8T*nd>sh9TQ!(l@eL71< z1R7CC5f}Zi#DAa1@Wsrhz5F?^>Me--!Rl-if$%$r_0f^qyC*RNCDNSLik}dE>ji^f z@x2R{HX2%5h03sAAF*z9c(R=HgSM{WK2EBX(|2O+XPS`W$qt z=fUS^MUz62`>ed(1=VvIdg(V^k#2P05-!q6KNSHZ%Mo5KXtcnhvvcN{*53K>P8)T; zfD>G~Uy>N-VDvh?Y-}bVtxSlK*Z(-d@hg0$HeRDuBY!S~vH(-^V%n??b9yE4le=adIZS_mwplIyx`vD=rb zam{tzb>GA{lExApyy^GXR;^9Azs6@C2#X7E&o+7O6`Nt|j}pe%*RDh&N^mx8Uf&>X zM-5OL8c)ekqAbc`kEyop;2kV%#8C@x$zTDro+pxPOxMI$B757z<7mA1^Wsy*lL@aA zFT4Q?2pwA2+=nxMgb16 zS$6XQG+qBK3Ec_MM_@j%9?&0Wb-*!Mag`+17n?;rDzI)z^2_XXRk&s)gTv%anoq3n zdRp>t9^RVsGt$n?#7XzQ3A^vHE>p3{3adIZLE_Ee)(#g4Yy=oIPQg6)oM)_FUqUL^ zR5^l8yDEUfrI*G}MEC23i@e#ySw{nhD~09JfkH_ 
zjvd>u87iW<3%2rxZyuN#ny*zwS_}eDyJc;L3L*v%cF-0qU+mOv7SBiDY4=c;5>u}x z8t^wG=mGMY3--6OictO2BxX;NuPb@r5{{I~sDO3*Nu zAmW4NlJId9fBHoj=!`{c_bbXucGMz;V^0ACflg>Wv;I~E#8THfec|~c&aBL9Q8S(5 zYZg(BnmkR;)91qk*0@%8`1$8o7lyyliHmE(JPu4*nLF#(b2mF33XKk?aqfd;MOHv(zxrOCFCOsiK z{Ot8{D@&}1ueX)MMU+h!bZsUc)Y{4`P2IX|s+IS-XsXr0<^ZqzVVY{=`$zK&fd&UP zgM;EOda6_56{`{F0ok0cpFzvPY%=$yYDL2aU9oeo@AKr#>=!3+YL;^xW<5!24Wle< z+762NY9?5_7|B7ns1!#E_84tUenO=IHvJWow-#<@Do^nW`qL;VLNE;P^(T?4he93$ zYdkV5#KZ+;>oeL88x?P4O*B=3s;hJFMz1?OMDr7wG<}_GZ=vC@zj5e3Osp(1?!C3! zsju;FUtJ9H?sFRNPP|neuJIYiWToBjVXK4+)oyA#-I@ICW9npf>I?zSDLATW^9i5h z(su`~^n`Gx;!L^ZROd29X^tWvpo)zL|LKlqr{9EUkLu?B?qExEYF^jNc=J@dICUZ8 zJP(+?Ku6XY5YkQtg{Mu+iH0eY?vvz1fXFr79*@+hmx$?@c*yM{2pL{y#koARTYCaz zXk`A>y5J7(SfE58n904z%YB;r)H(kznMTc zLkD*sBi99lmukOF#PZ;%!1<&{hqInq3|hT1oHqz{P^XD|q&&29f_EdQ0Vs0Ae#riw z+4O|%bkk$5<$Z&c0ka!-?V;AT_9KXUSn-c9!vIoS_N^fHpxs^YW&0t z2A=7+lZ|eLfyC8J?QzJk;lfv)3ek+NuSQ&1UlLs-%96Tx;E}%qUi$qn;Z%~_?n8%V^%dX5R6bGmEAyDiI_ z7UY(F3|POp>OOp)G+YR=Qw?=qNkk1(oc4u&WVc9g=3eoOSiPbACs2_Ie0?9*gx2LmUYtkDSSk6$UUJdjT zsNi9;<|YLax&owqHrT+{rDpwUU$35SCUpO($w9cBl-vEP+!yXiWA*8v+3<4nN= z>P_9zYr+uPjvZ~|nU0NZ8yCrs6B0u+zjQcg9amrE^kuWG2(?}R>u4g^!bFf20y~Q$ z{9rX5(^qAkZ0t8R!`<@1!$&}MCA}l2*7l&@-O1N=@wKJu8X<87XyRjTLVw3#kvS05 z8cDjVOJa&#!^Xp}Uh5M%efK+BY4L_A<`~aYbVz5b6$&F`+g|{2T6@CfpaEyaSv@jr zH(q-(j|JdH)=oJZ!H|gn5M+XCh zeNJ-CM(of7jZ_5M!g+OjG$cvXHUKd>h^_y&lBBkh;N;QUZ6(-hUQp>Lu=V}dFi@Cd zqWf2s&4X`W>w#2Ae($q&s)I8$?XtV9u`I26udYvU4cMRa(`P$H}0YF zYB$ywZ(y$+SJms_oV8C}x?