From dd3ff609ce2a548458e74b5cfd9b5e2acb8e6e00 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 9 Jun 2026 23:56:31 +0000 Subject: [PATCH 1/5] Add PR targeting support to create_check_run Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- actions/setup/js/create_check_run.cjs | 70 +++++++++++++++---- actions/setup/js/create_check_run.test.cjs | 57 +++++++++++++++ actions/setup/js/safe_outputs_tools.json | 19 ++++- .../compiler_safe_outputs_config_test.go | 41 +++++++++++ pkg/workflow/create_check_run.go | 9 +++ pkg/workflow/js/safe_outputs_tools.json | 19 ++++- pkg/workflow/safe_outputs_handler_registry.go | 1 + 7 files changed, 202 insertions(+), 14 deletions(-) diff --git a/actions/setup/js/create_check_run.cjs b/actions/setup/js/create_check_run.cjs index 50ab7431d60..f6635346fe5 100644 --- a/actions/setup/js/create_check_run.cjs +++ b/actions/setup/js/create_check_run.cjs @@ -7,7 +7,7 @@ const { getErrorMessage } = require("./error_helpers.cjs"); const { logStagedPreviewInfo } = require("./staged_preview.cjs"); -const { isStagedMode } = require("./safe_output_helpers.cjs"); +const { isStagedMode, resolveTarget } = require("./safe_output_helpers.cjs"); const { createAuthenticatedGitHubClient } = require("./handler_auth.cjs"); const { withRetry, RATE_LIMIT_RETRY_CONFIG } = require("./error_recovery.cjs"); const { sanitizeContent } = require("./sanitize_content.cjs"); @@ -33,6 +33,7 @@ async function main(config = {}) { // Extract configuration const configuredName = config.name || ""; const maxCount = config.max != null ? Number(config.max) : 1; + const checkRunTarget = typeof config.target === "string" && config.target.trim() ? config.target.trim() : null; const githubClient = await createAuthenticatedGitHubClient(config); const isStaged = isStagedMode(config); @@ -51,7 +52,7 @@ async function main(config = {}) { defaultName = `${defaultName} (Result)`; } - core.info(`Create check run configuration: name="${defaultName}", max=${maxCount}`); + core.info(`Create check run configuration: name="${defaultName}", max=${maxCount}${checkRunTarget ? `, target=${checkRunTarget}` : ""}`); if (configOutputTitle) core.info(`Config output.title fallback set (${configOutputTitle.length} chars)`); if (configOutputSummary) core.info(`Config output.summary fallback set (${configOutputSummary.length} chars)`); @@ -111,12 +112,61 @@ async function main(config = {}) { const owner = context.repo.owner; const repo = context.repo.repo; - - // For pull_request events, GITHUB_SHA is the ephemeral merge commit SHA which is - // not visible in the PR checks UI or the GitHub mobile app. Use the actual PR head - // SHA from the event payload instead so the check run appears on the PR. - const prHeadSha = context.payload?.pull_request?.head?.sha; - const headSha = prHeadSha || process.env.GITHUB_SHA || context.sha; + let headSha = ""; + + if (checkRunTarget) { + const targetResult = resolveTarget({ + targetConfig: checkRunTarget, + item: message, + context, + itemType: HANDLER_TYPE, + supportsPR: false, + supportsIssue: false, + }); + if (!targetResult.success) { + core.warning(targetResult.error); + return { + success: false, + error: targetResult.error, + skipped: targetResult.shouldFail === false, + }; + } + + const pullRequestNumber = targetResult.number; + try { + const { data: pullRequest } = await withRetry( + () => + githubClient.rest.pulls.get({ + owner, + repo, + pull_number: pullRequestNumber, + }), + RATE_LIMIT_RETRY_CONFIG + ); + headSha = pullRequest?.head?.sha || ""; + if (!headSha) { + const msg = `create_check_run: pull request #${pullRequestNumber} has no head SHA`; + core.error(msg); + return { success: false, error: msg }; + } + core.info(`Using PR #${pullRequestNumber} head SHA ${headSha} (target=${checkRunTarget})`); + } catch (error) { + const errorMessage = getErrorMessage(error); + return { + success: false, + error: `Failed to resolve pull request for create_check_run: ${errorMessage}`, + }; + } + } else { + // For pull_request events, GITHUB_SHA is the ephemeral merge commit SHA which is + // not visible in the PR checks UI or the GitHub mobile app. Use the actual PR head + // SHA from the event payload instead so the check run appears on the