.github/workflows/technical-doc-writer.lock.yml

refactor: replace hardcoded /opt/gh-aw/ paths with GH_AW_HOME constants #90

Workflow file for this run

.github/workflows/technical-doc-writer.lock.yml at 489d820

	#
Check failure on line 1 in .github/workflows/technical-doc-writer.lock.yml View workflow run for this annotation GitHub Actions / .github/workflows/technical-doc-writer.lock.yml Invalid workflow file (Line: 293, Col: 19): Unrecognized named-value: 'env'. Located at position 1 within expression: env.GH_AW_HOME \|\| '/opt/gh-aw', (Line: 295, Col: 27): Unrecognized named-value: 'env'. Located at position 1 within expression: env.GH_AW_HOME, (Line: 296, Col: 39): Unrecognized named-value: 'env'. Located at position 1 within expression: env.GH_AW_HOME, (Line: 297, Col: 38): Unrecognized named-value: 'env'. Located at position 1 within expression: env.GH_AW_HOME, (Line: 1350, Col: 19): Unrecognized named-value: 'env'. Located at position 1 within expression: env.GH_AW_HOME \|\| '/opt/gh-aw', (Line: 1478, Col: 19): Unrecognized named-value: 'env'. Located at position 1 within expression: env.GH_AW_HOME \|\| '/opt/gh-aw', (Line: 1557, Col: 19): Unrecognized named-value: 'env'. Located at position 1 within expression: env.GH_AW_HOME \|\| '/opt/gh-aw', (Line: 1657, Col: 19): Unrecognized named-value: 'env'. Located at position 1 within expression: env.GH_AW_HOME \|\| '/opt/gh-aw'
	# ___ _ _
	# / _ \ \| \| (_)
	# \| \|_\| \| __ _ ___ _ __ \| \|_ _ ___
	# \| _ \|/ _` \|/ _ \ '_ \\| __\| \|/ __\|
	# \| \| \| \| (_\| \| __/ \| \| \| \|_\| \| (__
	# \_\| \|_/\__, \|\___\|_\| \|_\|\__\|_\|\___\|
	# __/ \|
	# _ _ \|___/
	# \| \| \| \| / _\| \|
	# \| \| \| \| ___ _ __ _ __\| \|_\| \| _____ ____
	# \| \|/\\| \|/ _ \ '__\| \|/ /\| _\| \|/ _ \ \ /\ / / ___\|
	# \ /\ / (_) \| \| \| \| ( \| \| \| \| (_) \ V V /\__ \
	# \/ \/ \___/\|_\| \|_\|\_\\|_\| \|_\|\___/ \_/\_/ \|___/
	#
	# This file was automatically generated by gh-aw. DO NOT EDIT.
	#
	# To update this file, edit the corresponding .md file and run:
	# gh aw compile
	# Not all edits will cause changes to this file.
	#
	# For more information: https://github.github.com/gh-aw/introduction/overview/
	#
	# Reviews and improves technical documentation based on provided topics
	#
	# Resolved workflow manifest:
	# Imports:
	# - ../agents/technical-doc-writer.agent.md
	# - ../skills/documentation/SKILL.md
	# - shared/mcp/qmd-docs.md
	#
	# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"67e1c74f352e82212cf8a54d7bd16101c8d33f6ae6f827dd605c1e2eb55ece85","strict":true}

	name: "Rebuild the documentation after making changes"
	"on":
	workflow_dispatch:
	inputs:
	topic:
	description: Documentation topic to review
	required: true
	type: string

	permissions: {}

	concurrency:
	group: "gh-aw-${{ github.workflow }}"

	run-name: "Rebuild the documentation after making changes"

	jobs:
	activation:
	runs-on: ubuntu-slim
	permissions:
	contents: read
	outputs:
	comment_id: ""
	comment_repo: ""
	model: ${{ steps.generate_aw_info.outputs.model }}
	secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
	steps:
	- name: Checkout actions folder
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	repository: github/gh-aw
	sparse-checkout: \|
	actions
	persist-credentials: false
	- name: Setup Scripts
	uses: ./actions/setup
	with:
	destination: ${{ env.GH_AW_HOME }}/actions
	- name: Generate agentic run info
	id: generate_aw_info
	env:
	GH_AW_INFO_ENGINE_ID: "copilot"
	GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
	GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT \|\| '' }}
	GH_AW_INFO_VERSION: ""
	GH_AW_INFO_AGENT_VERSION: "latest"
	GH_AW_INFO_WORKFLOW_NAME: "Rebuild the documentation after making changes"
	GH_AW_INFO_EXPERIMENTAL: "false"
	GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
	GH_AW_INFO_STAGED: "false"
	GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","github"]'
	GH_AW_INFO_FIREWALL_ENABLED: "true"
	GH_AW_INFO_AWF_VERSION: "v0.24.1"
	GH_AW_INFO_AWMG_VERSION: ""
	GH_AW_INFO_FIREWALL_TYPE: "squid"
	GH_AW_COMPILED_STRICT: "true"
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	with:
	script: \|
	const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs');
	await main(core, context);
	- name: Validate COPILOT_GITHUB_TOKEN secret
	id: validate-secret
	run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default
	env:
	COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
	- name: Checkout .github and .agents folders
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false
	sparse-checkout: \|
	.github
	.agents
	sparse-checkout-cone-mode: true
	fetch-depth: 1
	- name: Check workflow file timestamps
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_WORKFLOW_FILE: "technical-doc-writer.lock.yml"
	with:
	script: \|
	const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs');
	await main();
	- name: Create prompt with built-in context
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
	GH_AW_GITHUB_ACTOR: ${{ github.actor }}
	GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
	GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
	GH_AW_GITHUB_EVENT_INPUTS_TOPIC: ${{ github.event.inputs.topic }}
	GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
	GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
	GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
	GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
	GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
	run: \|
	bash ${GH_AW_HOME}/actions/create_prompt_first.sh
	{
	cat << 'GH_AW_PROMPT_EOF'
	<system>
	GH_AW_PROMPT_EOF
	cat "${GH_AW_HOME}/prompts/xpia.md"
	cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md"
	cat "${GH_AW_HOME}/prompts/markdown.md"
	cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md"
	cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md"
	cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md"
	cat << 'GH_AW_PROMPT_EOF'
	<safe-output-tools>
	Tools: add_comment, create_pull_request, upload_asset, missing_tool, missing_data, noop
	GH_AW_PROMPT_EOF
	cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md"
	cat << 'GH_AW_PROMPT_EOF'

	upload_asset: provide a file path; returns a URL; assets are published after the workflow completes (safeoutputs).
	</safe-output-tools>
	<github-context>
	The following GitHub context information is available for this workflow:
	{{#if __GH_AW_GITHUB_ACTOR__ }}
	- actor: __GH_AW_GITHUB_ACTOR__
	{{/if}}
	{{#if __GH_AW_GITHUB_REPOSITORY__ }}
	- repository: __GH_AW_GITHUB_REPOSITORY__
	{{/if}}
	{{#if __GH_AW_GITHUB_WORKSPACE__ }}
	- workspace: __GH_AW_GITHUB_WORKSPACE__
	{{/if}}
	{{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }}
	- issue-number: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__
	{{/if}}
	{{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }}
	- discussion-number: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__
	{{/if}}
	{{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }}
	- pull-request-number: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__
	{{/if}}
	{{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }}
	- comment-id: __GH_AW_GITHUB_EVENT_COMMENT_ID__
	{{/if}}
	{{#if __GH_AW_GITHUB_RUN_ID__ }}
	- workflow-run-id: __GH_AW_GITHUB_RUN_ID__
	{{/if}}
	</github-context>

