From 4b07b5f546e3c8c815fc842681d6b3840134e425 Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Wed, 27 May 2026 10:45:41 +0800 Subject: [PATCH] docs: regenerate website docs from source MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Run `node scripts/generate-docs.js` to sync website/docs/ with the current state of agents, skills, workflows, plugin.json, and marketplace.json. No source changes — generator output only. --- website/docs/reference/marketplace.md | 8 +- website/docs/reference/plugin-json.md | 4 +- website/docs/skills/overview.md | 2 +- website/docs/skills/prereq-check.md | 274 +++++++----------- .../docs/workflows/daily-repo-status-lock.md | 12 +- website/docs/workflows/git-ape-release.md | 40 ++- .../docs/workflows/issue-triage-agent-lock.md | 46 +-- website/docs/workflows/pr-validation.md | 8 +- website/docs/workflows/waza-agent-evals.md | 31 +- website/docs/workflows/waza-evals.md | 31 +- 10 files changed, 202 insertions(+), 254 deletions(-) diff --git a/website/docs/reference/marketplace.md b/website/docs/reference/marketplace.md index 984ffe2..65aa33f 100644 --- a/website/docs/reference/marketplace.md +++ b/website/docs/reference/marketplace.md 
@@ -17,12 +17,12 @@ The marketplace manifest configures how Git-Ape appears in the Copilot CLI plugi |-------|-------| | **Name** | git-ape | | **Owner** | Microsoft | -| **Version** | 0.0.1 | +| **Version** | 0.0.3 | | **Description** | Git-Ape — Intelligent Azure deployment agent and skill suite for GitHub Copilot. Onboard any repository with guided ARM template generation, security analysis, cost estimation, drift detection, and automated CI/CD pipelines. | ## Plugins -- **git-ape** v0.0.1: Intelligent Azure deployment agent system for GitHub Copilot. Provides guided, safe, and validated Azure resource deployments using ARM templates, with built-in security analysis, cost estimation, drift detection, and CI/CD pipeline integration. +- **git-ape** v0.0.3: Intelligent Azure deployment agent system for GitHub Copilot. Provides guided, safe, and validated Azure resource deployments using ARM templates, with built-in security analysis, cost estimation, drift detection, and CI/CD pipeline integration. - **ape-context** v1.0.0: Extension for git-ape that provides enhanced context management, allowing platform teams to set up a baseline for Engineering context, tools use & intent ## Full Source @@ -36,13 +36,13 @@ The marketplace manifest configures how Git-Ape appears in the Copilot CLI plugi }, "metadata": { "description": "Git-Ape — Intelligent Azure deployment agent and skill suite for GitHub Copilot. Onboard any repository with guided ARM template generation, security analysis, cost estimation, drift detection, and automated CI/CD pipelines.", - "version": "0.0.1" + "version": "0.0.3" }, "plugins": [ { "name": "git-ape", "description": "Intelligent Azure deployment agent system for GitHub Copilot. Provides guided, safe, and validated Azure resource deployments using ARM templates, with built-in security analysis, cost estimation, drift detection, and CI/CD pipeline integration.", - "version": "0.0.1", + "version": "0.0.3", "source": "." }, { 
diff --git a/website/docs/reference/plugin-json.md b/website/docs/reference/plugin-json.md index e484045..155b0fc 100644 --- a/website/docs/reference/plugin-json.md +++ b/website/docs/reference/plugin-json.md @@ -16,7 +16,7 @@ The plugin manifest defines the Git-Ape plugin metadata. The same manifest is co | Field | Value | |-------|-------| | **Name** | git-ape | -| **Version** | 0.0.1 | +| **Version** | 0.0.3 | | **Description** | Intelligent agent system for deploying any Azure workload through GitHub Copilot. Provides guided, safe, and validated deployments using ARM templates, with built-in security analysis, cost estimation, and CI/CD pipeline integration. | | **Author** | Microsoft | | **License** | MIT | @@ -33,7 +33,7 @@ The plugin manifest defines the Git-Ape plugin metadata. The same manifest is co { "name": "git-ape", "description": "Intelligent agent system for deploying any Azure workload through GitHub Copilot. Provides guided, safe, and validated deployments using ARM templates, with built-in security analysis, cost estimation, and CI/CD pipeline integration.", - "version": "0.0.1", + "version": "0.0.3", "author": { "name": "Microsoft", "url": "https://github.com/Azure/git-ape" diff --git a/website/docs/skills/overview.md b/website/docs/skills/overview.md index 9753a8b..228ab16 100644 --- a/website/docs/skills/overview.md +++ b/website/docs/skills/overview.md 
@@ -24,7 +24,7 @@ Skills are focused capabilities invoked by agents at specific stages of the depl | [Azure Rest Api Reference](./azure-rest-api-reference) | Look up Azure REST API and ARM template reference documentation for any resource type. Returns exact property schemas, required fields, valid values, and latest stable API versions. Use BEFORE generating or modifying ARM templates to ensure correctness. No Azure connection required. | ✅ | | [Azure Role Selector](./azure-role-selector) | Recommend least-privilege Azure RBAC roles for deployed resources. Finds minimal built-in roles matching desired permissions or creates custom role definitions. Use during security analysis or when configuring access for service principals and managed identities. | ✅ | | [Azure Security Analyzer](./azure-security-analyzer) | Analyze Azure resource configurations against security best practices using Azure MCP bestpractices service. Produces per-resource security assessment with severity ratings and recommendations. Use during template generation before deployment confirmation. | ✅ | -| [Prereq Check](./prereq-check) | Check that all required CLI tools are installed, meet minimum versions, and have active auth sessions. Shows platform-specific install commands for anything missing. | ✅ | +| [Prereq Check](./prereq-check) | Validate Git-Ape CLI tool installation (az, gh, jq, git), versions, and auth sessions. Shows platform-specific install commands for anything missing. USE FOR: check Git-Ape prerequisites, what do I need to install for Git-Ape, verify Git-Ape CLI tools, az: command not found, gh: command not found, jq: command not found, git: command not found, az missing, gh missing, jq missing, git missing, fresh machine setup for Git-Ape, dev container setup for Git-Ape, before running git-ape-onboarding, az login required, gh auth login, auth expired, not logged in, outdated az version, minimum az version, upgrade az. DO NOT USE FOR: Anything else. 
This skill is narrowly scoped to prerequisites checks for Git-Ape's CLI tools and auth sessions. Do not use it for any other purpose. | ✅ | ## Post-Deploy Skills diff --git a/website/docs/skills/prereq-check.md b/website/docs/skills/prereq-check.md index 680db90..af5ba61 100644 --- a/website/docs/skills/prereq-check.md +++ b/website/docs/skills/prereq-check.md @@ -1,7 +1,7 @@ --- title: "Prereq Check" sidebar_label: "Prereq Check" -description: "Check that all required CLI tools are installed, meet minimum versions, and have active auth sessions. Shows platform-specific install commands for anything missing." +description: "Validate Git-Ape CLI tool installation (az, gh, jq, git), versions, and auth sessions. Shows platform-specific install commands for anything missing. USE FOR: check Git-Ape prerequisites, what do I need to install for Git-Ape, verify Git-Ape CLI tools, az: command not found, gh: command not found, jq: command not found, git: command not found, az missing, gh missing, jq missing, git missing, fresh machine setup for Git-Ape, dev container setup for Git-Ape, before running git-ape-onboarding, az login required, gh auth login, auth expired, not logged in, outdated az version, minimum az version, upgrade az. DO NOT USE FOR: Anything else. This skill is narrowly scoped to prerequisites checks for Git-Ape's CLI tools and auth sessions. Do not use it for any other purpose." --- 
@@ -9,7 +9,7 @@ description: "Check that all required CLI tools are installed, meet minimum vers # Prereq Check -> Check that all required CLI tools are installed, meet minimum versions, and have active auth sessions. Shows platform-specific install commands for anything missing. +> Validate Git-Ape CLI tool installation (az, gh, jq, git), versions, and auth sessions. Shows platform-specific install commands for anything missing. USE FOR: check Git-Ape prerequisites, what do I need to install for Git-Ape, verify Git-Ape CLI tools, az: command not found, gh: command not found, jq: command not found, git: command not found, az missing, gh missing, jq missing, git missing, fresh machine setup for Git-Ape, dev container setup for Git-Ape, before running git-ape-onboarding, az login required, gh auth login, auth expired, not logged in, outdated az version, minimum az version, upgrade az. DO NOT USE FOR: Anything else. This skill is narrowly scoped to prerequisites checks for Git-Ape's CLI tools and auth sessions. Do not use it for any other purpose. ## Details 
@@ -25,213 +25,137 @@ description: "Check that all required CLI tools are installed, meet minimum vers # Prerequisites Check -Validates the local environment has the CLI tools and auth sessions needed to run Git-Ape skills. +Validate that the local environment has the CLI tools and auth sessions needed to run Git-Ape skills. Print platform-specific install commands and PATH-repair guidance for anything missing or version-stale. -## When to Use +## Quick Reference -- Before first-time onboarding (`/git-ape-onboarding`) -- When any Git-Ape skill fails with a "command not found" error -- When switching machines or dev containers -- When a user asks "what do I need to install?" +| Property | Value | +|----------|-------| +| Best for | First-time setup, `command not found` triage, dev container validation | +| Required binaries | `az` ≥ 2.50, `gh` ≥ 2.0, `jq` ≥ 1.6, `git` (any) | +| Required auth | `az login`, `gh auth login` | +| Shell | bash on macOS/Linux, PowerShell 7+ on Windows | +| MCP tools | None — runs locally via shell | +| Related skills | `git-ape-onboarding` (next step), `azure-validate` (deployment-time checks) | +| Side effects | Read-only — never installs or modifies anything | -## Required Tools +## When to Use -| Tool | Binary | Minimum Version | Purpose | -|------|--------|-----------------|---------| -| Azure CLI | `az` | 2.50 | Azure resource management, RBAC, deployments | -| GitHub CLI | `gh` | 2.0 | Repo secrets, environments, PR operations | -| jq | `jq` | 1.6 | JSON parsing in scripts and workflows | -| git | `git` | any | Version control (usually pre-installed) | +- Before first-time onboarding (`/git-ape-onboarding`) +- When any Git-Ape skill fails with `command not found` +- When the user reports a missing binary in their prompt (e.g., `az: command not found`) +- After switching machines, shells, or dev containers +- When the user asks "what do I need to install?" 
-## Reported Command-Not-Found Errors +## Rules -Before running checks, inspect the user's prompt for explicit missing-command -reports such as `az: command not found`, `command not found: gh`, or "jq is not -found". Track any matching binaries (`az`, `gh`, `jq`, `git`) as -**reported missing tools**. +1. **Run read-only** — never `brew install`, `apt-get install`, or any state-changing command. Print the commands; the user runs them. +2. **Trust user reports** — if the user reports a tool missing, treat it as ⚠️ even when this terminal can find it (different shell, PATH, container, or machine). +3. **Stop at first blocking failure** — do not continue to auth checks while any tool is ❌. +4. **Do not chain into other skills** — never auto-invoke `git-ape-onboarding`; tell the user to run it after `READY`. -A reported missing tool is actionable even if this terminal can find it. The -user may be in a different shell, PATH, dev container, or machine than the -agent. For each reported missing tool: +## Steps -- State what this terminal detected separately from what the user reported. -- Always include install/reinstall or PATH repair guidance for that tool. -- Always include verification commands, such as `command -v az` and - `az --version`. -- If this terminal finds the tool, explain that the likely issue is - shell-specific PATH/configuration drift and recommend reopening the shell or - reloading the shell profile after install/PATH changes. 
+| # | Action | Reference | +|---|--------|-----------| +| 1 | **Detect Platform** — `uname -s` / `uname -m` on bash, `$PSVersionTable.OS` on PowerShell → macOS / Linux (apt vs dnf) / Windows (PowerShell 7+) | inline | +| 2 | **Scan Prompt for Reported Missing Tools** — match `: command not found`, `command not found: `, ` is not installed` | inline | +| 3 | **Run Tool Check** — macOS/Linux: `bash scripts/check-tools.sh` · Windows: `pwsh -File scripts/check-tools.ps1` | [scripts/check-tools.sh](https://github.com/Azure/git-ape/blob/main/.github/skills/prereq-check/scripts/check-tools.sh), [scripts/check-tools.ps1](https://github.com/Azure/git-ape/blob/main/.github/skills/prereq-check/scripts/check-tools.ps1) | +| 4 | **Present Status Table** — pass/fail with found vs. minimum version | See [Status Table](#status-table) | +| 5 | **Show Install / PATH Repair** — only for ❌ and ⚠️ entries, scoped to platform | [references/install-commands.md](https://github.com/Azure/git-ape/blob/main/.github/skills/prereq-check/references/install-commands.md) | +| 6 | **Check Auth Sessions** — only if Step 4 reports all tools ✅ | See [Auth Checks](#auth-checks) | +| 7 | **Emit Verdict** — exactly one of READY / TOOLS MISSING / REPORTED MISSING / AUTH MISSING | See [Outputs](#outputs) | -## Execution Playbook +### Status Table -Run the steps below in order. Present results as a table. Stop at the first blocking failure. +`scripts/check-tools.sh` emits TSV rows of `toolstatusfoundminimum`. 
Render them as: -### Step 1: Detect Platform +| Tool | Status | Found | Required | +|------|--------|-------|----------| +| az | ✅ / ⚠️ / ❌ | x.y.z | 2.50 | +| gh | ✅ / ⚠️ / ❌ | x.y.z | 2.0 | +| jq | ✅ / ⚠️ / ❌ | x.y | 1.6 | +| git | ✅ / ❌ | x.y.z | any | -```bash -OS="$(uname -s)" -ARCH="$(uname -m)" -echo "Platform: $OS / $ARCH" -``` +Status mapping: -Map the result for install instructions: +- `OK` → ✅ +- `OUTDATED` or `MISSING` → ❌ +- Reported missing in Step 2 but `OK` in this terminal → ⚠️ with note `reported missing by user` -- `Darwin` → macOS -- `Linux` → Linux (check for `apt-get` vs `yum`/`dnf` to narrow distro) -- `MINGW*` / `MSYS*` → Windows (git-bash) +### Auth Checks -### Step 2: Check Each Tool +macOS / Linux (bash): ```bash -# --- az (Azure CLI) — required, minimum 2.50 --- -if command -v az &>/dev/null; then - AZ_VER=$(az version --query '"azure-cli"' -o tsv 2>/dev/null) - echo "az: $AZ_VER" -else - echo "az: NOT FOUND" -fi - -# --- gh (GitHub CLI) — required, minimum 2.0 --- -if command -v gh &>/dev/null; then - GH_VER=$(gh --version 2>/dev/null | head -1 | grep -oE '[0-9]+\.[0-9]+\.[0-9]+') - echo "gh: $GH_VER" -else - echo "gh: NOT FOUND" -fi - -# --- jq — required, minimum 1.6 --- -if command -v jq &>/dev/null; then - JQ_VER=$(jq --version 2>/dev/null | grep -oE '[0-9]+\.[0-9]+[a-z]*') - echo "jq: $JQ_VER" -else - echo "jq: NOT FOUND" -fi - -# --- git — required (usually pre-installed) --- -if command -v git &>/dev/null; then - GIT_VER=$(git --version 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+') - echo "git: $GIT_VER" -else - echo "git: NOT FOUND" -fi -``` - -### Step 3: Present Results - -Show a table with pass/fail status: - -| Tool | Status | Found Version | Minimum Required | -|------|--------|---------------|------------------| -| az | ✅ / ❌ | x.y.z | 2.50 | -| gh | ✅ / ❌ | x.y.z | 2.0 | -| jq | ✅ / ❌ | x.y | 1.6 | -| git | ✅ / ❌ | x.y.z | any | - -Mark a tool ❌ if it is missing OR below the minimum version. 
- -### Step 4: Show Install Commands and PATH Repair Guidance - -Show install commands for any tool that is missing, outdated, or reported by -the user as "command not found", matching the detected platform. If a reported -tool is present in this terminal, frame the guidance as reinstall/PATH repair -rather than claiming the user's report was wrong. - -**macOS (Homebrew):** +az account show --query "{name:name,id:id,tenantId:tenantId}" -o table 2>/dev/null \ + || echo "❌ Not logged in to Azure. Run: az login" -```bash -brew install azure-cli # az -brew install gh # GitHub CLI -brew install jq # jq -brew install git # git (if missing) -``` - -**Ubuntu / Debian:** - -```bash -# az — Microsoft repository -curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash - -# gh — GitHub repository -(type -p wget >/dev/null || sudo apt-get install wget -y) \ - && sudo mkdir -p -m 755 /etc/apt/keyrings \ - && out=$(mktemp) && wget -nv -O"$out" https://cli.github.com/packages/githubcli-archive-keyring.gpg \ - && cat "$out" | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null \ - && sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \ - && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null \ - && sudo apt-get update && sudo apt-get install gh -y - -# jq -sudo apt-get install -y jq +gh auth status 2>/dev/null \ + || echo "❌ Not logged in to GitHub. Run: gh auth login" ``` -**RHEL / Fedora:** - -```bash -# az -sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc -sudo dnf install -y azure-cli +Windows (PowerShell 7+): -# gh -sudo dnf install -y gh +```powershell +az account show --query "{name:name,id:id,tenantId:tenantId}" -o table 2>$null +if (-not $?) { Write-Output "❌ Not logged in to Azure. Run: az login" } -# jq -sudo dnf install -y jq +gh auth status 2>$null +if (-not $?) 
{ Write-Output "❌ Not logged in to GitHub. Run: gh auth login" } ``` -**Windows (PowerShell with winget):** +## Outputs -```powershell -winget install Microsoft.AzureCLI -winget install GitHub.cli -winget install jqlang.jq -``` +A single chat message containing: -> **Windows note:** Git-Ape skills require a BASH shell. Install [Git for Windows](https://gitforwindows.org/) and use git-bash. +1. **Status table** from Step 4. +2. **Install / PATH repair commands** for ❌ and ⚠️ entries — pulled from [references/install-commands.md](https://github.com/Azure/git-ape/blob/main/.github/skills/prereq-check/references/install-commands.md), scoped to the detected platform. +3. **Auth status** (Azure subscription + GitHub user) from Step 6, only when all tools ✅. +4. **Final verdict** — exactly one of: + - `✅ READY` — all tools installed, versions OK, auth sessions active. Render the handoff chip from `## Next` so the user can click into onboarding. + - `⚠️ TOOLS MISSING` — list what to install. Do not continue. + - `⚠️ REPORTED MISSING` — this terminal finds the tool but the user reported it missing. Print install / PATH repair + verification block. + - `⚠️ AUTH MISSING` — tools OK but `az login` and/or `gh auth login` required. 
-**PATH verification and shell refresh (all platforms):** +## Error Handling -```bash -command -v az && az --version -command -v gh && gh --version -command -v jq && jq --version -command -v git && git --version -``` +| Error | Cause | Fix | +|-------|-------|-----| +| `az --version` hangs | Stale telemetry / extension cache | `az config set core.collect_telemetry=false`; reinstall if persistent | +| `gh auth status` says "not logged into any hosts" | No GitHub session | `gh auth login --web` | +| `az account show` returns `Please run 'az login'` | Expired or missing session | `az login` (use `--use-device-code` in headless shells) | +| User reports missing tool but this terminal finds it | Different shell / PATH / container / machine | Treat as ⚠️ REPORTED MISSING — print install + PATH repair, do not contradict | +| `jq --version` starts with `1.5` | Below minimum (1.6) | Upgrade via platform package manager | +| `check-tools.sh: Permission denied` | Script not executable | `chmod +x .github/skills/prereq-check/scripts/check-tools.sh` | +| `check-tools.ps1 cannot be loaded because running scripts is disabled` | PowerShell execution policy | Run via `pwsh -File scripts/check-tools.ps1` (bypasses script-block policy), or `Set-ExecutionPolicy -Scope Process RemoteSigned` | +| `pwsh: command not found` on Windows | PowerShell 7+ not installed | `winget install Microsoft.PowerShell` — Windows PowerShell 5.1 also works but ship `pwsh` for parity | -If a command is installed but still not found in the user's shell, close and -reopen the terminal, then reload the shell profile (`source ~/.bashrc`, -`source ~/.zshrc`, or equivalent) and run the verification commands again. +## Constraints -### Step 5: Check Auth Sessions +**Always:** -Only run this step if all tools passed Step 3. 
+- Print install commands; let the user run them +- Detect platform before printing recipes +- Honor user-reported missing tools even when this terminal finds them +- Stop at the first blocking failure +- Verify with `command -v ` + ` --version` after suggested fixes -```bash -# Azure CLI session -az account show --query "{name:name,id:id,tenantId:tenantId}" -o table 2>/dev/null -if [[ $? -ne 0 ]]; then - echo "❌ Not logged in to Azure. Run: az login" -fi - -# GitHub CLI session -gh auth status 2>/dev/null -if [[ $? -ne 0 ]]; then - echo "❌ Not logged in to GitHub. Run: gh auth login" -fi -``` +**Never:** + +- Run `brew install`, `apt-get install`, `winget install`, or any state-changing command +- Require git-bash on Windows — use the PowerShell script (`scripts/check-tools.ps1`) instead +- Auto-invoke `git-ape-onboarding` after a `READY` verdict +- Silently drop a reported-missing tool because this terminal finds it +- Continue to auth checks while any tool is ❌ +- Recommend `sudo` on macOS (Homebrew handles non-root install) -### Step 6: Summary +## Next -Present a final verdict: +After a `✅ READY` verdict, render this line verbatim so the chat surface turns it into a clickable handoff: -- **✅ READY** — All tools installed, versions OK, auth sessions active. Proceed with any Git-Ape skill. -- **⚠️ TOOLS MISSING** — List what to install. Do not proceed until resolved. -- **⚠️ REPORTED COMMAND NOT FOUND** — This terminal can find the tool, but the user's shell reported it missing. Provide install/PATH repair guidance and verification commands before proceeding. -- **⚠️ AUTH MISSING** — Tools OK but user needs to run `az login` and/or `gh auth login`. +> Next: **@Git-Ape Onboarding** — or run `/git-ape-onboarding` to start setup. -## Agent Behavior +VS Code Copilot Chat renders `@AgentName` mentions and `/skill-name` slash commands as clickable chips — the user clicks once to dispatch. Do not auto-invoke (Rule 4). -1. 
Run Steps 1–5 by executing the commands in the terminal. -2. Present the results table and install commands (if needed). -3. If the user reported "command not found", do NOT omit install/PATH guidance just because this terminal finds the tool. -4. Do NOT install anything automatically — show the commands and let the user run them. -5. If everything passes and no command-not-found issue was reported, tell the user they're ready and suggest next steps (e.g., `/git-ape-onboarding`). +For deployment-time validation of an Azure project, use `azure-validate` instead. diff --git a/website/docs/workflows/daily-repo-status-lock.md b/website/docs/workflows/daily-repo-status-lock.md index ee7e4eb..c1a72b0 100644 --- a/website/docs/workflows/daily-repo-status-lock.md +++ b/website/docs/workflows/daily-repo-status-lock.md @@ -118,7 +118,7 @@ _Inherited from repository defaults_ # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 -# - github/gh-aw-actions/setup@v0.72.1 +# - github/gh-aw-actions/setup@v0.75.4 # # Container images used: # - ghcr.io/github/gh-aw-firewall/agent:0.25.41 @@ -166,7 +166,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@v0.72.1 + uses: github/gh-aw-actions/setup@v0.75.4 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} @@ -417,7 +417,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@v0.72.1 + uses: github/gh-aw-actions/setup@v0.75.4 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} @@ -998,7 +998,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@v0.72.1 + uses: github/gh-aw-actions/setup@v0.75.4 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} 
@@ -1142,7 +1142,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@v0.72.1 + uses: github/gh-aw-actions/setup@v0.75.4 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} @@ -1351,7 +1351,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@v0.72.1 + uses: github/gh-aw-actions/setup@v0.75.4 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} diff --git a/website/docs/workflows/git-ape-release.md b/website/docs/workflows/git-ape-release.md index 8cf02c4..d16a417 100644 --- a/website/docs/workflows/git-ape-release.md +++ b/website/docs/workflows/git-ape-release.md @@ -373,7 +373,7 @@ jobs: # shellcheck disable=SC2086 vsce publish --packagePath "$VSIX_FILE" --no-dependencies $FLAG - - name: Update CHANGELOG.md on main + - name: Bump version files and update CHANGELOG.md on main if: steps.ver.outputs.prerelease == 'false' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
@@ -382,11 +382,29 @@ jobs: run: | set -euo pipefail - # Always work against the tip of main so the changelog stays current, - # even when this run was triggered by a tag push from an older commit. + # Always work against the tip of main so the bump + changelog stay + # current, even when this run was triggered by a tag push from an + # older commit. (On tag-push the earlier "Commit version bump" step + # is skipped, so plugin.json / marketplace.json on main would + # otherwise stay at the previous version.) git fetch origin main git checkout -B changelog-update origin/main + # Re-apply the version bump against the fresh main tree so the same + # commit lands the version-bearing files AND the changelog entry. + PLUGIN_JSON="plugin.json" + MARKETPLACE_JSON=".github/plugin/marketplace.json" + PLUGIN_NAME=$(jq -r '.name' "$PLUGIN_JSON") + + jq --arg v "$VERSION" '.version = $v' "$PLUGIN_JSON" > "$PLUGIN_JSON.tmp" + mv "$PLUGIN_JSON.tmp" "$PLUGIN_JSON" + + jq --arg v "$VERSION" --arg name "$PLUGIN_NAME" ' + .metadata.version = $v + | .plugins |= map(if .name == $name then .version = $v else . end) + ' "$MARKETPLACE_JSON" > "$MARKETPLACE_JSON.tmp" + mv "$MARKETPLACE_JSON.tmp" "$MARKETPLACE_JSON" + DATE=$(date -u +%Y-%m-%d) # Strip the heading + install footer from release-notes.md to get just 
@@ -428,27 +446,27 @@ jobs: } > CHANGELOG.md fi - if git diff --quiet CHANGELOG.md; then - echo "CHANGELOG.md unchanged; skipping commit." + if git diff --quiet CHANGELOG.md plugin.json .github/plugin/marketplace.json; then + echo "No version or changelog drift on main; skipping commit." exit 0 fi git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - git add CHANGELOG.md - git commit -m "docs(changelog): add entry for $TAG" + git add CHANGELOG.md plugin.json .github/plugin/marketplace.json + git commit -m "chore(release): bump to $TAG and update changelog" # Push directly to main. If the push fails (someone else moved main), - # fall back to opening a PR so the changelog still lands. + # fall back to opening a PR so the bump + changelog still land. if ! git push origin HEAD:main; then echo "Direct push to main rejected; opening a PR instead." - BRANCH="changelog/${TAG}" + BRANCH="release/${TAG}" git push origin "HEAD:$BRANCH" gh pr create \ --base main \ --head "$BRANCH" \ - --title "docs(changelog): add entry for $TAG" \ - --body "Automated changelog update for [$TAG](https://github.com/${{ github.repository }}/releases/tag/$TAG)." + --title "chore(release): bump to $TAG and update changelog" \ + --body "Automated post-release update for [$TAG](https://github.com/${{ github.repository }}/releases/tag/$TAG): bumps \`plugin.json\` + \`.github/plugin/marketplace.json\` to \`$VERSION\` and appends the changelog entry." fi ``` diff --git a/website/docs/workflows/issue-triage-agent-lock.md b/website/docs/workflows/issue-triage-agent-lock.md index f3b4d2c..b9182a8 100644 --- a/website/docs/workflows/issue-triage-agent-lock.md +++ b/website/docs/workflows/issue-triage-agent-lock.md 
@@ -75,8 +75,8 @@ _Inherited from repository defaults_ Click to view full workflow YAML ```yaml -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"40b67e893db0afd989c3507892420575b4825b4b1e695c2878bf00c422a62aad","compiler_version":"v0.72.1","strict":true,"agent_id":"copilot"} -# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"v0.72.1","version":"v0.72.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.41"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.41"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.41"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.6","digest":"sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.6@sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c"},{"image":"ghcr.io/github/github-mcp-server:v1.0.3","digest":"sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} +# gh-aw-metadata: 
{"schema_version":"v3","frontmatter_hash":"b87d30f0e6dfd42fbdc898c7bee5db51b0c988a7124831508d49c98c3e999c90","compiler_version":"v0.72.1","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"bc56a0cad2f450c562810785ef38649c04db812a","version":"v0.72.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.41"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.41"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.41"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.6","digest":"sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.6@sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c"},{"image":"ghcr.io/github/github-mcp-server:v1.0.3","digest":"sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ 
@@ -120,7 +120,7 @@ _Inherited from repository defaults_ # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 -# - github/gh-aw-actions/setup@v0.72.1 +# - github/gh-aw-actions/setup@9f050961da586148d135e113d8bb025185cdf2b8 # v0.75.4 # # Container images used: # - ghcr.io/github/gh-aw-firewall/agent:0.25.41 @@ -167,7 +167,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@v0.72.1 + uses: github/gh-aw-actions/setup@9f050961da586148d135e113d8bb025185cdf2b8 # v0.75.4 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} @@ -265,20 +265,20 @@ jobs: run: | bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh" { - cat << 'GH_AW_PROMPT_9222edcd22652df7_EOF' + cat << 'GH_AW_PROMPT_a1c0370ef2dd6d34_EOF' - GH_AW_PROMPT_9222edcd22652df7_EOF + GH_AW_PROMPT_a1c0370ef2dd6d34_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md" cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md" cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md" cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md" - cat << 'GH_AW_PROMPT_9222edcd22652df7_EOF' + cat << 'GH_AW_PROMPT_a1c0370ef2dd6d34_EOF' Tools: add_comment, add_labels, missing_tool, missing_data, noop - GH_AW_PROMPT_9222edcd22652df7_EOF + GH_AW_PROMPT_a1c0370ef2dd6d34_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md" - cat << 'GH_AW_PROMPT_9222edcd22652df7_EOF' + cat << 'GH_AW_PROMPT_a1c0370ef2dd6d34_EOF' The following GitHub context information is available for this workflow: {{#if __GH_AW_GITHUB_ACTOR__ }} 
@@ -307,14 +307,14 @@ jobs: {{/if}} - GH_AW_PROMPT_9222edcd22652df7_EOF + GH_AW_PROMPT_a1c0370ef2dd6d34_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" - cat << 'GH_AW_PROMPT_9222edcd22652df7_EOF' + cat << 'GH_AW_PROMPT_a1c0370ef2dd6d34_EOF' {{#runtime-import .github/workflows/shared/mood.md}} {{#runtime-import .github/workflows/shared/reporting.md}} {{#runtime-import .github/workflows/issue-triage-agent.md}} - GH_AW_PROMPT_9222edcd22652df7_EOF + GH_AW_PROMPT_a1c0370ef2dd6d34_EOF } > "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 @@ -418,7 +418,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@v0.72.1 + uses: github/gh-aw-actions/setup@9f050961da586148d135e113d8bb025185cdf2b8 # v0.75.4 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} 
@@ -491,9 +491,9 @@ jobs: mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_d106e49c4206fb8c_EOF' - {"add_comment":{"max":1},"add_labels":{"allowed":["bug","feature","enhancement","documentation","question","help-wanted","good-first-issue"]},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}} - GH_AW_SAFE_OUTPUTS_CONFIG_d106e49c4206fb8c_EOF + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_5b176a500004da95_EOF' + {"add_comment":{"max":1},"add_labels":{"allowed":["bug","feature","enhancement","documentation","question","help-wanted","good-first-issue"]},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"false"},"report_incomplete":{}} + GH_AW_SAFE_OUTPUTS_CONFIG_5b176a500004da95_EOF - name: Generate Safe Outputs Tools env: GH_AW_TOOLS_META_JSON: | @@ -702,7 +702,7 @@ jobs: mkdir -p /home/runner/.copilot GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_383b5168701f5045_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_15aff53929236c5b_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -743,7 +743,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_383b5168701f5045_EOF + GH_AW_MCP_CONFIG_15aff53929236c5b_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true @@ -989,7 +989,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@v0.72.1 + uses: github/gh-aw-actions/setup@9f050961da586148d135e113d8bb025185cdf2b8 # v0.75.4 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} 
@@ -1023,7 +1023,7 @@ jobs: GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/github/gh-aw/blob/852cb06ad52958b402ed982b69957ffc57ca0619/.github/workflows/issue-triage-agent.md" GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} - GH_AW_NOOP_REPORT_AS_ISSUE: "true" + GH_AW_NOOP_REPORT_AS_ISSUE: "false" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | @@ -1132,7 +1132,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@v0.72.1 + uses: github/gh-aw-actions/setup@9f050961da586148d135e113d8bb025185cdf2b8 # v0.75.4 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} @@ -1343,7 +1343,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@v0.72.1 + uses: github/gh-aw-actions/setup@9f050961da586148d135e113d8bb025185cdf2b8 # v0.75.4 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} 
@@ -1383,7 +1383,7 @@ jobs: GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"add_labels\":{\"allowed\":[\"bug\",\"feature\",\"enhancement\",\"documentation\",\"question\",\"help-wanted\",\"good-first-issue\"]},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"report_incomplete\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"add_labels\":{\"allowed\":[\"bug\",\"feature\",\"enhancement\",\"documentation\",\"question\",\"help-wanted\",\"good-first-issue\"]},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"false\"},\"report_incomplete\":{}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | diff --git a/website/docs/workflows/pr-validation.md b/website/docs/workflows/pr-validation.md index c54cb16..580b12a 100644 --- a/website/docs/workflows/pr-validation.md 
+++ b/website/docs/workflows/pr-validation.md @@ -61,10 +61,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: node-version: '24' cache: 'npm' @@ -82,10 +82,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: node-version: '20' diff --git a/website/docs/workflows/waza-agent-evals.md b/website/docs/workflows/waza-agent-evals.md index 96acc76..20d1249 100644 --- a/website/docs/workflows/waza-agent-evals.md +++ b/website/docs/workflows/waza-agent-evals.md @@ -137,6 +137,15 @@ concurrency: group: waza-agent-evals-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +# Pin waza to a known-good release. Bump deliberately after validating that +# the new version's eval behavior still matches our baselines. Never resolve +# via `latest` — the microsoft/waza repo publishes the core release and the +# sibling azd-extension release at the same commit, and GitHub's +# `releases/latest` endpoint returns whichever was published last, which has +# bitten PR #109 with a 404 on the wrong asset. +env: + WAZA_VERSION: 'v0.33.0' + jobs: # --------------------------------------------------------------------------- # preflight: verify that the COPILOT_GITHUB_TOKEN secret is configured. 
@@ -365,15 +374,12 @@ jobs: with: fetch-depth: 0 - - name: Install waza (latest GitHub release) + - name: Install waza (pinned release) run: | set -euo pipefail - waza_version="$(curl -fsSL \ - -H "Authorization: Bearer ${GITHUB_TOKEN}" \ - https://api.github.com/repos/microsoft/waza/releases/latest \ - | jq -r '.tag_name')" - if [ -z "${waza_version}" ] || [ "${waza_version}" = "null" ]; then - echo "::error::could not resolve latest waza release tag" + waza_version="${WAZA_VERSION}" + if [ -z "${waza_version}" ]; then + echo "::error::WAZA_VERSION env var is not set" exit 1 fi os="$(uname -s | tr '[:upper:]' '[:lower:]')" @@ -476,15 +482,12 @@ jobs: with: fetch-depth: 0 - - name: Install waza (latest GitHub release) + - name: Install waza (pinned release) run: | set -euo pipefail - waza_version="$(curl -fsSL \ - -H "Authorization: Bearer ${GITHUB_TOKEN}" \ - https://api.github.com/repos/microsoft/waza/releases/latest \ - | jq -r '.tag_name')" - if [ -z "${waza_version}" ] || [ "${waza_version}" = "null" ]; then - echo "::error::could not resolve latest waza release tag" + waza_version="${WAZA_VERSION}" + if [ -z "${waza_version}" ]; then + echo "::error::WAZA_VERSION env var is not set" exit 1 fi echo "Installing waza ${waza_version}" diff --git a/website/docs/workflows/waza-evals.md b/website/docs/workflows/waza-evals.md index e6f0e09..82946be 100644 --- a/website/docs/workflows/waza-evals.md +++ b/website/docs/workflows/waza-evals.md 
@@ -143,6 +143,15 @@ concurrency: group: waza-evals-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +# Pin waza to a known-good release. Bump deliberately after validating that +# the new version's eval behavior still matches our baselines. Never resolve +# via `latest` — the microsoft/waza repo publishes the core release and the +# sibling azd-extension release at the same commit, and GitHub's +# `releases/latest` endpoint returns whichever was published last, which has +# bitten PR #109 with a 404 on the wrong asset. +env: + WAZA_VERSION: 'v0.33.0' + # Note: there is no top-level skill list. The canonical list lives in # .github/evals/manifest.yaml and is read by the `prepare` job below. @@ -388,15 +397,12 @@ jobs: with: fetch-depth: 0 - - name: Install waza (latest GitHub release) + - name: Install waza (pinned release) run: | set -euo pipefail - waza_version="$(curl -fsSL \ - -H "Authorization: Bearer ${GITHUB_TOKEN}" \ - https://api.github.com/repos/microsoft/waza/releases/latest \ - | jq -r '.tag_name')" - if [ -z "${waza_version}" ] || [ "${waza_version}" = "null" ]; then - echo "::error::could not resolve latest waza release tag" + waza_version="${WAZA_VERSION}" + if [ -z "${waza_version}" ]; then + echo "::error::WAZA_VERSION env var is not set" exit 1 fi echo "Installing waza ${waza_version}" @@ -481,15 +487,12 @@ jobs: with: fetch-depth: 0 - - name: Install waza (latest GitHub release) + - name: Install waza (pinned release) run: | set -euo pipefail - waza_version="$(curl -fsSL \ - -H "Authorization: Bearer ${GITHUB_TOKEN}" \ - https://api.github.com/repos/microsoft/waza/releases/latest \ - | jq -r '.tag_name')" - if [ -z "${waza_version}" ] || [ "${waza_version}" = "null" ]; then - echo "::error::could not resolve latest waza release tag" + waza_version="${WAZA_VERSION}" + if [ -z "${waza_version}" ]; then + echo "::error::WAZA_VERSION env var is not set" exit 1 fi echo "Installing waza ${waza_version}"
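Review bot: The regenerated `gh-aw-manifest` header in the hunk at `@@ -75,8 +75,8 @@` disagrees with the workflow body about `github/gh-aw-actions/setup`. The manifest entry now records sha `bc56a0cad2f450c562810785ef38649c04db812a` with version `v0.72.1` (and `compiler_version` is still `v0.72.1`), while the "Actions used" comment at `@@ -120,7 +120,7 @@` and every `uses:` line pin `9f050961da586148d135e113d8bb025185cdf2b8 # v0.75.4`. Anyone auditing pinned actions from the manifest would be checking a different commit from the one the jobs run. Since this page is generator output, fix it in the source lock file: recompile so the header and the steps name the same commit, then regenerate the docs.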
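Review bot: The `noop` option `report-as-issue` flips from "true" to "false" in three places (the safe-outputs `config.json` heredoc at `@@ -491,9 +491,9 @@`, `GH_AW_NOOP_REPORT_AS_ISSUE` at `@@ -1023,7 +1023,7 @@`, and `GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG` at `@@ -1383,7 +1383,7 @@`), which is a behaviour change in the documented workflow, not a cosmetic regeneration difference like the renamed heredoc delimiters. The commit message says the patch is generator output with no source changes, so reference the source commit that introduced the new value, or mention it in the message, so a reviewer can confirm the new no-op reporting behaviour is intended.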
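Review bot: In website/docs/workflows/pr-validation.md both jobs move to `actions/checkout@v6` and `actions/setup-node@v6`, which are mutable tags, while the lock workflow earlier in this patch pins the same actions by commit (`actions/checkout` at `de0fac2e4500dabe0009e67214ff5f5447ce83dd` for v6.0.2, `actions/setup-node` at `48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e` for v6.4.0). Pin the source workflow to a full commit SHA with the version as a trailing comment, in the same style as the `# v6.4.0` lines, and regenerate. The unchanged context also shows the two jobs requesting different Node versions ('24' and '20'); confirm that split is deliberate.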
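Review bot: In the four "Install waza (pinned release)" steps, `waza_version="${WAZA_VERSION}"` runs under `set -euo pipefail`, so an unset `WAZA_VERSION` aborts the script with an unbound-variable error before the `[ -z "${waza_version}" ]` check can print `::error::WAZA_VERSION env var is not set`. Only a set-but-empty value reaches the guard. Use `waza_version="${WAZA_VERSION:-}"` in the source workflows so the friendly error covers both cases.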
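Review bot: The `env:` block `WAZA_VERSION: 'v0.33.0'` and its six-line comment are added verbatim to both waza-agent-evals.md (`@@ -137,6 +137,15 @@`) and waza-evals.md (`@@ -143,6 +143,15 @@`), so each bump has to be made in two workflows and the two can drift apart. Consider a single source for the version (for example a repository variable or a shared reusable workflow). The pin is also by release tag only, and none of the visible install lines compare the downloaded asset against a known digest. If the rest of the step does not already do so, record the expected SHA-256 next to the version and verify it after download, so that bumping the version is the only way the installed binary changes.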