(t0fR_@66{WedC(A8J&0{aiJR3PnDssUf-@|ZDcG_rNoVUXp>gE<&!_;KRG~RgHOYbXt z&0Y?VvAHbkd-g*s*A4?(^kT_gxwsGvqyfyOz%bB%_|vQV^3ZWiR|$+H>p|is6gQw> z{`~*{{VVX8OOp&<^Fuh}0MrudwW0Xir7l1HPKbL!<-Pa%AfE?l<5j1C~tjx-4U+eD^v|_vbo5m)JvM*?)1qlxLT8d8YYs_$r1jH(#_!|C{gLUNRaF z6Haf;Yv6pb%j|L&K=I$+-<4}4FE6xkVTLjz2OY2=wLm@YAKCK%-r*zIW#8cnI;}7n zV~`FaZxsDAgFbI!yhvk#x=$1jijY11DzuNUT}sN|Um_#(Wevyc;1(%N03Cgs0eJcF zpD%FfGHn(M(zc$)G!!HEL)-o&bpQ8sSG?FR_o?I)IOPB04*tVTo9%1=OcJ6jqDvkV 
z!}S5JVRVFjo!-BZg)HMs+2hMJ!y<^c^0TaO4-ok0eZr|Pmzy#2Jtn3DSXxwHj^l3$ z@)s-6U0ivjXHEnrw&-jpV*M9_P#<)m0JnVO{X1naav-QxLHIu|=}&(uV_>oXBAv=7 zjhS~acKa6h?^}QR=l{V7%KVq7>m)5tz0n5}2Px|`{|jOsgkLU4YbP!o5D6UbrUJ{Y zzZZdvMe9W`@{@}K_n>b(4p zJ@)ls)ED3uWaqA{{+sXEE=#V|oEx7G&mIBRq%-K#KWn2D5t0jQvTk6Rb<<`SP%01L zFR%U!jz09ipr$NYjughovN4FK{2K=2zToEya!VRE5JuN-Sx1Zqa7-ne9`}FQ~!I{&zCO0 zi$3z5Um ze-`trI475uiv>@G2_p#6;dJuH2rwVJ@e<7|}RF^u_*3?Jt zA;tjR(a{5f*1vbD0ArtJdnpOgEFZ=3lK=yhRTBXEXTgIrTrMZF?B_zn0vwO|6h0m)n>!W_lmjx#d(_Ol-A8K)&_Qy6?)hXoidL)VM;n zA6^G;A+ZrJ@1i&8Z~6JkH5J)QN!azV$ZFW@>Bo;I-|_p0Z-Ds8{nEo3YlF%Y&M(HN zuD=)#y!Ow;e6US;LCpjX%QkHwwF4y zGo4r@9W#AX>64erzxl57QW8{>e&h3f0@h32rJwm192R!D-0^ox_=^PKc)|e!3jfHL zz(1V*<*fMrf90&Gu@{>18s|{(da9LpoQt0xjeX=Z=}j=hXPd()MftnfWLnlQMhsJ1 zbJT}?Rl1gCRMum9a_O~}aGLW(&y*qO1?OicO2G5%9}iYOo+f@5mgqS`Tk$zD& zlf8S+Ii3}+@w;ewu%gIpFs;aJGA+<-vNX`F+&a=08xQnnji!A4QfApA!k$+Ed{(+H zt9?ecqkqzzZ8kW(h68hmBRT}k#4z49`e3ltkdyR z#gbu|#x_^Wlfi4wUCTYnxn#$MM!X~MN*e!c1hcsR;(-V(xVjL)17&*OC}w}P$=tra zo#9fh6J#tCO%=~k`c1>S;q?fKa^uyjINh1pb!bz2qTTe^)u+j=Db~MNx{ovqQ+8sH zwfkbuEJhIx3Q0sSYBW~}_Lgqj96fy-hm8O6bOHQkk$jLBX5{D;$&7csq?U4B9Y${q z0&=db$6d2Ikn^P6moJm^O@g}ec0|vI-S#ESXrXK>%i zsnbFH%$KHZVieh^cOjYSlm;**zxd9IGua=t=JUkAJiaFr+d{M$rPo(0rA;g75%D9d zh2Syu6j;SVqbw_G>=5fJ&XY&i@MUm79fB%-8A;oHdcO!X7B>g8Yb#Y8+Omf{l@?fJ z@UL6P9dVYFX@WoKlt;fXWIip08Q&=B?RjfM+$>mT)db3h+u~gPqs5Q7beSUiTVz`> z?!nia!@K?6*s--5)%F|p9M(bjnSkm1 z?E_G;uO!m_)Vcex9&MQ@NdIL_MQoNE`#zDEABT@LPtZLP7pTvJ7IMU7wi&W1NyH%L z*m>g^}p#F$~}`FNwyTvmjd?9`lEr_Zl?`f<@?d?