diff --git a/.gitattributes b/.gitattributes index 8cb883acf0..67f728166e 100644 --- a/.gitattributes +++ b/.gitattributes @@ -3,3 +3,5 @@ # patch files need lf line-endings, even on Windows *.patch text eol=lf *.sh text eol=lf + +.github/workflows/*.lock.yml linguist-generated=true merge=ours diff --git a/.github/agents/agentic-workflows.agent.md b/.github/agents/agentic-workflows.agent.md new file mode 100644 index 0000000000..cd376c5b1b --- /dev/null +++ b/.github/agents/agentic-workflows.agent.md @@ -0,0 +1,196 @@ +--- +description: GitHub Agentic Workflows (gh-aw) - Create, debug, and upgrade AI-powered workflows with intelligent prompt routing +disable-model-invocation: true +--- + +# GitHub Agentic Workflows Agent + +This agent helps you work with **GitHub Agentic Workflows (gh-aw)**, a CLI extension for creating AI-powered workflows in natural language using markdown files. + +## What This Agent Does + +This is a **dispatcher agent** that routes your request to the appropriate specialized prompt based on your task: + +- **Creating new workflows**: Routes to `create` prompt +- **Updating existing workflows**: Routes to `update` prompt +- **Debugging workflows**: Routes to `debug` prompt +- **Upgrading workflows**: Routes to `upgrade-agentic-workflows` prompt +- **Creating report-generating workflows**: Routes to `report` prompt — consult this whenever the workflow posts status updates, audits, analyses, or any structured output as issues, discussions, or comments +- **Creating shared components**: Routes to `create-shared-agentic-workflow` prompt +- **Fixing Dependabot PRs**: Routes to `dependabot` prompt — use this when Dependabot opens PRs that modify generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`). Never merge those PRs directly; instead update the source `.md` files and rerun `gh aw compile --dependabot` to bundle all fixes +- **Analyzing test coverage**: Routes to `test-coverage` prompt — consult this whenever the workflow reads, analyzes, or reports on test coverage data from PRs or CI runs +- **CLI commands and triggering workflows**: Routes to `cli-commands` guide — consult this whenever the user asks how to run, compile, debug, or manage workflows from the command line, or when they need the MCP tool equivalent of a `gh aw` command + +Workflows may optionally include: + +- **Project tracking / monitoring** (GitHub Projects updates, status reporting) +- **Orchestration / coordination** (one workflow assigning agents or dispatching and coordinating other workflows) + +## Files This Applies To + +- Workflow files: `.github/workflows/*.md` and `.github/workflows/**/*.md` +- Workflow lock files: `.github/workflows/*.lock.yml` +- Shared components: `.github/workflows/shared/*.md` +- Configuration: https://github.com/github/gh-aw/blob/v0.72.1/.github/aw/github-agentic-workflows.md + +## Problems This Solves + +- **Workflow Creation**: Design secure, validated agentic workflows with proper triggers, tools, and permissions +- **Workflow Debugging**: Analyze logs, identify missing tools, investigate failures, and fix configuration issues +- **Version Upgrades**: Migrate workflows to new gh-aw versions, apply codemods, fix breaking changes +- **Component Design**: Create reusable shared workflow components that wrap MCP servers + +## How to Use + +When you interact with this agent, it will: + +1. **Understand your intent** - Determine what kind of task you're trying to accomplish +2. **Route to the right prompt** - Load the specialized prompt file for your task +3. **Execute the task** - Follow the detailed instructions in the loaded prompt + +## Available Prompts + +### Create New Workflow +**Load when**: User wants to create a new workflow from scratch, add automation, or design a workflow that doesn't exist yet + +**Prompt file**: https://github.com/github/gh-aw/blob/v0.72.1/.github/aw/create-agentic-workflow.md + +**Use cases**: +- "Create a workflow that triages issues" +- "I need a workflow to label pull requests" +- "Design a weekly research automation" + +### Update Existing Workflow +**Load when**: User wants to modify, improve, or refactor an existing workflow + +**Prompt