	GH_AW_PROMPT_EOF
	cat << 'GH_AW_PROMPT_EOF'
	</system>
	GH_AW_PROMPT_EOF
	cat << 'GH_AW_PROMPT_EOF'
	{{#runtime-import .github/skills/documentation/SKILL.md}}
	GH_AW_PROMPT_EOF
	cat << 'GH_AW_PROMPT_EOF'
	{{#runtime-import .github/agents/technical-doc-writer.agent.md}}
	GH_AW_PROMPT_EOF
	cat << 'GH_AW_PROMPT_EOF'
	{{#runtime-import .github/workflows/shared/mcp/qmd-docs.md}}
	GH_AW_PROMPT_EOF
	cat << 'GH_AW_PROMPT_EOF'
	{{#runtime-import .github/workflows/technical-doc-writer.md}}
	GH_AW_PROMPT_EOF
	} > "$GH_AW_PROMPT"
	- name: Interpolate variables and render templates
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_GITHUB_EVENT_INPUTS_TOPIC: ${{ github.event.inputs.topic }}
	with:
	script: \|
	const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs');
	await main();
	- name: Substitute placeholders
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_ALLOWED_EXTENSIONS: ''
	GH_AW_CACHE_DESCRIPTION: ''
	GH_AW_CACHE_DIR: '/tmp/gh-aw/cache-memory/'
	GH_AW_GITHUB_ACTOR: ${{ github.actor }}
	GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
	GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
	GH_AW_GITHUB_EVENT_INPUTS_TOPIC: ${{ github.event.inputs.topic }}
	GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
	GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
	GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
	GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
	GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
	GH_AW_MEMORY_BRANCH_NAME: 'master'
	GH_AW_MEMORY_CONSTRAINTS: "\n\nConstraints:\n- Max File Size: 10240 bytes (0.01 MB) per file\n- Max File Count: 100 files per commit\n- Max Patch Size: 10240 bytes (10 KB) total per push (max: 100 KB)\n"
	GH_AW_MEMORY_DESCRIPTION: ' Technical documentation library'
	GH_AW_MEMORY_DIR: '/tmp/gh-aw/repo-memory/default/'
	GH_AW_MEMORY_TARGET_REPO: ' of the current repository'
	GH_AW_WIKI_NOTE: "\n\n> GitHub Wiki: This memory is backed by the GitHub Wiki for this repository. Files use GitHub Wiki Markdown syntax. Follow GitHub Wiki conventions when creating or editing pages (e.g., use standard Markdown headers, use `[[Page Name]]` syntax for internal wiki links, name page files with spaces replaced by hyphens or use the wiki page title as the filename)."
	with:
	script: \|
	const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);

	const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs');

	// Call the substitution function
	return await substitutePlaceholders({
	file: process.env.GH_AW_PROMPT,
	substitutions: {
	GH_AW_ALLOWED_EXTENSIONS: process.env.GH_AW_ALLOWED_EXTENSIONS,
	GH_AW_CACHE_DESCRIPTION: process.env.GH_AW_CACHE_DESCRIPTION,
	GH_AW_CACHE_DIR: process.env.GH_AW_CACHE_DIR,
	GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR,
	GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID,
	GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER,
	GH_AW_GITHUB_EVENT_INPUTS_TOPIC: process.env.GH_AW_GITHUB_EVENT_INPUTS_TOPIC,
	GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER,
	GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER,
	GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY,
	GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID,
	GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE,
	GH_AW_MEMORY_BRANCH_NAME: process.env.GH_AW_MEMORY_BRANCH_NAME,
	GH_AW_MEMORY_CONSTRAINTS: process.env.GH_AW_MEMORY_CONSTRAINTS,
	GH_AW_MEMORY_DESCRIPTION: process.env.GH_AW_MEMORY_DESCRIPTION,
	GH_AW_MEMORY_DIR: process.env.GH_AW_MEMORY_DIR,
	GH_AW_MEMORY_TARGET_REPO: process.env.GH_AW_MEMORY_TARGET_REPO,
	GH_AW_WIKI_NOTE: process.env.GH_AW_WIKI_NOTE
	}
	});
	- name: Validate prompt placeholders
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh
	- name: Print prompt
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh
	- name: Upload activation artifact
	if: success()
	uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
	with:
	name: activation
	path: \|
	/tmp/gh-aw/aw_info.json
	/tmp/gh-aw/aw-prompts/prompt.txt
	retention-days: 1

	agent:
	needs: activation
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	issues: read
	pull-requests: read
	env:
	DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
	GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg"
	GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}"
	GH_AW_ASSETS_MAX_SIZE_KB: 10240
	GH_AW_HOME: ${{ env.GH_AW_HOME \|\| '/opt/gh-aw' }}
	GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
	GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl
	GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json
	GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json
	GH_AW_WORKFLOW_ID_SANITIZED: technicaldocwriter
	outputs:
	checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success \|\| 'true' }}
	detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }}
	detection_success: ${{ steps.detection_conclusion.outputs.success }}
	has_patch: ${{ steps.collect_output.outputs.has_patch }}
	inference_access_error: ${{ steps.detect-inference-error.outputs.inference_access_error \|\| 'false' }}
	model: ${{ needs.activation.outputs.model }}
	output: ${{ steps.collect_output.outputs.output }}
	output_types: ${{ steps.collect_output.outputs.output_types }}
	steps:
	- name: Checkout actions folder
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	repository: github/gh-aw
	sparse-checkout: \|
	actions
	persist-credentials: false
	- name: Setup Scripts
	uses: ./actions/setup
	with:
	destination: ${{ env.GH_AW_HOME }}/actions
	- name: Checkout repository
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false
	- name: Merge remote .github folder
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_FILE: ".github/agents/technical-doc-writer.agent.md"
	GH_AW_AGENT_IMPORT_SPEC: "../agents/technical-doc-writer.agent.md"
	with:
	script: \|
	const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require(process.env.GH_AW_HOME + '/actions/merge_remote_agent_github_folder.cjs');
	await main();
	- name: Setup Node.js
	uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
	with:
	node-version: '24'
	cache: 'npm'
	cache-dependency-path: 'docs/package-lock.json'
	package-manager-cache: false
	- name: Create gh-aw temp directory
	run: \|
	bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh
	echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV"
	echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV"
	echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV"
	- name: Install QMD
	run: npm install -g @tobilu/qmd
	- name: Restore QMD index cache
	uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
	with:
	key: qmd-docs-${{ hashFiles('docs/src/content/docs/', '.github/agents/', '.github/aw/**') }}
	path: ~/.cache/qmd
	restore-keys: qmd-docs-
	- name: Register QMD collections
	run: \|
	qmd collection add "${GITHUB_WORKSPACE}" --name gh-aw --glob "docs/src/content/docs/,.github/agents/,.github/aw/**" 2>/dev/null \|\| true
	- name: Install dependencies
	run: npm ci
	working-directory: ./docs
	- env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	name: Build documentation
	run: npm run build
	working-directory: ./docs