@)T~P9srFmG-n1}0(Ab~N z@kLr{G4a9#uha7^cqEeGJno6-8x&j-(BhX6Pf===>_T!KLY?X5U3KB!ICBH`jG2#<} z5>Q0|%{2MuJ5$6C;WeTU_1Hv>=A@p(+@w(f)zLHTS}(U1ASd^`-&j>`H|9vUIX3WY zmeJ+T@T#-9Z}@cln4*@!N*^#c60hZR`wxPN|KlQ_nn@{EmJ~IQW^nND{H^An#H0cuq0^(H_@0u&5JzJ%P*z8j-cgM1y= z+bWmvb5Rb7jVQP&)^WDDR}yYCD6!^+U2O6xlfc3oa>Os?q4P;nh-AY z5im*VSKW|3VP3J)+ynW8It#Rb4AcWMAi?{2u4uPd_$P?xjL*H5<6!7JS9x>Zl`EpA zk}qE<+j!*yypv_(1L_#}udR-eYk*8Q_Ves-|~>zj~ 
zYA&NlCiH`8AhMUNPmCz}=c{vF78wP+_0zss^`GVq+cuq25$eH4_0Qb+yGSjsi-mpLGMYh+M5zjl4IfeU} zR6_`@`ZzEP;0wJa;MR%!MfapR1p+!~_YDLzH4)(NN;%u>eT$?GAy<;*PPi7|i-4r> zHf8pG&u*1T=+4^~+pYxk*?;y5mH(=92w!Z7EX4#p8lF;RVMID?FOmwau$Q~zB0FX} z4nm~)=M8*xeYTzL@x$_f-bD?fn27;A&f#|m{Fw>ChYQ&2irChI59X0$k9nJc#f=KL zA!k3RyT4dzH(t3Sn3wS9DDjQ-#fjyl@1yV10YqmfdDaCyoriZL)8Vz=V45UmA_VR! z%yP;?#h+la2^RhA2#tV@)W3+$LT|Y~&oAkn%+ZC3HGC|8eqNc*giHpuaxwZGl7N)SyCn2XHpktb!5Q_0sX@7Mp-_O|J( z!JqFY;?kjuBx%)ob>TtXP;>=4N!_-fmGDzS5oI}%gQ(*VoiG)(Uts`+D!oS)#0*d?Df5EX<-+R0%xQ<`*~T5LrzGg?A4e zr;SWT&bvLLx2qbC-(L`3y?(o05hpoc?b#t59qx6LZ@PMQgy4R9ua$bxP|G!i`9Af-#MTgClmg5R zoev)?ghUuTwnM6$xp)6Zk;vf3OSKIHt0SKG+WMtsepTfvK%c=jGI{w@Ld0V zNAs6?4Vx#Gsw)_FPRG)DNOuwff+Lg_LmV+<;-YIf;%loGjnbTT{~cb(1+crbEVXptwf?=-I7v+3Nw* zBS&?uv>gsq&Xw>uem`G4J~_ss6B1dqvSV>f)8g$YE(#)+65ZK;oO@er*osx zYhsY5I|%|TeKAQ3$uyY?9-l0Pv{ngUqF;s@6)K`&Xt@UD!HEz-NX2v zBY>63lofM&T7d}O7^cxAG~{DH$$Y#ptP9jDNplXU@M(U3!9}Jo`zM?4b?ef+v44B^ zDLe_2{6{F6%0+47cpj9EjXZ9np}kS;in4^)xo#-}y&ks;D_II5I~fA-)k&k_SI=Ti zg5!8iLXY=L`g-Kbh9mgATp{OY)yK*R$mzsNaxSyW)549%Gd0e8{Ym^s&WmpjTF7;Q zhi+SM@G@0%RAp&6P8f~wba7bZ-4T}k{^&)>y`5jj@0)R$=8+hrKW4Pg2{Fp~-CV7??UsZ!=|pnjUtXvY>otm4VvUmi1@oJpo#{;ljcO|EI7kkB74T`jKTQ zTaxS|gizM(r0i=%_GC+A-x)g*S&|}qB|BrwZU|*xLX2IL-PpHbF!SDcf6w!K-$zgW z@VP(CJ=eL;b7#9zTio8cnejS8lHN0Fe27~HE|&*BwcmaAjY{{$j>qouh?sFbXpN_A`+@iV#;9e| z77@aKX|_Xpz{c*5N{XHlu)yRIYW0Jmernr$l6G-_tfT|hJ=`N%xX?TmWo9XU-RpRz zljbpe&`SH&89WL9HuzeMjHl%5B`@ob*55`+!&0m_q^j)MkL*rx?d!#uf)K|tX-{t0 z5C8f5qikyN-_ykD#;t|j7v9Z>i*t{A*z7trsOt{+C$~!>(iXq`7NKQqPI*&*)s}1G zaqX2KpQEU3_DWN)*u2rsu(?JE#?)_-xqLAzIiz7Lb$i^p;c=0b3-)b-sm}2Q0)Cjy z&O7CU!efbsOPig%eIIwP3N5_uYyvy;16yPsQuCzH3V3f{6>|K}ywky5l&BIrjXj#8 zT^e`k;kr>8@!l6WcVhM?!k+#$ER(Nh9k(1ofJ|0t+yIX9)DoF;2G1lNWB?)I*#fZW ztaAxN$fyIKa?D5)v~li{+*m7?Bhv!buRHX>1gS%%ut8$8Kcu{v7Ja|?Ew!I}DX!TaMFy)}iWf2UAFO9ci=h=VutQBTG*9Und)*JwN+FlBLkqe!K0p6f0-01; zIr?B{1!C}yWBfp>AzLjuOL+L{zWf)qN^2Oz#BN>klmp`ZmlQw@-q z2i=0GZ2da27M`h$Q@SN6QF^Hf$TdH)t0!iOeFkTYmfI(aCE8va*9%ZzvFSR$THrX6 