file**: https://github.com/github/gh-aw/blob/v0.72.1/.github/aw/update-agentic-workflow.md + +**Use cases**: +- "Add web-fetch tool to the issue-classifier workflow" +- "Update the PR reviewer to use discussions instead of issues" +- "Improve the prompt for the weekly-research workflow" + +### Debug Workflow +**Load when**: User needs to investigate, audit, debug, or understand a workflow, troubleshoot issues, analyze logs, or fix errors + +**Prompt file**: https://github.com/github/gh-aw/blob/v0.72.1/.github/aw/debug-agentic-workflow.md + +**Use cases**: +- "Why is this workflow failing?" +- "Analyze the logs for workflow X" +- "Investigate missing tool calls in run #12345" + +### Upgrade Agentic Workflows +**Load when**: User wants to upgrade workflows to a new gh-aw version or fix deprecations + +**Prompt file**: https://github.com/github/gh-aw/blob/v0.72.1/.github/aw/upgrade-agentic-workflows.md + +**Use cases**: +- "Upgrade all workflows to the latest version" +- "Fix deprecated fields in workflows" +- "Apply breaking changes from the new release" + +### Create a Report-Generating Workflow +**Load when**: The workflow being created or updated produces reports — recurring status updates, audit summaries, analyses, or any structured output posted as a GitHub issue, discussion, or comment + +**Prompt file**: https://github.com/github/gh-aw/blob/v0.72.1/.github/aw/report.md + +**Use cases**: +- "Create a weekly CI health report" +- "Post a daily security audit to Discussions" +- "Add a status update comment to open PRs" + +### Create Shared Agentic Workflow +**Load when**: User wants to create a reusable workflow component or wrap an MCP server + +**Prompt file**: https://github.com/github/gh-aw/blob/v0.72.1/.github/aw/create-shared-agentic-workflow.md + +**Use cases**: +- "Create a shared component for Notion integration" +- "Wrap the Slack MCP server as a reusable component" +- "Design a shared workflow for database queries" + +### Fix Dependabot PRs +**Load when**: User needs to close or fix open Dependabot PRs that update dependencies in generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`) + +**Prompt file**: https://github.com/github/gh-aw/blob/v0.72.1/.github/aw/dependabot.md + +**Use cases**: +- "Fix the open Dependabot PRs for npm dependencies" +- "Bundle and close the Dependabot PRs for workflow dependencies" +- "Update @playwright/test to fix the Dependabot PR" + +### Analyze Test Coverage +**Load when**: The workflow reads, analyzes, or reports test coverage — whether triggered by a PR, a schedule, or a slash command. Always consult this prompt before designing the coverage data strategy. + +**Prompt file**: https://github.com/github/gh-aw/blob/v0.72.1/.github/aw/test-coverage.md + +**Use cases**: +- "Create a workflow that comments coverage on PRs" +- "Analyze coverage trends over time" +- "Add a coverage gate that blocks PRs below a threshold" + +### CLI Commands Reference +**Load when**: The user asks how to run, compile, debug, or manage workflows from the command line; needs the MCP tool equivalent of a `gh aw` command; or is in a restricted environment (e.g., Copilot Cloud) without direct CLI access. + +**Reference file**: https://github.com/github/gh-aw/blob/v0.72.1/.github/aw/cli-commands.md + +**Use cases**: +- "How do I trigger workflow X on the main branch?" +- "What's the MCP equivalent of `gh aw logs`?" +- "I'm in Copilot Cloud — how do I compile a workflow?" +- "Show me all available gh aw commands" + +## Instructions + +When a user interacts with you: + +1. **Identify the task type** from the user's request +2. **Load the appropriate prompt** from the GitHub repository URLs listed above +3. **Follow the loaded prompt's instructions** exactly +4. **If uncertain**, ask clarifying questions to determine the right prompt + +## Quick Reference + +```bash +# Initialize repository for agentic workflows +gh aw init + +# Generate the lock file for a workflow +gh aw compile [workflow-name] + +# Trigger a workflow on demand (preferred over gh workflow run) +gh aw run # interactive input collection +gh aw run --ref main # run on a specific branch + +# Debug workflow runs +gh aw