	# Cache memory file share configuration from frontmatter processed below
	- name: Create cache-memory directory
	run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh
	- name: Restore cache-memory file share data
	uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
	with:
	key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }}
	path: /tmp/gh-aw/cache-memory
	restore-keys: \|
	memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-
	# Repo memory git-based storage configuration from frontmatter processed below
	- name: Clone wiki-memory branch (default)
	env:
	GH_TOKEN: ${{ github.token }}
	GITHUB_SERVER_URL: ${{ github.server_url }}
	BRANCH_NAME: master
	TARGET_REPO: ${{ github.repository }}.wiki
	MEMORY_DIR: /tmp/gh-aw/repo-memory/default
	CREATE_ORPHAN: false
	run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh
	- name: Configure Git credentials
	env:
	REPO_NAME: ${{ github.repository }}
	SERVER_URL: ${{ github.server_url }}
	run: \|
	git config --global user.email "github-actions[bot]@users.noreply.github.com"
	git config --global user.name "github-actions[bot]"
	git config --global am.keepcr true
	# Re-authenticate git with GitHub token
	SERVER_URL_STRIPPED="${SERVER_URL#https://}"
	git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
	echo "Git configured with standard GitHub Actions identity"
	- name: Checkout PR branch
	id: checkout-pr
	if: \|
	(github.event.pull_request) \|\| (github.event.issue.pull_request)
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN \|\| secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN \|\| secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs');
	await main();
	- name: Install GitHub Copilot CLI
	run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest
	env:
	GH_HOST: github.com
	- name: Install AWF binary
	run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1
	- name: Determine automatic lockdown mode for GitHub MCP Server
	id: determine-automatic-lockdown
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
	GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
	with:
	script: \|
	const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs');
	await determineAutomaticLockdown(github, context, core);
	- name: Download container images
	run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine
	- name: Write Safe Outputs Config
	run: \|
	mkdir -p ${GH_AW_HOME}/safeoutputs
	mkdir -p /tmp/gh-aw/safeoutputs
	mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
	cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF'
	{"add_comment":{"max":1},"create_pull_request":{"expires":48,"max":1,"reviewers":["copilot"],"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":10240,"max_patch_size":10240}]},"upload_asset":{"max":0}}
	GH_AW_SAFE_OUTPUTS_CONFIG_EOF
	- name: Write Safe Outputs Tools
	run: \|
	cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF'
	[
	{
	"description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.",
	"inputSchema": {
	"additionalProperties": false,
	"properties": {
	"body": {
	"description": "The comment text in Markdown format. This is the 'body' field - do not use 'comment_body' or other variations. Provide helpful, relevant information that adds value to the conversation. CONSTRAINTS: The complete comment (your body text + automatically added footer) must not exceed 65536 characters total. Maximum 10 mentions (@username), maximum 50 links (http/https URLs). A footer (~200-500 characters) is automatically appended with workflow attribution, so leave adequate space. If these limits are exceeded, the tool call will fail with a detailed error message indicating which constraint was violated.",
	"type": "string"
	},
	"integrity": {
	"description": "Trustworthiness level of the message source (e.g., \"low\", \"medium\", \"high\").",
	"type": "string"
	},
	"item_number": {
	"description": "The issue, pull request, or discussion number to comment on. This is the numeric ID from the GitHub URL (e.g., 123 in github.com/owner/repo/issues/123). Can also be a temporary_id (e.g., 'aw_abc123') from a previously created issue in the same workflow run. If omitted, the tool auto-targets the issue, PR, or discussion that triggered this workflow. Auto-targeting only works for issue, pull_request, discussion, and comment event triggers — it does NOT work for schedule, workflow_dispatch, push, or workflow_run triggers. For those trigger types, always provide item_number explicitly, or the tool call will fail with an error.",
	"type": [
	"number",
	"string"
	]
	},
	"secrecy": {
	"description": "Confidentiality level of the message content (e.g., \"public\", \"internal\", \"private\").",
	"type": "string"
	},
	"temporary_id": {
	"description": "Unique temporary identifier for this comment. Format: 'aw_' followed by 3 to 12 alphanumeric characters (e.g., 'aw_abc1', 'aw_Test123'). Auto-generated if not provided. The temporary ID is returned in the tool response so you can reference this comment later.",
	"pattern": "^aw_[A-Za-z0-9]{3,12}$",
	"type": "string"
	}
	},
	"required": [
	"body"
	],
	"type": "object"
	},
	"name": "add_comment"
	},
	{
	"description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[docs] \". Labels [\"documentation\"] will be automatically added. Reviewers [\"copilot\"] will be assigned.",
	"inputSchema": {
	"additionalProperties": false,
	"properties": {
	"body": {
	"description": "Detailed PR description in Markdown. Include what changes were made, why, testing notes, and any breaking changes. Do NOT repeat the title as a heading.",
	"type": "string"
	},
	"branch": {
	"description": "Source branch name containing the changes. If omitted, uses the current working branch.",
	"type": "string"
	},
	"draft": {
	"description": "Whether to create the PR as a draft. Draft PRs cannot be merged until marked as ready for review. Use mark_pull_request_as_ready_for_review to convert a draft PR. Default: true.",
	"type": "boolean"
	},
	"integrity": {
	"description": "Trustworthiness level of the message source (e.g., \"low\", \"medium\", \"high\").",
	"type": "string"
	},
	"labels": {
	"description": "Labels to categorize the PR (e.g., 'enhancement', 'bugfix'). Labels must exist in the repository.",
	"items": {
	"type": "string"
	},
	"type": "array"
	},
	"repo": {
	"description": "Target repository in 'owner/repo' format. For multi-repo workflows where the target repo differs from the workflow repo, this must match a repo in the allowed-repos list or the configured target-repo. If omitted, defaults to the configured target-repo (from safe-outputs config), NOT the workflow repository. In most cases, you should omit this parameter and let the system use the configured default.",
	"type": "string"
	},
	"secrecy": {
	"description": "Confidentiality level of the message content (e.g., \"public\", \"internal\", \"private\").",
	"type": "string"
	},
	"title": {
	"description": "Concise PR title describing the changes. Follow repository conventions (e.g., conventional commits). The title appears as the main heading.",
	"type": "string"
	}
	},
	"required": [
	"title",
	"body"
	],
	"type": "object"
	},
	"name": "create_pull_request"
	},
	{
	"description": "Upload a file as a URL-addressable asset that can be referenced in issues, PRs, or comments. The file is stored on an orphaned git branch and returns a permanent URL. Use this for images, diagrams, or other files that need to be embedded in GitHub content. CONSTRAINTS: Maximum file size: 10240KB. Allowed file extensions: [.png .jpg .jpeg].",
	"inputSchema": {
	"additionalProperties": false,
	"properties": {
	"integrity": {
	"description": "Trustworthiness level of the message source (e.g., \"low\", \"medium\", \"high\").",
	"type": "string"
	},
	"path": {
	"description": "Absolute file path to upload (e.g., '/tmp/chart.png'). Must be under the workspace or /tmp directory. By default, only image files (.png, .jpg, .jpeg) are allowed; other file types require workflow configuration.",
	"type": "string"
	},
	"secrecy": {
	"description": "Confidentiality level of the message content (e.g., \"public\", \"internal\", \"private\").",
	"type": "string"
	}
	},
	"required": [
	"path"
	],
	"type": "object"
	},
	"name": "upload_asset"
	},
	{
	"description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.",
	"inputSchema": {
	"additionalProperties": false,
	"properties": {
	"alternatives": {
	"description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).",
	"type": "string"
	},
	"integrity": {
	"description": "Trustworthiness level of the message source (e.g., \"low\", \"medium\", \"high\").",
	"type": "string"
	},
	"reason": {
	"description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).",
	"type": "string"
	},
	"secrecy": {
	"description": "Confidentiality level of the message content (e.g., \"public\", \"internal\", \"private\").",
	"type": "string"
	},
	"tool": {
	"description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.",
	"type": "string"
	}
	},
	"required": [
	"reason"
	],
	"type": "object"
	},
	"name": "missing_tool"
	},
	{
	"description": "Log a transparency message when no significant actions are needed. Use this to confirm workflow completion and provide visibility when analysis is complete but no changes or outputs are required (e.g., 'No issues found', 'All checks passed'). This ensures the workflow produces human-visible output even when no other actions are taken.",
	"inputSchema": {
	"additionalProperties": false,
	"properties": {
	"integrity": {
	"description": "Trustworthiness level of the message source (e.g., \"low\", \"medium\", \"high\").",
	"type": "string"
	},
	"message": {
	"description": "Status or completion message to log. Should explain what was analyzed and the outcome (e.g., 'Code review complete - no issues found', 'Analysis complete - all tests passing').",
	"type": "string"
	},
	"secrecy": {
	"description": "Confidentiality level of the message content (e.g., \"public\", \"internal\", \"private\").",
	"type": "string"
	}
	},
	"required": [
	"message"
	],
	"type": "object"
	},
	"name": "noop"
	},
	{
	"description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.",
	"inputSchema": {
	"additionalProperties": false,
	"properties": {
	"alternatives": {
	"description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).",
	"type": "string"
	},
	"context": {
	"description": "Additional context about the missing data or where it should come from (max 256 characters).",
	"type": "string"
	},
	"data_type": {
	"description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.",
	"type": "string"
	},
	"integrity": {
	"description": "Trustworthiness level of the message source (e.g., \"low\", \"medium\", \"high\").",
	"type": "string"
	},
	"reason": {
	"description": "Explanation of why this data is needed to complete the task (max 256 characters).",
	"type": "string"
	},
	"secrecy": {
	"description": "Confidentiality level of the message content (e.g., \"public\", \"internal\", \"private\").",
	"type": "string"
	}
	},
	"required": [],
	"type": "object"
	},
	"name": "missing_data"
	},
	{
	"description": "Validate repo-memory files are within configured size limits before the workflow completes. Call this after writing files to memory to check that the total size is within limits. Returns an error if files are too large, with guidance on how to reduce memory size so the memory can be saved successfully.",
	"inputSchema": {
	"additionalProperties": false,
	"properties": {
	"memory_id": {
	"description": "Memory identifier to validate. Defaults to 'default' if not specified.",
	"type": "string"
	}
	},
	"required": [],
	"type": "object"
	},
	"name": "push_repo_memory"
	}
	]
	GH_AW_SAFE_OUTPUTS_TOOLS_EOF
	cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF'
	{
	"add_comment": {
	"defaultMax": 1,
	"fields": {
	"body": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 65000
	},
	"item_number": {
	"issueOrPRNumber": true
	},
	"repo": {
	"type": "string",
	"maxLength": 256
	}
	}
	},
	"create_pull_request": {
	"defaultMax": 1,
	"fields": {
	"body": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 65000
	},
	"branch": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 256
	},
	"draft": {
	"type": "boolean"
	},
	"labels": {
	"type": "array",
	"itemType": "string",
	"itemSanitize": true,
	"itemMaxLength": 128
	},
	"repo": {
	"type": "string",
	"maxLength": 256
	},
	"title": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 128
	}
	}
	},
	"missing_data": {
	"defaultMax": 20,
	"fields": {
	"alternatives": {
	"type": "string",
	"sanitize": true,
	"maxLength": 256
	},
	"context": {
	"type": "string",
	"sanitize": true,
	"maxLength": 256
	},
	"data_type": {
	"type": "string",
	"sanitize": true,
	"maxLength": 128
	},
	"reason": {
	"type": "string",
	"sanitize": true,
	"maxLength": 256
	}
	}
	},
	"missing_tool": {
	"defaultMax": 20,
	"fields": {
	"alternatives": {
	"type": "string",
	"sanitize": true,
	"maxLength": 512
	},
	"reason": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 256
	},
	"tool": {
	"type": "string",
	"sanitize": true,
	"maxLength": 128
	}
	}
	},
	"noop": {
	"defaultMax": 1,
	"fields": {
	"message": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 65000
	}
	}
	},
	"upload_asset": {
	"defaultMax": 10,
	"fields": {
	"path": {
	"required": true,
	"type": "string"
	}
	}
	}
	}
	GH_AW_SAFE_OUTPUTS_VALIDATION_EOF
	- name: Generate Safe Outputs MCP Server Config
	id: safe-outputs-config
	run: \|
	# Generate a secure random API key (360 bits of entropy, 40+ chars)
	# Mask immediately to prevent timing vulnerabilities
	API_KEY=$(openssl rand -base64 45 \| tr -d '/+=')
	echo "::add-mask::${API_KEY}"

