feat: update actions/github-script to v9.0.0 with builtin getOctokit

[Copilot]

Summary

Updates actions/github-script from v8 to v9.0.0, using the new builtin getOctokit factory function instead of dynamically importing @actions/github.

In v9.0.0, getOctokit is injected directly into the script context (like github, core, context, etc.), so scripts no longer need to import("@actions/github") to create secondary authenticated clients.

Changes

Core version update

• Bumps DefaultGitHubScriptVersion from v8 to v9
• Adds actions/github-script@v9 SHA pin (3a2844b7e9c422d3c10d287c895573f7108da1b3) to actions-lock.json
• Updates package.json dev dependency to actions/github-script#v9.0.0 for TypeScript types

Builtin getOctokit support

• setup_globals.cjs: adds getOctokit as a 6th parameter, stores it as global.getOctokit
• All setupGlobals(core, github, context, exec, io) calls in Go files updated to setupGlobals(core, github, context, exec, io, getOctokit) (~90 call sites across 17 files)

Remove @actions/github dynamic import

• handler_auth.cjs: removes const { getOctokit } = await import("@actions/github"), uses builtin getOctokit(token) directly
• assign_to_agent.cjs: same
• create_issue.cjs: same
• create_pull_request.cjs: same

Remove npm install support for @actions/github

• actions/setup/setup.sh: removes the block that ran npm install @actions/github when custom tokens were enabled
• actions/setup/action.yml: removes the safe-output-custom-tokens input
• compiler_yaml_step_generation.go: removes enableCustomTokens parameter from generateSetupStep
• compiler_safe_outputs_job.go: removes custom-tokens Node.js setup logic for custom image runners
• compiler_safe_outputs_core.go: removes hasCustomTokenSafeOutputs and collectBaseSafeOutputConfigs (now unused)

Test updates

• handler_auth.test.cjs: mocks global.getOctokit instead of @actions/github
• cjs_require_validation_test.go: removes exception for handler_auth.cjs
• safe_outputs_runs_on_test.go: removes TestSafeOutputsCustomRunnerNodeSetup (no longer relevant)
• SHA references in test files and golden files updated from v8 SHA to v9 SHA
• All 187 workflow lock files recompiled

---

---

✨ PR Review Safe Output Test - Run 24220925131

💥 [THE END] — Illustrated by Smoke Claude · ● 398.6K · ◷

---

---

✨ PR Review Safe Output Test - Run 24220926430

💥 [THE END] — Illustrated by Smoke Claude · ● 295.4K · ◷

---

Changeset

• Type: patch
• Description: Updated workflow generation and safe-output scripts to use actions/github-script@v9 and the builtin getOctokit context API.

Generated by Changeset Generator for issue #25553 · ◷

[salmanmkc]

🥳

[Copilot]

Pull request overview

This PR upgrades actions/github-script usage from v8 to v9 across the project and updates the generated GitHub Actions scripts to use the new built-in getOctokit injection (removing the prior runtime dependency on dynamically importing/installing @actions/github).

Changes:

• Bump the default github-script major version to v9 and update action pin/lock data accordingly.
• Extend setupGlobals(...) to accept getOctokit and update generated JS snippets / golden workflow outputs to pass it.
• Remove “custom tokens” runtime-install path for @actions/github and adjust compilation logic and tests accordingly.