logs [workflow-name] +gh aw audit + +# Upgrade workflows +gh aw fix --write +gh aw compile --validate +``` + +## Key Features of gh-aw + +- **Natural Language Workflows**: Write workflows in markdown with YAML frontmatter +- **AI Engine Support**: Copilot, Claude, Codex, or custom engines +- **MCP Server Integration**: Connect to Model Context Protocol servers for tools +- **Safe Outputs**: Structured communication between AI and GitHub API +- **Strict Mode**: Security-first validation and sandboxing +- **Shared Components**: Reusable workflow building blocks +- **Repo Memory**: Persistent git-backed storage for agents +- **Sandboxed Execution**: All workflows run in the Agent Workflow Firewall (AWF) sandbox, enabling full `bash` and `edit` tools by default + +## Important Notes + +- Always reference the instructions file at https://github.com/github/gh-aw/blob/v0.72.1/.github/aw/github-agentic-workflows.md for complete documentation +- Use the MCP tool `agentic-workflows` when running in GitHub Copilot Cloud +- Workflows must be compiled to `.lock.yml` files before running in GitHub Actions +- **Bash tools are enabled by default** - Don't restrict bash commands unnecessarily since workflows are sandboxed by the AWF +- Follow security best practices: minimal permissions, explicit network access, no template injection +- **Network configuration**: Use ecosystem identifiers (`node`, `python`, `go`, etc.) or explicit FQDNs in `network.allowed`. Bare shorthands like `npm` or `pypi` are **not** valid. See https://github.com/github/gh-aw/blob/v0.72.1/.github/aw/network.md for the full list of valid ecosystem identifiers and domain patterns. +- **Single-file output**: When creating a workflow, produce exactly **one** workflow `.md` file. Do not create separate documentation files (architecture docs, runbooks, usage guides, etc.). If documentation is needed, add a brief `## Usage` section inside the workflow file itself. +- **Triggering runs**: Always use `gh aw run ` to trigger a workflow on demand — not `gh workflow run .lock.yml`. `gh aw run` handles workflow resolution by short name, input parsing and validation, and correct run-tracking for agentic workflows. Use `--ref ` to run on a specific branch. +- **CLI commands reference**: For a complete guide on all `gh aw` commands and their MCP tool equivalents (for restricted environments), see https://github.com/github/gh-aw/blob/v0.72.1/.github/aw/cli-commands.md diff --git a/.github/mcp.json b/.github/mcp.json new file mode 100644 index 0000000000..b953af2639 --- /dev/null +++ b/.github/mcp.json @@ -0,0 +1,11 @@ +{ + "mcpServers": { + "github-agentic-workflows": { + "command": "gh", + "args": [ + "aw", + "mcp-server" + ] + } + } +} \ No newline at end of file diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml new file mode 100644 index 0000000000..0ae42f6f5c --- /dev/null +++ b/.github/workflows/copilot-setup-steps.yml @@ -0,0 +1,26 @@ +name: "Copilot Setup Steps" + +# This workflow configures the environment for GitHub Copilot Agent with gh-aw MCP server +on: + workflow_dispatch: + push: + paths: + - .github/workflows/copilot-setup-steps.yml + +jobs: + # The job MUST be called 'copilot-setup-steps' to be recognized by GitHub Copilot Agent + copilot-setup-steps: + runs-on: ubuntu-latest + + # Set minimal permissions for setup steps + # Copilot Agent receives its own token with appropriate permissions + permissions: + contents: read + + steps: + - name: Checkout repository + uses: actions/checkout@v6 + - name: Install gh-aw extension + uses: github/gh-aw-actions/setup-cli@bc56a0cad2f450c562810785ef38649c04db812a # v0.72.1 + with: + version: v0.72.1 diff --git a/.github/workflows/lint-code-base.yml b/.github/workflows/lint-code-base.yml index 779a667ec2..ccef8f51d7 100644 --- a/.github/workflows/lint-code-base.yml +++ b/.github/workflows/lint-code-base.yml @@ -25,7 +25,7 @@ jobs: uses: github/super-linter@v6 # https://github.com/github/super-linter env: DEFAULT_BRANCH: main - FILTER_REGEX_EXCLUDE: eng/common/.*|eng/readme-templates/.* + FILTER_REGEX_EXCLUDE: eng/common/.*|eng/readme-templates/.*|\.github/agents/.