	PORT=3001

	# Set outputs for next steps
	{
	echo "safe_outputs_api_key=${API_KEY}"
	echo "safe_outputs_port=${PORT}"
	} >> "$GITHUB_OUTPUT"

	echo "Safe Outputs MCP server will run on port ${PORT}"

	- name: Start Safe Outputs MCP HTTP Server
	id: safe-outputs-start
	env:
	DEBUG: '*'
	GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}
	GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}
	GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json
	GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json
	GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
	run: \|
	# Environment variables are set above to prevent template injection
	export DEBUG
	export GH_AW_SAFE_OUTPUTS_PORT
	export GH_AW_SAFE_OUTPUTS_API_KEY
	export GH_AW_SAFE_OUTPUTS_TOOLS_PATH
	export GH_AW_SAFE_OUTPUTS_CONFIG_PATH
	export GH_AW_MCP_LOG_DIR

	bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh

	- name: Setup MCP Scripts Config
	run: \|
	mkdir -p ${GH_AW_HOME}/mcp-scripts/logs
	cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF'
	{
	"serverName": "mcpscripts",
	"version": "1.0.0",
	"logDir": "${GH_AW_HOME}/mcp-scripts/logs",
	"tools": [
	{
	"name": "qmd-query",
	"description": "Find relevant file paths in project documentation using vector similarity search. Returns file paths and scores.",
	"inputSchema": {
	"properties": {
	"min_score": {
	"default": 0.4,
	"description": "Minimum relevance score threshold (0–1)",
	"type": "number"
	},
	"query": {
	"description": "Natural language search query",
	"type": "string"
	}
	},
	"required": [
	"query"
	],
	"type": "object"
	},
	"handler": "qmd-query.sh",
	"timeout": 60
	}
	]
	}
	GH_AW_MCP_SCRIPTS_TOOLS_EOF
	cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF'
	const path = require("path");
	const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs");
	const configPath = path.join(__dirname, "tools.json");
	const port = parseInt(process.env.GH_AW_MCP_SCRIPTS_PORT \|\| "3000", 10);
	const apiKey = process.env.GH_AW_MCP_SCRIPTS_API_KEY \|\| "";
	startHttpServer(configPath, {
	port: port,
	stateless: true,
	logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs"
	}).catch(error => {
	console.error("Failed to start mcp-scripts HTTP server:", error);
	process.exit(1);
	});
	GH_AW_MCP_SCRIPTS_SERVER_EOF
	chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs

	- name: Setup MCP Scripts Tool Files
	run: \|
	cat > ${GH_AW_HOME}/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF'
	#!/bin/bash
	# Auto-generated mcp-script tool: qmd-query
	# Find relevant file paths in project documentation using vector similarity search. Returns file paths and scores.

	set -euo pipefail

	set -e
	qmd vsearch "$INPUT_QUERY" --files --min-score "${INPUT_MIN_SCORE:-0.4}"


	GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF
	chmod +x ${GH_AW_HOME}/mcp-scripts/qmd-query.sh

	- name: Generate MCP Scripts Server Config
	id: mcp-scripts-config
	run: \|
	# Generate a secure random API key (360 bits of entropy, 40+ chars)
	# Mask immediately to prevent timing vulnerabilities
	API_KEY=$(openssl rand -base64 45 \| tr -d '/+=')
	echo "::add-mask::${API_KEY}"

	PORT=3000

	# Set outputs for next steps
	{
	echo "mcp_scripts_api_key=${API_KEY}"
	echo "mcp_scripts_port=${PORT}"
	} >> "$GITHUB_OUTPUT"

	echo "MCP Scripts server will run on port ${PORT}"

	- name: Start MCP Scripts HTTP Server
	id: mcp-scripts-start
	env:
	DEBUG: '*'
	GH_AW_MCP_SCRIPTS_PORT: ${{ steps.mcp-scripts-config.outputs.mcp_scripts_port }}
	GH_AW_MCP_SCRIPTS_API_KEY: ${{ steps.mcp-scripts-config.outputs.mcp_scripts_api_key }}
	run: \|
	# Environment variables are set above to prevent template injection
	export DEBUG
	export GH_AW_MCP_SCRIPTS_PORT
	export GH_AW_MCP_SCRIPTS_API_KEY

	bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh

	- name: Start MCP Gateway
	id: start-mcp-gateway
	env:
	GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }}
	GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }}
	GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }}
	GH_AW_MCP_SCRIPTS_API_KEY: ${{ steps.mcp-scripts-start.outputs.api_key }}
	GH_AW_MCP_SCRIPTS_PORT: ${{ steps.mcp-scripts-start.outputs.port }}
	GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
	GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
	GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
	GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' \|\| '0' }}
	GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN \|\| secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	run: \|
	set -eo pipefail
	mkdir -p /tmp/gh-aw/mcp-config

	# Export gateway environment variables for MCP config and gateway script
	export MCP_GATEWAY_PORT="80"
	export MCP_GATEWAY_DOMAIN="host.docker.internal"
	MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 \| tr -d '/+=')
	echo "::add-mask::${MCP_GATEWAY_API_KEY}"
	export MCP_GATEWAY_API_KEY
	export MCP_GATEWAY_PAYLOAD_DIR="/tmp/gh-aw/mcp-payloads"
	mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}"
	export MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD="524288"
	export DEBUG="*"

	export GH_AW_ENGINE="copilot"
	export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15'

	mkdir -p /home/runner/.copilot
	cat << GH_AW_MCP_CONFIG_EOF \| bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh
	{
	"mcpServers": {
	"github": {
	"type": "stdio",
	"container": "ghcr.io/github/github-mcp-server:v0.32.0",
	"env": {
	"GITHUB_HOST": "\${GITHUB_SERVER_URL}",
	"GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN",
	"GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
	"GITHUB_READ_ONLY": "1",
	"GITHUB_TOOLSETS": "context,repos,issues,pull_requests"
	}
	},
	"mcpscripts": {
	"type": "http",
	"url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT",
	"headers": {
	"Authorization": "\${GH_AW_MCP_SCRIPTS_API_KEY}"
	}
	},
	"safeoutputs": {
	"type": "http",
	"url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT",
	"headers": {
	"Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}"
	}
	}
	},
	"gateway": {
	"port": $MCP_GATEWAY_PORT,
	"domain": "${MCP_GATEWAY_DOMAIN}",
	"apiKey": "${MCP_GATEWAY_API_KEY}",
	"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
	}
	}
	GH_AW_MCP_CONFIG_EOF
	- name: Download activation artifact
	uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	with:
	name: activation
	path: /tmp/gh-aw
	- name: Clean git credentials
	run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh
	- name: Execute GitHub Copilot CLI
	id: agentic_execution
	# Copilot CLI tool arguments (sorted):
	timeout-minutes: 10
	run: \|
	set -o pipefail
	touch /tmp/gh-aw/agent-step-summary.md
	# shellcheck disable=SC1003
	sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.24.1 --skip-pull --enable-api-proxy \
	-- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --agent technical-doc-writer --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 \| tee -a /tmp/gh-aw/agent-stdio.log
	env:
	COPILOT_AGENT_RUNNER_TYPE: STANDALONE
	COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
	COPILOT_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT \|\| '' }}
	GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg"
	GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}"
	GH_AW_ASSETS_MAX_SIZE_KB: 10240
	GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json
	GH_AW_PHASE: agent
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
	GH_AW_VERSION: dev
	GITHUB_API_URL: ${{ github.api_url }}
	GITHUB_AW: true
	GITHUB_HEAD_REF: ${{ github.head_ref }}
	GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN \|\| secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	GITHUB_REF_NAME: ${{ github.ref_name }}
	GITHUB_SERVER_URL: ${{ github.server_url }}
	GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md
	GITHUB_WORKSPACE: ${{ github.workspace }}
	GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com
	GIT_AUTHOR_NAME: github-actions[bot]
	GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
	GIT_COMMITTER_NAME: github-actions[bot]
	XDG_CONFIG_HOME: /home/runner
	- name: Detect inference access error
	id: detect-inference-error
	if: always()
	continue-on-error: true
	run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh
	- name: Configure Git credentials
	env:
	REPO_NAME: ${{ github.repository }}
	SERVER_URL: ${{ github.server_url }}
	run: \|
	git config --global user.email "github-actions[bot]@users.noreply.github.com"
	git config --global user.name "github-actions[bot]"
	git config --global am.keepcr true
	# Re-authenticate git with GitHub token
	SERVER_URL_STRIPPED="${SERVER_URL#https://}"
	git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
	echo "Git configured with standard GitHub Actions identity"
	- name: Copy Copilot session state files to logs
	if: always()
	continue-on-error: true
	run: \|
	# Copy Copilot session state files to logs folder for artifact collection
	# This ensures they are in /tmp/gh-aw/ where secret redaction can scan them
	SESSION_STATE_DIR="$HOME/.copilot/session-state"
	LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs"