Show a summary per file

File	Description
pkg/workflow/threat_detection.go	Updates generated require snippets to pass getOctokit; adjusts setup step signature usage.
pkg/workflow/threat_detection_test.go	Updates assertions for the new setupGlobals(..., getOctokit) call.
pkg/workflow/testdata/wasm_golden/WasmBinary/with-imports.golden	Updates pinned github-script SHA to v9 and updates setupGlobals call signature in golden output.
pkg/workflow/testdata/wasm_golden/WasmBinary/basic-copilot.golden	Same: v9 pin + getOctokit argument in golden output.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden	Same: v9 pin + getOctokit argument in golden output.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-test-tools.golden	Same: v9 pin + getOctokit argument in golden output.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden	Same: v9 pin + getOctokit argument in golden output.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/claude-with-network.golden	Same: v9 pin + getOctokit argument in golden output.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden	Same: v9 pin + getOctokit argument in golden output.
pkg/workflow/template.go	Updates template rendering step to call setupGlobals(..., getOctokit).
pkg/workflow/template_rendering_test.go	Updates test expectations for setupGlobals(..., getOctokit).
pkg/workflow/safe_outputs_steps.go	Updates generated safe-output github-script steps to pass getOctokit.
pkg/workflow/safe_outputs_runs_on_test.go	Removes test tied to custom-token Node.js setup logic (now removed).
pkg/workflow/safe_output_helpers_test.go	Updates tests to expect the v9 pinned SHA.
pkg/workflow/repo_memory.go	Updates setup step signature usage and setupGlobals(..., getOctokit) in generated JS.
pkg/workflow/redact_secrets.go	Updates redact-secrets step to pass getOctokit.
pkg/workflow/redact_secrets_test.go	Updates expectations for v9 pinned SHA.
pkg/workflow/publish_assets.go	Updates setup step signature usage (custom-tokens parameter removed).
pkg/workflow/pr.go	Updates PR checkout script snippets to pass getOctokit.
pkg/workflow/pr_ready_for_review_checkout_test.go	Updates expectations for v9 pinned SHA.
pkg/workflow/pr_checkout_test.go	Updates expectations for v9 pinned SHA.
pkg/workflow/notify_comment.go	Updates setup step signature usage (custom-tokens parameter removed).
pkg/workflow/maintenance_workflow.go	Updates maintenance workflow script snippets to pass getOctokit.
pkg/workflow/detection_success_test.go	Updates assertion for setupGlobals(..., getOctokit).
pkg/workflow/data/action_pins.json	Adds v9 pin entry for actions/github-script@v9.
pkg/workflow/compute_text_lazy_test.go	Updates expectations for v9 pinned SHA.
pkg/workflow/compiler_yaml.go	Updates various generated YAML steps to pass getOctokit.
pkg/workflow/compiler_yaml_step_generation.go	Removes custom-token support from generateSetupStep signature and YAML emission.
pkg/workflow/compiler_yaml_main_job.go	Updates generated step to pass getOctokit.
pkg/workflow/compiler_yaml_ai_execution.go	Updates log parsing / summaries steps to pass getOctokit.
pkg/workflow/compiler_unlock_job.go	Updates setup step signature usage.
pkg/workflow/compiler_safe_outputs_steps.go	Updates safe-output step generation to pass getOctokit.
pkg/workflow/compiler_safe_outputs_job.go	Removes custom-token path + Node.js setup logic; updates setup step signature usage.
pkg/workflow/compiler_safe_outputs_core.go	Removes helper functions used only for custom-token detection logic.
pkg/workflow/compiler_pre_activation_job.go	Updates setup step signature usage.
pkg/workflow/compiler_main_job.go	Updates setup step signature usage.
pkg/workflow/compiler_github_actions_steps.go	Updates shared helper-generated scripts to pass getOctokit.
pkg/workflow/compiler_activation_job.go	Updates setup step signature usage.
pkg/workflow/compile_outputs_pr_test.go	Updates expectations for v9 pinned SHA.
pkg/workflow/compile_outputs_label_test.go	Updates expectations for v9 pinned SHA.
pkg/workflow/compile_outputs_issue_test.go	Updates expectations for v9 pinned SHA.
pkg/workflow/compile_outputs_comment_test.go	Updates expectations for v9 pinned SHA.
pkg/workflow/cjs_require_validation_test.go	Removes handler_auth.cjs exception for @actions/github require/import.
pkg/workflow/cache.go	Updates generated scripts and setup step signature usage to pass getOctokit.
pkg/workflow/aw_info_tmp_test.go	Updates assertion for setupGlobals(..., getOctokit).
pkg/workflow/action_sha_validation_test.go	Updates forbidden pattern to actions/github-script@v9.
pkg/workflow/action_sha_checker_test.go	Updates fixture SHA to v9.
pkg/workflow/action_pins_logging_test.go	Updates test fixtures to use the new github-script SHA.
pkg/workflow/action_cache_test.go	Updates test fixtures to use the new github-script SHA.
pkg/constants/version_constants.go	Sets DefaultGitHubScriptVersion to v9.
actions/setup/setup.sh	Removes runtime npm install @actions/github path for custom tokens.
actions/setup/js/setup_globals.cjs	Adds getOctokit parameter and stores it on global.getOctokit.
actions/setup/js/package.json	Pins @actions/github-script dev dependency to #v9.0.0 for types.
actions/setup/js/handler_auth.test.cjs	Switches mocking from @actions/github to global.getOctokit.
actions/setup/js/handler_auth.cjs	Removes dynamic import of @actions/github and uses getOctokit directly.
actions/setup/js/create_pull_request.cjs	Removes dynamic import of @actions/github and uses getOctokit directly.
actions/setup/js/create_issue.cjs	Removes dynamic import of @actions/github and uses getOctokit directly.
actions/setup/js/assign_to_agent.cjs	Removes dynamic import of @actions/github and uses getOctokit directly.
actions/setup/js/assign_agent_helpers.cjs	Updates comment referencing github-script v9 compatibility.
actions/setup/action.yml	Removes safe-output-custom-tokens input.
.github/workflows/test-workflow.lock.yml	Recompiled lockfile: v9 pin + setupGlobals(..., getOctokit).
.github/workflows/metrics-collector.lock.yml	Recompiled lockfile: v9 pin + setupGlobals(..., getOctokit).
.github/workflows/issue-triage-agent.lock.yml	Recompiled lockfile: v9 pin + setupGlobals(..., getOctokit).
.github/workflows/gpclean.lock.yml	Recompiled lockfile: v9 pin + setupGlobals(..., getOctokit).
.github/workflows/firewall.lock.yml	Recompiled lockfile: v9 pin + setupGlobals(..., getOctokit).
.github/workflows/example-permissions-warning.lock.yml	Recompiled lockfile: v9 pin + setupGlobals(..., getOctokit).
.github/workflows/daily-malicious-code-scan.lock.yml	Recompiled lockfile: v9 pin + setupGlobals(..., getOctokit).
.github/workflows/codex-github-remote-mcp-test.lock.yml	Recompiled lockfile: v9 pin + setupGlobals(..., getOctokit).
.github/workflows/bot-detection.lock.yml	Partially updated lockfile; still contains v8 references per search results.
.github/workflows/agentics-maintenance.yml	Updates github-script pin to v9 and passes getOctokit into setupGlobals.
.github/workflows/ace-editor.lock.yml	Partially updated lockfile; still contains v8 references per search results.
.github/aw/actions-lock.json	Adds v9 pin entry for actions/github-script@v9.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 50/250 changed files
• Comments generated: 9

