Bug test-writer agent #60

Workflow file for this run

.github/workflows/bug-agent-test.lock.yml at db2df01

	# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"68d5dc6771fcd70acba0d91459c1199d5ef9e221c98cfd39fa2c28e8817738b9","compiler_version":"v0.71.5","strict":true,"agent_id":"claude"}
	# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_APP_ID","GH_AW_APP_PRIVATE_KEY","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/create-github-app-token","sha":"1b10c78c7865c340bc4f6099eb2f838309f1e8c3","version":"v3.1.1"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/github-script","sha":"d746ffe35508b1917358783b479e04febd2b8f71","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"astral-sh/setup-uv","sha":"94527f2e458b27549849d47d273a16bec83a01e9","version":"94527f2e458b27549849d47d273a16bec83a01e9"},{"repo":"github/gh-aw-actions/setup","sha":"b8068426813005612b960b5ab0b8bd2c27142323","version":"v0.71.5"},{"repo":"pnpm/action-setup","sha":"f40ffcd9367d9f12939873eb1018b921a783ffaa","version":"f40ffcd9367d9f12939873eb1018b921a783ffaa"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.40","digest":"sha256:14ff567e8d9d4c2fbc5e55c973488381c71d7e0fdbe72d30ee7b8a738fd86504","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.25.40@sha256:14ff567e8d9d4c2fbc5e55c973488381c71d7e0fdbe72d30ee7b8a738fd86504"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.40","digest":"sha256:2883ca3e5ae9f330cafdd9345bfd4ae17fc8da36c96d4c9a1f76e922b4c45280","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.40@sha256:2883ca3e5ae9f330cafdd9345bfd4ae17fc8da36c96d4c9a1f76e922b4c45280"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.40","digest":"sha256:b084f4a2c771f584ee68084ced52fa6b3245197a1889645d817462d307d3ac51","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.25.40@sha256:b084f4a2c771f584ee68084ced52fa6b3245197a1889645d817462d307d3ac51"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.6","digest":"sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.6@sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c"},{"image":"ghcr.io/github/github-mcp-server:v1.0.3","digest":"sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]}
	# ___ _ _
	# / _ \ \| \| (_)
	# \| \|_\| \| __ _ ___ _ __ \| \|_ _ ___
	# \| _ \|/ _` \|/ _ \ '_ \\| __\| \|/ __\|
	# \| \| \| \| (_\| \| __/ \| \| \| \|_\| \| (__
	# \_\| \|_/\__, \|\___\|_\| \|_\|\__\|_\|\___\|
	# __/ \|
	# _ _ \|___/
	# \| \| \| \| / _\| \|
	# \| \| \| \| ___ _ __ _ __\| \|_\| \| _____ ____
	# \| \|/\\| \|/ _ \ '__\| \|/ /\| _\| \|/ _ \ \ /\ / / ___\|
	# \ /\ / (_) \| \| \| \| ( \| \| \| \| (_) \ V V /\__ \
	# \/ \/ \___/\|_\| \|_\|\_\\|_\| \|_\|\___/ \_/\_/ \|___/
	#
	# This file was automatically generated by gh-aw (v0.71.5). DO NOT EDIT.
	#
	# To update this file, edit the corresponding .md file and run:
	# gh aw compile
	# Not all edits will cause changes to this file.
	#
	# For more information: https://github.github.com/gh-aw/introduction/overview/
	#
	# Write a failing test that reproduces a confirmed bug (triggered by /bug-tdd)
	#
	# Secrets used:
	# - ANTHROPIC_API_KEY
	# - GH_AW_APP_ID
	# - GH_AW_APP_PRIVATE_KEY
	# - GH_AW_CI_TRIGGER_TOKEN
	# - GH_AW_GITHUB_MCP_SERVER_TOKEN
	# - GH_AW_GITHUB_TOKEN
	# - GITHUB_TOKEN
	#
	# Custom actions used:
	# - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	# - actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
	# - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	# - actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
	# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	# - actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	# - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
	# - actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
	# - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
	# - astral-sh/setup-uv@94527f2e458b27549849d47d273a16bec83a01e9
	# - github/gh-aw-actions/setup@b8068426813005612b960b5ab0b8bd2c27142323 # v0.71.5
	# - pnpm/action-setup@f40ffcd9367d9f12939873eb1018b921a783ffaa
	#
	# Container images used:
	# - ghcr.io/github/gh-aw-firewall/agent:0.25.40@sha256:14ff567e8d9d4c2fbc5e55c973488381c71d7e0fdbe72d30ee7b8a738fd86504
	# - ghcr.io/github/gh-aw-firewall/api-proxy:0.25.40@sha256:2883ca3e5ae9f330cafdd9345bfd4ae17fc8da36c96d4c9a1f76e922b4c45280
	# - ghcr.io/github/gh-aw-firewall/squid:0.25.40@sha256:b084f4a2c771f584ee68084ced52fa6b3245197a1889645d817462d307d3ac51
	# - ghcr.io/github/gh-aw-mcpg:v0.3.6@sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c
	# - ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959
	# - node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f

	name: "Bug test-writer agent"
	"on":
	issue_comment:
	types:
	- created
	- edited

	permissions: {}

	concurrency:
	group: "gh-aw-${{ github.workflow }}-${{ contains(github.actor, '[bot]') && github.run_id \|\| github.event.issue.number \|\| github.event.pull_request.number \|\| github.run_id }}"

	run-name: "Bug test-writer agent"