PR. + const prHeadSha = context.payload?.pull_request?.head?.sha; + headSha = prHeadSha || process.env.GITHUB_SHA || context.sha; + if (prHeadSha) { + core.info(`Using PR head SHA ${prHeadSha} (pull_request event)`); + } + } if (!headSha) { const msg = "create_check_run: cannot determine commit SHA for check run"; @@ -124,10 +174,6 @@ async function main(config = {}) { return { success: false, error: msg }; } - if (prHeadSha) { - core.info(`Using PR head SHA ${prHeadSha} (pull_request event)`); - } - const checkRunName = defaultName; core.info(`Creating check run "${checkRunName}" on ${owner}/${repo}@${headSha} with conclusion=${conclusion}`); diff --git a/actions/setup/js/create_check_run.test.cjs b/actions/setup/js/create_check_run.test.cjs index 2dc21c32f96..8f96ec82f9f 100644 --- a/actions/setup/js/create_check_run.test.cjs +++ b/actions/setup/js/create_check_run.test.cjs @@ -163,6 +163,63 @@ describe("create_check_run", () => { process.env.GITHUB_SHA = "sha-abc123"; }); + describe("target resolution", () => { + beforeEach(() => { + process.env.GITHUB_SHA = "sha-abc123"; + mockContext.eventName = "workflow_dispatch"; + mockContext.payload = {}; + }); + + it("uses pull_request_number when target is '*'", async () => { + mockGithub.rest.pulls = { + get: async ({ pull_number }) => ({ + data: { number: pull_number, head: { sha: "target-pr-sha-42" } }, + }), + }; + + let capturedParams; + mockGithub.rest.checks.create = makeChecksCreate(p => { + capturedParams = p; + }); + + const { main } = require("./create_check_run.cjs"); + const handler = await main({ max: 10, target: "*" }); + const result = await handler({ type: "create_check_run", pull_request_number: 42, conclusion: "success", title: "Title", summary: "Summary" }, {}); + + expect(result.success).toBe(true); + expect(capturedParams.head_sha).toBe("target-pr-sha-42"); + }); + + it("returns error when target is '*' and pull_request_number is missing", async () => { + const { main } = require("./create_check_run.cjs"); + const handler = await main({ max: 10, target: "*" }); + const result = await handler({ type: "create_check_run", conclusion: "success", title: "Title", summary: "Summary" }, {}); + + expect(result.success).toBe(false); + expect(result.error).toContain('Target is "*"'); + }); + + it("uses explicit target PR number from config", async () => { + mockGithub.rest.pulls = { + get: async ({ pull_number }) => ({ + data: { number: pull_number, head: { sha: "target-pr-sha-7" } }, + }), + }; + + let capturedParams; + mockGithub.rest.checks.create = makeChecksCreate(p => { + capturedParams = p; + }); + + const { main } = require("./create_check_run.cjs"); + const handler = await main({ max: 10, target: "7" }); + const result = await handler({ type: "create_check_run", conclusion: "success", title: "Title", summary: "Summary" }, {}); + + expect(result.success).toBe(true); + expect(capturedParams.head_sha).toBe("target-pr-sha-7"); + }); + }); + it("returns error when conclusion is missing", async () => { const { main } = require("./create_check_run.cjs"); const handler = await main({ max: 10 }); diff --git a/actions/setup/js/safe_outputs_tools.json b/actions/setup/js/safe_outputs_tools.json index e05b0772214..e6b87a2c79d 100644 --- a/actions/setup/js/safe_outputs_tools.json +++ b/actions/setup/js/safe_outputs_tools.json @@ -1621,7 +1621,7 @@ }, { "name": "create_check_run", - "description": "Create a GitHub Check Run to report agent analysis results on a commit or pull request. Check Runs appear in the PR checks UI and on commits with a pass/fail status. Use this to surface structured analysis results as a first-class GitHub check. The check run name is configured in the workflow frontmatter and is NOT accepted as a parameter \u2014 do not pass name.", + "description": "Create a GitHub Check Run to report agent analysis results on a commit or pull request. Check Runs appear in the PR checks UI and on commits with a pass/fail status. Use this to surface structured analysis results as a first-class GitHub check. The check run name is configured in the workflow frontmatter and is NOT accepted as a parameter \u2014 do not pass name. When `safe-outputs.create-check-run.target` is configured, pull