From 3feaa53abcbea4a4081c2fe30e16a6cf5dff1b46 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 19 Jun 2026 08:55:56 +0000 Subject: [PATCH 1/3] Initial plan From aa36066b757f8bfdeba478ea2e9d2dcb2e1b5871 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 19 Jun 2026 08:58:28 +0000 Subject: [PATCH 2/3] Expose apm-version as import input on shared/apm.md Co-authored-by: danielmeppiel <51440732+danielmeppiel@users.noreply.github.com> --- .github/workflows/shared/apm.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/.github/workflows/shared/apm.md b/.github/workflows/shared/apm.md index 9e3a18256..e48de0922 100644 --- a/.github/workflows/shared/apm.md +++ b/.github/workflows/shared/apm.md @@ -66,6 +66,16 @@ # target: copilot # packages: # - microsoft/apm-sample-package +# +# 5. Pin a specific apm CLI version (newer than the action's default): +# +# imports: +# - uses: shared/apm.md +# with: +# apm-version: '0.20.0' +# target: copilot +# packages: +# - microsoft/apm-sample-package import-schema: packages: @@ -158,6 +168,16 @@ import-schema: so any apm.yml in the consumer repo is intentionally ignored -- this input is the sole target signal. + # apm CLI version (overrides apm-action's pinned default) + apm-version: + type: string + required: false + description: > + apm CLI version for apm-action to install (e.g. '0.20.0'). Omit to use + the action's pinned default. Pin explicitly for reproducibility. Applied + to both the Pack and Restore apm-action steps so the CLI version cannot + skew between packing and restoring. + jobs: apm-prep: runs-on: ubuntu-slim 
@@ -370,6 +390,7 @@ jobs: env: GITHUB_TOKEN: ${{ steps.token.outputs.token || secrets.GH_AW_PLUGINS_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} with: + apm-version: ${{ github.aw.import-inputs.apm-version }} dependencies: ${{ steps.list.outputs.deps }} isolated: 'true' pack: 'true' @@ -450,6 +471,7 @@ steps: - name: Restore APM packages (all bundles) uses: microsoft/apm-action@v1.7.2 with: + apm-version: ${{ github.aw.import-inputs.apm-version }} bundles-file: /tmp/gh-aw/apm-bundle-list.txt --- From 4fab484dd1088a454a6d180bd11f0188d8cf021c Mon Sep 17 00:00:00 2001 
From: danielmeppiel Date: Thu, 25 Jun 2026 08:05:28 +0200 Subject: [PATCH 3/3] Guard apm-version import default; fold panel + Copilot follow-ups The empty-string pass-through was the blocking finding from both the Copilot inline review and the APM review panel: when a consumer omits apm-version, gh-aw left `${{ github.aw.import-inputs.apm-version }}` verbatim in the lock, which evaluates to '' at runtime, and microsoft/apm-action resolves '' || 'latest' -- floating every non-opting consumer to the newest CLI, the opposite of the PR's stated "falls through to the action's pinned default" guarantee. Fix: give the import-schema apm-version input a `default` that mirrors the pinned action's apm-version default (0.12.4). gh-aw substitutes the schema default at compile time for omitting consumers, so an empty string is never forwarded and reproducibility is preserved. Verified by recompiling all three consumers (docs-sync, pr-review-panel, triage-panel), which now render `apm-version: 0.12.4` -- behaviourally identical to the prior implicit action default, but explicit and pinned. Also folds the remaining non-blocking panel follow-ups: - Reworded the misleading header comment ("newer than the action's default" -> "overrides the action's built-in default"). - Documented the accepted version format (bare semver; 'latest' floats; omit for the pinned default) in the schema description. - Added a CHANGELOG [Unreleased] entry and a consumer-facing section in docs/integrations/gh-aw.md so the input is discoverable. - Regenerated the three consumer .lock.yml artifacts the original PR left stale. 
addresses APM review panel follow-ups FU-1..FU-4 and Copilot inline on .github/workflows/shared/apm.md pack/restore steps Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/docs-sync.lock.yml | 2 ++ .github/workflows/pr-review-panel.lock.yml | 2 ++ .github/workflows/shared/apm.md | 18 +++++++++++++----- .github/workflows/triage-panel.lock.yml | 2 ++ CHANGELOG.md | 1 + docs/src/content/docs/integrations/gh-aw.md | 15 +++++++++++++++ 6 files changed, 35 insertions(+), 5 deletions(-) diff --git a/.github/workflows/docs-sync.lock.yml b/.github/workflows/docs-sync.lock.yml index 89bb8e03d..f120ebdef 100644 --- a/.github/workflows/docs-sync.lock.yml +++ b/.github/workflows/docs-sync.lock.yml @@ -449,6 +449,7 @@ jobs: - name: Restore APM packages (all bundles) uses: microsoft/apm-action@b48dd081eb0050f6d7f32d0e7caa0a59a2d419fd # v1.7.2 with: + apm-version: 0.12.4 bundles-file: /tmp/gh-aw/apm-bundle-list.txt - name: Checkout PR branch @@ -1089,6 +1090,7 @@ jobs: env: GITHUB_TOKEN: ${{ steps.token.outputs.token || secrets.GH_AW_PLUGINS_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} with: + apm-version: 0.12.4 archive: "true" dependencies: ${{ steps.list.outputs.deps }} isolated: "true" diff --git a/.github/workflows/pr-review-panel.lock.yml b/.github/workflows/pr-review-panel.lock.yml index 943172723..26511e638 100644 --- a/.github/workflows/pr-review-panel.lock.yml +++ b/.github/workflows/pr-review-panel.lock.yml @@ -453,6 +453,7 @@ jobs: - name: Restore APM packages (all bundles) uses: microsoft/apm-action@b48dd081eb0050f6d7f32d0e7caa0a59a2d419fd # v1.7.2 with: + apm-version: 0.12.4 bundles-file: /tmp/gh-aw/apm-bundle-list.txt - name: Configure Git credentials 
@@ -1119,6 +1120,7 @@ jobs: env: GITHUB_TOKEN: ${{ steps.token.outputs.token || secrets.GH_AW_PLUGINS_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} with: + apm-version: 0.12.4 archive: "true" dependencies: ${{ steps.list.outputs.deps }} isolated: "true" diff --git a/.github/workflows/shared/apm.md b/.github/workflows/shared/apm.md index e48de0922..c194c8f8a 100644 --- a/.github/workflows/shared/apm.md +++ b/.github/workflows/shared/apm.md @@ -67,7 +67,7 @@ # packages: # - microsoft/apm-sample-package # -# 5. Pin a specific apm CLI version (newer than the action's default): +# 5. Pin a specific apm CLI version (overrides the action's built-in default): # # imports: # - uses: shared/apm.md @@ -172,11 +172,19 @@ import-schema: apm-version: type: string required: false + # MAINTENANCE: this default MUST mirror the apm-version default shipped + # by the pinned microsoft/apm-action ref used in the Pack and Restore + # steps below. gh-aw substitutes this value at compile time when a + # consumer omits apm-version, so an empty string is never forwarded to + # apm-action (an empty apm-version floats the action to 'latest', the + # opposite of the pinned default). Bump this in lockstep with the action. + default: '0.12.4' description: > - apm CLI version for apm-action to install (e.g. '0.20.0'). Omit to use - the action's pinned default. Pin explicitly for reproducibility. Applied - to both the Pack and Restore apm-action steps so the CLI version cannot - skew between packing and restoring. + apm CLI version for apm-action to install, as a bare semver tag (e.g. + '0.12.4'); pass 'latest' to opt into floating to the newest release. + Omit to use apm-action's pinned default. Applied to both the Pack and + Restore apm-action steps so the CLI version cannot skew between packing + and restoring. jobs: apm-prep: diff --git a/.github/workflows/triage-panel.lock.yml b/.github/workflows/triage-panel.lock.yml index 44f074dc2..1b5ed147a 100644 
--- a/.github/workflows/triage-panel.lock.yml +++ b/.github/workflows/triage-panel.lock.yml @@ -463,6 +463,7 @@ jobs: - name: Restore APM packages (all bundles) uses: microsoft/apm-action@b48dd081eb0050f6d7f32d0e7caa0a59a2d419fd # v1.7.2 with: + apm-version: 0.12.4 bundles-file: /tmp/gh-aw/apm-bundle-list.txt - name: Configure Git credentials @@ -1187,6 +1188,7 @@ jobs: env: GITHUB_TOKEN: ${{ steps.token.outputs.token || secrets.GH_AW_PLUGINS_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} with: + apm-version: 0.12.4 archive: "true" dependencies: ${{ steps.list.outputs.deps }} isolated: "true" diff --git a/CHANGELOG.md b/CHANGELOG.md index df7106e6d..73c571d55 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added +- The shared gh-aw workflow `.github/workflows/shared/apm.md` exposes an optional `apm-version` import input that pins the apm CLI version for both the pack and restore `microsoft/apm-action` steps (so the two cannot skew), surviving `gh aw update` without hand-editing the vendored file. Omitting it falls through to the action's pinned default via a gh-aw schema default, so non-opting consumers stay reproducible instead of floating to `latest`. (#1842) - `apm audit` now surfaces unmanaged files in governance directories as a single enriched report: each finding states a factual reason (`not tracked in apm.lock.yaml`), a lazy primitive-type tag (`[type: skill|agent|instruction|mcp]`), and a deny-conflict note (`matches deny rule ()`) when the path matches the policy's own `dependencies.deny` / `mcp.deny`. A new `unmanaged_files.exclude` policy key suppresses known harness-managed paths, and a symlink guard prevents following links out of the workspace. This is drift / divergence visibility, not supply-chain-attack prevention. (closes #1775) (#1793) - Azure DevOps is now documented as a first-class marketplace authoring host: a `marketplace.sourceBase` of `https://dev.azure.com/{org}/{project}/_git` composes relative package sources and preserves the `dev.azure.com` host through to the consumer (authenticated with `ADO_APM_PAT`). The end-to-end authoring -> consume path is pinned by a hermetic test. (closes #1010) (#1810) - `apm install --target antigravity` and `apm compile -t antigravity` add diff --git a/docs/src/content/docs/integrations/gh-aw.md b/docs/src/content/docs/integrations/gh-aw.md index 2488c19d6..76ee1d66c 100644 --- a/docs/src/content/docs/integrations/gh-aw.md +++ b/docs/src/content/docs/integrations/gh-aw.md 
@@ -63,6 +63,21 @@ The APM compilation target is automatically inferred from the configured `engine Packages are fetched using gh-aw's cascading token fallback: `GH_AW_PLUGINS_TOKEN` -> `GH_AW_GITHUB_TOKEN` -> `GITHUB_TOKEN`. +**Pinning the apm CLI version (optional):** + +By default the import installs the apm CLI version that the pinned `microsoft/apm-action` ships. To install a specific version instead -- for example to opt into a newer CLI for a packaging fix -- set the optional `apm-version` input. It is threaded into both the pack and restore steps so the version cannot skew between them, and it survives `gh aw update` (no need to hand-edit the vendored `shared/apm.md`): + +```yaml +imports: + - uses: shared/apm.md + with: + apm-version: '0.20.0' + packages: + - microsoft/apm-sample-package +``` + +Use a bare semver tag (e.g. `'0.20.0'`). Pass `'latest'` to opt into floating to the newest release; omit the input entirely to keep the action's pinned default. + :::note[Isolated install by default] `shared/apm.md` invokes `microsoft/apm-action` with `isolated: true`. Only the packages listed under `packages:` are installed -- any host-repo primitives under `.apm/` or `.github/` (instructions, prompts, skills, agents) are ignored and pre-existing primitive directories are cleared. To merge host-repo primitives with imported ones, use the [apm-action Pre-Step](#apm-action-pre-step) approach below, which leaves `isolated` at its default of `false`. :::
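Review bot: in the PATCH 2/3 hunk at `@@ -158,6 +168,16 @@ import-schema:` of `.github/workflows/shared/apm.md`, `apm-version` is declared `required: false` with no `default`, so a consumer that omits it forwards `${{ github.aw.import-inputs.apm-version }}` verbatim from the pack/restore hunks at `@@ -370` and `@@ -450`, which evaluates to an empty string and makes apm-action fall back to `latest`. PATCH 3/3 adds `default: '0.12.4'` at `@@ -172,11 +172,19 @@`; the two commits should be squashed (or the default carried into this hunk) so no intermediate revision of the shared file ships the floating behaviour.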
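Review bot: the `MAINTENANCE` comment in the PATCH 3/3 hunk at `@@ -172,11 +172,19 @@ import-schema:` makes `default: '0.12.4'` correct only as long as a human bumps it together with the `microsoft/apm-action` ref in the Pack and Restore steps, and nothing in the patch enforces that; a small test that reads the default from the pinned action's metadata and compares it with the schema default would turn a silent drift (consumers quietly pinned to a CLI older than the action's own default) into a CI failure. The same hunk's description still says `Omit to use apm-action's pinned default.`, which no longer describes the mechanism now that the schema default is substituted at compile time; suggest `Omit to use the pinned default (0.12.4, mirrored from the apm-action ref used below).`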
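Review bot: the regenerated lock hunks (`docs-sync.lock.yml` at `@@ -449` and `@@ -1089`, `pr-review-panel.lock.yml` at `@@ -453` and `@@ -1119`, `triage-panel.lock.yml` at `@@ -463` and `@@ -1187`) render `apm-version: 0.12.4` unquoted while the neighbouring inputs are quoted (`archive: "true"`, `isolated: "true"`) and the schema default is `'0.12.4'`. A three-component tag tokenises as a YAML string, but a two-component value such as `1.0` would be parsed as a float and reach apm-action as `1`; confirm that the compiler quotes string-typed import inputs on output, or note in the schema description that only three-component tags are accepted.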
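Review bot: the docs hunk at `@@ -63,6 +63,21 @@` in `docs/src/content/docs/integrations/gh-aw.md` presents `'latest'` as a neutral option without saying what it costs: every run then installs whichever release is newest at that moment, so packs stop being reproducible and each new upstream release is trusted automatically, which undercuts the SHA-pinned `uses: microsoft/apm-action@b48dd081...` the lock files already carry. Suggest one sentence after `Pass 'latest' to opt into floating to the newest release;` along the lines of "this trades reproducibility for currency, so prefer a bare semver tag in workflows that must produce identical bundles across runs."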