	jobs:
	activation:
	needs: pre_activation
	if: "needs.pre_activation.outputs.activated == 'true' && (github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/bug-tdd ') \|\| startsWith(github.event.comment.body, '/bug-tdd\n') \|\| github.event.comment.body == '/bug-tdd') && github.event.issue.pull_request == null \|\| github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/bug-tdd ') \|\| startsWith(github.event.comment.body, '/bug-tdd\n') \|\| github.event.comment.body == '/bug-tdd') && github.event.issue.pull_request != null)"
	runs-on: ubuntu-slim
	permissions:
	actions: read
	contents: read
	issues: write
	pull-requests: write
	outputs:
	activation_app_token_minting_failed: ${{ steps.activation-app-token.outcome == 'failure' }}
	body: ${{ steps.sanitized.outputs.body }}
	comment_id: ${{ steps.add-comment.outputs.comment-id }}
	comment_repo: ${{ steps.add-comment.outputs.comment-repo }}
	comment_url: ${{ steps.add-comment.outputs.comment-url }}
	engine_id: ${{ steps.generate_aw_info.outputs.engine_id }}
	lockdown_check_failed: ${{ steps.generate_aw_info.outputs.lockdown_check_failed == 'true' }}
	model: ${{ steps.generate_aw_info.outputs.model }}
	secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
	setup-trace-id: ${{ steps.setup.outputs.trace-id }}
	slash_command: ${{ needs.pre_activation.outputs.matched_command }}
	stale_lock_file_failed: ${{ steps.check-lock-file.outputs.stale_lock_file_failed == 'true' }}
	text: ${{ steps.sanitized.outputs.text }}
	title: ${{ steps.sanitized.outputs.title }}
	steps:
	- name: Setup Scripts
	id: setup
	uses: github/gh-aw-actions/setup@b8068426813005612b960b5ab0b8bd2c27142323 # v0.71.5
	with:
	destination: ${{ runner.temp }}/gh-aw/actions
	job-name: ${{ github.job }}
	trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }}
	env:
	GH_AW_SETUP_WORKFLOW_NAME: "Bug test-writer agent"
	GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/bug-agent-test.lock.yml@${{ github.ref }}
	GH_AW_INFO_VERSION: "2.1.126"
	- name: Generate agentic run info
	id: generate_aw_info
	env:
	GH_AW_INFO_ENGINE_ID: "claude"
	GH_AW_INFO_ENGINE_NAME: "Claude Code"
	GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE \|\| 'auto' }}
	GH_AW_INFO_VERSION: "2.1.126"
	GH_AW_INFO_AGENT_VERSION: "2.1.126"
	GH_AW_INFO_CLI_VERSION: "v0.71.5"
	GH_AW_INFO_WORKFLOW_NAME: "Bug test-writer agent"
	GH_AW_INFO_EXPERIMENTAL: "false"
	GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
	GH_AW_INFO_STAGED: "false"
	GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]'
	GH_AW_INFO_FIREWALL_ENABLED: "true"
	GH_AW_INFO_AWF_VERSION: "v0.25.40"
	GH_AW_INFO_AWMG_VERSION: ""
	GH_AW_INFO_FIREWALL_TYPE: "squid"
	GH_AW_COMPILED_STRICT: "true"
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/generate_aw_info.cjs');
	await main(core, context);
	- name: Generate GitHub App token for activation
	id: activation-app-token
	uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
	with:
	client-id: ${{ secrets.GH_AW_APP_ID }}
	private-key: ${{ secrets.GH_AW_APP_PRIVATE_KEY }}
	owner: ${{ github.repository_owner }}
	repositories: ${{ github.event.repository.name }}
	github-api-url: ${{ github.api_url }}
	permission-contents: read
	permission-issues: write
	permission-pull-requests: write
	- name: Add eyes reaction for immediate feedback
	id: react
	if: github.event_name == 'issues' \|\| github.event_name == 'issue_comment' \|\| github.event_name == 'pull_request_review_comment' \|\| github.event_name == 'discussion' \|\| github.event_name == 'discussion_comment' \|\| github.event_name == 'pull_request' && github.event.pull_request.head.repo.id == github.repository_id \|\| github.event_name == 'pull_request_review' && github.event.pull_request.head.repo.id == github.repository_id
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	env:
	GH_AW_REACTION: "eyes"
	with:
	github-token: ${{ steps.activation-app-token.outputs.token }}
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/add_reaction.cjs');
	await main();
	- name: Validate ANTHROPIC_API_KEY secret
	id: validate-secret
	run: bash "${RUNNER_TEMP}/gh-aw/actions/validate_multi_secret.sh" ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code
	env:
	ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
	- name: Checkout .github and .agents folders
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false
	token: ${{ steps.activation-app-token.outputs.token }}
	sparse-checkout: \|
	.github
	.agents
	.claude
	.codex
	.crush
	.gemini
	.opencode
	.pi
	sparse-checkout-cone-mode: true
	fetch-depth: 1
	- name: Save agent config folders for base branch restoration
	env:
	GH_AW_AGENT_FOLDERS: ".agents .claude .codex .crush .gemini .github .opencode .pi"
	GH_AW_AGENT_FILES: ".crush.json AGENTS.md CLAUDE.md GEMINI.md PI.md opencode.jsonc"
	# poutine:ignore untrusted_checkout_exec
	run: bash "${RUNNER_TEMP}/gh-aw/actions/save_base_github_folders.sh"
	- name: Check workflow lock file
	id: check-lock-file
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	env:
	GH_AW_WORKFLOW_FILE: "bug-agent-test.lock.yml"
	GH_AW_CONTEXT_WORKFLOW_REF: "${{ github.workflow_ref }}"
	with:
	github-token: ${{ steps.activation-app-token.outputs.token }}
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/check_workflow_timestamp_api.cjs');
	await main();
	- name: Check compile-agentic version
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	env:
	GH_AW_COMPILED_VERSION: "v0.71.5"
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/check_version_updates.cjs');
	await main();
	- name: Compute current body text
	id: sanitized
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	env:
	GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com"
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/compute_text.cjs');
	await main();
	- name: Add comment with workflow run link
	id: add-comment
	if: github.event_name == 'issues' \|\| github.event_name == 'issue_comment' \|\| github.event_name == 'pull_request_review_comment' \|\| github.event_name == 'discussion' \|\| github.event_name == 'discussion_comment' \|\| github.event_name == 'pull_request' && github.event.pull_request.head.repo.id == github.repository_id \|\| github.event_name == 'pull_request_review' && github.event.pull_request.head.repo.id == github.repository_id
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	env:
	GH_AW_WORKFLOW_NAME: "Bug test-writer agent"
	with:
	github-token: ${{ steps.activation-app-token.outputs.token }}
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/add_workflow_run_comment.cjs');
	await main();
	- name: Create prompt with built-in context
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_SAFE_OUTPUTS: ${{ runner.temp }}/gh-aw/safeoutputs/outputs.jsonl
	GH_AW_GITHUB_ACTOR: ${{ github.actor }}
	GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
	GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
	GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
	GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
	GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
	GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
	GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
	GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' \|\| '' }}
	# poutine:ignore untrusted_checkout_exec
	run: \|
	bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh"
	{
	cat << 'GH_AW_PROMPT_9a65b2ffb16830f8_EOF'
	<system>
	GH_AW_PROMPT_9a65b2ffb16830f8_EOF
	cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
	cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
	cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
	cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
	cat << 'GH_AW_PROMPT_9a65b2ffb16830f8_EOF'
	<safe-output-tools>
	Tools: add_comment(max:3), create_pull_request, add_labels(max:2), push_to_pull_request_branch(max:3), missing_tool, missing_data, noop
	GH_AW_PROMPT_9a65b2ffb16830f8_EOF
	cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_create_pull_request.md"
	cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_push_to_pr_branch.md"
	cat << 'GH_AW_PROMPT_9a65b2ffb16830f8_EOF'
	</safe-output-tools>
	GH_AW_PROMPT_9a65b2ffb16830f8_EOF
	cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md"
	cat << 'GH_AW_PROMPT_9a65b2ffb16830f8_EOF'
	<github-context>
	The following GitHub context information is available for this workflow:
	{{#if __GH_AW_GITHUB_ACTOR__ }}
	- actor: __GH_AW_GITHUB_ACTOR__
	{{/if}}
	{{#if __GH_AW_GITHUB_REPOSITORY__ }}
	- repository: __GH_AW_GITHUB_REPOSITORY__
	{{/if}}
	{{#if __GH_AW_GITHUB_WORKSPACE__ }}
	- workspace: __GH_AW_GITHUB_WORKSPACE__
	{{/if}}
	{{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }}
	- issue-number: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__
	{{/if}}
	{{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }}
	- discussion-number: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__
	{{/if}}
	{{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }}
	- pull-request-number: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__
	{{/if}}
	{{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }}
	- comment-id: __GH_AW_GITHUB_EVENT_COMMENT_ID__
	{{/if}}
	{{#if __GH_AW_GITHUB_RUN_ID__ }}
	- workflow-run-id: __GH_AW_GITHUB_RUN_ID__
	{{/if}}
	- checkouts: The following repositories have been checked out and are available in the workspace:
	- `$GITHUB_WORKSPACE` → `__GH_AW_GITHUB_REPOSITORY__` (cwd) [full history, all branches available as remote-tracking refs]
	- Note: If a branch you need is not in the list above and is not listed as an additional fetched ref, it has NOT been checked out. For private repositories you cannot fetch it without proper authentication. If the branch is required and not available, exit with an error and ask the user to add it to the `fetch:` option of the `checkout:` configuration (e.g., `fetch: ["refs/pulls/open/*"]` for all open PR refs, or `fetch: ["main", "feature/my-branch"]` for specific branches).
	</github-context>

	GH_AW_PROMPT_9a65b2ffb16830f8_EOF
	cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
	if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] \|\| [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] \|\| [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then
	cat "${RUNNER_TEMP}/gh-aw/prompts/pr_context_prompt.md"
	fi
	if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] \|\| [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] \|\| [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then
	cat "${RUNNER_TEMP}/gh-aw/prompts/pr_context_push_to_pr_branch_guidance.md"
	fi
	cat << 'GH_AW_PROMPT_9a65b2ffb16830f8_EOF'
	</system>
	{{#runtime-import .github/workflows/bug-agent-test.md}}
	GH_AW_PROMPT_9a65b2ffb16830f8_EOF
	} > "$GH_AW_PROMPT"
	- name: Interpolate variables and render templates
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_ENGINE_ID: "claude"
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/interpolate_prompt.cjs');
	await main();
	- name: Substitute placeholders
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_GITHUB_ACTOR: ${{ github.actor }}
	GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
	GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
	GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
	GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
	GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
	GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
	GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
	GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' \|\| '' }}
	GH_AW_MCP_CLI_SERVERS_LIST: '- `safeoutputs` — run `safeoutputs --help` to see available tools'
	GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }}
	GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND: ${{ needs.pre_activation.outputs.matched_command }}
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);

	const substitutePlaceholders = require('${{ runner.temp }}/gh-aw/actions/substitute_placeholders.cjs');

	// Call the substitution function
	return await substitutePlaceholders({
	file: process.env.GH_AW_PROMPT,
	substitutions: {
	GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR,
	GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID,
	GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER,
	GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER,
	GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER,
	GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY,
	GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID,
	GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE,
	GH_AW_IS_PR_COMMENT: process.env.GH_AW_IS_PR_COMMENT,
	GH_AW_MCP_CLI_SERVERS_LIST: process.env.GH_AW_MCP_CLI_SERVERS_LIST,
	GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: process.env.GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED,
	GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND: process.env.GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND
	}
	});
	- name: Validate prompt placeholders
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	# poutine:ignore untrusted_checkout_exec
	run: bash "${RUNNER_TEMP}/gh-aw/actions/validate_prompt_placeholders.sh"
	- name: Print prompt
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	# poutine:ignore untrusted_checkout_exec
	run: bash "${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh"
	- name: Upload activation artifact
	if: success()
	uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
	with:
	name: activation
	include-hidden-files: true
	path: \|
	/tmp/gh-aw/aw_info.json
	/tmp/gh-aw/aw-prompts/prompt.txt
	/tmp/gh-aw/github_rate_limits.jsonl
	/tmp/gh-aw/base
	if-no-files-found: ignore
	retention-days: 1