zVbm1YqM9ZwrmFRQFMEpA7 z;QPF(?VA#}S>DudjB2+6wa-iCpyuvg8U)D4zqLR`NAK=Y zoBHLF4yk-jF1{+hs%2F$r`IcV*Q%xS5(Zqwk?x6+@00 z>zWz_YB4~CvRfx+bul3v)%8n);CFmZhMD=gY>| z#@#io9(Hby$7QQ(@gEr7>j$t52r?sT?Y8#j7Mx4R$Jg~bnmmGS%q7Q;%;!T(BWe~~ zkk0Y+Q~C2!OPzcT{OUKtduj8FpmRN``6hm|R6D@-xF(46<|ucw4svKKe#j45SUI@v zG1+I9NJX&%tep~CX?fP@Vz(WMnj~Cis@eD{N0yH>Z+aCtsx?uqp`(L4f2|&?4m;fB zrqGgFw1tex>Zd^xCU!x5=a02X8H=eEEvcUmvGuoi@TgYskdq@lXLoUMK;jakv6imYz!bni8>RYNUN7^&<|kn+Dp?Ji{TE8gM!E%7 zwc^1EBTFq8A!a#C-#@sA?l5`BtR9iwxkZ1D`8+7ibD6^2*pjWMg$Thfj;$~x$d6_a z55>SfeZx*`+~GXr;ebA-uTK0G);Vtcu}()fjKS%R_rVH6_JwZ$LCTcZLE*DTeCmsG zHz00UkFeC{DM{3%N~-%(J7TTi5fCRr0=YK6f*Jq}zpwbV;Xya)n7w`;C4RcdF(Nep zMXO?Ze>D`ZSdkFdLM3FN>xVFWYlY07FWsaITI~>RlUBY0+-%}9cUUMNNlRDf!hN&+ z9TBd=Z;~M(MFLWg;~6f!>t5^Ed5(*=L+KAz60`wgFbMx~yET=ZV57^=chKIOz&5vq zs_FhM-=Fo6?S3SWb4vWkXlZ&?A_;GqqowEyaO#)Bas-T0T|z(nJD0qbe8b+MOP*GS z*RNR6FpCatS<_}`7^+K1)V_4&%7P6tM~ zx3eW&T(LMAnteR`F%6;@H#7X!WeG#gHYGXPLlQckl?x3K2UiTJi|4rX zr~`lG;apy4r)n~W*u*PnY!#%2O4(fV!XBiz;?e6GSP_Zm{YwIPHu+V*=CiQHm!qw| zLP_B8{Tp>IPvx-0;R@szG2&o#Ks(i^KfI);x>Fyu;*vKC?j6nivJ%D!IV5r$8krAG z04}358_ZA;Yy1S9@%6m3pfx;I$vPz6*}zoDbwNVQ;9f7>)K^s3GvUkVFUV+S6CrS9 zyak`V7Y2yJx-a?aJ=;EfSGw}6plXd6;RLZrc5Iv60z;1+wzLb&hmsn961X6M?MZqK z>M2kC<|K!<7d}{U`kF@&Au>zFW{O#Vh_BUw>jt<<=`-9%yjs5s?3Fz>UPN7sv`wRA zJ&ZR5c_a+=P^Q!+_=dpiqN%FPJb@iw2@mSCDbl(x%}b@cmO@6%?OWwgf5|VMGi>8q z{rxm#@oCLM_#4(?t!H}X22vs#JJ+E)r##nTaaU0hPtQ?H6VHh{80s8ic-idjeaDS+ z_(s&>xGee3Lx6Z9=q-$ik}2H2+)PSffp>0(SM;ZAq;>KkekPg%_2 za#?9NUE>%Z?Z@4BOsRJ#>^bQDQ+yDwU#=Lg3H31_{_q#`Z5bUeE7!jeWseFZtiNA> z)Lqn@;{p{aVeMF{&etot#G?Y|^B-#@JOHPT^{#-)5e4y7bRoSv&+#R(z8tA6d`UuG zZUZzpjE5UXll2(NBQ{*@J+~0ltVvk+{h|Oog?XHA~QDOM4akg={lJDRG1t>lOic0Qs!$Y(` zb>hVZF$bLc$1jWI0Is`-dMcUT85+H!<+)L|FpW==T`}=;1aY+pF2!r6| zjZ^#4a?@An#J_ot$61M1VUmj4#HU1IX_W+-2}bDq{#+aSyjx`1{49sXtV8I5>H~cC z;tZVK7{7HGUQdb?+honyK)U=csrd55=7$0GxA3*H-pH6BkahW&VP>OdACh0zW4wX` zE!eNBOhtyvf`~=prgErG!8RIPRBK`n0}2vRwTm!%kL42Q78<74SuHIz^LS+=bHyX2+3?go7en)FO#?TVq1={gkF?+V{$we=B4hN51=Kuc+ 