[Copilot]

getOctokit is referenced as a free variable, but it is not defined in this module scope. Since setup_globals.cjs stores it on global.getOctokit, this call will throw ReferenceError: getOctokit is not defined at runtime. Update this to use global.getOctokit(token) (or destructure from global) and ensure setupGlobals(..., getOctokit) was called before requiring this module.

[Copilot]

getOctokit is referenced as a free variable in this CJS module, but it is not defined here. With the new approach, getOctokit is stored on global.getOctokit by setup_globals.cjs, so this should call global.getOctokit(token) (or equivalent) to avoid a runtime ReferenceError.

[Copilot]

getOctokit is not defined in this module scope. Because setup_globals.cjs attaches it as global.getOctokit, this should use global.getOctokit(token) (or destructure from global) to avoid a runtime ReferenceError when a dedicated client is needed.

[Copilot]

getOctokit is referenced directly but is not defined in this module scope. After setup_globals.cjs runs, it will be available as global.getOctokit; use that (or destructure from global) to avoid ReferenceError: getOctokit is not defined when creating the dedicated client.

[Copilot]

setupGlobals now requires a 6th getOctokit argument, but there are still workflows/lockfiles in the repo calling the 5-arg form (e.g. .github/workflows/copilot-maintenance.yml:46, pkg/cli/workflows/example-blocked-domains.lock.yml:104, pkg/workflow/test-yaml-import.lock.yml:66). Those will leave global.getOctokit unset and break any handler code that needs per-token clients. Update the remaining call sites (or make the 6th parameter backward-compatible).

[Copilot]

This lock file still references actions/github-script v8 alongside v9 (see the manifest on this line, plus remaining uses: actions/github-script@...ed597411... later in the file). If the intent is to fully bump to v9, update the remaining v8 steps so the manifest and pinned SHAs are consistent.