	agent:
	needs: activation
	runs-on: ubuntu-latest
	permissions:
	contents: read
	issues: read
	pull-requests: read
	env:
	DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
	GH_AW_ASSETS_ALLOWED_EXTS: ""
	GH_AW_ASSETS_BRANCH: ""
	GH_AW_ASSETS_MAX_SIZE_KB: 0
	GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
	GH_AW_WORKFLOW_ID_SANITIZED: bugagenttest
	outputs:
	checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success \|\| 'true' }}
	effective_tokens: ${{ steps.parse-mcp-gateway.outputs.effective_tokens }}
	has_patch: ${{ steps.collect_output.outputs.has_patch }}
	model: ${{ needs.activation.outputs.model }}
	output: ${{ steps.collect_output.outputs.output }}
	output_types: ${{ steps.collect_output.outputs.output_types }}
	setup-trace-id: ${{ steps.setup.outputs.trace-id }}
	steps:
	- name: Setup Scripts
	id: setup
	uses: github/gh-aw-actions/setup@b8068426813005612b960b5ab0b8bd2c27142323 # v0.71.5
	with:
	destination: ${{ runner.temp }}/gh-aw/actions
	job-name: ${{ github.job }}
	trace-id: ${{ needs.activation.outputs.setup-trace-id }}
	env:
	GH_AW_SETUP_WORKFLOW_NAME: "Bug test-writer agent"
	GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/bug-agent-test.lock.yml@${{ github.ref }}
	GH_AW_INFO_VERSION: "2.1.126"
	- name: Set runtime paths
	id: set-runtime-paths
	run: \|
	{
	echo "GH_AW_SAFE_OUTPUTS=${RUNNER_TEMP}/gh-aw/safeoutputs/outputs.jsonl"
	echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${RUNNER_TEMP}/gh-aw/safeoutputs/config.json"
	echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${RUNNER_TEMP}/gh-aw/safeoutputs/tools.json"
	} >> "$GITHUB_OUTPUT"
	- name: Checkout repository
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false
	fetch-depth: 0
	submodules: true
	- name: Setup Node.js
	uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
	with:
	node-version: '24'
	package-manager-cache: false
	- name: Setup Python
	uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
	with:
	python-version: '3.12'
	- name: Create gh-aw temp directory
	run: bash "${RUNNER_TEMP}/gh-aw/actions/create_gh_aw_tmp_dir.sh"
	- name: Configure gh CLI for GitHub Enterprise
	run: bash "${RUNNER_TEMP}/gh-aw/actions/configure_gh_for_ghe.sh"
	env:
	GH_TOKEN: ${{ github.token }}
	- env:
	GH_TOKEN: ${{ github.token }}
	ISSUE_NUMBER: ${{ github.event.issue.number }}
	REPO: ${{ github.repository }}
	name: "Gate check - require prior pipeline state"
	run: "set -euo pipefail\nfail() {\n echo \"::error::$1\"\n echo \"### Gate failed\" >> \"$GITHUB_STEP_SUMMARY\"\n echo \"$1\" >> \"$GITHUB_STEP_SUMMARY\"\n exit 1\n}\n\nISSUE_JSON=$(gh api \"repos/$REPO/issues/$ISSUE_NUMBER\")\nIS_PR=$(echo \"$ISSUE_JSON\" \| jq -r 'if .pull_request then \"true\" else \"false\" end')\n\nif [ \"$IS_PR\" = \"true\" ]; then\n PR_BODY=$(gh api \"repos/$REPO/pulls/$ISSUE_NUMBER\" \| jq -r '.body // \"\"')\n\n if [[ \"$PR_BODY\" != \"AGENT_TEST_COMPLETE\" ]]; then\n fail \"Cannot run /bug-tdd here: PR has no AGENT_TEST_COMPLETE marker.\"\n fi\n if [[ \"$PR_BODY\" == \"AGENT_FIX_COMPLETE\" ]]; then\n fail \"Cannot run /bug-tdd: fix already applied (AGENT_FIX_COMPLETE present). Test revision after fix is unsupported.\"\n fi\n\n REQ=$(gh api \"repos/$REPO/issues/$ISSUE_NUMBER/comments\" --paginate \\\n --jq '[.[] \| select((.user.login == \"infrahub-bug-pipeline[bot]\" or .user.login == \"github-actions[bot]\" or .user.login == \"claude[bot]\")\n and (.body \| contains(\"AGENT_REVIEW_VERDICT: TEST_CHANGES_REQUESTED\")))] \| length')\n if [ \"$REQ\" = \"0\" ]; then\n fail \"Cannot run /bug-tdd: no TEST_CHANGES_REQUESTED verdict from reviewer to act on.\"\n fi\n exit 0\nfi\n\nANALYSIS=$(gh api \"repos/$REPO/issues/$ISSUE_NUMBER/comments\" --paginate \\\n --jq '[.[] \| select((.user.login == \"infrahub-bug-pipeline[bot]\" or .user.login == \"github-actions[bot]\" or .user.login == \"claude[bot]\")\n and (.body \| contains(\"AGENT_ANALYSIS_COMPLETE\")))] \| length')\nif [ \"$ANALYSIS\" = \"0\" ]; then\n fail \"Cannot run /bug-tdd: no AGENT_ANALYSIS_COMPLETE comment from analyst. Run /bug-analyze first.\"\nfi\n"
	- uses: astral-sh/setup-uv@94527f2e458b27549849d47d273a16bec83a01e9
	with:
	version: latest
	- run: uv sync --all-groups
	- uses: pnpm/action-setup@f40ffcd9367d9f12939873eb1018b921a783ffaa
	with:
	version: 10
	- run: cd frontend/app && pnpm install --frozen-lockfile
	- run: cd frontend/app && pnpm exec playwright install chromium

	- name: Configure Git credentials
	env:
	REPO_NAME: ${{ github.repository }}
	SERVER_URL: ${{ github.server_url }}
	GITHUB_TOKEN: ${{ github.token }}
	run: \|
	git config --global user.email "github-actions[bot]@users.noreply.github.com"
	git config --global user.name "github-actions[bot]"
	git config --global am.keepcr true
	# Re-authenticate git with GitHub token
	SERVER_URL_STRIPPED="${SERVER_URL#https://}"
	git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
	echo "Git configured with standard GitHub Actions identity"
	- name: Checkout PR branch
	id: checkout-pr
	if: \|
	github.event.pull_request \|\| github.event.issue.pull_request
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	env:
	GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN \|\| secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN \|\| secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
	await main();
	- name: Setup Node.js
	uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
	with:
	node-version: '24'
	package-manager-cache: false
	- name: Install AWF binary
	run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.40
	- name: Install Claude Code CLI
	run: npm install -g @anthropic-ai/claude-code@2.1.126
	- name: Determine automatic lockdown mode for GitHub MCP Server
	id: determine-automatic-lockdown
	uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
	env:
	GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
	GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
	with:
	script: \|
	const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs');
	await determineAutomaticLockdown(github, context, core);
	- name: Download activation artifact
	uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	with:
	name: activation
	path: /tmp/gh-aw
	- name: Restore agent config folders from base branch
	if: steps.checkout-pr.outcome == 'success'
	env:
	GH_AW_AGENT_FOLDERS: ".agents .claude .codex .crush .gemini .github .opencode .pi"
	GH_AW_AGENT_FILES: ".crush.json AGENTS.md CLAUDE.md GEMINI.md PI.md opencode.jsonc"
	run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_base_github_folders.sh"
	- name: Download container images
	run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.40@sha256:14ff567e8d9d4c2fbc5e55c973488381c71d7e0fdbe72d30ee7b8a738fd86504 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.40@sha256:2883ca3e5ae9f330cafdd9345bfd4ae17fc8da36c96d4c9a1f76e922b4c45280 ghcr.io/github/gh-aw-firewall/squid:0.25.40@sha256:b084f4a2c771f584ee68084ced52fa6b3245197a1889645d817462d307d3ac51 ghcr.io/github/gh-aw-mcpg:v0.3.6@sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f
	- name: Generate Safe Outputs Config
	run: \|
	mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs"
	mkdir -p /tmp/gh-aw/safeoutputs
	mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
	cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_a3a18c233f6528f1_EOF'
	{"add_comment":{"max":3},"add_labels":{"max":2},"create_pull_request":{"allowed_base_branches":["stable"],"base_branch":"stable","draft":true,"max":1,"max_patch_files":100,"max_patch_size":1024,"protect_top_level_dot_folders":true,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS","DESIGN.md","README.md","CONTRIBUTING.md","CHANGELOG.md","SECURITY.md","CODE_OF_CONDUCT.md","CLAUDE.md","AGENTS.md"]},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_to_pull_request_branch":{"if_no_changes":"warn","max":3,"max_patch_size":1024,"protect_top_level_dot_folders":true,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS","DESIGN.md","README.md","CONTRIBUTING.md","CHANGELOG.md","SECURITY.md","CODE_OF_CONDUCT.md","CLAUDE.md","AGENTS.md"]},"report_incomplete":{}}
	GH_AW_SAFE_OUTPUTS_CONFIG_a3a18c233f6528f1_EOF
	- name: Generate Safe Outputs Tools
	env:
	GH_AW_TOOLS_META_JSON: \|
	{
	"description_suffixes": {
	"add_comment": " CONSTRAINTS: Maximum 3 comment(s) can be added. Supports reply_to_id for discussion threading.",
	"add_labels": " CONSTRAINTS: Maximum 2 label(s) can be added.",
	"create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. PRs will be created as drafts.",
	"push_to_pull_request_branch": " CONSTRAINTS: Maximum 3 push(es) can be made."
	},
	"repo_params": {},
	"dynamic_tools": []
	}
	GH_AW_VALIDATION_JSON: \|
	{
	"add_comment": {
	"defaultMax": 1,
	"fields": {
	"body": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 65000
	},
	"item_number": {
	"issueOrPRNumber": true
	},
	"reply_to_id": {
	"type": "string",
	"maxLength": 256
	},
	"repo": {
	"type": "string",
	"maxLength": 256
	}
	}
	},
	"add_labels": {
	"defaultMax": 5,
	"fields": {
	"item_number": {
	"issueNumberOrTemporaryId": true
	},
	"labels": {
	"required": true,
	"type": "array",
	"itemType": "string",
	"itemSanitize": true,
	"itemMaxLength": 128
	},
	"repo": {
	"type": "string",
	"maxLength": 256
	}
	}
	},
	"create_pull_request": {
	"defaultMax": 1,
	"fields": {
	"base": {
	"type": "string",
	"sanitize": true,
	"maxLength": 128
	},
	"body": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 65000
	},
	"branch": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 256
	},
	"draft": {
	"type": "boolean"
	},
	"labels": {
	"type": "array",
	"itemType": "string",
	"itemSanitize": true,
	"itemMaxLength": 128
	},
	"repo": {
	"type": "string",
	"maxLength": 256
	},
	"title": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 128
	}
	}
	},
	"missing_data": {
	"defaultMax": 20,
	"fields": {
	"alternatives": {
	"type": "string",
	"sanitize": true,
	"maxLength": 256
	},
	"context": {
	"type": "string",
	"sanitize": true,
	"maxLength": 256
	},
	"data_type": {
	"type": "string",
	"sanitize": true,
	"maxLength": 128
	},
	"reason": {
	"type": "string",
	"sanitize": true,
	"maxLength": 256
	}
	}
	},
	"missing_tool": {
	"defaultMax": 20,
	"fields": {
	"alternatives": {
	"type": "string",
	"sanitize": true,
	"maxLength": 512
	},
	"reason": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 256
	},
	"tool": {
	"type": "string",
	"sanitize": true,
	"maxLength": 128
	}
	}
	},
	"noop": {
	"defaultMax": 1,
	"fields": {
	"message": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 65000
	}
	}
	},
	"push_to_pull_request_branch": {
	"defaultMax": 1,
	"fields": {
	"branch": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 256
	},
	"message": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 65000
	},
	"pull_request_number": {
	"issueOrPRNumber": true
	}
	}
	},
	"report_incomplete": {
	"defaultMax": 5,
	"fields": {
	"details": {
	"type": "string",
	"sanitize": true,
	"maxLength": 65000
	},
	"reason": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 1024
	}
	}
	}
	}
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/generate_safe_outputs_tools.cjs');
	await main();
	- name: Generate Safe Outputs MCP Server Config
	id: safe-outputs-config
	run: \|
	# Generate a secure random API key (360 bits of entropy, 40+ chars)
	# Mask immediately to prevent timing vulnerabilities
	API_KEY=$(openssl rand -base64 45 \| tr -d '/+=')
	echo "::add-mask::${API_KEY}"