*|\.github/workflows/shared/pat_pool\.README\.md|\.github/workflows/triage\.md GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VALIDATE_ALL_CODEBASE: false VALIDATE_MARKDOWN: true diff --git a/.github/workflows/shared/pat_pool.README.md b/.github/workflows/shared/pat_pool.README.md new file mode 100644 index 0000000000..3627a0c8f8 --- /dev/null +++ b/.github/workflows/shared/pat_pool.README.md @@ -0,0 +1,187 @@ +# PAT Pool + +Selects a random Copilot PAT from a numbered pool of secrets. This addresses limitations that arise from having a single PAT shared across all agentic workflows, such as rate-limiting. + +**This is a stop-gap workaround.** As soon as organization/enterprise billing is offered for agentic workflows, this approach will be removed from our workflows. + +## Repository Onboarding + +To use Agentic Workflows in a dotnet org repository: + +1. Follow the instructions for [Configuring Your Repository | Agentic Authoring | GitHub Agentic Workflows][configure-repo]. Use `gh aw` **v0.71.5 or newer**, which supports the agent job dependencies required for this implementation. +2. Copy the `pat_pool.md` and `pat_pool.README.md` files into the repository under `.github/workflows/shared`. +3. Merge those additions into the repository and then follow the instructions for the PAT Creation and Usage below. + +**Install or upgrade the `gh aw` CLI and check the version** + +```sh +gh extension install github/gh-aw --force +gh aw --version +``` + +## PAT Management + +Team members provide PATs into the pools for the repository by adding them as repository secrets with secret names matching the pattern of `_<0-9>`, such as `COPILOT_PAT_0`. + +[Use this link to prefill the PAT creation form with the required settings][create-pat]: + +1. **Resource owner** is your **user account**, not an organization. +2. **Copilot Requests (Read)** must be the only permission granted. +3. **8-day expiration** must be used, which enforces a weekly renewal. +4. **Repository access** set to **Public repositories** only. + +The **Token Name** _does not_ need to match the secret name and is only visible to the owner of the PAT. It's recommended to use a token name indicating the PAT is used for dotnet org agentic workflows. The **Description** is also only used for your own reference. + +Team members providing PATs for workflows should set weekly recurring reminders to regenerate and update their PATs in the repository secrets. With an 8-day expiration, renewal can be done on the same day each week. + +PATs are added to repositories through the **Settings > Secrets and variables > Actions** UI, saved as **Repository secrets** and matching the `_<0-9>` naming convention. This can also be done using the GitHub CLI. + +```sh +gh aw secrets set "_<0-9>" --value "" --repo / +``` + +## Workflow Output Attribution + +Team members' PATs are _only_ used for the Copilot requests from within the agentic portion of the workflow. All outputs from the workflow use the `github-actions[bot]` account token. Issues, PRs, comments, and all other content generated by the workflow will be attributed to `github-actions[bot]`--not the team member's account or token. + +## Usage + +The [`pat_pool.md`](./pat_pool.md) workflow import defines a custom job with a `pat_number` output. Consuming workflows need two additions to their frontmatter to import this job and use the PAT number to override the `COPILOT_GITHUB_TOKEN` passed to the workflow's agent job. + +```yml +# ############################################################### +# Select a PAT from the pool and override COPILOT_GITHUB_TOKEN. +# When org-level billing is available, this will be removed. +# See `shared/pat_pool.README.md` for more information. +# ############################################################### +imports: + - shared/pat_pool.md + +engine: + id: copilot + env: + COPILOT_GITHUB_TOKEN: | + ${{ case( + needs.pat_pool.outputs.pat_number == '0', secrets.COPILOT_PAT_0, + needs.pat_pool.outputs.pat_number == '1', secrets.COPILOT_PAT_1, + needs.pat_pool.outputs.pat_number == '2', secrets.COPILOT_PAT_2, + needs.pat_pool.outputs.pat_number == '3', secrets.COPILOT_PAT_3, + needs.pat_pool.outputs.pat_number == '4', secrets.COPILOT_PAT_4, + needs.pat_pool.outputs.pat_number == '5', secrets.COPILOT_PAT_5, + needs.pat_pool.outputs.pat_number == '6', secrets.COPILOT_PAT_6, + needs.pat_pool.outputs.pat_number == '7', secrets.COPILOT_PAT_7, + needs.pat_pool.outputs.pat_number == '8', secrets.COPILOT_PAT_8, + needs.pat_pool.outputs.pat_number == '9', secrets.COPILOT_PAT_9, + secrets.COPILOT_GITHUB_TOKEN) + }} +``` + +The expression can be collapsed onto a single line if desired. `gh-aw compile` automatically wires `pat_pool` into the activation and agent jobs' `needs:` graph because of the `needs.pat_pool.