… request shaping (Phase 4) Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@copilot lint go
Pull request overview
This PR adds support for richer inline engine provider configuration (auth strategies + request shaping) and threads those new settings through validation, strict-mode secret allowlisting, CLI secret discovery, and the workflow JSON schema.
Changes:
- Extend inline engine config parsing to capture `engine.provider.auth.*` (as `AuthDefinition`) and `engine.provider.request.*` (as `RequestShape`).
- Validate inline auth definitions and include their declared secret names in strict-mode `engine.env` allowlists and CLI “required secrets” output.
- Update the main workflow schema and add unit tests covering parsing/validation/allowlisting regressions.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| pkg/workflow/strict_mode_validation.go | Adds inline AuthDefinition secrets to the engine.env secret-override allowlist. |
| pkg/workflow/engine.go | Parses extended inline provider auth/request blocks into structured types. |
| pkg/workflow/engine_validation.go | Registers inline auth/request into the catalog and introduces auth validation. |
| pkg/workflow/engine_definition.go | Introduces AuthStrategy, AuthDefinition, RequestShape, and required-secret extraction. |
| pkg/workflow/engine_auth_test.go | Adds unit tests for parsing/validation and strict-mode allowlisting behavior. |
| pkg/workflow/compiler_orchestrator_engine.go | Wires auth-definition validation into the compilation pipeline. |
| pkg/parser/schemas/main_workflow_schema.json | Expands schema for inline provider auth and request configuration. |
| pkg/cli/workflow_secrets.go | Extracts inline auth secrets from workflow frontmatter for CLI secret reporting. |
| pkg/cli/engine_secrets.go | Converts AuthDefinition into CLI SecretRequirement entries. |
Comments suppressed due to low confidence (1)
pkg/workflow/engine_validation.go:170
`case AuthStrategyBearer, ""` treats bearer and unset strategy as requiring no fields. Per `AuthDefinition` docs, bearer should require `auth.secret`, and empty strategy should only be accepted for the legacy "secret-only" case. Consider splitting these cases and (a) requiring `Secret` for bearer, and (b) erroring when strategy is empty but OAuth-specific fields (token-url/client-id/client-secret/header-name) are set.
case AuthStrategyBearer, "":
// bearer strategy and unset strategy (simple backwards-compat secret) need no extra fields.
pkg/workflow/engine_validation.go
Outdated
| // api-key requires a header-name so the caller knows where to inject the key. | ||
| if auth.HeaderName == "" { | ||
| return fmt.Errorf("engine auth: strategy 'api-key' requires 'auth.header-name' to be set (e.g. 'api-key' or 'x-api-key').\n\nSee: %s", constants.DocsEnginesURL) | ||
| } | ||
| case AuthStrategyBearer, "": | ||
| // bearer strategy and unset strategy (simple backwards-compat secret) need no extra fields. |
validateEngineAuthDefinition enforces header-name for the api-key strategy, but it does not require auth.secret to be set. This allows configs that pass validation but cannot authenticate at runtime. Add a check that auth.Secret is non-empty for api-key (and return a clear error).
This issue also appears on line 169 of the same file.
| // api-key requires a header-name so the caller knows where to inject the key. | |
| if auth.HeaderName == "" { | |
| return fmt.Errorf("engine auth: strategy 'api-key' requires 'auth.header-name' to be set (e.g. 'api-key' or 'x-api-key').\n\nSee: %s", constants.DocsEnginesURL) | |
| } | |
| case AuthStrategyBearer, "": | |
| // bearer strategy and unset strategy (simple backwards-compat secret) need no extra fields. | |
| // api-key requires a secret value and a header-name so the caller knows where to inject the key. | |
| if auth.Secret == "" { | |
| return fmt.Errorf("engine auth: strategy 'api-key' requires 'auth.secret' to be set.\n\nSee: %s", constants.DocsEnginesURL) | |
| } | |
| if auth.HeaderName == "" { | |
| return fmt.Errorf("engine auth: strategy 'api-key' requires 'auth.header-name' to be set (e.g. 'api-key' or 'x-api-key').\n\nSee: %s", constants.DocsEnginesURL) | |
| } | |
| case AuthStrategyBearer, "": | |
| // bearer strategy and unset strategy (simple backwards-compat secret) require a secret value. | |
| if auth.Secret == "" { | |
| return fmt.Errorf("engine auth: strategy 'bearer' (or unset) requires 'auth.secret' to be set.\n\nSee: %s", constants.DocsEnginesURL) | |
| } |
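Review bot: The replacement still handles `AuthStrategyBearer` and the unset strategy in one `case AuthStrategyBearer, "":` branch that checks only `auth.Secret`, so a definition with no strategy but with token-url, client-id, client-secret or header-name set passes as long as a secret is present. Split the two cases, reject those strategy-specific fields when the strategy is empty, and let each error message name the one strategy it applies to instead of "'bearer' (or unset)".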
| if auth, hasAuth := providerObj["auth"]; hasAuth { | ||
| if authObj, ok := auth.(map[string]any); ok { | ||
| if secret, ok := authObj["secret"].(string); ok { | ||
| config.InlineProviderSecret = secret | ||
| } | ||
| authDef := parseAuthDefinition(authObj) | ||
| config.InlineProviderAuth = authDef | ||
| // Backwards compat: expose the simple secret field directly. | ||
| config.InlineProviderSecret = authDef.Secret | ||
| } |
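Review bot: The `auth.(map[string]any)` assertion has no else branch, so an `auth` value that is present but is not an object (a string or a list, for example) is ignored without any error and neither `InlineProviderAuth` nor `InlineProviderSecret` is set from it. Report a validation error in that case, or document that the schema is relied on to reject it before this code runs.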
When engine.provider.auth is present, ExtractEngineConfig always sets InlineProviderAuth to a non-nil (possibly empty) AuthDefinition. That makes downstream code treat auth as “explicitly configured” even when the user provided {} or only unknown keys. To avoid surprising overrides, consider only setting InlineProviderAuth when at least one recognized field is non-empty, or have registration/validation treat an all-zero AuthDefinition as nil.
| auth.Strategy = AuthStrategyAPIKey | ||
| } | ||
| def.Provider.Auth = auth | ||
| // Keep legacy AuthBinding in sync for callers that still read def.Auth. |
registerInlineEngineDefinition sets def.Provider.Auth whenever InlineProviderAuth is non-nil, but only updates the legacy def.Auth bindings when auth.Secret != "". For OAuth client-credentials this leaves the previous/built-in def.Auth in place, which contradicts the “keep legacy AuthBinding in sync” comment and can cause legacy callers to read the wrong secret. Consider clearing def.Auth when an AuthDefinition is provided (even if Secret is empty), or mapping OAuth refs into def.Auth with appropriate roles.
| // Keep legacy AuthBinding in sync for callers that still read def.Auth. | |
| // Keep legacy AuthBinding in sync for callers that still read def.Auth. | |
| // When an AuthDefinition is provided, always reset legacy bindings to avoid | |
| // leaking stale secrets from existing engine definitions. | |
| def.Auth = nil |
pkg/cli/workflow_secrets.go
Outdated
| // Get engine-specific secrets only (no system secrets, no optional) | ||
| // System secrets will be added separately to avoid duplication | ||
| return getSecretRequirementsForEngine(engine, true, true) | ||
| reqs := getSecretRequirementsForEngine(engine, true, true) |
The comment says this call returns “engine-specific secrets only (no system secrets, no optional)” and that system secrets are added separately, but getSecretRequirementsForEngine(engine, true, true) includes system and optional secrets. Either update the comment to match behavior or change the arguments (and rely on getSecretsRequirementsForWorkflows for system secrets).
| reqs := getSecretRequirementsForEngine(engine, true, true) | |
| reqs := getSecretRequirementsForEngine(engine, false, false) |
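Review bot: Nothing at the `getSecretRequirementsForEngine(engine, false, false)` call site says which positional boolean controls system secrets and which controls optional ones, and the comment above the original call already disagreed with its arguments. Pass named constants or an options struct, and add a test asserting that this path returns no system or optional secrets so the comment and the behaviour cannot drift again.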
pkg/workflow/engine_auth_test.go
Outdated
| require.NotNil(t, def, "built-in engine %s should be in catalog", tt.engineID) | ||
|
|
||
| // Provider.Auth should be nil for built-in engines (they use AuthBinding only). | ||
| assert.Nil(t, def.Provider.Auth, | ||
| "built-in engine %s should have no Provider.Auth (uses legacy AuthBinding)", tt.engineID) | ||
|
|
||
| if tt.wantAuthSecret != "" { | ||
| require.Len(t, def.Auth, 1, "engine %s should have exactly one AuthBinding", tt.engineID) |
require.NotNil doesn’t interpret format strings; passing "built-in engine %s..." will not substitute tt.engineID. Use require.NotNilf (or build the message with fmt.Sprintf) to keep failure output clear.
| require.NotNil(t, def, "built-in engine %s should be in catalog", tt.engineID) | |
| // Provider.Auth should be nil for built-in engines (they use AuthBinding only). | |
| assert.Nil(t, def.Provider.Auth, | |
| "built-in engine %s should have no Provider.Auth (uses legacy AuthBinding)", tt.engineID) | |
| if tt.wantAuthSecret != "" { | |
| require.Len(t, def.Auth, 1, "engine %s should have exactly one AuthBinding", tt.engineID) | |
| require.NotNilf(t, def, "built-in engine %s should be in catalog", tt.engineID) | |
| // Provider.Auth should be nil for built-in engines (they use AuthBinding only). | |
| assert.Nil(t, def.Provider.Auth, | |
| "built-in engine %s should have no Provider.Auth (uses legacy AuthBinding)", tt.engineID) | |
| if tt.wantAuthSecret != "" { | |
| require.Lenf(t, def.Auth, 1, "engine %s should have exactly one AuthBinding", tt.engineID) |
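Review bot: The suggested block moves `require.NotNil` and `require.Len` to their `f` variants but leaves `assert.Nil(t, def.Provider.Auth, "built-in engine %s should have no Provider.Auth ...", tt.engineID)` unchanged, so the three assertions in this test are no longer consistent. Use `assert.Nilf` there as well.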
pkg/workflow/engine_definition.go
Outdated
| // this AuthDefinition. Returns an empty slice when Auth is nil. | ||
| func (a *AuthDefinition) RequiredSecretNames() []string { | ||
| if a == nil { | ||
| return nil |
Docstring says RequiredSecretNames returns an “empty slice” when the receiver is nil, but the implementation returns nil. Either adjust the comment or return []string{} to match expectations and avoid ambiguity for callers/tests.
| return nil | |
| return []string{} |
@copilot apply comments
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…on/RequestShape PR Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
All 6 reviewer comments applied in 70de7ef:
Warning: Firewall rules blocked me from connecting to one or more addresses. I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
Non-standard backends (OAuth client-credentials, custom header injection, URL path templates, body injection) currently require bespoke Go engine implementations. This PR introduces declarative `AuthDefinition` and `RequestShape` types so these can be expressed in workflow frontmatter data.

New types

- `AuthDefinition` — three strategies with required-field validation:
  - `api-key`: requires `header-name`
  - `oauth-client-credentials`: requires `token-url`, `client-id`, `client-secret`, `header-name`
  - `bearer`: no extra fields required
- `RequestShape` — `path-template`, `query` (static params), `body-inject` (JSON key injection)

`ProviderSelection` extended with `Auth *AuthDefinition` and `Request *RequestShape`.

Example frontmatter

Changes

- `engine_definition.go` — `AuthStrategy` constants, `AuthDefinition`, `RequestShape`, `ProviderSelection` extension, `RequiredSecretNames()` method
- `engine.go` — `InlineProviderAuth` / `InlineProviderRequest` fields on `EngineConfig`; `parseAuthDefinition()` / `parseRequestShape()` helpers; `ExtractEngineConfig` updated; `InlineProviderSecret` marked deprecated (backwards-compat preserved)
- `engine_validation.go` — `validateEngineAuthDefinition()` with per-strategy field checks; `registerInlineEngineDefinition` populates `Provider.Auth` / `Provider.Request`
- `compiler_orchestrator_engine.go` — wires `validateEngineAuthDefinition` into the compilation pipeline
- `main_workflow_schema.json` — `auth.strategy` enum, OAuth fields, `request` object with path/query/body-inject
- `strict_mode_validation.go` — `getEngineBaseEnvVarKeys` now includes `AuthDefinition.RequiredSecretNames()` so auth secrets are allowed in `engine.env`
- `engine_secrets.go` — `secretRequirementsFromAuthDefinition()` converts an `AuthDefinition` to `SecretRequirement` entries
- `workflow_secrets.go` — `getSecretRequirementsForWorkflow` includes auth-binding secrets for inline engine definitions
- `engine_auth_test.go` (new) — 30 tests: per-strategy validation, missing-field errors, unknown strategy, strict-mode secret inclusion, backwards-compat, built-in engine regression
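The per-strategy required-field rules listed above, with the stricter checks requested in review (a secret for `api-key` and `bearer`, no strategy-specific fields without a strategy), as an added sketch that is not the PR's or gh-aw's code. The Go field names, the OAuth constant name, the `ValidateAuth` and `keysWhere` helpers and the sample values are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Illustrative types: names follow the PR text, but this is not the gh-aw source.
type AuthStrategy string

const (
	AuthStrategyAPIKey AuthStrategy = "api-key"
	AuthStrategyBearer AuthStrategy = "bearer"
	// Constant name assumed; the strategy value is the one the PR lists.
	AuthStrategyOAuthClientCredentials AuthStrategy = "oauth-client-credentials"
)

// AuthDefinition mirrors the auth.* frontmatter keys (field names assumed).
type AuthDefinition struct {
	Strategy     AuthStrategy
	Secret       string // auth.secret
	HeaderName   string // auth.header-name
	TokenURL     string // auth.token-url
	ClientID     string // auth.client-id
	ClientSecret string // auth.client-secret
}

type field struct{ key, val string }

// keysWhere returns the frontmatter keys whose emptiness equals wantEmpty.
func keysWhere(wantEmpty bool, fs ...field) []string {
	var out []string
	for _, f := range fs {
		if (strings.TrimSpace(f.val) == "") == wantEmpty {
			out = append(out, f.key)
		}
	}
	return out
}

// ValidateAuth applies per-strategy required-field checks and treats the
// unset strategy as the legacy secret-only form, nothing more.
func ValidateAuth(a *AuthDefinition) error {
	if a == nil {
		return nil // no inline auth block
	}
	secret := field{"auth.secret", a.Secret}
	header := field{"auth.header-name", a.HeaderName}
	oauth := []field{{"auth.token-url", a.TokenURL}, {"auth.client-id", a.ClientID},
		{"auth.client-secret", a.ClientSecret}, header}
	var missing []string
	switch a.Strategy {
	case AuthStrategyAPIKey:
		missing = keysWhere(true, secret, header)
	case AuthStrategyOAuthClientCredentials:
		missing = keysWhere(true, oauth...)
	case AuthStrategyBearer:
		missing = keysWhere(true, secret)
	case "": // legacy secret-only form: strategy-specific keys are a config error
		if extra := keysWhere(false, oauth...); len(extra) > 0 {
			return fmt.Errorf("engine auth: %s set but 'auth.strategy' is not", strings.Join(extra, ", "))
		}
		missing = keysWhere(true, secret)
	default:
		return fmt.Errorf("engine auth: unknown strategy %q", a.Strategy)
	}
	if len(missing) > 0 {
		return fmt.Errorf("engine auth: strategy %q requires %s", a.Strategy, strings.Join(missing, ", "))
	}
	return nil
}

func main() {
	// Constructed sample definitions, not taken from the PR.
	for _, a := range []*AuthDefinition{
		{Strategy: AuthStrategyAPIKey, HeaderName: "x-api-key"},
		{Secret: "MY_KEY", TokenURL: "https://auth.example.test/token"},
		{Strategy: AuthStrategyBearer, Secret: "MY_KEY"},
	} {
		fmt.Printf("%+v -> %v\n", *a, ValidateAuth(a))
	}
}
```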