	PORT=3001

	# Set outputs for next steps
	{
	echo "safe_outputs_api_key=${API_KEY}"
	echo "safe_outputs_port=${PORT}"
	} >> "$GITHUB_OUTPUT"

	echo "Safe Outputs MCP server will run on port ${PORT}"

	- name: Start Safe Outputs MCP HTTP Server
	id: safe-outputs-start
	env:
	DEBUG: '*'
	GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
	GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}
	GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}
	GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ runner.temp }}/gh-aw/safeoutputs/tools.json
	GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ runner.temp }}/gh-aw/safeoutputs/config.json
	GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
	run: \|
	# Environment variables are set above to prevent template injection
	export DEBUG
	export GH_AW_SAFE_OUTPUTS
	export GH_AW_SAFE_OUTPUTS_PORT
	export GH_AW_SAFE_OUTPUTS_API_KEY
	export GH_AW_SAFE_OUTPUTS_TOOLS_PATH
	export GH_AW_SAFE_OUTPUTS_CONFIG_PATH
	export GH_AW_MCP_LOG_DIR

	bash "${RUNNER_TEMP}/gh-aw/actions/start_safe_outputs_server.sh"

	- name: Start MCP Gateway
	id: start-mcp-gateway
	env:
	GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
	GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
	GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
	GITHUB_MCP_GUARD_MIN_INTEGRITY: ${{ steps.determine-automatic-lockdown.outputs.min_integrity }}
	GITHUB_MCP_GUARD_REPOS: ${{ steps.determine-automatic-lockdown.outputs.repos }}
	GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN \|\| secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	run: \|
	set -eo pipefail
	mkdir -p "${RUNNER_TEMP}/gh-aw/mcp-config"

	# Export gateway environment variables for MCP config and gateway script
	export MCP_GATEWAY_PORT="8080"
	export MCP_GATEWAY_DOMAIN="host.docker.internal"
	export MCP_GATEWAY_HOST_DOMAIN="localhost"
	MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 \| tr -d '/+=')
	echo "::add-mask::${MCP_GATEWAY_API_KEY}"
	export MCP_GATEWAY_API_KEY
	export MCP_GATEWAY_PAYLOAD_DIR="/tmp/gh-aw/mcp-payloads"
	mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}"
	export MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD="524288"
	export DEBUG="*"

	export GH_AW_ENGINE="claude"
	MCP_GATEWAY_UID=$(id -u 2>/dev/null \|\| echo '0')
	MCP_GATEWAY_GID=$(id -g 2>/dev/null \|\| echo '0')
	DOCKER_SOCK_GID=$(stat -c '%g' /var/run/docker.sock 2>/dev/null \|\| echo '0')
	export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.6'