zEXFf(kqcTcP9xvB&h~TkLtNhVfVcsg5DyQJ&Lj_2jpvNw&hYa6c07bMWWh`yHFCjP zCv)XRB?&31Hxe?|%U8c}*9$32=$*ZU{>dc5+9_f;O278NAz}rM_V!w>obfvL##Q>ht&zDZ^PS(^vmn+D=SBoM}$-|%RlBY(#Peg#{_fK^fAj-pfcggQn^#qZEIw2WOMUR83o;sA^UAgYYqf zeW>J)9}C&37_|NlkmZ+Hh%hd zn$J7ceBP!}`V|~FX=;2+m)6so;B{crzTA*0By}n%ZW3iuz3zfML~XdYw6@Ly_eg99 zt4q$en_@fY_VW(_Loc!)y{^FIQfD$}H=lZ-Bzh!QMp&?0Hw-tA@sE*yfG&ruu%Y}= zjM5h?=1IxOI%NqpVxFj5+}q2>&PwcOYfC?Uxo#@$-=67=JukgGh3(aD5MdQlIYgPQ zEaYG`e9?zA;PfeM22&d&q+mPA@qodjLl5rX?a)IRgJoIu{)NsA^_RrrV(a#U98+JL zWM{=xx}mn)lH{-EJ*?S);?SY*mGjuu=I+uMP;hV|Y9kBt`ab8$VFk*gSic*Fg++R7O4W?M&mYiXSN)>XcTX$|6ii>4Bn^hM~`g&*KH)y*56G~3tB~XyK zYAzHHVdHb-@(M42Clg@TTK);yy&=1?nHQ`vX?<1Pyx3BDudfJ!=n;{cXk=x*Z`t_v zj>D+jW<@2#P1A-AZ>%rBY?X;?Q}|jO37yFX)WP0_1vTz#J+8Ir@3*TjAX!CZs7j}- zqB5JoB&vOd*XRZ%CFN$;dD2ZJcAX}>Q#4&-%-_MoHP1e^bj*GuXdQ#`+pm=)Ezf=d zg&n=+=0i=5r4ET5#+8SYms$}{P;E8rVN+P!nsEy9ld zmH?gfTU=g>{U-FVv@TQWrPung==5u5P-g zb~dR9n%-wb66faaWDGYDAyF|ELOPmy4Gx<8r1ssE^q9C-`33I$F?bS2;}4>n&kI4nW_yhel8Slx`7j#XddM0|)xSnXdb4t2caM<4eU7+E zyF7v+ywF#(K~q!fwxn`pdHF+E@ zO)H8nkSG=M$qJYXx(lnILVG1KeTK(&qK@SZVsuQFcuzpI>ZLIJlkt~wxonu(ZK@E8 z5af%cnA9DjzMXJ$5#y=qiV9s5??pC$<%I>8Uuq0#w&c*Abnnr{k4Q}g2inoq^7*un z+7BGYhiQ*uMR+RJd+jO>?O_ukJp&p2J5>a4X+x!tvZePCnUbca)A$H)32z1`-=gHu z?~pZE<>5hPwn7tjDcrP^qgRyA`Rl2ay8Xs zf=AC(U`vJgUKo3Sj3?VZV&ij_8Nm?e`-V?j$%Q;OodHIs&X&qDq zL6z{ln9!w?vFdrBrUEw1hv8=RwRwPgebFiG5na>X1P;aRdODUQ6xNnjG@>o+Fu7bv z$#{fdOK(t|bZOfDj6v&@56K=%-K!LM>q~cN#ShZRJd!m99}}u-`n{8*@ZsDoPLMW^=52CJP^k|U#{=)%|@Xd8=;+0ZNee}4AAoUNbb zXA<3|knC9}&8I+&V-Oqkj)O@>G8>HviivS0V8#+=ILI)9AK0I*=VnxpiLHMz?$H3q zE3TNB*vzlul{=1@MTNlAj=hKftP*R~dT zwx7>OD)%RFPTnNaN7ge>SB&d0$SqwZhb#}?z9wyx;IaA6XRRJ{vq<8I(Ym|@s1pdcH$2v8+Iu8c-PuRX4Q$s!n|AT9ogAsRmdHH+UL-n0M z9J0^HNa?|mm_2~#4d$~Bcq{m49hjS&Pv)!>`lHKeGCm1?mPVy$bcC;o%DNKoNMkl^ z*7{Lto4c-GWcydaWPbTr%>KOTD^&U>4)(}@oKn9PxT(l~lA%%U#CFuosPA!hot)z+!Y0&mY(kOYq_jz`CL)*j{1Z03jA#J z!Q)P)*+GH^JOsu4!#>`q8XXlZDeyuG`ds5L@W zI#y~qIXY4@o4ILXC+sl7lA0=h4}RCQe$3vbg0q5`WD-+q791HB-F}Jkk%+M1GJl@v 