	if [ -d "$SESSION_STATE_DIR" ]; then
	echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR"
	mkdir -p "$LOGS_DIR"
	cp -v "$SESSION_STATE_DIR"/*.jsonl "$LOGS_DIR/" 2>/dev/null \|\| true
	echo "Session state files copied successfully"
	else
	echo "No session-state directory found at $SESSION_STATE_DIR"
	fi
	- name: Stop MCP Gateway
	if: always()
	continue-on-error: true
	env:
	MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }}
	MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }}
	GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }}
	run: \|
	bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID"
	- name: Redact secrets in logs
	if: always()
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	with:
	script: \|
	const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs');
	await main();
	env:
	GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN'
	SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
	SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
	SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
	SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	- name: Append agent step summary
	if: always()
	run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh
	- name: Copy Safe Outputs
	if: always()
	run: \|
	mkdir -p /tmp/gh-aw
	cp "$GH_AW_SAFE_OUTPUTS" /tmp/gh-aw/safeoutputs.jsonl 2>/dev/null \|\| true
	- name: Ingest agent output
	id: collect_output
	if: always()
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
	GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
	GITHUB_SERVER_URL: ${{ github.server_url }}
	GITHUB_API_URL: ${{ github.api_url }}
	with:
	script: \|
	const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs');
	await main();
	- name: Parse agent logs for step summary
	if: always()
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/
	with:
	script: \|
	const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs');
	await main();
	- name: Parse MCP Scripts logs for step summary
	if: always()
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	with:
	script: \|
	const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs');
	await main();
	- name: Parse MCP Gateway logs for step summary
	if: always()
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	with:
	script: \|
	const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs');
	await main();
	- name: Print firewall logs
	if: always()
	continue-on-error: true
	env:
	AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
	run: \|
	# Fix permissions on firewall logs so they can be uploaded as artifacts
	# AWF runs with sudo, creating files owned by root
	sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null \|\| true
	# Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
	if command -v awf &> /dev/null; then
	awf logs summary \| tee -a "$GITHUB_STEP_SUMMARY"
	else
	echo 'AWF binary not installed, skipping firewall log summary'
	fi
	# Upload repo memory as artifacts for push job
	- name: Upload wiki-memory artifact (default)
	if: always()
	uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
	with:
	name: repo-memory-default
	path: /tmp/gh-aw/repo-memory/default
	retention-days: 1
	if-no-files-found: ignore
	- name: Upload cache-memory data as artifact
	uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
	if: always()
	with:
	name: cache-memory
	path: /tmp/gh-aw/cache-memory
	# Upload safe-outputs assets for upload_assets job
	- name: Upload Safe Outputs assets
	if: always()
	uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
	with:
	name: safe-outputs-assets
	path: /tmp/gh-aw/safeoutputs/assets/
	retention-days: 1
	if-no-files-found: ignore
	- name: Upload agent artifacts
	if: always()
	continue-on-error: true
	uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
	with:
	name: agent
	path: \|
	/tmp/gh-aw/aw-prompts/prompt.txt
	/tmp/gh-aw/sandbox/agent/logs/
	/tmp/gh-aw/redacted-urls.log
	/tmp/gh-aw/mcp-logs/
	/tmp/gh-aw/mcp-scripts/logs/
	/tmp/gh-aw/sandbox/firewall/logs/
	/tmp/gh-aw/agent-stdio.log
	/tmp/gh-aw/agent/
	/tmp/gh-aw/safeoutputs.jsonl
	/tmp/gh-aw/agent_output.json
	/tmp/gh-aw/aw-*.patch
	if-no-files-found: ignore
	# --- Threat Detection (inline) ---
	- name: Check if detection needed
	id: detection_guard
	if: always()
	env:
	OUTPUT_TYPES: ${{ steps.collect_output.outputs.output_types }}
	HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }}
	run: \|
	if [[ -n "$OUTPUT_TYPES" \|\| "$HAS_PATCH" == "true" ]]; then
	echo "run_detection=true" >> "$GITHUB_OUTPUT"
	echo "Detection will run: output_types=$OUTPUT_TYPES, has_patch=$HAS_PATCH"
	else
	echo "run_detection=false" >> "$GITHUB_OUTPUT"
	echo "Detection skipped: no agent outputs or patches to analyze"
	fi
	- name: Clear MCP configuration for detection
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	run: \|
	rm -f /tmp/gh-aw/mcp-config/mcp-servers.json
	rm -f /home/runner/.copilot/mcp-config.json
	rm -f "$GITHUB_WORKSPACE/.gemini/settings.json"
	- name: Prepare threat detection files
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	run: \|
	mkdir -p /tmp/gh-aw/threat-detection/aw-prompts
	cp /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt 2>/dev/null \|\| true
	cp /tmp/gh-aw/agent_output.json /tmp/gh-aw/threat-detection/agent_output.json 2>/dev/null \|\| true
	for f in /tmp/gh-aw/aw-*.patch; do
	[ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null \|\| true
	done
	echo "Prepared threat detection files:"
	ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null \|\| true
	- name: Setup threat detection
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	WORKFLOW_NAME: "Rebuild the documentation after making changes"
	WORKFLOW_DESCRIPTION: "Reviews and improves technical documentation based on provided topics"
	HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }}
	with:
	script: \|
	const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs');
	await main();
	- name: Ensure threat-detection directory and log
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	run: \|
	mkdir -p /tmp/gh-aw/threat-detection
	touch /tmp/gh-aw/threat-detection/detection.log
	- name: Execute GitHub Copilot CLI
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	id: detection_agentic_execution
	# Copilot CLI tool arguments (sorted):
	# --allow-tool shell(cat)
	# --allow-tool shell(grep)
	# --allow-tool shell(head)
	# --allow-tool shell(jq)
	# --allow-tool shell(ls)
	# --allow-tool shell(tail)
	# --allow-tool shell(wc)
	timeout-minutes: 20
	run: \|
	set -o pipefail
	touch /tmp/gh-aw/agent-step-summary.md
	# shellcheck disable=SC1003
	sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org,telemetry.enterprise.githubcopilot.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.24.1 --skip-pull --enable-api-proxy \
	-- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(jq)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(wc)'\'' --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 \| tee -a /tmp/gh-aw/threat-detection/detection.log
	env:
	COPILOT_AGENT_RUNNER_TYPE: STANDALONE
	COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
	COPILOT_MODEL: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT \|\| '' }}
	GH_AW_PHASE: detection
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_VERSION: dev
	GITHUB_API_URL: ${{ github.api_url }}
	GITHUB_AW: true
	GITHUB_HEAD_REF: ${{ github.head_ref }}
	GITHUB_REF_NAME: ${{ github.ref_name }}
	GITHUB_SERVER_URL: ${{ github.server_url }}
	GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md
	GITHUB_WORKSPACE: ${{ github.workspace }}
	GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com
	GIT_AUTHOR_NAME: github-actions[bot]
	GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
	GIT_COMMITTER_NAME: github-actions[bot]
	XDG_CONFIG_HOME: /home/runner
	- name: Parse threat detection results
	id: parse_detection_results
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	with:
	script: \|
	const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs');
	await main();
	- name: Upload threat detection log
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
	with:
	name: detection
	path: /tmp/gh-aw/threat-detection/detection.log
	if-no-files-found: ignore
	- name: Set detection conclusion
	id: detection_conclusion
	if: always()
	env:
	RUN_DETECTION: ${{ steps.detection_guard.outputs.run_detection }}
	DETECTION_SUCCESS: ${{ steps.parse_detection_results.outputs.success }}
	run: \|
	if [[ "$RUN_DETECTION" != "true" ]]; then
	echo "conclusion=skipped" >> "$GITHUB_OUTPUT"
	echo "success=true" >> "$GITHUB_OUTPUT"
	echo "Detection was not needed, marking as skipped"
	elif [[ "$DETECTION_SUCCESS" == "true" ]]; then
	echo "conclusion=success" >> "$GITHUB_OUTPUT"
	echo "success=true" >> "$GITHUB_OUTPUT"
	echo "Detection passed successfully"
	else
	echo "conclusion=failure" >> "$GITHUB_OUTPUT"
	echo "success=false" >> "$GITHUB_OUTPUT"
	echo "Detection found issues"
	fi