[Copilot]

This lock file still includes actions/github-script v8 in the manifest (and there are still uses: actions/github-script@...ed597411... occurrences later). If the repo is migrating to github-script v9, the remaining v8-pinned steps should be updated so the manifest reflects a single, consistent github-script version.

[Copilot]

The fixture uses the v9 SHA (3a2844…) but the version comment still says # v8.0.0, which makes the test data misleading. Update the comment (and expected extracted version, if needed) to match the v9 pin being used.

[Copilot]

These tests are still keyed around actions/github-script@v8/v8.0.0 but now use the v9 SHA. This works for the duplicate-SHA scenario, but it no longer matches the repo’s default github-script major and is confusing. Consider updating the versions used in the test names/keys to v9/v9.0.0 to reflect the current pin.

[github-actions]

👋 Smoke test agent agrees — updating test names/keys from v8/v8.0.0 to v9/v9.0.0 would remove the confusion between the SHA pin and the version label.

📰 BREAKING: Report filed by Smoke Copilot · ● 963.8K

[pelikhan]

@copilot fix https://github.com/github/gh-aw/actions/runs/24219396443/job/70707248531

[salmanmkc]

need to add getOctokit to actions/setup/js/types/github-script.d.ts

[github-actions]

🧪 Test Quality Sentinel Report

Test Quality Score: 96/100

✅ Excellent test quality

Metric	Value
New/modified tests analyzed	7
✅ Design tests (behavioral contracts)	7 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	6 (86%)
Duplicate test clusters	0
Test inflation detected	No
🚨 Coding-guideline violations	None

---

Test Classification Details

All 7 analyzed tests

Test	File	Classification	Notes
"returns the global github when no github-token in config"	actions/setup/js/handler_auth.test.cjs	✅ Design	Edge case: no-token path; asserts identity of returned client
"returns the global github when config is empty object"	actions/setup/js/handler_auth.test.cjs	✅ Design	Edge case: irrelevant config keys ignored
"creates a new Octokit when github-token is set in config"	actions/setup/js/handler_auth.test.cjs	✅ Design	Happy path; asserts returned client ≠ global and token propagated
"logs a message when using per-handler token"	actions/setup/js/handler_auth.test.cjs	✅ Design	Behavioral side-effect: logging contract enforced
"creates distinct Octokit instances for different tokens"	actions/setup/js/handler_auth.test.cjs	✅ Design	Edge case: token isolation between calls
"does not mutate the global github object"	actions/setup/js/handler_auth.test.cjs	✅ Design	Invariant: global github unchanged after call
TestCJSFilesNoActionsRequires (modified)	pkg/workflow/cjs_require_validation_test.go	✅ Design	Behavioral contract: no .cjs file may use undeclared npm packages

---

Test Change Summary

This PR's test changes fall into three categories:

1. handler_auth.test.cjs — mock strategy refactored (behavioral tests preserved)

The key change: replaced vi.mock("@actions/github", ...) (module-level mock) with global.getOctokit = vi.fn(...) (global mock). This is the correct adaptation for actions/github-script@v9, which injects getOctokit as a builtin global rather than via the @actions/github npm package. The 6 behavioral it() blocks themselves are unchanged — the same behavioral contracts are still enforced.

The mock target (global.getOctokit) is external I/O injected by the GitHub Actions runtime — this is a legitimate mock target, not an internal business-logic function.

2. safe_outputs_runs_on_test.go — TestSafeOutputsCustomRunnerNodeSetup deleted (correct cleanup)

This 5-case table-driven test verified that npm install @actions/github`` was emitted before actions/setup for custom runners. Since `setup.sh` no longer installs `@actions/github` (the v9 builtin eliminates that need), the test was correctly removed with the feature. This is appropriate test hygiene, not coverage loss.

3. cjs_require_validation_test.go — exception for handler_auth.cjs removed (tighter contract)

TestCJSFilesNoActionsRequires previously allowed handler_auth.cjs to require("@actions/github"). Since the file no longer imports that package, the allowlist entry is correctly removed. The contract is now stricter, which is an improvement.