` references within the `engine.env` property. + +```sh +gh aw compile --schedule-seed / +``` + +### Customizing the pool + +The import declares 10 optional inputs (`COPILOT_PAT_0` through `COPILOT_PAT_9`), each defaulting to `secrets.COPILOT_PAT_#` of the matching number. To point a workflow at a different pool of repository secrets, use the parameterized `uses`/`with` form when importing and pass the substitute secrets as the `COPILOT_PAT_#` inputs: + +```yml +imports: + - uses: shared/pat_pool.md + with: + COPILOT_PAT_0: ${{ secrets.MY_TEAM_PAT_0 }} + COPILOT_PAT_1: ${{ secrets.MY_TEAM_PAT_1 }} + # Unspecified inputs default to `secrets.COPILOT_PAT_#` lookups +``` + +The secrets passed via `with:` must match the secrets referenced in the consuming workflow's `case` expression that overrides `COPILOT_GITHUB_TOKEN`--both sides need to agree on which secret backs each `COPILOT_PAT_#` slot. Update the `case` expression accordingly: + +```yml +engine: + id: copilot + env: + COPILOT_GITHUB_TOKEN: ${{ case(needs.pat_pool.outputs.pat_number == '0', secrets.MY_TEAM_PAT_0, needs.pat_pool.outputs.pat_number == '1', secrets.MY_TEAM_PAT_1, ..., secrets.COPILOT_GITHUB_TOKEN) }} +``` + +This approach aligns with GitHub's documented guidance for [passing secrets][passing-secrets] between workflows, where the `pat_pool` job returns a PAT number and the `case` statement acts as a secret store to look the PAT secret up based on the selected number. + +## Design / Security + +There are several details of this implementation that keep our workflows and repositories safe. + +1. **Secrets adhere to existing trust boundaries.** The pool of PAT secrets is + provided to a dedicated step within the `pat_pool` job. That job runs + after `pre_activation` and contains only the trusted checkout and action + steps--no untrusted context or input is within scope. The + `select-pat-number` action only references the secret values to determine + which are non-empty, filtering the secret numbers to those with values. +1. **The `pat_pool` job emits only a number, never a secret.** Its sole output, + `pat_number`, is the 0-9 index of the selected PAT (or empty when the pool + is empty). The actual secret materializes only later, in the activation + job's `engine.env` mapping, where the `case()` expression resolves the + number to the matching secret. This follows GitHub's guidance for + [passing secrets][passing-secrets] between jobs or workflows, with the + `case` statement acting as a very simple secret store. +1. **The `select-pat-number` action does not require any permissions.** It + reads only the `COPILOT_PAT_#` environment variables passed to it and writes + only to `GITHUB_OUTPUT`. The job that hosts it sets `permissions:` to the + workflow defaults (no elevated scopes). +1. **The implementation uses supported Agentic Workflow extensibility hooks.** + Defining a custom job inside an [imported workflow file][imports] is + supported by `gh aw compile`. gh-aw automatically + wires `pat_pool` into the activation job's `needs:` graph based on the + `needs.pat_pool.outputs.pat_number` references in `engine.env`. The + [secret override][secret-override] capability supplies the `COPILOT_GITHUB_TOKEN` + value via `engine.env` rather than the default secret of the same name. + +Each of the references below contributed to the design and implementation to ensure a secure and reliable design. + +## Known Issues + +The `pat_pool` import integration requires that the workflow's compilation results in a `pre_activation` job. If nothing in your workflow