	conclusion:
	needs:
	- activation
	- agent
	- push_repo_memory
	- safe_outputs
	- update_cache_memory
	- upload_assets
	if: (always()) && (needs.agent.result != 'skipped')
	runs-on: ubuntu-slim
	permissions:
	contents: write
	discussions: write
	issues: write
	pull-requests: write
	concurrency:
	group: "gh-aw-conclusion-technical-doc-writer"
	cancel-in-progress: false
	env:
	GH_AW_HOME: ${{ env.GH_AW_HOME \|\| '/opt/gh-aw' }}
	outputs:
	noop_message: ${{ steps.noop.outputs.noop_message }}
	tools_reported: ${{ steps.missing_tool.outputs.tools_reported }}
	total_count: ${{ steps.missing_tool.outputs.total_count }}
	steps:
	- name: Checkout actions folder
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	repository: github/gh-aw
	sparse-checkout: \|
	actions
	persist-credentials: false
	- name: Setup Scripts
	uses: ./actions/setup
	with:
	destination: ${{ env.GH_AW_HOME }}/actions
	- name: Download agent output artifact
	id: download-agent-output
	continue-on-error: true
	uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	with:
	name: agent
	path: /tmp/gh-aw/
	- name: Setup agent output environment variable
	if: steps.download-agent-output.outcome == 'success'
	run: \|
	mkdir -p /tmp/gh-aw/
	find "/tmp/gh-aw/" -type f -print
	echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_ENV"
	- name: Process No-Op Messages
	id: noop
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
	GH_AW_NOOP_MAX: "1"
	GH_AW_WORKFLOW_NAME: "Rebuild the documentation after making changes"
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs');
	await main();
	- name: Record Missing Tool
	id: missing_tool
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
	GH_AW_WORKFLOW_NAME: "Rebuild the documentation after making changes"
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs');
	await main();
	- name: Handle Agent Failure
	id: handle_agent_failure
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
	GH_AW_WORKFLOW_NAME: "Rebuild the documentation after making changes"
	GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
	GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
	GH_AW_WORKFLOW_ID: "technical-doc-writer"
	GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }}
	GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }}
	GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }}
	GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }}
	GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }}
	GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📝 Documentation by [{workflow_name}]({run_url}){history_link}\",\"runStarted\":\"✍️ The Technical Writer begins! [{workflow_name}]({run_url}) is documenting this {event_type}...\",\"runSuccess\":\"📝 Documentation complete! [{workflow_name}]({run_url}) has written the docs. Clear as crystal! ✨\",\"runFailure\":\"✍️ Writer's block! [{workflow_name}]({run_url}) {status}. The page remains blank...\"}"
	GH_AW_PUSH_REPO_MEMORY_RESULT: ${{ needs.push_repo_memory.result }}
	GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }}
	GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }}
	GH_AW_REPO_MEMORY_PATCH_SIZE_EXCEEDED_default: ${{ needs.push_repo_memory.outputs.patch_size_exceeded_default }}
	GH_AW_GROUP_REPORTS: "false"
	GH_AW_FAILURE_REPORT_AS_ISSUE: "true"
	GH_AW_TIMEOUT_MINUTES: "10"
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs');
	await main();
	- name: Handle No-Op Message
	id: handle_noop_message
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
	GH_AW_WORKFLOW_NAME: "Rebuild the documentation after making changes"
	GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
	GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
	GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }}
	GH_AW_NOOP_REPORT_AS_ISSUE: "true"
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs');
	await main();
	- name: Handle Create Pull Request Error
	id: handle_create_pr_error
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
	GH_AW_WORKFLOW_NAME: "Rebuild the documentation after making changes"
	GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs');
	await main();

	push_repo_memory:
	needs: agent
	if: always() && needs.agent.outputs.detection_success == 'true'
	runs-on: ubuntu-latest
	permissions:
	contents: write
	concurrency:
	group: "push-repo-memory-${{ github.repository }}"
	cancel-in-progress: false
	env:
	GH_AW_HOME: ${{ env.GH_AW_HOME \|\| '/opt/gh-aw' }}
	outputs:
	patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }}
	validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }}
	validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }}
	steps:
	- name: Checkout actions folder
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	repository: github/gh-aw
	sparse-checkout: \|
	actions
	persist-credentials: false
	- name: Setup Scripts
	uses: ./actions/setup
	with:
	destination: ${{ env.GH_AW_HOME }}/actions
	- name: Checkout repository
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false
	sparse-checkout: .
	- name: Configure Git credentials
	env:
	REPO_NAME: ${{ github.repository }}
	SERVER_URL: ${{ github.server_url }}
	run: \|
	git config --global user.email "github-actions[bot]@users.noreply.github.com"
	git config --global user.name "github-actions[bot]"
	git config --global am.keepcr true
	# Re-authenticate git with GitHub token
	SERVER_URL_STRIPPED="${SERVER_URL#https://}"
	git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
	echo "Git configured with standard GitHub Actions identity"
	- name: Download wiki-memory artifact (default)
	uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	continue-on-error: true
	with:
	name: repo-memory-default
	path: /tmp/gh-aw/repo-memory/default
	- name: Push wiki-memory changes (default)
	id: push_repo_memory_default
	if: always()
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_TOKEN: ${{ github.token }}
	GITHUB_RUN_ID: ${{ github.run_id }}
	GITHUB_SERVER_URL: ${{ github.server_url }}
	ARTIFACT_DIR: /tmp/gh-aw/repo-memory/default
	MEMORY_ID: default
	TARGET_REPO: ${{ github.repository }}.wiki
	BRANCH_NAME: master
	REPO_MEMORY_ALLOWED_REPOS: ${{ github.repository }}.wiki
	MAX_FILE_SIZE: 10240
	MAX_FILE_COUNT: 100
	MAX_PATCH_SIZE: 10240
	ALLOWED_EXTENSIONS: '[]'
	with:
	script: \|
	const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs');
	await main();