Mechanical SHA updates (16 Go test files)

16 Go test files had hardcoded SHA constants updated from the v8 SHA (ed597411...) to the new v9 SHA (3a2844b7...). These are pure test-data maintenance updates — no behavioral logic changed in these files.

---

Test Inflation Analysis

File	Test lines added	Prod lines added	Ratio	Status
handler_auth.test.cjs	9	0 (1 deleted)	N/A (refactor)	✅ No inflation — production change was a deletion; test swapped one mock approach for another with identical net line count

---

Language Support

Tests analyzed:

• 🐹 Go (*_test.go): 1 test (unit — //go:build !integration) — build tags verified on all modified files ✅
• 🟨 JavaScript (*.test.cjs): 6 tests (vitest)

---

Verdict

✅ Check passed. 0% of new tests are implementation tests (threshold: 30%). All modified tests enforce observable behavioral contracts. The changes correctly reflect the actions/github-script@v9 API change — tests were updated in lock-step with the production code, a deleted feature's tests were removed, and no behavioral coverage was lost.

---

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

• Assert on observable outputs, return values, or state changes
• Cover error paths and boundary conditions
• Would catch a behavioral regression if deleted
• Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

• Assert on internal function calls (mocking internals)
• Only test the happy path with typical inputs
• Break during legitimate refactoring even when behavior is correct
• Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

🧪 Test quality analysis by Test Quality Sentinel · ● 736.5K · ◷

[github-actions]

✅ Test Quality Sentinel: 96/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). All 7 analyzed tests enforce observable behavioral contracts. Mock strategy in handler_auth.test.cjs was correctly updated for github-script@v9's builtin getOctokit global, TestSafeOutputsCustomRunnerNodeSetup was properly removed with the deleted feature, and 16 SHA constants were updated mechanically. No coding-guideline violations detected.

[salmanmkc]

@copilot add getOctokit to actions/setup/js/types/github-script.d.ts

[salmanmkc]

@copilot add getOctokit to actions/setup/js/types/github-script.d.ts

[Copilot]

@copilot fix https://github.com/github/gh-aw/actions/runs/24219396443/job/70707248531

Fixed in 41d4059. The CI failure was TestAddCommentDiscussionsFieldSchemaIntegration — the test cases were using name: without an on: trigger, which fails the shared-workflow validation. Added on: push to those test cases.

Also addressed all code review feedback in the same commit:

• Changed getOctokit(token) → global.getOctokit(token) in handler_auth.cjs, assign_to_agent.cjs, create_issue.cjs, create_pull_request.cjs
• Updated all source MD files and static YAML files that still referenced github-script@v8/v8 SHA to use v9
• Fixed remaining 5-arg setupGlobals calls in copilot-maintenance.yml and test-yaml-import.lock.yml
• Updated test data in action_sha_checker_test.go (comment # v8.0.0 → # v9.0.0) and action_pins_logging_test.go / action_cache_test.go (v8/v8.0.0 keys → v9/v9.0.0)