	GH_AW_NODE=$(which node 2>/dev/null \|\| command -v node 2>/dev/null \|\| echo node)
	cat << GH_AW_MCP_CONFIG_1cf780a8c43df901_EOF \| "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
	{
	"mcpServers": {
	"github": {
	"container": "ghcr.io/github/github-mcp-server:v1.0.3",
	"env": {
	"GITHUB_HOST": "$GITHUB_SERVER_URL",
	"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN",
	"GITHUB_READ_ONLY": "1",
	"GITHUB_TOOLSETS": "context,repos,issues,pull_requests"
	},
	"guard-policies": {
	"allow-only": {
	"min-integrity": "$GITHUB_MCP_GUARD_MIN_INTEGRITY",
	"repos": "$GITHUB_MCP_GUARD_REPOS"
	}
	}
	},
	"safeoutputs": {
	"type": "http",
	"url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT",
	"headers": {
	"Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY"
	},
	"guard-policies": {
	"write-sink": {
	"accept": [
	"*"
	]
	}
	}
	}
	},
	"gateway": {
	"port": $MCP_GATEWAY_PORT,
	"domain": "${MCP_GATEWAY_DOMAIN}",
	"apiKey": "${MCP_GATEWAY_API_KEY}",
	"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
	}
	}
	GH_AW_MCP_CONFIG_1cf780a8c43df901_EOF
	- name: Mount MCP servers as CLIs
	id: mount-mcp-clis
	continue-on-error: true
	env:
	MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }}
	MCP_GATEWAY_DOMAIN: ${{ steps.start-mcp-gateway.outputs.gateway-domain }}
	MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }}
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/mount_mcp_as_cli.cjs');
	await main();
	- name: Clean credentials
	continue-on-error: true
	run: bash "${RUNNER_TEMP}/gh-aw/actions/clean_git_credentials.sh"
	- name: Audit pre-agent workspace
	id: pre_agent_audit
	continue-on-error: true
	run: bash "${RUNNER_TEMP}/gh-aw/actions/audit_pre_agent_workspace.sh"
	- name: Execute Claude Code CLI
	id: agentic_execution
	# Allowed tools (sorted):
	# - Bash
	# - BashOutput
	# - Edit
	# - ExitPlanMode
	# - Glob
	# - Grep
	# - KillBash
	# - LS
	# - MultiEdit
	# - NotebookEdit
	# - NotebookRead
	# - Read
	# - Task
	# - TodoWrite
	# - Write
	# - mcp__github__download_workflow_run_artifact
	# - mcp__github__get_code_scanning_alert
	# - mcp__github__get_commit
	# - mcp__github__get_dependabot_alert
	# - mcp__github__get_discussion
	# - mcp__github__get_discussion_comments
	# - mcp__github__get_file_contents
	# - mcp__github__get_job_logs
	# - mcp__github__get_label
	# - mcp__github__get_latest_release
	# - mcp__github__get_me
	# - mcp__github__get_notification_details
	# - mcp__github__get_pull_request
	# - mcp__github__get_pull_request_comments
	# - mcp__github__get_pull_request_diff
	# - mcp__github__get_pull_request_files
	# - mcp__github__get_pull_request_review_comments
	# - mcp__github__get_pull_request_reviews
	# - mcp__github__get_pull_request_status
	# - mcp__github__get_release_by_tag
	# - mcp__github__get_secret_scanning_alert
	# - mcp__github__get_tag
	# - mcp__github__get_workflow_run
	# - mcp__github__get_workflow_run_logs
	# - mcp__github__get_workflow_run_usage
	# - mcp__github__issue_read
	# - mcp__github__list_branches
	# - mcp__github__list_code_scanning_alerts
	# - mcp__github__list_commits
	# - mcp__github__list_dependabot_alerts
	# - mcp__github__list_discussion_categories
	# - mcp__github__list_discussions
	# - mcp__github__list_issue_types
	# - mcp__github__list_issues
	# - mcp__github__list_label
	# - mcp__github__list_notifications
	# - mcp__github__list_pull_requests
	# - mcp__github__list_releases
	# - mcp__github__list_secret_scanning_alerts
	# - mcp__github__list_starred_repositories
	# - mcp__github__list_tags
	# - mcp__github__list_workflow_jobs
	# - mcp__github__list_workflow_run_artifacts
	# - mcp__github__list_workflow_runs
	# - mcp__github__list_workflows
	# - mcp__github__pull_request_read
	# - mcp__github__search_code
	# - mcp__github__search_issues
	# - mcp__github__search_orgs
	# - mcp__github__search_pull_requests
	# - mcp__github__search_repositories
	# - mcp__github__search_users
	# - mcp__safeoutputs
	timeout-minutes: 60
	run: \|
	set -o pipefail
	touch /tmp/gh-aw/agent-step-summary.md
	(umask 177 && touch /tmp/gh-aw/agent-stdio.log)
	printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.25.40/awf-config.schema.json","network":{"allowDomains":[".githubusercontent.com","anthropic.com","api.anthropic.com","api.github.com","api.snapcraft.io","archive.ubuntu.com","azure.archive.ubuntu.com","cdn.playwright.dev","codeload.github.com","crl.geotrust.com","crl.globalsign.com","crl.identrust.com","crl.sectigo.com","crl.thawte.com","crl.usertrust.com","crl.verisign.com","crl3.digicert.com","crl4.digicert.com","crls.ssl.com","files.pythonhosted.org","ghcr.io","github-cloud.githubusercontent.com","github-cloud.s3.amazonaws.com","github.com","host.docker.internal","json-schema.org","json.schemastore.org","keyserver.ubuntu.com","lfs.github.com","objects.githubusercontent.com","ocsp.digicert.com","ocsp.geotrust.com","ocsp.globalsign.com","ocsp.identrust.com","ocsp.sectigo.com","ocsp.ssl.com","ocsp.thawte.com","ocsp.usertrust.com","ocsp.verisign.com","packagecloud.io","packages.cloud.google.com","packages.microsoft.com","playwright.download.prss.microsoft.com","ppa.launchpad.net","pypi.org","raw.githubusercontent.com","registry.npmjs.org","s.symcb.com","s.symcd.com","security.ubuntu.com","sentry.io","statsig.anthropic.com","ts-crl.ws.symantec.com","ts-ocsp.ws.symantec.com","www.googleapis.com"]},"apiProxy":{"enabled":true,"models":{"auto":["large"],"deep-research":["copilot/deep-research","google/deep-research"],"gemini-flash":["copilot/gemini-flash","google/gemini-flash"],"gemini-pro":["copilot/gemini-pro","google/gemini-pro"],"gpt-4.1":["copilot/gpt-4.1","openai/gpt-4.1"],"gpt-5":["copilot/gpt-5","openai/gpt-5"],"gpt-5-codex":["copilot/gpt-5codex","openai/gpt-5codex"],"gpt-5-mini":["copilot/gpt-5mini","openai/gpt-5mini"],"gpt-5-nano":["copilot/gpt-5nano","openai/gpt-5nano"],"gpt-5-pro":["copilot/gpt-5pro","openai/gpt-5pro"],"haiku":["copilot/haiku","anthropic/haiku"],"large":["sonnet","gpt-5-pro","gpt-5","gemini-pro"],"mini":["haiku","gpt-5-mini","gpt-5-nano","gemini-flash"],"opus":["copilot/opus","anthropic/opus"],"reasoning":["copilot/o1","copilot/o3","copilot/o4","openai/o1","openai/o3","openai/o4"],"small":["mini"],"sonnet":["copilot/sonnet","anthropic/sonnet*"]}},"container":{"imageTag":"0.25.40,squid=sha256:b084f4a2c771f584ee68084ced52fa6b3245197a1889645d817462d307d3ac51,agent=sha256:14ff567e8d9d4c2fbc5e55c973488381c71d7e0fdbe72d30ee7b8a738fd86504,api-proxy=sha256:2883ca3e5ae9f330cafdd9345bfd4ae17fc8da36c96d4c9a1f76e922b4c45280,cli-proxy=sha256:3e7152911d4b4b7b97beef9d3d7d924ff7902227e86001ef3838fb728d5d514c"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" && cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json
	# shellcheck disable=SC1003
	sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --tty --env-all --exclude-env ANTHROPIC_API_KEY --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
	-- /bin/bash -c 'export PATH="${RUNNER_TEMP}/gh-aw/mcp-cli/bin:$PATH" && export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 4 -type d -name bin 2>/dev/null \| tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" \|\| true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] \|\| [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null \|\| echo node)"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/claude_harness.cjs claude --print --no-chrome --mcp-config "${{ runner.temp }}/gh-aw/mcp-config/mcp-servers.json" --allowed-tools Bash,BashOutput,Edit,ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,NotebookEdit,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users,mcp__safeoutputs --debug-file /tmp/gh-aw/agent-stdio.log --verbose --permission-mode bypassPermissions --output-format stream-json --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"}' 2>&1 \| tee -a /tmp/gh-aw/agent-stdio.log
	env:
	ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
	BASH_DEFAULT_TIMEOUT_MS: 60000
	BASH_MAX_TIMEOUT_MS: 60000
	CLAUDE_CODE_DISABLE_FAST_MODE: 1
	DISABLE_BUG_COMMAND: 1
	DISABLE_ERROR_REPORTING: 1
	DISABLE_TELEMETRY: 1
	GH_AW_MCP_CONFIG: ${{ runner.temp }}/gh-aw/mcp-config/mcp-servers.json
	GH_AW_MODEL_AGENT_CLAUDE: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE \|\| '' }}
	GH_AW_PHASE: agent
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
	GH_AW_VERSION: v0.71.5
	GITHUB_AW: true
	GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md
	GITHUB_WORKSPACE: ${{ github.workspace }}
	GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com
	GIT_AUTHOR_NAME: github-actions[bot]
	GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
	GIT_COMMITTER_NAME: github-actions[bot]
	MCP_TIMEOUT: 120000
	MCP_TOOL_TIMEOUT: 60000
	- name: Configure Git credentials
	env:
	REPO_NAME: ${{ github.repository }}
	SERVER_URL: ${{ github.server_url }}
	GITHUB_TOKEN: ${{ github.token }}
	run: \|
	git config --global user.email "github-actions[bot]@users.noreply.github.com"
	git config --global user.name "github-actions[bot]"
	git config --global am.keepcr true
	# Re-authenticate git with GitHub token
	SERVER_URL_STRIPPED="${SERVER_URL#https://}"
	git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
	echo "Git configured with standard GitHub Actions identity"
	- name: Stop MCP Gateway
	if: always()
	continue-on-error: true
	env:
	MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }}
	MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }}
	GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }}
	run: \|
	bash "${RUNNER_TEMP}/gh-aw/actions/stop_mcp_gateway.sh" "$GATEWAY_PID"
	- name: Redact secrets in logs
	if: always()
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/redact_secrets.cjs');
	await main();
	env:
	GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN'
	SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
	SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
	SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
	SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	- name: Append agent step summary
	if: always()
	run: bash "${RUNNER_TEMP}/gh-aw/actions/append_agent_step_summary.sh"
	- name: Copy Safe Outputs
	if: always()
	env:
	GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
	run: \|
	mkdir -p /tmp/gh-aw
	cp "$GH_AW_SAFE_OUTPUTS" /tmp/gh-aw/safeoutputs.jsonl 2>/dev/null \|\| true
	- name: Ingest agent output
	id: collect_output
	if: always()
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	env:
	GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
	GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com"
	GITHUB_SERVER_URL: ${{ github.server_url }}
	GITHUB_API_URL: ${{ github.api_url }}
	GH_AW_COMMAND: bug-tdd
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/collect_ndjson_output.cjs');
	await main();
	- name: Parse agent logs for step summary
	if: always()
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	env:
	GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_claude_log.cjs');
	await main();
	- name: Parse MCP Gateway logs for step summary
	if: always()
	id: parse-mcp-gateway
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_mcp_gateway_log.cjs');
	await main();
	- name: Print firewall logs
	if: always()
	continue-on-error: true
	env:
	AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
	run: \|
	# Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts
	# AWF runs with sudo, creating files owned by root
	sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall 2>/dev/null \|\| true
	# Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
	if command -v awf &> /dev/null; then
	awf logs summary \| tee -a "$GITHUB_STEP_SUMMARY"
	else
	echo 'AWF binary not installed, skipping firewall log summary'
	fi
	- name: Parse token usage for step summary
	if: always()
	continue-on-error: true
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_token_usage.cjs');
	await main();
	- name: Print AWF reflect summary
	if: always()
	continue-on-error: true
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/awf_reflect_summary.cjs');
	await main();
	- name: Write agent output placeholder if missing
	if: always()
	run: \|
	if [ ! -f /tmp/gh-aw/agent_output.json ]; then
	echo '{"items":[]}' > /tmp/gh-aw/agent_output.json
	fi
	- name: Upload agent artifacts
	if: always()
	continue-on-error: true
	uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
	with:
	name: agent
	path: \|
	/tmp/gh-aw/aw-prompts/prompt.txt
	/tmp/gh-aw/mcp-logs/
	/tmp/gh-aw/agent_usage.json
	/tmp/gh-aw/agent-stdio.log
	/tmp/gh-aw/pre-agent-audit.txt
	/tmp/gh-aw/agent/
	/tmp/gh-aw/github_rate_limits.jsonl
	/tmp/gh-aw/safeoutputs.jsonl
	/tmp/gh-aw/agent_output.json
	/tmp/gh-aw/aw-*.patch
	/tmp/gh-aw/aw-*.bundle
	/tmp/gh-aw/awf-config.json
	/tmp/gh-aw/sandbox/firewall/logs/
	/tmp/gh-aw/sandbox/firewall/audit/
	/tmp/gh-aw/sandbox/firewall/awf-reflect.json
	if-no-files-found: ignore