	safe_outputs:
	needs:
	- activation
	- agent
	if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.agent.outputs.detection_success == 'true')
	runs-on: ubuntu-slim
	permissions:
	contents: write
	discussions: write
	issues: write
	pull-requests: write
	timeout-minutes: 15
	env:
	GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/technical-doc-writer"
	GH_AW_ENGINE_ID: "copilot"
	GH_AW_HOME: ${{ env.GH_AW_HOME \|\| '/opt/gh-aw' }}
	GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📝 Documentation by [{workflow_name}]({run_url}){history_link}\",\"runStarted\":\"✍️ The Technical Writer begins! [{workflow_name}]({run_url}) is documenting this {event_type}...\",\"runSuccess\":\"📝 Documentation complete! [{workflow_name}]({run_url}) has written the docs. Clear as crystal! ✨\",\"runFailure\":\"✍️ Writer's block! [{workflow_name}]({run_url}) {status}. The page remains blank...\"}"
	GH_AW_WORKFLOW_ID: "technical-doc-writer"
	GH_AW_WORKFLOW_NAME: "Rebuild the documentation after making changes"
	outputs:
	code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }}
	code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }}
	comment_id: ${{ steps.process_safe_outputs.outputs.comment_id }}
	comment_url: ${{ steps.process_safe_outputs.outputs.comment_url }}
	create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }}
	create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }}
	created_pr_number: ${{ steps.process_safe_outputs.outputs.created_pr_number }}
	created_pr_url: ${{ steps.process_safe_outputs.outputs.created_pr_url }}
	process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }}
	process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
	steps:
	- name: Checkout actions folder
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	repository: github/gh-aw
	sparse-checkout: \|
	actions
	persist-credentials: false
	- name: Setup Scripts
	uses: ./actions/setup
	with:
	destination: ${{ env.GH_AW_HOME }}/actions
	- name: Download agent output artifact
	id: download-agent-output
	continue-on-error: true
	uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	with:
	name: agent
	path: /tmp/gh-aw/
	- name: Setup agent output environment variable
	if: steps.download-agent-output.outcome == 'success'
	run: \|
	mkdir -p /tmp/gh-aw/
	find "/tmp/gh-aw/" -type f -print
	echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_ENV"
	- name: Download patch artifact
	continue-on-error: true
	uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	with:
	name: agent
	path: /tmp/gh-aw/
	- name: Checkout repository
	if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request'))
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	ref: ${{ github.base_ref \|\| github.event.pull_request.base.ref \|\| github.ref_name \|\| github.event.repository.default_branch }}
	token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	persist-credentials: false
	fetch-depth: 1
	- name: Configure Git credentials
	if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request'))
	env:
	REPO_NAME: ${{ github.repository }}
	SERVER_URL: ${{ github.server_url }}
	GIT_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	run: \|
	git config --global user.email "github-actions[bot]@users.noreply.github.com"
	git config --global user.name "github-actions[bot]"
	git config --global am.keepcr true
	# Re-authenticate git with GitHub token
	SERVER_URL_STRIPPED="${SERVER_URL#https://}"
	git remote set-url origin "https://x-access-token:${GIT_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
	echo "Git configured with standard GitHub Actions identity"
	- name: Process Safe Outputs
	id: process_safe_outputs
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
	GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
	GITHUB_SERVER_URL: ${{ github.server_url }}
	GITHUB_API_URL: ${{ github.api_url }}
	GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"create_pull_request\":{\"draft\":false,\"expires\":48,\"labels\":[\"documentation\"],\"max\":1,\"max_patch_size\":1024,\"protected_files\":[\"package.json\",\"bun.lockb\",\"bunfig.toml\",\"deno.json\",\"deno.jsonc\",\"deno.lock\",\"global.json\",\"NuGet.Config\",\"Directory.Packages.props\",\"mix.exs\",\"mix.lock\",\"go.mod\",\"go.sum\",\"stack.yaml\",\"stack.yaml.lock\",\"pom.xml\",\"build.gradle\",\"build.gradle.kts\",\"settings.gradle\",\"settings.gradle.kts\",\"gradle.properties\",\"package-lock.json\",\"yarn.lock\",\"pnpm-lock.yaml\",\"npm-shrinkwrap.json\",\"requirements.txt\",\"Pipfile\",\"Pipfile.lock\",\"pyproject.toml\",\"setup.py\",\"setup.cfg\",\"Gemfile\",\"Gemfile.lock\",\"uv.lock\",\"AGENTS.md\"],\"protected_path_prefixes\":[\".github/\",\".agents/\"],\"reviewers\":[\"copilot\"],\"title_prefix\":\"[docs] \"},\"missing_data\":{},\"missing_tool\":{}}"
	GH_AW_CI_TRIGGER_TOKEN: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN }}
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs');
	await main();
	- name: Upload Safe Output Items Manifest
	if: always()
	uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
	with:
	name: safe-output-items
	path: /tmp/safe-output-items.jsonl
	if-no-files-found: warn

	update_cache_memory:
	needs: agent
	if: always() && needs.agent.outputs.detection_success == 'true'
	runs-on: ubuntu-latest
	permissions:
	contents: read
	env:
	GH_AW_HOME: ${{ env.GH_AW_HOME \|\| '/opt/gh-aw' }}
	GH_AW_WORKFLOW_ID_SANITIZED: technicaldocwriter
	steps:
	- name: Checkout actions folder
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	repository: github/gh-aw
	sparse-checkout: \|
	actions
	persist-credentials: false
	- name: Setup Scripts
	uses: ./actions/setup
	with:
	destination: ${{ env.GH_AW_HOME }}/actions
	- name: Download cache-memory artifact (default)
	id: download_cache_default
	uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	continue-on-error: true
	with:
	name: cache-memory
	path: /tmp/gh-aw/cache-memory
	- name: Check if cache-memory folder has content (default)
	id: check_cache_default
	shell: bash
	run: \|
	if [ -d "/tmp/gh-aw/cache-memory" ] && [ "$(ls -A /tmp/gh-aw/cache-memory 2>/dev/null)" ]; then
	echo "has_content=true" >> "$GITHUB_OUTPUT"
	else
	echo "has_content=false" >> "$GITHUB_OUTPUT"
	fi
	- name: Save cache-memory to cache (default)
	if: steps.check_cache_default.outputs.has_content == 'true'
	uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
	with:
	key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }}
	path: /tmp/gh-aw/cache-memory

	upload_assets:
	needs: agent
	if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'upload_asset'))
	runs-on: ubuntu-slim
	permissions:
	contents: write
	timeout-minutes: 10
	outputs:
	branch_name: ${{ steps.upload_assets.outputs.branch_name }}
	published_count: ${{ steps.upload_assets.outputs.published_count }}
	steps:
	- name: Checkout actions folder
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	repository: github/gh-aw
	sparse-checkout: \|
	actions
	persist-credentials: false
	- name: Setup Scripts
	uses: ./actions/setup
	with:
	destination: ${{ env.GH_AW_HOME }}/actions
	- name: Checkout repository
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false
	fetch-depth: 0
	- name: Configure Git credentials
	env:
	REPO_NAME: ${{ github.repository }}
	SERVER_URL: ${{ github.server_url }}
	run: \|
	git config --global user.email "github-actions[bot]@users.noreply.github.com"
	git config --global user.name "github-actions[bot]"
	git config --global am.keepcr true
	# Re-authenticate git with GitHub token
	SERVER_URL_STRIPPED="${SERVER_URL#https://}"
	git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
	echo "Git configured with standard GitHub Actions identity"
	- name: Download assets
	continue-on-error: true
	uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	with:
	name: safe-outputs-assets
	path: /tmp/gh-aw/safeoutputs/assets/
	- name: List downloaded asset files
	continue-on-error: true
	run: \|
	echo "Downloaded asset files:"
	find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls
	- name: Download agent output artifact
	id: download-agent-output
	continue-on-error: true
	uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	with:
	name: agent
	path: /tmp/gh-aw/
	- name: Setup agent output environment variable
	if: steps.download-agent-output.outcome == 'success'
	run: \|
	mkdir -p /tmp/gh-aw/
	find "/tmp/gh-aw/" -type f -print
	echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_ENV"
	- name: Push assets
	id: upload_assets
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
	GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}"
	GH_AW_ASSETS_MAX_SIZE_KB: 10240
	GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg"
	GH_AW_WORKFLOW_NAME: "Rebuild the documentation after making changes"
	GH_AW_ENGINE_ID: "copilot"
	GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📝 Documentation by [{workflow_name}]({run_url}){history_link}\",\"runStarted\":\"✍️ The Technical Writer begins! [{workflow_name}]({run_url}) is documenting this {event_type}...\",\"runSuccess\":\"📝 Documentation complete! [{workflow_name}]({run_url}) has written the docs. Clear as crystal! ✨\",\"runFailure\":\"✍️ Writer's block! [{workflow_name}]({run_url}) {status}. The page remains blank...\"}"
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs');
	await main();

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

refactor: replace hardcoded /opt/gh-aw/ paths with GH_AW_HOME constants #90

Workflow file

refactor: replace hardcoded /opt/gh-aw/ paths with GH_AW_HOME constants #90

Uh oh!

Workflow file for this run

GitHub Actions / .github/workflows/technical-doc-writer.lock.yml