zZqoiF(iS(l>*O16A77t7)2uvXsko zUywF{E9}(ptfcbim=ff`cN(d)5B*=qw}<{lf!A42fQKWatNH^`mHWbX+N!dTs`v=A zDUO|Mz=B1h;hzc25}URsJ{d1|=gxIH;c_pk0)xpX@^aJ)Tq?h&s7=r>7Z#Qmy4_se zU1`czS}!yjBa`2~d!r|8x07c8s~hn_JVn?JI@6z(paOqW{NH4~Lg8*>E(j1pXUVlX zo_YL!6qsCw8H96!3W9|SuVkxu7mIBSvqdDmPpOc*x2tUEfQt~byO^saTnG;iuJu01 zEX!|AzT&&zPXM6vK(p=da*3Q%5XgxM@3=$-WO3o~Oh3Hv5VA@SNO3{exgVcsK4k~Q z4}#~edAOq5D^`rz@pw=0-d7c~ztQBF%6{ZvQkzX*yL$^Ok-)&QYZNa$q;&Kvso;@r<0M_t+2Uy4Ih6*n9h*|44JT#TRl5`t#-r{FVt$No zyRJgcNKwKlOMo!gTyJ~v*?xpK!^+juMK1M+j^3!kt8H-IEu#xgBn8$NzG!m}OzN0o z-+y*apiKp6U6&P}ajCwjUso2o$0_~!a7kn5J>3h%Lj zV%mTdFL-@p!)Z}4qe?#eY)YM0!EE#9Zn)dZyr<%2lB+%%4(@F71JckFU<$I8><7v`dy@S8EJt#zrG*)t`L6p9NM2HZ+TaY++g@+W zu^k;kJgoYhtDZ+4ui_;N4h}=%MOLTDkTvD3r~GmMhok&~#vij_rd(**Q5Q|Ot zRM>Nic*w0$q})yfCCuygGB2~fVw8@^#2{%5MHR~6c2)%wa6L5sN$GA|n(mn+IRH?k z4>MicRs1JzvSyfFl03DtqxO!V`@j)MD(tA-*!<|}31fZhju>h&dN zQ2N}`(qdfCs!47k^bJ*KysH1JP)YIo=qj4$lS3n{v`u^kIj<~LmRxu*!XYF5_08kW z#VAYYTpm|9W2EUn`#rbNl<<>chxbRktf`0J8E$uaKB zJi^684D{DjltY~g!GLY52bB`m=beeO4GN(o(!*u>R z{&BrGI8VCI87PEh+CeH^cXm}~@21jLUh7j4B|9EXB|w^{%1oFxL0D)ew89{XjyjpS zQjiU9!8_D|V{SgpZzli3VQqD5=pr1MOnasC<5HeQ1o6sv8U|-^VR?6HK&X+98m<^l zg9E+h_s;#p#4W08XQrJpJ*Qd{#V%}Z5ghv#ZB6~sE277kn#^W8s!1J(rkJGVi_%RM zAEW@miq6Say&!RO<64u9Pt+IfqJA9_5z&8vNxO!md1sw;D>Db0=C>A^l&3792C*Ab zeJf=)BnY3CKobzab_aR#;=Q+KaV9{Gk_5oY*0Y>F@Fvv>yq9eUUhysiPu zTpOu?b>^pW_6uxW&Y=u!qP(%qJgy!N)$p@1PyM0GchSyZdwB8+LnztB7*B!c3)Go{ z?~6>0xL*n!;^(f`xP~IARZ4C0*h&A1xiS?*C#Ey9d)+36 z0~jrV#_Wt`!HZL7@;FPE7ioPy3knsRc(OARxUp!;;6A4h0fXwxGX^fWyD4vb3)JYt z3HUfUdmfR!d-v{^|Am%1bStb64pb+OMbP#trFJUchDTg*sJhC3D5^jVNAQC6pyA2TL?5=4kDVs_C(syiw z7H~>rKS$R?h3ue016kSJpWzMnVOHoZld>ySP*bSk^%q62mpX{oe4U(PX^2ebe4RSQ zzexX6cPILkxpHb%`iGhqs%-$@)3y@BUu|o9@s8TxqN*aZKe9eQztGIpGmG)!4$G@n z+~-$9kT=$$lTtL}q8+1vpR+Y~c6Q2{()mE4nPz)?dm;YHYhPY%Zk*6#E<3!XF8(Y6UfJ@+fg%;F_!964K!=K_r=PE5^Z zmWcY1xG`XAiLTdwwzcKJLjr*s?Nr~i+E_jzR|oYAb*20wTGdbB>yO#j(rW;gVHD^? 