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw ase,codename,allshow (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw chr/testify/asseimage (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel find /usr/bin/git kflows/changesetgit :latest repository(owne--show-toplevel git rev-�� --show-toplevel bash /usr/bin/git h ../../../.pretgit B90BGy20iVj1 /opt/hostedtoolc--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git ithub/workflows git /usr/bin/head git rev-�� --show-toplevel head /usr/bin/git ath ../../../.prgit node /home/REDACTED/.do--show-toplevel git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha graphql -f /usr/bin/git -f owner=github -f git -C rite 'scripts/**/*.js' --ignore-path .prettierignore --log-level=error 2>&1 rev-parse bin/sh se 4692186/b078/vetrev-parse ache/go/1.25.8/x--show-toplevel bash (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --show-toplevel git k/node_modules/.bin/sh nore git ache/node/24.14.--show-toplevel git rev-�� te '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pret--log-level=error git cal/bin/sh --show-toplevel git ache/node/24.14.--show-toplevel git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha re --log-level=e!../../../pkg/workflow/js/**/*.json (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel bash /usr/bin/git w/js/**/*.json' git owner (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git g_.a ache/go/1.25.8/xrev-parse k/node_modules/.--show-toplevel git rev-�� --show-toplevel git /usr/bin/git v6hwOIGnX ache/go/1.25.8/xrev-parse k/gh-aw/gh-aw/ac--show-toplevel git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha prettier --write /usr/local/sbin/bash !../../../pkg/wogit --ignore-path ../../../.pretti--show-toplevel bash --no�� --noprofile bash /usr/bin/git kflows/ai-moderagit de/node/bin/noderev-parse (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha pkg/mod/github.com/aymanbagabas/go-udiff@v0.4.1/lcs/common.go pkg/mod/github.com/aymanbagabas/go-udiff@v0.4.1/lcs/doc.go /usr/bin/gcc rror /tmp/go-build353rev-parse run-script/lib/n--show-toplevel gcc -###�� -x c /usr/bin/git - (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel git /usr/bin/git /home/REDACTED/worgit config ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /usr/bin/git --show-toplevel git k/gh-aw/gh-aw/ac--show-toplevel git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq .object.sha k/gh-aw/gh-aw/tmp/smoke_test_22524436360.go /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/cgo ithub/workflows /tmp/go-build353rev-parse /opt/hostedtoolc--show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/cgo -V=f�� (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq .object.sha "prettier" --write '../../../**/*.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path ../.git /opt/hostedtoolcache/go/1.25.8/xghcr.io/github/serena-mcp-server:latest /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/asm rror /tmp/go-build353rev-parse /opt/pipx_bin/ba--show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/asm -V=f�� de/node/bin/git bash /usr/bin/git k/gh-aw/gh-aw/.ggit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq .object.sha "prettier" --write '../../../**/*.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path ../.git /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/compile rror /tmp/go-build353rev-parse /usr/local/bin/b--show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/compile -o /tmp/go-build2917002610/b125/_pkg_.a -trimpath /usr/bin/git -p github.com/aymanrev-parse -lang=go1.24 git (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha "prettier" --write '../../../**/*.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path ../.git /opt/hostedtoolcache/go/1.25.8/xconfig /usr/bin/tail rror /tmp/go-build353rev-parse /sh tail -5 (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha run format:pkg-json /opt/pipx_bin/bash tierignore git run-script/lib/n--show-toplevel bash --no�� --noprofile node /usr/bin/git /opt/hostedtoolcgit git /snap/bin/bash git (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha prettier --write /usr/sbin/bash !../../../pkg/wogit --ignore-path ../../../.pretti--show-toplevel bash --no�� --noprofile bash /usr/bin/git ithub/workflows (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha format:pkg-json --silent /snap/bin/bash tierignore git ache/node/24.14.--show-toplevel bash --no�� --noprofile node /usr/bin/git /opt/hostedtoolcgit :latest r: $owner, name:--show-toplevel git (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha kflows/workflow-health-manager.lock.yml rev-parse tnet/tools/bash linuxagent-logcogit .cfg x_amd64/compile git rev-�� *.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path ../../../.prettierignore x_amd64/compile /usr/bin/git -2.15.1.3-py3.12git .cfg ache/go/1.25.8/x--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha */*.ts' '**/*.json' --ignore-path ../../../.pret.prettierignore git /usr/bin/git --show-toplevel git $name) { has--show-toplevel git -C */*.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path rev-parse /usr/bin/git l git /usr/bin/git git (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq $name) { hasDiscussionsEnabled } } --show-toplevel x_amd64/compile /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel x_amd64/compile /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility --local commit.gpgsign ache/go/1.25.8/x-f (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility --show-toplevel git ndor/bin/bash ref/tags/v0.1.2 git 64/bin/node git _har�� iew.lock.yml git r: $owner, name: $name) { hasDiscussionsEnabled } } --show-toplevel 64/pkg/tool/linu-C /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha k/gh-aw/gh-aw/cmd/gh-aw/main.go /opt/hostedtoolcconfig /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/compile -unreachable=falgit /tmp/go-build353rev-parse run-script/lib/n--show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/compile -o /tmp/go-build4229223273/b366/_pkg_.a -trimpath /usr/bin/git -p main -lang=go1.25 git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha "prettier" --write 'scripts/**/*.js' --ignore-path .prettierignore --log-level=error node /home/REDACTED/work/gh-aw/gh-aw/node_modules/.bin/node tierignore git -d node /hom�� --write ../../../**/*.json /usr/bin/git --ignore-path ../../../.prettirev-parse /opt/hostedtoolc--show-toplevel git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha .js' --ignore-path .prettierignore --log-level=error config de_modules/.bin/node remote.origin.urgit .cfg 64/pkg/tool/linu--show-toplevel git tion�� dler_auth.test.cjs --reporter=verbose 64/pkg/tool/linu--jq son ignore committer.email n-dir/bash git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha k/gh-aw/gh-aw/.github/workflows git tions/node_modules/.bin/sh --show-toplevel git 1/x64/bin/node infocmp -1 *.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path ../../../.prettierignore git /usr/bin/infocmp --show-toplevel git x_amd64/link infocmp (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha .js' --ignore-path .prettierignore --log-level=error 64/pkg/tool/linurev-parse tions/setup/node_modules/.bin/node get --local 64/pkg/tool/linu--show-toplevel git tion�� dler_auth.test.cjs --reporter=verbose rev-parse son ignore committer.name $name) { has--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse tions/setup/js/node_modules/.bin/sh --show-toplevel git r: $owner, name:--show-toplevel git show�� *.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path ../../../.prettierignore git /usr/bin/docker 07a9d4d84ff7a3b git x_amd64/cgo docker (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/git ithub/workflows -f /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git on' --ignore-patgit :latest _modules/.bin/no--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel git /usr/bin/git ithub/workflows git /usr/bin/infocmp--show-toplevel git rev-�� --show-toplevel infocmp /usr/bin/git json' --ignore-pgit :latest /usr/bin/gh git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha yml -tests (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha ignore-path ../../../.prettierignore git /snap/bin/bash --show-toplevel node /usr/bin/git bash --no�� t-burner.lock.yml git /opt/hostedtoolcache/uv/0.11.6/x86_64/bash --show-toplevel node /usr/bin/find bash (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha get --global 64/pkg/tool/linux_amd64/vet http.https://gitgit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha --show-toplevel git 1/x64/bin/node --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git 1/x64/bin/node --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha ithub/workflows -tests (http block)
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha ignore-path ../../../.prettierignore git /opt/pipx_bin/bash --show-toplevel node /usr/bin/git bash --no�� --noprofile git er: String!, $name: String!) { -f --show-toplevel node /usr/bin/git bash (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[pelikhan]

