From feac63885201c27be6e21e9bb929db5fb385944c Mon Sep 17 00:00:00 2001 From: Jeff Handley Date: Wed, 24 Jun 2026 21:40:26 -0700 Subject: [PATCH 1/3] Require environment input to pat_pool shared workflow. Improve docs. --- .github/aw/actions-lock.json | 5 ++ .github/workflows/release-notes.lock.yml | 32 ++++++++++-- .github/workflows/release-notes.md | 43 ++++++++++------ .github/workflows/shared/pat_pool.README.md | 56 +++++++++++++++++---- .github/workflows/shared/pat_pool.md | 5 +- 5 files changed, 114 insertions(+), 27 deletions(-) diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json index aaf7a01a23..2ecec2fa05 100644 --- a/.github/aw/actions-lock.json +++ b/.github/aw/actions-lock.json @@ -30,6 +30,11 @@ "version": "v7.0.1", "sha": "043fb46d1a93c77aae656e7c1c64a875d1fc6a0a" }, + "github/gh-aw-actions/setup-cli@v0.79.8": { + "repo": "github/gh-aw-actions/setup-cli", + "version": "v0.79.8", + "sha": "c0338fef4749d08c21f8f975fb0e37efa17dda47" + }, "github/gh-aw-actions/setup@v0.79.8": { "repo": "github/gh-aw-actions/setup", "version": "v0.79.8", diff --git a/.github/workflows/release-notes.lock.yml b/.github/workflows/release-notes.lock.yml index daa5676b85..43f6fb5ded 100644 --- a/.github/workflows/release-notes.lock.yml +++ b/.github/workflows/release-notes.lock.yml 
@@ -1,4 +1,4 @@ -# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"b508791275fd1a83470275305feee0d4f8442ccbab2e69d1bec2a4262d985a82","body_hash":"94ea6be1d4f7f6ff89b084e3c7cbdc638e8a302ca73ffdc7e0f26cfc19d7b100","compiler_version":"v0.79.8","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.60"}} +# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"1ac50d05af8a41df548376b908a127e0d4d82d2589b558b9002a7d437249ef08","body_hash":"f32d23d2659eddb8f470fda77ea376ac9960c0aa39cb1ddb7ead8961d08ae888","compiler_version":"v0.79.8","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.60"}} # gh-aw-manifest: {"version":1,"secrets":["COPILOT_PAT_0","COPILOT_PAT_1","COPILOT_PAT_2","COPILOT_PAT_3","COPILOT_PAT_4","COPILOT_PAT_5","COPILOT_PAT_6","COPILOT_PAT_7","COPILOT_PAT_8","COPILOT_PAT_9","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"df4cb1c069e1874edd31b4311f1884172cec0e10","version":"v6.0.3"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-dotnet","sha":"9a946fdbd5fb07b82b2f5a4466058b876ab72bb2","version":"v5.3.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"c0338fef4749d08c21f8f975fb0e37efa17dda47","version":"v0.79.8"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.27.2","digest":"sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.27.2@sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2","d
igest":"sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2@sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.27.2","digest":"sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.27.2@sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.25","digest":"sha256:c10331ad17668ef89f38f5e356678788a40b0cd5fef96e8f92e1d9c1de47cbaa","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.25@sha256:c10331ad17668ef89f38f5e356678788a40b0cd5fef96e8f92e1d9c1de47cbaa"},{"image":"ghcr.io/github/github-mcp-server:v1.1.2","digest":"sha256:30197479d8036c7811892bc07e06f9a05c9ef3cdd79bc59f256d50647f95788c","pinned_image":"ghcr.io/github/github-mcp-server:v1.1.2@sha256:30197479d8036c7811892bc07e06f9a05c9ef3cdd79bc59f256d50647f95788c"}]} # This file was automatically generated by gh-aw (v0.79.8). DO NOT EDIT. To debug this workflow, load the skill at https://github.com/github/gh-aw/blob/main/debug.md # 
@@ -899,7 +899,20 @@ jobs: AWF_REFLECT_ENABLED: 1 COPILOT_AGENT_RUNNER_TYPE: STANDALONE COPILOT_DUMMY_BYOK: dummy-byok-key-for-offline-mode - COPILOT_GITHUB_TOKEN: ${{ case(needs.pat_pool.outputs.pat_number == '0', secrets.COPILOT_PAT_0, needs.pat_pool.outputs.pat_number == '1', secrets.COPILOT_PAT_1, needs.pat_pool.outputs.pat_number == '2', secrets.COPILOT_PAT_2, needs.pat_pool.outputs.pat_number == '3', secrets.COPILOT_PAT_3, needs.pat_pool.outputs.pat_number == '4', secrets.COPILOT_PAT_4, needs.pat_pool.outputs.pat_number == '5', secrets.COPILOT_PAT_5, needs.pat_pool.outputs.pat_number == '6', secrets.COPILOT_PAT_6, needs.pat_pool.outputs.pat_number == '7', secrets.COPILOT_PAT_7, needs.pat_pool.outputs.pat_number == '8', secrets.COPILOT_PAT_8, needs.pat_pool.outputs.pat_number == '9', secrets.COPILOT_PAT_9, 'NO COPILOT PAT AVAILABLE') }} + COPILOT_GITHUB_TOKEN: | + ${{ case( + needs.pat_pool.outputs.pat_number == '0', secrets.COPILOT_PAT_0, + needs.pat_pool.outputs.pat_number == '1', secrets.COPILOT_PAT_1, + needs.pat_pool.outputs.pat_number == '2', secrets.COPILOT_PAT_2, + needs.pat_pool.outputs.pat_number == '3', secrets.COPILOT_PAT_3, + needs.pat_pool.outputs.pat_number == '4', secrets.COPILOT_PAT_4, + needs.pat_pool.outputs.pat_number == '5', secrets.COPILOT_PAT_5, + needs.pat_pool.outputs.pat_number == '6', secrets.COPILOT_PAT_6, + needs.pat_pool.outputs.pat_number == '7', secrets.COPILOT_PAT_7, + needs.pat_pool.outputs.pat_number == '8', secrets.COPILOT_PAT_8, + needs.pat_pool.outputs.pat_number == '9', secrets.COPILOT_PAT_9, + 'NO COPILOT PAT AVAILABLE') + }} COPILOT_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || vars.GH_AW_DEFAULT_MODEL_COPILOT || 'claude-sonnet-4.6' }} GH_AW_MAX_TURNS: ${{ vars.GH_AW_DEFAULT_MAX_TURNS || '' }} GH_AW_PHASE: agent 
@@ -1457,7 +1470,20 @@ jobs: AWF_REFLECT_ENABLED: 1 COPILOT_AGENT_RUNNER_TYPE: STANDALONE COPILOT_DUMMY_BYOK: dummy-byok-key-for-offline-mode - COPILOT_GITHUB_TOKEN: ${{ case(needs.pat_pool.outputs.pat_number == '0', secrets.COPILOT_PAT_0, needs.pat_pool.outputs.pat_number == '1', secrets.COPILOT_PAT_1, needs.pat_pool.outputs.pat_number == '2', secrets.COPILOT_PAT_2, needs.pat_pool.outputs.pat_number == '3', secrets.COPILOT_PAT_3, needs.pat_pool.outputs.pat_number == '4', secrets.COPILOT_PAT_4, needs.pat_pool.outputs.pat_number == '5', secrets.COPILOT_PAT_5, needs.pat_pool.outputs.pat_number == '6', secrets.COPILOT_PAT_6, needs.pat_pool.outputs.pat_number == '7', secrets.COPILOT_PAT_7, needs.pat_pool.outputs.pat_number == '8', secrets.COPILOT_PAT_8, needs.pat_pool.outputs.pat_number == '9', secrets.COPILOT_PAT_9, 'NO COPILOT PAT AVAILABLE') }} + COPILOT_GITHUB_TOKEN: | + ${{ case( + needs.pat_pool.outputs.pat_number == '0', secrets.COPILOT_PAT_0, + needs.pat_pool.outputs.pat_number == '1', secrets.COPILOT_PAT_1, + needs.pat_pool.outputs.pat_number == '2', secrets.COPILOT_PAT_2, + needs.pat_pool.outputs.pat_number == '3', secrets.COPILOT_PAT_3, + needs.pat_pool.outputs.pat_number == '4', secrets.COPILOT_PAT_4, + needs.pat_pool.outputs.pat_number == '5', secrets.COPILOT_PAT_5, + needs.pat_pool.outputs.pat_number == '6', secrets.COPILOT_PAT_6, + needs.pat_pool.outputs.pat_number == '7', secrets.COPILOT_PAT_7, + needs.pat_pool.outputs.pat_number == '8', secrets.COPILOT_PAT_8, + needs.pat_pool.outputs.pat_number == '9', secrets.COPILOT_PAT_9, + 'NO COPILOT PAT AVAILABLE') + }} COPILOT_MODEL: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || vars.GH_AW_DEFAULT_MODEL_COPILOT || 'claude-sonnet-4.6' }} GH_AW_MAX_TURNS: ${{ vars.GH_AW_DEFAULT_MAX_TURNS || '' }} GH_AW_PHASE: detection diff --git a/.github/workflows/release-notes.md b/.github/workflows/release-notes.md index 2f92b34329..ff0c774b30 100644 --- a/.github/workflows/release-notes.md +++ b/.github/workflows/release-notes.md 
@@ -20,8 +20,8 @@ safe-outputs:
 draft: true
 max: 5
 push-to-pull-request-branch:
- title-prefix: "[release-notes] "
- labels: [area-release-notes, automation]
+ required-title-prefix: "[release-notes] "
+ required-labels: [area-release-notes, automation]
 max: 5
 add-comment:
 max: 20
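Review bot: The rename of `title-prefix`/`labels` to `required-title-prefix`/`required-labels` under `push-to-pull-request-branch` changes the guard on which pull requests the agent may push to, yet the commit message does not mention it. The compiled `release-notes.lock.yml` hunks in this patch show only the metadata hash and the `COPILOT_GITHUB_TOKEN` layout changing. If the compiler ignores keys it does not recognise, the restriction would disappear without any error, so it is worth confirming that the compiled safe-outputs config still carries both constraints and noting the rename in the description. A short comment above the keys, such as `# push only to PRs with the "[release-notes] " title prefix and these labels`, would record the intent. The `safe-outputs` block starts and ends outside this hunk.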
@@ -47,21 +47,36 @@ on: type: string # ############################################################### -# Override COPILOT_GITHUB_TOKEN with a random PAT from the pool. -# Ensure this agentic jobs run from the isolated -# `copilot-pat-pool` environment where the PAT pool is available. -# This stop-gap will be removed when org billing is available. -# See: .github/workflows/shared/pat_pool.README.md for more info. +# Select a PAT from the pool and override COPILOT_GITHUB_TOKEN. +# Run agentic jobs in an isolated `copilot-pat-pool` environment. +# +# When org-level billing is available, this will be removed. +# See `shared/pat_pool.README.md` for more information. # ############################################################### imports: - - shared/pat_pool.md + - uses: shared/pat_pool.md + with: + environment: copilot-pat-pool environment: copilot-pat-pool engine: id: copilot env: - COPILOT_GITHUB_TOKEN: ${{ case(needs.pat_pool.outputs.pat_number == '0', secrets.COPILOT_PAT_0, needs.pat_pool.outputs.pat_number == '1', secrets.COPILOT_PAT_1, needs.pat_pool.outputs.pat_number == '2', secrets.COPILOT_PAT_2, needs.pat_pool.outputs.pat_number == '3', secrets.COPILOT_PAT_3, needs.pat_pool.outputs.pat_number == '4', secrets.COPILOT_PAT_4, needs.pat_pool.outputs.pat_number == '5', secrets.COPILOT_PAT_5, needs.pat_pool.outputs.pat_number == '6', secrets.COPILOT_PAT_6, needs.pat_pool.outputs.pat_number == '7', secrets.COPILOT_PAT_7, needs.pat_pool.outputs.pat_number == '8', secrets.COPILOT_PAT_8, needs.pat_pool.outputs.pat_number == '9', secrets.COPILOT_PAT_9, 'NO COPILOT PAT AVAILABLE') }} + COPILOT_GITHUB_TOKEN: | + ${{ case( + needs.pat_pool.outputs.pat_number == '0', secrets.COPILOT_PAT_0, + needs.pat_pool.outputs.pat_number == '1', secrets.COPILOT_PAT_1, + needs.pat_pool.outputs.pat_number == '2', secrets.COPILOT_PAT_2, + needs.pat_pool.outputs.pat_number == '3', secrets.COPILOT_PAT_3, + needs.pat_pool.outputs.pat_number == '4', secrets.COPILOT_PAT_4, + 
needs.pat_pool.outputs.pat_number == '5', secrets.COPILOT_PAT_5, + needs.pat_pool.outputs.pat_number == '6', secrets.COPILOT_PAT_6, + needs.pat_pool.outputs.pat_number == '7', secrets.COPILOT_PAT_7, + needs.pat_pool.outputs.pat_number == '8', secrets.COPILOT_PAT_8, + needs.pat_pool.outputs.pat_number == '9', secrets.COPILOT_PAT_9, + 'NO COPILOT PAT AVAILABLE') + }} --- # Write Release Notes @@ -126,8 +141,8 @@ The shipped preview number is the **floor**. Everything above it may need work. #### b. What's building on main (VMR) ```bash -git clone --filter=blob:none https://github.com/dotnet/dotnet /tmp/dotnet -git -C /tmp/dotnet show main:eng/Versions.props | grep -E 'PreReleaseVersionLabel|PreReleaseVersionIteration' +git clone --filter=blob:none https://github.com/dotnet/dotnet /tmp/gh-aw/agent/dotnet +git -C /tmp/gh-aw/agent/dotnet show main:eng/Versions.props | grep -E 'PreReleaseVersionLabel|PreReleaseVersionIteration' ``` This tells you the milestone `main` is building (e.g., iteration `5`). @@ -136,10 +151,10 @@ This tells you the milestone `main` is building (e.g., iteration `5`). ```bash # Tags — each represents a shipped or finalized milestone -git -C /tmp/dotnet tag -l 'v11.0.0-preview.*' --sort=-v:refname +git -C /tmp/gh-aw/agent/dotnet tag -l 'v11.0.0-preview.*' --sort=-v:refname # Release branches — each represents an in-flight milestone being stabilized -git -C /tmp/dotnet branch -r -l 'origin/release/11.0.1xx-preview*' +git -C /tmp/gh-aw/agent/dotnet branch -r -l 'origin/release/11.0.1xx-preview*' ``` #### d. Build the milestone list @@ -175,7 +190,7 @@ Always regenerate — the content may have changed since the previous run. ```bash mkdir -p release-notes/11.0/preview/preview4 -release-notes generate changes /tmp/dotnet \ +release-notes generate changes /tmp/gh-aw/agent/dotnet \ --base v11.0.0-preview.3.26210.100 \ --head main \ --version "11.0.0-preview.4" \ 
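Review bot: In the `engine.env` block of `release-notes.md`, `COPILOT_GITHUB_TOKEN: |` is a literal block scalar, so the evaluated value most likely ends with a newline that the previous single-line form did not have. The token (or the `'NO COPILOT PAT AVAILABLE'` sentinel) would then reach the agent as `<PAT>\n`. Unless the consumer trims it, authentication can fail in a way that is hard to diagnose because the secret is masked in logs. The strip indicator, `COPILOT_GITHUB_TOKEN: |-`, keeps the multi-line layout without the trailing newline; the same applies to the README example and, after recompiling, to the agent and detection job copies in `release-notes.lock.yml`. The frontmatter starts outside this hunk.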
diff --git a/.github/workflows/shared/pat_pool.README.md b/.github/workflows/shared/pat_pool.README.md index 3627a0c8f8..798892e9a4 100644 --- a/.github/workflows/shared/pat_pool.README.md +++ b/.github/workflows/shared/pat_pool.README.md @@ -2,7 +2,7 @@ Selects a random Copilot PAT from a numbered pool of secrets. This addresses limitations that arise from having a single PAT shared across all agentic workflows, such as rate-limiting. -**This is a stop-gap workaround.** As soon as organization/enterprise billing is offered for agentic workflows, this approach will be removed from our workflows. +**This is a stop-gap workaround.** As soon as organization/enterprise billing is available to the dotnet org, this approach will be removed from our workflows. ## Repository Onboarding @@ -19,9 +19,19 @@ gh extension install github/gh-aw --force gh aw --version ``` +### Environment + +Create an environment for the agentic workflows: + - _Configuring these settings requires repo admin permission_ + - https://github.com/dotnet/{repo}/settings/environments + - Recommended Name: **copilot-pat-pool** + - Recommended Deployment branches and tags: **Protected branches only** + +This environment is used for all agentic workflows, restricting agentic workflows to the repo's protected branches and preventing the workflows from accessing secrets defined for other environments. + ## PAT Management -Team members provide PATs into the pools for the repository by adding them as repository secrets with secret names matching the pattern of `_<0-9>`, such as `COPILOT_PAT_0`. +Team members provide PATs into the pool with secret names matching the pattern of `{pool-name}_{0-9}`, such as `COPILOT_PAT_0`. [Use this link to prefill the PAT creation form with the required settings][create-pat]: 
@@ -32,12 +42,30 @@ Team members provide PATs into the pools for the repository by adding them as re The **Token Name** _does not_ need to match the secret name and is only visible to the owner of the PAT. It's recommended to use a token name indicating the PAT is used for dotnet org agentic workflows. The **Description** is also only used for your own reference. -Team members providing PATs for workflows should set weekly recurring reminders to regenerate and update their PATs in the repository secrets. With an 8-day expiration, renewal can be done on the same day each week. +Team members providing PATs for workflows should set weekly recurring reminders to regenerate and update their PATs in the PAT pool. With an 8-day expiration, renewal can be done on the same day each week. + +## PAT Pool Secrets -PATs are added to repositories through the **Settings > Secrets and variables > Actions** UI, saved as **Repository secrets** and matching the `_<0-9>` naming convention. This can also be done using the GitHub CLI. +For a PAT pool that is specific to an environment, PATs can be added to repositories as **Environment Secrets** for the environment created above. _This requires repo admin permission_. + +* **Settings** > + * **Environments** > + * **copilot-pat-pool** (or other environment name) > + * **Add environment secret** (or edit your existing secret) + * Enter your secret name of `COPILOT_PAT_{0-9}` and paste in your PAT + +This can also be accomplished using the `gh` CLI, specifying the repo and environment arguments. ```sh -gh aw secrets set "_<0-9>" --value "" --repo / +# Register the PAT secret. This will prompt for you to paste the PAT. +gh secret set "_<0-9>" --repo / --env "copilot-pat-pool" +``` + +It's also helpful to record who owns each PAT within the pool. To capture which team member is associated with each PAT, a `_<0-9>_` "sidecar secret" can be added alongside the PAT secret to make the username for the PAT pool entry visible. 
This sidecar secret must have a non-empty value, but it's never consumed, so any value is sufficient. + +```sh +# Record a sidecar secret that presents who owns this PAT. +gh secret set "_<0-9>_" --body "" --repo / --env "copilot-pat-pool" ``` ## Workflow Output Attribution @@ -51,11 +79,17 @@ The [`pat_pool.md`](./pat_pool.md) workflow import defines a custom job with a ` ```yml # ############################################################### # Select a PAT from the pool and override COPILOT_GITHUB_TOKEN. +# Run agentic jobs in an isolated `copilot-pat-pool` environment. +# # When org-level billing is available, this will be removed. # See `shared/pat_pool.README.md` for more information. # ############################################################### imports: - - shared/pat_pool.md + - uses: shared/pat_pool.md + with: + environment: copilot-pat-pool + +environment: copilot-pat-pool engine: id: copilot 
@@ -72,16 +106,20 @@ engine: needs.pat_pool.outputs.pat_number == '7', secrets.COPILOT_PAT_7, needs.pat_pool.outputs.pat_number == '8', secrets.COPILOT_PAT_8, needs.pat_pool.outputs.pat_number == '9', secrets.COPILOT_PAT_9, - secrets.COPILOT_GITHUB_TOKEN) + 'NO COPILOT PAT AVAILABLE') }} ``` -The expression can be collapsed onto a single line if desired. `gh-aw compile` automatically wires `pat_pool` into the activation and agent jobs' `needs:` graph because of the `needs.pat_pool.` references within the `engine.env` property. +The `COPILOT_GITHUB_TOKEN` expression can be collapsed onto a single line if desired. `gh-aw compile` automatically wires `pat_pool` into the activation and agent jobs' `needs:` graph because of the `needs.pat_pool.` references within the `engine.env` property. ```sh gh aw compile --schedule-seed / ``` +### Specifying the environment + +The `environment` must be specified both to the `pat_pool.md` import and to the containing workflow to ensure both jobs access the PAT pool from the same environment. The `copilot-pat-pool` environment name is recommended as the isolated environment for agentic workflows that use the PAT pool. + ### Customizing the pool The import declares 10 optional inputs (`COPILOT_PAT_0` through `COPILOT_PAT_9`), each defaulting to `secrets.COPILOT_PAT_#` of the matching number. To point a workflow at a different pool of repository secrets, use the parameterized `uses`/`with` form when importing and pass the substitute secrets as the `COPILOT_PAT_#` inputs: 
@@ -101,7 +139,7 @@ The secrets passed via `with:` must match the secrets referenced in the consumin engine: id: copilot env: - COPILOT_GITHUB_TOKEN: ${{ case(needs.pat_pool.outputs.pat_number == '0', secrets.MY_TEAM_PAT_0, needs.pat_pool.outputs.pat_number == '1', secrets.MY_TEAM_PAT_1, ..., secrets.COPILOT_GITHUB_TOKEN) }} + COPILOT_GITHUB_TOKEN: ${{ case(needs.pat_pool.outputs.pat_number == '0', secrets.MY_TEAM_PAT_0, needs.pat_pool.outputs.pat_number == '1', secrets.MY_TEAM_PAT_1, ..., 'NO COPILOT PAT AVAILABLE') }} ``` This approach aligns with GitHub's documented guidance for [passing secrets][passing-secrets] between workflows, where the `pat_pool` job returns a PAT number and the `case` statement acts as a secret store to look the PAT secret up based on the selected number. diff --git a/.github/workflows/shared/pat_pool.md b/.github/workflows/shared/pat_pool.md index 855e7badda..429151d3e9 100644 --- a/.github/workflows/shared/pat_pool.md +++ b/.github/workflows/shared/pat_pool.md @@ -3,7 +3,7 @@ description: Agentic workflow import to integrate the Copilot PAT Pool jobs: pat_pool: - environment: copilot-pat-pool + environment: ${{ github.aw.import-inputs.environment }} needs: [pre_activation] runs-on: ubuntu-slim outputs: @@ -69,6 +69,9 @@ jobs: echo "copilot_pat_number=${PAT_NUMBER}" >> "$GITHUB_OUTPUT" import-schema: + environment: + type: string + required: true COPILOT_PAT_0: type: string required: false From e9cc69050ca7c930fc53b9629775bc9dd883dc50 Mon Sep 17 00:00:00 2001 From: Jeff Handley Date: Thu, 25 Jun 2026 01:58:00 -0700 Subject: [PATCH 2/3] Fix lint errors --- .github/workflows/release-notes.lock.yml | 2 +- .github/workflows/release-notes.md | 2 +- .github/workflows/shared/pat_pool.README.md | 20 ++++++++++---------- .github/workflows/validate-pat-pool.yml | 20 ++++++++++---------- 4 files changed, 22 insertions(+), 22 deletions(-) 
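Review bot: In `pat_pool.md`, `environment: ${{ github.aw.import-inputs.environment }}` now takes whatever name the importer passes, and nothing visible here ties it to the importing workflow's own top-level `environment:`, although the README says the two must match. A typo in either place would send the `pat_pool` job to a different environment; as far as I know GitHub creates a referenced environment that does not yet exist, with no protection rules or secrets, so the job would presumably run without the branch restriction and without the environment's PAT secrets. I would document the contract on the new `import-schema` entry in the second hunk, e.g. `# Must equal the importing workflow's top-level environment; it holds the COPILOT_PAT_# secrets`, and have the selection script fail when no pool secret is populated, if it does not already. The job body and the selection script lie outside both hunks.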
diff --git a/.github/workflows/release-notes.lock.yml b/.github/workflows/release-notes.lock.yml index 43f6fb5ded..0b11f5f703 100644 --- a/.github/workflows/release-notes.lock.yml +++ b/.github/workflows/release-notes.lock.yml 
@@ -1,4 +1,4 @@ -# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"1ac50d05af8a41df548376b908a127e0d4d82d2589b558b9002a7d437249ef08","body_hash":"f32d23d2659eddb8f470fda77ea376ac9960c0aa39cb1ddb7ead8961d08ae888","compiler_version":"v0.79.8","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.60"}} +# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"61f2355f64e623c5c0b953e2ae8ed5e85bd0f5914616aa8fba88162d3b1e7b35","body_hash":"f32d23d2659eddb8f470fda77ea376ac9960c0aa39cb1ddb7ead8961d08ae888","compiler_version":"v0.79.8","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.60"}} # gh-aw-manifest: {"version":1,"secrets":["COPILOT_PAT_0","COPILOT_PAT_1","COPILOT_PAT_2","COPILOT_PAT_3","COPILOT_PAT_4","COPILOT_PAT_5","COPILOT_PAT_6","COPILOT_PAT_7","COPILOT_PAT_8","COPILOT_PAT_9","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"df4cb1c069e1874edd31b4311f1884172cec0e10","version":"v6.0.3"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-dotnet","sha":"9a946fdbd5fb07b82b2f5a4466058b876ab72bb2","version":"v5.3.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"c0338fef4749d08c21f8f975fb0e37efa17dda47","version":"v0.79.8"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.27.2","digest":"sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.27.2@sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2","d
igest":"sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2@sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.27.2","digest":"sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.27.2@sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.25","digest":"sha256:c10331ad17668ef89f38f5e356678788a40b0cd5fef96e8f92e1d9c1de47cbaa","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.25@sha256:c10331ad17668ef89f38f5e356678788a40b0cd5fef96e8f92e1d9c1de47cbaa"},{"image":"ghcr.io/github/github-mcp-server:v1.1.2","digest":"sha256:30197479d8036c7811892bc07e06f9a05c9ef3cdd79bc59f256d50647f95788c","pinned_image":"ghcr.io/github/github-mcp-server:v1.1.2@sha256:30197479d8036c7811892bc07e06f9a05c9ef3cdd79bc59f256d50647f95788c"}]} # This file was automatically generated by gh-aw (v0.79.8). DO NOT EDIT. To debug this workflow, load the skill at https://github.com/github/gh-aw/blob/main/debug.md # diff --git a/.github/workflows/release-notes.md b/.github/workflows/release-notes.md index ff0c774b30..c33ea6ad05 100644 --- a/.github/workflows/release-notes.md +++ b/.github/workflows/release-notes.md @@ -63,7 +63,7 @@ environment: copilot-pat-pool engine: id: copilot env: - COPILOT_GITHUB_TOKEN: | + COPILOT_GITHUB_TOKEN: | ${{ case( needs.pat_pool.outputs.pat_number == '0', secrets.COPILOT_PAT_0, needs.pat_pool.outputs.pat_number == '1', secrets.COPILOT_PAT_1, diff --git a/.github/workflows/shared/pat_pool.README.md b/.github/workflows/shared/pat_pool.README.md index 798892e9a4..c7968401c2 100644 --- a/.github/workflows/shared/pat_pool.README.md +++ b/.github/workflows/shared/pat_pool.README.md 
@@ -22,10 +22,10 @@ gh aw --version ### Environment Create an environment for the agentic workflows: - - _Configuring these settings requires repo admin permission_ - - https://github.com/dotnet/{repo}/settings/environments - - Recommended Name: **copilot-pat-pool** - - Recommended Deployment branches and tags: **Protected branches only** +- _Configuring these settings requires repo admin permission_ +- `https://github.com/dotnet/{repo}/settings/environments` +- Recommended Name: **copilot-pat-pool** +- Recommended Deployment branches and tags: **Protected branches only** This environment is used for all agentic workflows, restricting agentic workflows to the repo's protected branches and preventing the workflows from accessing secrets defined for other environments. @@ -48,11 +48,11 @@ Team members providing PATs for workflows should set weekly recurring reminders For a PAT pool that is specific to an environment, PATs can be added to repositories as **Environment Secrets** for the environment created above. _This requires repo admin permission_. -* **Settings** > - * **Environments** > - * **copilot-pat-pool** (or other environment name) > - * **Add environment secret** (or edit your existing secret) - * Enter your secret name of `COPILOT_PAT_{0-9}` and paste in your PAT +- **Settings** > + - **Environments** > + - **copilot-pat-pool** (or other environment name) > + - **Add environment secret** (or edit your existing secret) + - Enter your secret name of `COPILOT_PAT_{0-9}` and paste in your PAT This can also be accomplished using the `gh` CLI, specifying the repo and environment arguments. @@ -94,7 +94,7 @@ environment: copilot-pat-pool engine: id: copilot env: - COPILOT_GITHUB_TOKEN: | + COPILOT_GITHUB_TOKEN: | ${{ case( needs.pat_pool.outputs.pat_number == '0', secrets.COPILOT_PAT_0, needs.pat_pool.outputs.pat_number == '1', secrets.COPILOT_PAT_1, 
diff --git a/.github/workflows/validate-pat-pool.yml b/.github/workflows/validate-pat-pool.yml index 7eb8268a9d..2a506b3ec9 100644 --- a/.github/workflows/validate-pat-pool.yml +++ b/.github/workflows/validate-pat-pool.yml @@ -40,7 +40,7 @@ jobs: id: pat0 continue-on-error: true env: - COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT_0 }} + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT_0 }} shell: bash run: | # copilot --prompt "Say OK" @@ -50,7 +50,7 @@ jobs: id: pat1 continue-on-error: true env: - COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT_1 }} + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT_1 }} shell: bash run: | # copilot --prompt "Say OK" @@ -60,7 +60,7 @@ jobs: id: pat2 continue-on-error: true env: - COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT_2 }} + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT_2 }} shell: bash run: | # copilot --prompt "Say OK" @@ -70,7 +70,7 @@ jobs: id: pat3 continue-on-error: true env: - COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT_3 }} + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT_3 }} shell: bash run: | # copilot --prompt "Say OK" @@ -80,7 +80,7 @@ jobs: id: pat4 continue-on-error: true env: - COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT_4 }} + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT_4 }} shell: bash run: | # copilot --prompt "Say OK" @@ -90,7 +90,7 @@ jobs: id: pat5 continue-on-error: true env: - COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT_5 }} + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT_5 }} shell: bash run: | # copilot --prompt "Say OK" @@ -100,7 +100,7 @@ jobs: id: pat6 continue-on-error: true env: - COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT_6 }} + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT_6 }} shell: bash run: | # copilot --prompt "Say OK" @@ -110,7 +110,7 @@ jobs: id: pat7 continue-on-error: true env: - COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT_7 }} + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT_7 }} shell: bash run: | # copilot --prompt "Say OK" 
@@ -120,7 +120,7 @@ jobs: id: pat8 continue-on-error: true env: - COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT_8 }} + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT_8 }} shell: bash run: | # copilot --prompt "Say OK" @@ -130,7 +130,7 @@ jobs: id: pat9 continue-on-error: true env: - COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT_9 }} + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT_9 }} shell: bash run: | # copilot --prompt "Say OK" From 39d5d9113b8820889a027a9da03f615becf0477c Mon Sep 17 00:00:00 2001 From: Jeff Handley Date: Thu, 25 Jun 2026 23:10:13 -0700 Subject: [PATCH 3/3] Fix markdown lint errors --- .github/workflows/shared/pat_pool.README.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/shared/pat_pool.README.md b/.github/workflows/shared/pat_pool.README.md index c7968401c2..14403ce399 100644 --- a/.github/workflows/shared/pat_pool.README.md +++ b/.github/workflows/shared/pat_pool.README.md @@ -22,6 +22,7 @@ gh aw --version ### Environment Create an environment for the agentic workflows: + - _Configuring these settings requires repo admin permission_ - `https://github.com/dotnet/{repo}/settings/environments` - Recommended Name: **copilot-pat-pool** 
@@ -49,10 +50,10 @@ Team members providing PATs for workflows should set weekly recurring reminders For a PAT pool that is specific to an environment, PATs can be added to repositories as **Environment Secrets** for the environment created above. _This requires repo admin permission_. - **Settings** > - - **Environments** > - - **copilot-pat-pool** (or other environment name) > - - **Add environment secret** (or edit your existing secret) - - Enter your secret name of `COPILOT_PAT_{0-9}` and paste in your PAT + - **Environments** > + - **copilot-pat-pool** (or other environment name) > + - **Add environment secret** (or edit your existing secret) + - Enter your secret name of `COPILOT_PAT_{0-9}` and paste in your PAT This can also be accomplished using the `gh` CLI, specifying the repo and environment arguments.