z)&#TUP<=09i!mMKY}t7zV(j-s>4;^^|CvP;(s>J;$JklH!!PDDjun5uGSEQc%YM01 zJ8MiBsklKb@X{4suFdm)M@?^|1(`&&i@|MDVp6MW-=u75K8U2TpeJg&;)jAioq z1T3e-dli@VCoezP7CxwZzsXGCl8>yu6&zn<#@=-WSS@Zaw%EUuM6@L$E4LxLC18Pz z(ZR~+bl=^29-zE6dyb?*KyE=);Px z*-#?yi|$BVzO5`$zV4B+LB6{-H=weWJ@l7mvdpS^VIL5c1c=|}G*YMe@c#Pt);c2q zY86^f+bD=6TrWQ^4pgX^;9ikE7wCvj%n5>1{G?r7iV217m)hKrIudy6dTTZ6l87*^ z_gK152}0^Ori{aV!qE+7P0Eykpldy-_Ek_`&WWTsyGy6?B;s=6qRW$rQk|a6XMttr zr*$o|aN*<<=}l|ZX>pj;cbGl_^9GsBE3r2HgP$~w=J=-t&L$dd{-^X0dmyhq`2n!8 z_T&`PfNMM&g2D5kT$QS}0lNUByQqt9lSf5!yoJEsj*S<5Kl5CborOP104 zQ$w%JPG4#!i(Z;OZfP&m>GD}&=D+{utaTz?@3(B@b9U}4-|=Odd49(!{#O9aTc>GZ zqigJVjTQjGh8{}bKlSJ_?}>0eybq;1-yOT>qu|`D|1HQ_gNu8b?VR_&eEDj~aklf( zzT<3)@%J|cE|Z_e(CPiYh^s)##-M%C;ZM>rhn+GMdcTGJaaW*Az3k(3XT-+81{Ls* z=cmp?ZJ^N}d*HV6UDO#ONcp!MXFpv!6^`=D?3?vtGQY=@DSx)D{oPN+gi|1aa@?)v zJg$el;hKH&rLH&IRyq)t17udEZ}}c;#`bgh{vOhgH`AB`|sP8lRmG z{`F2kz^NTfzLKtRto+&R`|p=!Xz^Rv?_u)Y?kc~0IrIMQ zH>JUQ*t-uJA@fJ) z`QFfdMurGTdVi2`TKxln1ilDJy)t3x>&O#Gf!O|3K=pJb>9t-hM<%pXao0xOz6VUiggK3awXJAopOmFIJ7+YO10@x&aM5epxN+Jn{!dfiIF)TBwLH-` zi1Q)r)fvmB{*%_n@hW!I+D$7oBBBZWJ0qUl=2LROLny^L$-cuC@2ZqY6PVil9>v+; z{3e_C4_a@cF4q1C?uI1mXCS+m`*`VOt6tK=L%6<=+GQ!OMfgmcug$UK7CIuAKL{sv zobCF5>z|nuhomtboV;ljISGS4(!J^4i%--P_i=tkm8h;?l+Dnam9;sMT~b>k(EAT@ zLNO*FmDE_pRM+rkKJB=iBTq215!JBs-7nD>;VnanoaFI*Ph36KCGODvratf={P}Vd zSB%(4yZ4Q2B3qoBire+7!cgXM<@F>=+#0Jr6^7VF^3RPzv-c-!&XrTKTC&QD?Dwyfu6f?AM8?U$DBm0Ce3U~bJ_wB=9s zMywyeT=yzn3YF#p)Kf%JZBK9gYd>TN@IXxh0qSo-Rm9{WwH;0j|Nil7MC2jV{R49* zE+#-dVxH-m$eG#lUm!*vbWYY2)TR?CqY21!TCo4i;r=u3e|w@neT*qAmYFHWxH)sFd7-r%Cd88!OR@v6@K}}m23YXx2 zO7Y+A-~i=1!T?1IPzak0Ib*!w&c8?xyf;${d_S+Wm%W+U_YE%q`mg(0d+yx7i%$fI&k^vI6J+rc5UfIiXf*J@ zd-so*Uv&dwj2yZ?rNg}qJl$rlJFXA@3z#rR1K&%3ne^JL!s9p57Eh`F-GYPx3$h*< zc+UgsVwC}QZ<90qA@Dv1EOe0oH1i5*h*a`s((fi1PY34JZNMNR`?PQ4wgaZb;m|_$ zk3Rk%i+#=^LvG^Pn" +gh aw secrets set GH_AW_WRITE_PROJECT_TOKEN --value "" +``` ## How it works 
@@ -34,16 +73,11 @@ ProjectOps combines two capability layers: Let's look at examples of these in action, starting with the [Project Board Summarizer](#project-board-summarizer) (read-only analysis), then moving to controlled write operations with the [Project Board Maintainer](#project-board-maintainer) example. -### Project Board Summarizer +## Examples -Start with a regular project review that summarizes changes, flags blockers, and suggests updates without applying changes. - -Our project board might look like this: +### Project Board Summarizer - - - Example GitHub Projects board used for Project Board Summarizer - +Let's start with a simple agentic workflow that reviews project board state and generates a summary without applying any changes. ```aw wrap --- @@ -55,8 +89,8 @@ permissions: actions: read tools: github: - toolsets: [default, projects] github-token: ${{ secrets.GH_AW_READ_PROJECT_TOKEN }} + toolsets: [default, projects] --- # Project Board Summarizer @@ -73,7 +107,14 @@ Return only: Read-only. Do not update the project. ``` -Running this workflow generates a concise summary of project status. We can find this in the GitHub Actions agent run output: +Our project board might look like this: + + + + Example GitHub Projects board used for Project Board Summarizer + + +Running the agentic workflow generates a concise summary of project status. We can find this in the GitHub Actions agent run output: Workflow summary output generated by Project Board Summarizer 
@@ -81,9 +122,8 @@ Running this workflow generates a concise summary of project status. We can find ### Project Board Maintainer -Let's write an agentic workflow that applies changes to a project board, starting with issue triage. - -This workflow runs on new issues, analyzes issue content and context, and decides whether to add the issue to the project board and how to set key fields. +Let's write an agentic workflow that applies changes to a project board based on issue content and context. +This workflow will run on new issues, analyze the issue and project state, and decide whether to add the issue to the project board and how to set key fields. ```aw wrap --- 
@@ -95,29 +135,46 @@ permissions: actions: read tools: github: + github-token: ${{ secrets.GH_AW_READ_PROJECT_TOKEN }} toolsets: [default, projects] - github-token: ${{ secrets.READ_PROJECT_GITHUB_TOKEN }} safe-outputs: update-project: - project: https://github.com/orgs/ORG/projects/123456 + github-token: ${{ secrets.GH_AW_WRITE_PROJECT_TOKEN }} + project: https://github.com/orgs/my-mona-org/projects/1 max: 1 - github-token: ${{ secrets.WRITE_PROJECT_GITHUB_TOKEN }} add-comment: max: 1 --- # Intelligent Issue Triage -Analyze each new issue and decide whether it belongs on the portfolio board. +Analyze each new issue in this repository and decide whether it belongs on the project board. Set structured fields only from allowed values: - Status: Needs Triage | Proposed | In Progress | Blocked - Priority: Low | Medium | High - Team: Platform | Docs | Product -Post a short comment explaining your routing decision and any uncertainty. +Post a short comment on the issue explaining your routing decision and any uncertainty. ``` +Once this workflow is compiled and running, it will automatically triage new issues with controlled write operations to the project board and issue comments. + +Let's create a new issue to see this in action: + + + + Workflow summary output generated by Project Board Maintainer + + +The Project Board Maintainer analyzes the issue content and context, then decides to add it to the project board with specific field values (for example, Status: Proposed, Priority: Medium, Team: Docs). +It also posts a comment on the issue explaining the decision and any uncertainty. + + + + Workflow summary output generated by Project Board Maintainer + + ## Best practices In production, keep the loop simple: issue arrives, agent classifies and proposes/sets fields, safe outputs apply allowed writes, and humans review high-impact changes and exceptions. 