@copilot merge main and recompile

[Copilot]

@copilot add getOctokit to actions/setup/js/types/github-script.d.ts

Added in 3c2de30. getOctokit is now declared as var getOctokit: typeof __actionsGithub.getOctokit in the declare global block — using var (not const) so it's also accessible as global.getOctokit on globalThis. This also eliminated the unused @ts-expect-error directive in setup_globals.cjs since the assignment is now type-safe.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/github/gh-aw/contents/.github%2Fworkflows%2Faudit-workflows.md
  • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node --experimental-import-meta-resolve --require /home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/vitest/suppress-warnings.cjs --conditions node --conditions development /home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/vitest/dist/workers/forks.js . 86_64/git forks.js rev-�� --reverse origin/fallback-branch..HEAD t -m Initial commit ndor/bin/git /usr/lib/git-cor--stdout (http block)
• invalid.example.invalid
  • Triggering command: /usr/lib/git-core/git-remote-https /usr/lib/git-core/git-remote-https origin https://invalid.example.invalid/nonexistent-repo.git git comm�� -m Initial commit cal/bin/git ranch main odules/npm/node_-b git conf�� user.email test@test.com /git -b feature-branch tnet/tools/git git (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[salmanmkc]

@copilot fix merge conflicts

[Copilot]

@copilot v9 import paths may break existing type imports — the type file imports Context from @actions/github/lib/context and GitHub from @actions/github/lib/utils. These deep imports may not exist ...

Verified — both deep imports still work with v9. @actions/github@9.0.0 ships lib/context.d.ts and lib/utils.d.ts on disk, and our tsconfig.json uses "moduleResolution": "node" which resolves by filesystem path (not the exports map). Running tsc --noEmit produces zero errors and both paths resolve correctly:

context → node_modules/@actions/github/lib/context.d.ts ✓
utils   → node_modules/@actions/github/lib/utils.d.ts   ✓

If we ever move to "moduleResolution": "bundler" or "node16" we'd need to switch the Context import to the top-level @actions/github, but that's not a concern today.