	conclusion:
	needs:
	- activation
	- agent
	- detection
	- safe_outputs
	if: >
	always() && (needs.agent.result != 'skipped' \|\| needs.activation.outputs.lockdown_check_failed == 'true' \|\|
	needs.activation.outputs.stale_lock_file_failed == 'true')
	runs-on: ubuntu-slim
	permissions:
	contents: write
	issues: write
	pull-requests: write
	concurrency:
	group: "gh-aw-conclusion-bug-agent-test"
	cancel-in-progress: false
	outputs:
	incomplete_count: ${{ steps.report_incomplete.outputs.incomplete_count }}
	noop_message: ${{ steps.noop.outputs.noop_message }}
	tools_reported: ${{ steps.missing_tool.outputs.tools_reported }}
	total_count: ${{ steps.missing_tool.outputs.total_count }}
	steps:
	- name: Setup Scripts
	id: setup
	uses: github/gh-aw-actions/setup@b8068426813005612b960b5ab0b8bd2c27142323 # v0.71.5
	with:
	destination: ${{ runner.temp }}/gh-aw/actions
	job-name: ${{ github.job }}
	trace-id: ${{ needs.activation.outputs.setup-trace-id }}
	env:
	GH_AW_SETUP_WORKFLOW_NAME: "Bug test-writer agent"
	GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/bug-agent-test.lock.yml@${{ github.ref }}
	GH_AW_INFO_VERSION: "2.1.126"
	- name: Generate GitHub App token
	id: safe-outputs-app-token
	uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
	with:
	client-id: ${{ secrets.GH_AW_APP_ID }}
	private-key: ${{ secrets.GH_AW_APP_PRIVATE_KEY }}
	owner: ${{ github.repository_owner }}
	repositories: ${{ github.event.repository.name }}
	github-api-url: ${{ github.api_url }}
	permission-administration: read
	permission-contents: write
	permission-issues: write
	permission-pull-requests: write
	- name: Download agent output artifact
	id: download-agent-output
	continue-on-error: true
	uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	with:
	name: agent
	path: /tmp/gh-aw/
	- name: Setup agent output environment variable
	id: setup-agent-output-env
	if: steps.download-agent-output.outcome == 'success'
	run: \|
	mkdir -p /tmp/gh-aw/
	find "/tmp/gh-aw/" -type f -print
	echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
	- name: Process no-op messages
	id: noop
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	env:
	GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
	GH_AW_NOOP_MAX: "1"
	GH_AW_WORKFLOW_NAME: "Bug test-writer agent"
	GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
	GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
	GH_AW_NOOP_REPORT_AS_ISSUE: "true"
	with:
	github-token: ${{ steps.safe-outputs-app-token.outputs.token }}
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs');
	await main();
	- name: Log detection run
	id: detection_runs
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	env:
	GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
	GH_AW_WORKFLOW_NAME: "Bug test-writer agent"
	GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
	GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.outputs.detection_conclusion }}
	GH_AW_DETECTION_REASON: ${{ needs.detection.outputs.detection_reason }}
	with:
	github-token: ${{ steps.safe-outputs-app-token.outputs.token }}
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_detection_runs.cjs');
	await main();
	- name: Record missing tool
	id: missing_tool
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	env:
	GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
	GH_AW_MISSING_TOOL_CREATE_ISSUE: "false"
	GH_AW_MISSING_TOOL_TITLE_PREFIX: "[missing tool]"
	GH_AW_WORKFLOW_NAME: "Bug test-writer agent"
	with:
	github-token: ${{ steps.safe-outputs-app-token.outputs.token }}
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/missing_tool.cjs');
	await main();
	- name: Record incomplete
	id: report_incomplete
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	env:
	GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
	GH_AW_REPORT_INCOMPLETE_CREATE_ISSUE: "true"
	GH_AW_WORKFLOW_NAME: "Bug test-writer agent"
	with:
	github-token: ${{ steps.safe-outputs-app-token.outputs.token }}
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/report_incomplete_handler.cjs');
	await main();
	- name: Handle agent failure
	id: handle_agent_failure
	if: always()
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	env:
	GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
	GH_AW_WORKFLOW_NAME: "Bug test-writer agent"
	GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
	GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
	GH_AW_WORKFLOW_ID: "bug-agent-test"
	GH_AW_ACTION_FAILURE_ISSUE_EXPIRES_HOURS: "168"
	GH_AW_ENGINE_ID: "claude"
	GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }}
	GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }}
	GH_AW_ENGINE_API_HOSTS: "api.anthropic.com"
	GH_AW_CODE_PUSH_FAILURE_ERRORS: ${{ needs.safe_outputs.outputs.code_push_failure_errors }}
	GH_AW_CODE_PUSH_FAILURE_COUNT: ${{ needs.safe_outputs.outputs.code_push_failure_count }}
	GH_AW_SAFE_OUTPUTS_APP_TOKEN_MINTING_FAILED: ${{ needs.safe_outputs.outputs.app_token_minting_failed }}
	GH_AW_CONCLUSION_APP_TOKEN_MINTING_FAILED: ${{ steps.safe-outputs-app-token.outcome == 'failure' }}
	GH_AW_ACTIVATION_APP_TOKEN_MINTING_FAILED: ${{ needs.activation.outputs.activation_app_token_minting_failed }}
	GH_AW_LOCKDOWN_CHECK_FAILED: ${{ needs.activation.outputs.lockdown_check_failed }}
	GH_AW_STALE_LOCK_FILE_FAILED: ${{ needs.activation.outputs.stale_lock_file_failed }}
	GH_AW_GROUP_REPORTS: "false"
	GH_AW_FAILURE_REPORT_AS_ISSUE: "true"
	GH_AW_MISSING_TOOL_REPORT_AS_FAILURE: "true"
	GH_AW_MISSING_DATA_REPORT_AS_FAILURE: "true"
	GH_AW_TIMEOUT_MINUTES: "60"
	with:
	github-token: ${{ steps.safe-outputs-app-token.outputs.token }}
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_agent_failure.cjs');
	await main();
	- name: Update reaction comment with completion status
	id: conclusion
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	env:
	GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
	GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }}
	GH_AW_COMMENT_REPO: ${{ needs.activation.outputs.comment_repo }}
	GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
	GH_AW_WORKFLOW_NAME: "Bug test-writer agent"
	GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
	GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.outputs.detection_conclusion }}
	GH_AW_DETECTION_REASON: ${{ needs.detection.outputs.detection_reason }}
	with:
	github-token: ${{ steps.safe-outputs-app-token.outputs.token }}
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs');
	await main();
	- name: Invalidate GitHub App token
	if: always() && steps.safe-outputs-app-token.outputs.token != ''
	env:
	TOKEN: ${{ steps.safe-outputs-app-token.outputs.token }}
	run: \|
	echo "Revoking GitHub App installation token..."
	# GitHub CLI will auth with the token being revoked.
	gh api \
	--method DELETE \
	-H "Authorization: token $TOKEN" \
	/installation/token \|\| echo "Token revoke may already be expired."

	echo "Token invalidation step complete."