@@ -129,4 +186,9 @@ In production, keep the loop simple: issue arrives, agent classifies and propose
 - Keep single-select values exact to avoid field drift.
 - If you only need simple event-based transitions, prefer [built-in GitHub Project workflows](https://docs.github.com/en/issues/planning-and-tracking-with-projects/automating-your-project/using-the-built-in-automations).
 
-References: [Authentication (Projects)](/gh-aw/reference/auth-projects/), [Safe Outputs Reference](/gh-aw/reference/safe-outputs/), [Projects & Monitoring](/gh-aw/patterns/monitoring/), and [IssueOps](/gh-aw/patterns/issue-ops/).
+## Related documentation
+
+- **[Project Token Authentication](/gh-aw/patterns/project-ops/#project-token-authentication)**
+- **[Safe Outputs Reference](/gh-aw/reference/safe-outputs/)**
+- **[Projects & Monitoring](/gh-aw/patterns/monitoring/)**
+- **[IssueOps](/gh-aw/patterns/issue-ops/)**
diff --git a/docs/src/content/docs/reference/auth-projects.mdx b/docs/src/content/docs/reference/auth-projects.mdx
deleted file mode 100644
index 3a8e0682f18..00000000000
--- a/docs/src/content/docs/reference/auth-projects.mdx
+++ /dev/null
@@ -1,110 +0,0 @@ ---- -title: Authentication (Projects) -description: How to authenticate GitHub Projects operations in agentic workflows -sidebar: - order: 651 ---- - -import { Card, CardGrid } from '@astrojs/starlight/components'; -import Video from '../../../components/Video.astro'; - -Project operations require additional authentication since the default `GITHUB_TOKEN` lacks necessary permissions for the Projects API. You can authenticate using either a Personal Access Token (PAT) or a GitHub App token. - -## Using a Personal Access Token (PAT) - -1. Create the PAT - - **For User-owned Projects**: - - Create a [classic PAT](https://github.com/settings/tokens/new) with scopes: - - `project` (required for user Projects) - - `repo` (required if accessing private repositories) - - **For Organization-owned Projects (v2)**: - - Create a [fine-grained PAT](https://github.com/settings/personal-access-tokens/new?name=GH_AW_PROJECT_GITHUB_TOKEN&description=GitHub+Agentic+Workflows+-+Projects+authentication&contents=read&issues=read&pull_requests=read) (this link pre-fills the token name, description, and repository permissions) with: - - **Repository access**: Select specific repos that will use the workflow - - **Repository permissions**: - - Contents: Read - - Issues: Read (if needed for issue-triggered workflows) - - Pull requests: Read (if needed for PR-triggered workflows) - - **Organization permissions** (must be explicitly granted): - - Projects: Read & Write (required for updating org Projects) - - **Important**: You must explicitly grant organization access during token creation - -2. Add the token to repository secrets - - ```bash wrap - gh aw secrets set MY_PROJECT_TOKEN --value "YOUR_PROJECT_PAT" - ``` - -3. 
Configure in your workflow frontmatter - - ```yaml wrap - safe-outputs: - update-project: - github-token: ${{ secrets.MY_PROJECT_TOKEN }} - - tools: - github: - toolsets: [default, projects] - github-token: ${{ secrets.MY_PROJECT_TOKEN }} - ``` - -## Using a GitHub App - -Alternatively, you can use a GitHub App for enhanced security. See [Using a GitHub App for Authentication](/gh-aw/reference/auth/#using-a-github-app-for-authentication) for complete setup instructions. Once set up, reference the app token in your workflow using `app:` on safe outputs and tools. - -## Using a magic secret - -Alternatively, you can set the magic GitHub Actions secret `GH_AW_PROJECT_GITHUB_TOKEN` to a suitable PAT (see the above guide for creating a suitable PAT). This secret name is known to GitHub Agentic Workflows and does not need to be explicitly referenced in your workflow. - -```bash wrap -gh aw secrets set GH_AW_PROJECT_GITHUB_TOKEN --value "" -``` - -