[github-actions]

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

Agent Container Tool Check

Tool	Status	Version
bash	✅	5.2.21
sh	✅	available
git	✅	2.53.0
jq	✅	1.7
yq	✅	v4.52.5
curl	✅	8.5.0
gh	✅	2.89.0
node	✅	v20.20.2
python3	✅	3.12.3
go	✅	1.24.13
java	✅	21.0.10
dotnet	✅	10.0.201

Result: 12/12 tools available ✅

Overall Status: PASS

🔧 Tool validation by Agent Container Smoke Test · ● 159.4K · ◷

[github-actions]

Smoke Test: Codex (run 24220926458)
PRs: #25560 Optimize Functional Pragmatist workflow token usage (~54% prompt reduction); #25558 fix: add cli-proxy image to Docker pre-download list
GitHub MCP ✅
Serena MCP ❌
Playwright ✅
Web Fetch ❌
File Write ✅ | Bash Cat ✅ | Build ✅
Overall: FAIL

🔮 The oracle has spoken through Smoke Codex · ◷

[github-actions]

🚀 Smoke Test Results — run 24220926503

Test	Status
GitHub MCP	✅
MCP Scripts GH CLI	✅
Serena MCP	⚠️ skipped
Playwright	✅
Web Fetch	✅
File Writing + Bash	✅
Discussion Interaction	✅
Build gh-aw	✅
Upload Artifact	✅
Discussion Creation	✅
Workflow Dispatch	✅
PR Review	✅

Overall: ✅ PASS — @Copilot (author), @pelikhan @Copilot (assignees)

📰 BREAKING: Report filed by Smoke Copilot · ● 963.8K · ◷

[github-actions]

Smoke test review of PR #25553 — upgrading actions/github-script to v9.0.0 with builtin getOctokit. The changes look solid: removing dynamic @actions/github imports is cleaner, and the 6th-parameter injection approach is well-executed across ~90 call sites. Minor suggestion: add JSDoc to setupGlobals and a changelog note about the new getOctokit usage pattern.

📰 BREAKING: Report filed by Smoke Copilot · ● 963.8K

[github-actions]

Adding getOctokit as a 6th parameter to setupGlobals is the right approach for v9 compatibility. Consider adding a JSDoc comment documenting all 6 parameters so callers know what to pass and in what order — the function signature is getting complex enough to warrant inline documentation.

[github-actions]

Good call removing @actions/github dynamic imports — this simplifies the dependency tree and aligns with v9's injection model. Worth adding a note in the PR description or CHANGELOG that scripts can now call getOctokit(token) directly without any imports.

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[pelikhan]

LGTM

[github-actions]

💥 Automated smoke test review - all systems nominal!

💥 [THE END] — Illustrated by Smoke Claude · ● 398.6K

[github-actions]

The SHA pin 3a2844b7e9c422d3c10d287c895573f7108da1b3 for actions/github-script@v9 looks correct. Good practice pinning to a specific commit SHA for security and reproducibility.

[github-actions]

Good update from v8 to v9. The migration to use the builtin getOctokit injected into the script context is a clean improvement that removes the need for dynamic imports from @actions/github.

[github-actions]

Smoke Test Run 24220926430 results:

Core (#1–12): ✅✅✅✅✅✅✅✅✅✅✅✅
PR Review (#13–19): ✅✅✅⚠️✅✅⚠️

Overall: PARTIAL (17 pass, 2 skipped — resolve thread & close PR)

💥 [THE END] — Illustrated by Smoke Claude · ● 295.4K · ◷

[github-actions]

💥 Automated smoke test review - all systems nominal!

💥 [THE END] — Illustrated by Smoke Claude · ● 295.4K

[github-actions]

Good upgrade to actions/github-script@v9 here. The new getOctokit parameter is now properly included in the setupGlobals call, which is consistent with all other step updates in this PR.

[github-actions]

The new actions/github-script@v9 pin with SHA 3a2844b7e9c422d3c10d287c895573f7108da1b3 looks correct. This ensures reproducible builds by pinning to an exact commit rather than a floating tag.

[github-actions]

Commit pushed: 0e4257a

Generated by Changeset Generator