	detection:
	needs:
	- activation
	- agent
	if: >
	always() && needs.agent.result != 'skipped' && (needs.agent.outputs.output_types != '' \|\| needs.agent.outputs.has_patch == 'true')
	runs-on: ubuntu-latest
	permissions:
	contents: read
	outputs:
	detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }}
	detection_reason: ${{ steps.detection_conclusion.outputs.reason }}
	detection_success: ${{ steps.detection_conclusion.outputs.success }}
	steps:
	- name: Setup Scripts
	id: setup
	uses: github/gh-aw-actions/setup@b8068426813005612b960b5ab0b8bd2c27142323 # v0.71.5
	with:
	destination: ${{ runner.temp }}/gh-aw/actions
	job-name: ${{ github.job }}
	trace-id: ${{ needs.activation.outputs.setup-trace-id }}
	env:
	GH_AW_SETUP_WORKFLOW_NAME: "Bug test-writer agent"
	GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/bug-agent-test.lock.yml@${{ github.ref }}
	GH_AW_INFO_VERSION: "2.1.126"
	- name: Download agent output artifact
	id: download-agent-output
	continue-on-error: true
	uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	with:
	name: agent
	path: /tmp/gh-aw/
	- name: Setup agent output environment variable
	id: setup-agent-output-env
	if: steps.download-agent-output.outcome == 'success'
	run: \|
	mkdir -p /tmp/gh-aw/
	find "/tmp/gh-aw/" -type f -print
	echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
	- name: Checkout repository for patch context
	if: needs.agent.outputs.has_patch == 'true'
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false
	# --- Threat Detection ---
	- name: Clean stale firewall files from agent artifact
	run: \|
	rm -rf /tmp/gh-aw/sandbox/firewall/logs
	rm -rf /tmp/gh-aw/sandbox/firewall/audit
	- name: Download container images
	run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.40@sha256:14ff567e8d9d4c2fbc5e55c973488381c71d7e0fdbe72d30ee7b8a738fd86504 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.40@sha256:2883ca3e5ae9f330cafdd9345bfd4ae17fc8da36c96d4c9a1f76e922b4c45280 ghcr.io/github/gh-aw-firewall/squid:0.25.40@sha256:b084f4a2c771f584ee68084ced52fa6b3245197a1889645d817462d307d3ac51
	- name: Check if detection needed
	id: detection_guard
	if: always()
	env:
	OUTPUT_TYPES: ${{ needs.agent.outputs.output_types }}
	HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
	run: \|
	if [[ -n "$OUTPUT_TYPES" \|\| "$HAS_PATCH" == "true" ]]; then
	echo "run_detection=true" >> "$GITHUB_OUTPUT"
	echo "Detection will run: output_types=$OUTPUT_TYPES, has_patch=$HAS_PATCH"
	else
	echo "run_detection=false" >> "$GITHUB_OUTPUT"
	echo "Detection skipped: no agent outputs or patches to analyze"
	fi
	- name: Clear MCP Config for detection
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	run: \|
	rm -f "${RUNNER_TEMP}/gh-aw/mcp-config/mcp-servers.json"
	rm -f /home/runner/.copilot/mcp-config.json
	rm -f "$GITHUB_WORKSPACE/.gemini/settings.json"
	- name: Prepare threat detection files
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	run: \|
	mkdir -p /tmp/gh-aw/threat-detection/aw-prompts
	cp /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt 2>/dev/null \|\| true
	cp /tmp/gh-aw/agent_output.json /tmp/gh-aw/threat-detection/agent_output.json 2>/dev/null \|\| true
	for f in /tmp/gh-aw/aw-*.patch; do
	[ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null \|\| true
	done
	for f in /tmp/gh-aw/aw-*.bundle; do
	[ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null \|\| true
	done
	echo "Prepared threat detection files:"
	ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null \|\| true
	- name: Setup threat detection
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	env:
	WORKFLOW_NAME: "Bug test-writer agent"
	WORKFLOW_DESCRIPTION: "Write a failing test that reproduces a confirmed bug (triggered by /bug-tdd)"
	HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/setup_threat_detection.cjs');
	await main();
	- name: Ensure threat-detection directory and log
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	run: \|
	mkdir -p /tmp/gh-aw/threat-detection
	touch /tmp/gh-aw/threat-detection/detection.log
	- name: Setup Node.js
	uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
	with:
	node-version: '24'
	package-manager-cache: false
	- name: Install AWF binary
	run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.40
	- name: Install Claude Code CLI
	run: npm install -g @anthropic-ai/claude-code@2.1.126
	- name: Execute Claude Code CLI
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	continue-on-error: true
	id: detection_agentic_execution
	# Allowed tools (sorted):
	# - Bash
	# - BashOutput
	# - ExitPlanMode
	# - Glob
	# - Grep
	# - KillBash
	# - LS
	# - NotebookRead
	# - Read
	# - Task
	# - TodoWrite
	timeout-minutes: 20
	run: \|
	set -o pipefail
	touch /tmp/gh-aw/agent-step-summary.md
	(umask 177 && touch /tmp/gh-aw/threat-detection/detection.log)
	printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.25.40/awf-config.schema.json","network":{"allowDomains":["*.githubusercontent.com","anthropic.com","api.anthropic.com","api.github.com","api.snapcraft.io","archive.ubuntu.com","azure.archive.ubuntu.com","cdn.playwright.dev","codeload.github.com","crl.geotrust.com","crl.globalsign.com","crl.identrust.com","crl.sectigo.com","crl.thawte.com","crl.usertrust.com","crl.verisign.com","crl3.digicert.com","crl4.digicert.com","crls.ssl.com","files.pythonhosted.org","ghcr.io","github-cloud.githubusercontent.com","github-cloud.s3.amazonaws.com","github.com","host.docker.internal","json-schema.org","json.schemastore.org","keyserver.ubuntu.com","lfs.github.com","objects.githubusercontent.com","ocsp.digicert.com","ocsp.geotrust.com","ocsp.globalsign.com","ocsp.identrust.com","ocsp.sectigo.com","ocsp.ssl.com","ocsp.thawte.com","ocsp.usertrust.com","ocsp.verisign.com","packagecloud.io","packages.cloud.google.com","packages.microsoft.com","playwright.download.prss.microsoft.com","ppa.launchpad.net","pypi.org","raw.githubusercontent.com","registry.npmjs.org","s.symcb.com","s.symcd.com","security.ubuntu.com","sentry.io","statsig.anthropic.com","ts-crl.ws.symantec.com","ts-ocsp.ws.symantec.com"]},"apiProxy":{"enabled":true},"container":{"imageTag":"0.25.40,squid=sha256:b084f4a2c771f584ee68084ced52fa6b3245197a1889645d817462d307d3ac51,agent=sha256:14ff567e8d9d4c2fbc5e55c973488381c71d7e0fdbe72d30ee7b8a738fd86504,api-proxy=sha256:2883ca3e5ae9f330cafdd9345bfd4ae17fc8da36c96d4c9a1f76e922b4c45280,cli-proxy=sha256:3e7152911d4b4b7b97beef9d3d7d924ff7902227e86001ef3838fb728d5d514c"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" && cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json
	# shellcheck disable=SC1003
	sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --tty --env-all --exclude-env ANTHROPIC_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
	-- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 4 -type d -name bin 2>/dev/null \| tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" \|\| true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] \|\| [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null \|\| echo node)"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/claude_harness.cjs claude --print --no-chrome --allowed-tools Bash,BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite --debug-file /tmp/gh-aw/threat-detection/detection.log --verbose --permission-mode bypassPermissions --output-format stream-json --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt${GH_AW_MODEL_DETECTION_CLAUDE:+ --model "$GH_AW_MODEL_DETECTION_CLAUDE"}' 2>&1 \| tee -a /tmp/gh-aw/threat-detection/detection.log
	env:
	ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
	BASH_DEFAULT_TIMEOUT_MS: 60000
	BASH_MAX_TIMEOUT_MS: 60000
	CLAUDE_CODE_DISABLE_FAST_MODE: 1
	DISABLE_BUG_COMMAND: 1
	DISABLE_ERROR_REPORTING: 1
	DISABLE_TELEMETRY: 1
	GH_AW_MODEL_DETECTION_CLAUDE: ${{ vars.GH_AW_MODEL_DETECTION_CLAUDE \|\| '' }}
	GH_AW_PHASE: detection
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_VERSION: v0.71.5
	GITHUB_AW: true
	GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md
	GITHUB_WORKSPACE: ${{ github.workspace }}
	GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com
	GIT_AUTHOR_NAME: github-actions[bot]
	GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
	GIT_COMMITTER_NAME: github-actions[bot]
	MCP_TIMEOUT: 120000
	MCP_TOOL_TIMEOUT: 60000
	- name: Upload threat detection log
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
	with:
	name: detection
	path: /tmp/gh-aw/threat-detection/detection.log
	if-no-files-found: ignore
	- name: Parse and conclude threat detection
	id: detection_conclusion
	if: always()
	continue-on-error: true
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	env:
	RUN_DETECTION: ${{ steps.detection_guard.outputs.run_detection }}
	GH_AW_DETECTION_CONTINUE_ON_ERROR: "true"
	with:
	script: \|
	try {
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_threat_detection_results.cjs');
	await main();
	} catch (loadErr) {
	const continueOnError = process.env.GH_AW_DETECTION_CONTINUE_ON_ERROR !== 'false';
	const msg = 'ERR_SYSTEM: \u274C Unexpected error loading threat detection module: ' + (loadErr && loadErr.message ? loadErr.message : String(loadErr));
	core.error(msg);
	core.setOutput('reason', 'parse_error');
	if (continueOnError) {
	core.warning('\u26A0\uFE0F ' + msg);
	core.setOutput('conclusion', 'warning');
	core.setOutput('success', 'false');
	} else {
	core.setOutput('conclusion', 'failure');
	core.setOutput('success', 'false');
	core.setFailed(msg);
	}
	}

	pre_activation:
	if: "(github.event_name != 'issue_comment' && github.event_name != 'pull_request_review_comment' \|\| contains(fromJSON('[\"OWNER\",\"MEMBER\",\"COLLABORATOR\"]'), github.event.comment.author_association)) && (github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/bug-tdd ') \|\| startsWith(github.event.comment.body, '/bug-tdd\n') \|\| github.event.comment.body == '/bug-tdd') && github.event.issue.pull_request == null \|\| github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/bug-tdd ') \|\| startsWith(github.event.comment.body, '/bug-tdd\n') \|\| github.event.comment.body == '/bug-tdd') && github.event.issue.pull_request != null)"
	runs-on: ubuntu-slim
	outputs:
	activated: ${{ steps.check_membership.outputs.is_team_member == 'true' && steps.check_command_position.outputs.command_position_ok == 'true' }}
	matched_command: ${{ steps.check_command_position.outputs.matched_command }}
	setup-trace-id: ${{ steps.setup.outputs.trace-id }}
	steps:
	- name: Setup Scripts
	id: setup
	uses: github/gh-aw-actions/setup@b8068426813005612b960b5ab0b8bd2c27142323 # v0.71.5
	with:
	destination: ${{ runner.temp }}/gh-aw/actions
	job-name: ${{ github.job }}
	env:
	GH_AW_SETUP_WORKFLOW_NAME: "Bug test-writer agent"
	GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/bug-agent-test.lock.yml@${{ github.ref }}
	GH_AW_INFO_VERSION: "2.1.126"
	- name: Check team membership for command workflow
	id: check_membership
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	env:
	GH_AW_REQUIRED_ROLES: "admin,maintainer,write"
	with:
	github-token: ${{ secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs');
	await main();
	- name: Check command position
	id: check_command_position
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	env:
	GH_AW_COMMANDS: "[\"bug-tdd\"]"
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/check_command_position.cjs');
	await main();