definition produces a `pre_activation` job, a compilation error will be received. + +```text +✗ Failed workflows: + ✗ .md + +.github\workflows\.md:1:1: error: failed to generate YAML: failed to build and validate jobs: job dependency validation failed: job 'pat_pool' depends on non-existent job 'pre_activation' +``` + +To work around this, add `on.permissions: {}` to your workflow, which forces a no-op `pre_activation` job to be generated. + +```yml +on: + permissions: {} +``` + +See: [Activation 'needs' does not incorporate jobs in engine.env expressions (github/gh-aw#30790)](https://github.com/github/gh-aw/issues/30790) + +## References + +- [Agentic Workflows CLI Extension][cli-setup] +- [Agentic Authoring][configure-repo] +- [Authentication][authentication] +- [Agentic Workflow Imports][imports] +- [Custom Steps][steps] +- [Custom Jobs][jobs] +- [Job Outputs][job-outputs] +- [Engine Configuration][engine] +- [Engine Environment Variables][engine-vars] +- [Update agentic engine token handling to use user-provided secrets (github/gh-aw#18017)][secret-override] +- [Case Function in Workflow Expressions][case-expression] +- [Passing a secret between jobs or workflows][passing-secrets] + +[cli-setup]: https://github.github.com/gh-aw/setup/cli/ +[configure-repo]: https://github.github.com/gh-aw/guides/agentic-authoring/#configuring-your-repository +[authentication]: https://github.github.com/gh-aw/reference/auth/ +[create-pat]: https://github.com/settings/personal-access-tokens/new?name=dotnet%20org%20agentic%20workflows&description=GitHub+Agentic+Workflows+-+Copilot+engine+authentication.++Used+for+dotnet+org+workflows.+MUST+be+configured+with+only+Copilot+Requests+permissions+and+user+account+as+resource+owner.+Weekly+expiration+and+required+renewal.&user_copilot_requests=read&expires_in=8 +[imports]: https://github.github.com/gh-aw/reference/imports/ +[steps]: https://github.github.com/gh-aw/reference/frontmatter/#custom-steps-steps +[jobs]: https://github.github.com/gh-aw/reference/frontmatter/#custom-jobs-jobs +[job-outputs]: https://github.github.com/gh-aw/reference/frontmatter/#job-outputs +[engine]: https://github.github.com/gh-aw/reference/frontmatter/#ai-engine-engine +[engine-vars]: https://github.github.com/gh-aw/reference/engines/#engine-environment-variables +[secret-override]: https://github.com/github/gh-aw/pull/18017 +[case-expression]: https://docs.github.com/actions/reference/workflows-and-actions/expressions#case +[passing-secrets]: https://docs.github.com/actions/reference/workflows-and-actions/workflow-commands#example-masking-and-passing-a-secret-between-jobs-or-workflows diff --git a/.github/workflows/shared/pat_pool.md b/.github/workflows/shared/pat_pool.md new file mode 100644 index 0000000000..f79e07280c --- /dev/null +++ b/.github/workflows/shared/pat_pool.md @@ -0,0 +1,117 @@ +--- +description: Agentic workflow import to integrate the Copilot PAT Pool + +jobs: + pat_pool: + needs: [pre_activation] + runs-on: ubuntu-slim + outputs: + pat_number: ${{ steps.select-pat-number.outputs.copilot_pat_number }} + steps: + - id: select-pat-number + name: Select Copilot token from pool + env: + COPILOT_PAT_0: ${{ github.aw.import-inputs.COPILOT_PAT_0 }} + COPILOT_PAT_1: ${{ github.aw.import-inputs.COPILOT_PAT_1 }} + COPILOT_PAT_2: ${{ github.aw.import-inputs.COPILOT_PAT_2 }} + COPILOT_PAT_3: ${{ github.aw.import-inputs.COPILOT_PAT_3 }} + COPILOT_PAT_4: ${{ github.aw.import-inputs.COPILOT_PAT_4 }} + COPILOT_PAT_5: ${{ github.aw.import-inputs.COPILOT_PAT_5 }} + COPILOT_PAT_6: ${{ github.aw.import-inputs.COPILOT_PAT_6 }} + COPILOT_PAT_7: ${{ github.aw.import-inputs.COPILOT_PAT_7 }} + COPILOT_PAT_8: ${{ github.aw.import-inputs.COPILOT_PAT_8 }} + COPILOT_PAT_9: ${{ github.aw.import-inputs.COPILOT_PAT_9 }} + RANDOM_SEED: ${{ github.aw.import-inputs.random_seed }} + shell: bash + run: | + # Collect pool entries with non-empty secrets from COPILOT_PAT_0..COPILOT_PAT_9. + PAT_NUMBERS=() + POOL_INDICATORS=(➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖) + + for i in $(seq 0 9); do + var="COPILOT_PAT_${i}" + val="${!var}" + if [ -n "$val" ]; then + PAT_NUMBERS+=(${i}) + POOL_INDICATORS[${i}]="🟪" + fi + done + + # If none of the entries in the pool have values, emit a warning + # and do not set an output value. The consumer can fall back to + # using COPILOT_GITHUB_TOKEN. + if [ ${#PAT_NUMBERS[@]} -eq 0 ]; then + warning_message="::warning::None of the PAT pool entries had values " + warning_message+="(checked COPILOT_PAT_0 through COPILOT_PAT_9)" + echo "$warning_message" + exit 0 + fi + + # Select a random index using the seed if specified + if [ -n "$RANDOM_SEED" ]; then + RANDOM=$RANDOM_SEED + fi + + PAT_INDEX=$(( RANDOM % ${#PAT_NUMBERS[@]} )) + PAT_NUMBER="${PAT_NUMBERS[$PAT_INDEX]}" + POOL_INDICATORS[${PAT_NUMBER}]="✅" + + echo "Pool size: ${#PAT_NUMBERS[@]}" + echo "Selected PAT number ${PAT_NUMBER} (index: ${PAT_INDEX})" + + # Emit a markdown table of the pool entries to the step summary + echo "|0|1|2|3|4|5|6|7|8|9|" >> "$GITHUB_STEP_SUMMARY" + echo "|-|-|-|-|-|-|-|-|-|-|" >> "$GITHUB_STEP_SUMMARY" + (IFS='|'; printf '|%s' "${POOL_INDICATORS[@]}"; printf '|\n') >> "$GITHUB_STEP_SUMMARY" + + # Set the PAT number as the output + echo "copilot_pat_number=${PAT_NUMBER}" >> "$GITHUB_OUTPUT" + +import-schema: + COPILOT_PAT_0: + type: string + required: false + default: ${{ secrets.COPILOT_PAT_0 }} + COPILOT_PAT_1: + type: string + required: false + default: ${{ secrets.COPILOT_PAT_1 }} + COPILOT_PAT_2: + type: string + required: false + default: ${{ secrets.COPILOT_PAT_2 }} + COPILOT_PAT_3: + type: string + required: false + default: ${{ secrets.COPILOT_PAT_3 }} + COPILOT_PAT_4: + type: string + required: false + default: ${{ secrets.COPILOT_PAT_4 }} + COPILOT_PAT_5: + type: string + required: false + default: ${{ secrets.COPILOT_PAT_5 }} + COPILOT_PAT_6: + type: string + required: false + default: ${{ secrets.COPILOT_PAT_6 }} + COPILOT_PAT_7: + type: string + required: false + default: ${{ secrets.COPILOT_PAT_7 }} + COPILOT_PAT_8: + type: string + required: false + default: ${{ secrets.COPILOT_PAT_8 }} + COPILOT_PAT_9: + type: string + required: false + default: ${{ secrets.COPILOT_PAT_9 }} + random_seed: + type: number + required: false + description: >- + A seed number to use for the random PAT number selection, + for deterministic selection if needed. +--- diff --git a/.github/workflows/triage.md b/.github/workflows/triage.md new file mode 100644 index 0000000000..496a6e49af --- /dev/null +++ b/.github/workflows/triage.md @@ -0,0 +1,55 @@ +--- +description: > + When an issue is opened, analyze it and post a structured + triage comment using the triage skill. + +on: + issues: + types: [opened] + skip-bots: [github-actions, copilot] + +permissions: + contents: read + issues: read + +safe-outputs: + add-comment: + +imports: + - shared/pat_pool.md + +engine: + id: copilot + env: + COPILOT_GITHUB_TOKEN: | + ${{ case( + needs.pat_pool.outputs.pat_number == '0', secrets.COPILOT_PAT_0, + needs.pat_pool.outputs.pat_number == '1', secrets.COPILOT_PAT_1, + needs.pat_pool.outputs.pat_number == '2', secrets.COPILOT_PAT_2, + needs.pat_pool.outputs.pat_number == '3', secrets.COPILOT_PAT_3, + needs.pat_pool.outputs.pat_number == '4', secrets.COPILOT_PAT_4, + needs.pat_pool.outputs.pat_number == '5', secrets.COPILOT_PAT_5, + needs.pat_pool.outputs.pat_number == '6', secrets.COPILOT_PAT_6, + needs.pat_pool.outputs.pat_number == '7', secrets.COPILOT_PAT_7, + needs.pat_pool.outputs.pat_number == '8', secrets.COPILOT_PAT_8, + needs.pat_pool.outputs.pat_number == '9', secrets.COPILOT_PAT_9, + secrets.COPILOT_GITHUB_TOKEN) + }} +--- + +You are an automated triage agent for this repository. + +## Your Task + +When this workflow is triggered by a new issue, triage it using the `triage` skill. + +## Important Overrides for Automated Mode + +Since you are running as an automated workflow (not interactively with a human): + +- **Always post the triage comment.** Do not ask for confirmation — this is an + automated workflow and there is no human to confirm. Use the `add-comment` + safe output to post the comment. +- **Never apply labels or milestones.** Only post the triage comment. A human + will decide whether to apply the recommended labels and milestone. +- **Never close, lock, or assign the issue.**