	safe_outputs:
	needs:
	- activation
	- agent
	- detection
	if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.result == 'success'
	runs-on: ubuntu-slim
	permissions:
	contents: write
	issues: write
	pull-requests: write
	timeout-minutes: 15
	env:
	GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/bug-agent-test"
	GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.outputs.detection_conclusion }}
	GH_AW_DETECTION_REASON: ${{ needs.detection.outputs.detection_reason }}
	GH_AW_EFFECTIVE_TOKENS: ${{ needs.agent.outputs.effective_tokens }}
	GH_AW_ENGINE_ID: "claude"
	GH_AW_ENGINE_MODEL: ${{ needs.agent.outputs.model }}
	GH_AW_WORKFLOW_ID: "bug-agent-test"
	GH_AW_WORKFLOW_NAME: "Bug test-writer agent"
	outputs:
	app_token_minting_failed: ${{ steps.safe-outputs-app-token.outcome == 'failure' }}
	code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }}
	code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }}
	comment_id: ${{ steps.process_safe_outputs.outputs.comment_id }}
	comment_url: ${{ steps.process_safe_outputs.outputs.comment_url }}
	create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }}
	create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }}
	created_pr_number: ${{ steps.process_safe_outputs.outputs.created_pr_number }}
	created_pr_url: ${{ steps.process_safe_outputs.outputs.created_pr_url }}
	process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }}
	process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
	push_commit_sha: ${{ steps.process_safe_outputs.outputs.push_commit_sha }}
	push_commit_url: ${{ steps.process_safe_outputs.outputs.push_commit_url }}
	steps:
	- name: Setup Scripts
	id: setup
	uses: github/gh-aw-actions/setup@b8068426813005612b960b5ab0b8bd2c27142323 # v0.71.5
	with:
	destination: ${{ runner.temp }}/gh-aw/actions
	job-name: ${{ github.job }}
	trace-id: ${{ needs.activation.outputs.setup-trace-id }}
	env:
	GH_AW_SETUP_WORKFLOW_NAME: "Bug test-writer agent"
	GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/bug-agent-test.lock.yml@${{ github.ref }}
	GH_AW_INFO_VERSION: "2.1.126"
	- name: Download agent output artifact
	id: download-agent-output
	continue-on-error: true
	uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	with:
	name: agent
	path: /tmp/gh-aw/
	- name: Setup agent output environment variable
	id: setup-agent-output-env
	if: steps.download-agent-output.outcome == 'success'
	run: \|
	mkdir -p /tmp/gh-aw/
	find "/tmp/gh-aw/" -type f -print
	echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
	- name: Download patch artifact
	continue-on-error: true
	uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	with:
	name: agent
	path: /tmp/gh-aw/
	- name: Generate GitHub App token
	id: safe-outputs-app-token
	uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
	with:
	client-id: ${{ secrets.GH_AW_APP_ID }}
	private-key: ${{ secrets.GH_AW_APP_PRIVATE_KEY }}
	owner: ${{ github.repository_owner }}
	repositories: ${{ github.event.repository.name }}
	github-api-url: ${{ github.api_url }}
	permission-administration: read
	permission-contents: write
	permission-issues: write
	permission-pull-requests: write
	- name: Checkout repository
	if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request') \|\| (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	ref: stable
	token: ${{ steps.safe-outputs-app-token.outputs.token }}
	persist-credentials: false
	fetch-depth: 1
	- name: Configure Git credentials
	if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request') \|\| (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'push_to_pull_request_branch')
	env:
	REPO_NAME: ${{ github.repository }}
	SERVER_URL: ${{ github.server_url }}
	GIT_TOKEN: ${{ steps.safe-outputs-app-token.outputs.token }}
	run: \|
	git config --global user.email "github-actions[bot]@users.noreply.github.com"
	git config --global user.name "github-actions[bot]"
	git config --global am.keepcr true
	# Re-authenticate git with GitHub token
	SERVER_URL_STRIPPED="${SERVER_URL#https://}"
	git remote set-url origin "https://x-access-token:${GIT_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
	echo "Git configured with standard GitHub Actions identity"
	- name: Configure GH_HOST for enterprise compatibility
	id: ghes-host-config
	shell: bash
	run: \|
	# Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
	# GitHub instance (GHES/GHEC). On github.com this is a harmless no-op.
	GH_HOST="${GITHUB_SERVER_URL#https://}"
	GH_HOST="${GH_HOST#http://}"
	echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV"
	- name: Process Safe Outputs
	id: process_safe_outputs
	uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
	env:
	GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
	GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com"
	GITHUB_SERVER_URL: ${{ github.server_url }}
	GITHUB_API_URL: ${{ github.api_url }}
	GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":3},\"add_labels\":{\"max\":2},\"create_pull_request\":{\"allowed_base_branches\":[\"stable\"],\"base_branch\":\"stable\",\"draft\":true,\"max\":1,\"max_patch_files\":100,\"max_patch_size\":1024,\"protect_top_level_dot_folders\":true,\"protected_files\":[\"package.json\",\"bun.lockb\",\"bunfig.toml\",\"deno.json\",\"deno.jsonc\",\"deno.lock\",\"global.json\",\"NuGet.Config\",\"Directory.Packages.props\",\"mix.exs\",\"mix.lock\",\"go.mod\",\"go.sum\",\"stack.yaml\",\"stack.yaml.lock\",\"pom.xml\",\"build.gradle\",\"build.gradle.kts\",\"settings.gradle\",\"settings.gradle.kts\",\"gradle.properties\",\"package-lock.json\",\"yarn.lock\",\"pnpm-lock.yaml\",\"npm-shrinkwrap.json\",\"requirements.txt\",\"Pipfile\",\"Pipfile.lock\",\"pyproject.toml\",\"setup.py\",\"setup.cfg\",\"Gemfile\",\"Gemfile.lock\",\"uv.lock\",\"CODEOWNERS\",\"DESIGN.md\",\"README.md\",\"CONTRIBUTING.md\",\"CHANGELOG.md\",\"SECURITY.md\",\"CODE_OF_CONDUCT.md\",\"CLAUDE.md\",\"AGENTS.md\"]},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"push_to_pull_request_branch\":{\"if_no_changes\":\"warn\",\"max\":3,\"max_patch_size\":1024,\"protect_top_level_dot_folders\":true,\"protected_files\":[\"package.json\",\"bun.lockb\",\"bunfig.toml\",\"deno.json\",\"deno.jsonc\",\"deno.lock\",\"global.json\",\"NuGet.Config\",\"Directory.Packages.props\",\"mix.exs\",\"mix.lock\",\"go.mod\",\"go.sum\",\"stack.yaml\",\"stack.yaml.lock\",\"pom.xml\",\"build.gradle\",\"build.gradle.kts\",\"settings.gradle\",\"settings.gradle.kts\",\"gradle.properties\",\"package-lock.json\",\"yarn.lock\",\"pnpm-lock.yaml\",\"npm-shrinkwrap.json\",\"requirements.txt\",\"Pipfile\",\"Pipfile.lock\",\"pyproject.toml\",\"setup.py\",\"setup.cfg\",\"Gemfile\",\"Gemfile.lock\",\"uv.lock\",\"CODEOWNERS\",\"DESIGN.md\",\"README.md\",\"CONTRIBUTING.md\",\"CHANGELOG.md\",\"SECURITY.md\",\"CODE_OF_CONDUCT.md\",\"CLAUDE.md\",\"AGENTS.md\"]},\"report_incomplete\":{}}"
	GH_AW_CI_TRIGGER_TOKEN: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN }}
	GITHUB_TOKEN: ${{ steps.safe-outputs-app-token.outputs.token }}
	with:
	github-token: ${{ steps.safe-outputs-app-token.outputs.token }}
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/safe_output_handler_manager.cjs');
	await main();
	- name: Invalidate GitHub App token
	if: always() && steps.safe-outputs-app-token.outputs.token != ''
	env:
	TOKEN: ${{ steps.safe-outputs-app-token.outputs.token }}
	run: \|
	echo "Revoking GitHub App installation token..."
	# GitHub CLI will auth with the token being revoked.
	gh api \
	--method DELETE \
	-H "Authorization: token $TOKEN" \
	/installation/token \|\| echo "Token revoke may already be expired."

	echo "Token invalidation step complete."
	- name: Upload Safe Outputs Items
	if: always()
	uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
	with:
	name: safe-outputs-items
	path: \|
	/tmp/gh-aw/safe-output-items.jsonl
	/tmp/gh-aw/temporary-id-map.json
	if-no-files-found: ignore

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bug test-writer agent #60

Workflow file

Bug test-writer agent #60

Uh oh!

Workflow file for this run