request targeting follows standard PR target rules. With `target: \"*\"`, include `pull_request_number` (or `pr_number`/`pr`/`pull_number`) in each call.", "inputSchema": { "type": "object", "required": ["conclusion", "title", "summary"], @@ -1642,6 +1642,23 @@ "text": { "type": "string", "description": "Optional detailed Markdown content shown in the check run details. Use this for longer output such as full analysis reports, line-by-line findings, or remediation steps. Maximum 65535 characters." + }, + "pull_request_number": { + "type": ["number", "string"], + "description": "Pull request number to attach the check run to when the workflow uses `create-check-run: target: \"*\"` (or equivalent explicit PR targeting). This is the numeric ID from the GitHub URL (e.g., 876 in github.com/owner/repo/pull/876).", + "x-synonyms": ["pullRequestNumber"] + }, + "pr_number": { + "type": ["number", "string"], + "description": "Alias for pull_request_number. Prefer pull_request_number in new calls." + }, + "pr": { + "type": ["number", "string"], + "description": "Alias for pull_request_number. Prefer pull_request_number in new calls." + }, + "pull_number": { + "type": ["number", "string"], + "description": "Alias for pull_request_number. Prefer pull_request_number in new calls." } }, "additionalProperties": false diff --git a/pkg/workflow/compiler_safe_outputs_config_test.go b/pkg/workflow/compiler_safe_outputs_config_test.go index 69c46ac0cb8..ad6512e3e5d 100644 --- a/pkg/workflow/compiler_safe_outputs_config_test.go +++ b/pkg/workflow/compiler_safe_outputs_config_test.go @@ -1467,6 +1467,47 @@ func TestHandlerConfigClosePullRequestTargetRepo(t *testing.T) { } } +func TestHandlerConfigCreateCheckRunTarget(t *testing.T) { + compiler := NewCompiler() + + workflowData := &WorkflowData{ + Name: "Test Workflow", + SafeOutputs: &SafeOutputsConfig{ + CreateCheckRun: &CreateCheckRunConfig{ + BaseSafeOutputConfig: BaseSafeOutputConfig{ + Max: strPtr("1"), + }, + Target: "*", + }, + }, + } + + var steps []string + compiler.addHandlerManagerConfigEnvVar(&steps, workflowData) + + for _, step := range steps { + if strings.Contains(step, "GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG") { + parts := strings.Split(step, "GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: ") + if len(parts) == 2 { + jsonStr := strings.TrimSpace(parts[1]) + jsonStr = strings.Trim(jsonStr, "\"") + jsonStr = strings.ReplaceAll(jsonStr, "\\\"", "\"") + + var config map[string]map[string]any + err := json.Unmarshal([]byte(jsonStr), &config) + require.NoError(t, err) + + checkRunConfig, ok := config["create_check_run"] + require.True(t, ok) + + target, ok := checkRunConfig["target"] + require.True(t, ok) + assert.Equal(t, "*", target) + } + } + } +} + // TestHandlerConfigPatchSize tests max patch size configuration func TestHandlerConfigPatchSize(t *testing.T) { tests := []struct { diff --git a/pkg/workflow/create_check_run.go b/pkg/workflow/create_check_run.go index 011f52df704..2db379674b8 100644 --- a/pkg/workflow/create_check_run.go +++ b/pkg/workflow/create_check_run.go @@ -13,6 +13,7 @@ type CreateCheckRunOutputConfig struct { // CreateCheckRunConfig holds configuration for creating GitHub Check Runs from agent output type CreateCheckRunConfig struct { BaseSafeOutputConfig `yaml:",inline"` + Target string `yaml:"target,omitempty"` // Target pull request for check run attachment: "triggering", "*", or explicit PR number Name string `yaml:"name,omitempty"` // Check run name shown in the GitHub Checks UI Output *CreateCheckRunOutputConfig `yaml:"output,omitempty"` // Optional static output defaults } @@ -36,6 +37,14 @@ func (c *Compiler) parseCreateCheckRunConfig(outputMap map[string]any) *CreateCh } } + // Parse target (optional PR targeting mode) + if target, exists := configMap["target"]; exists { + if targetStr, ok := target.(string); ok { + checkRunConfig.Target = targetStr + createCheckRunLog.Printf("Using check run target: %s", targetStr) + } + } + // Parse optional output defaults block if outputVal, exists := configMap["output"]; exists { if outputConfigMap, ok := outputVal.(map[string]any); ok { diff --git a/pkg/workflow/js/safe_outputs_tools.json b/pkg/workflow/js/safe_outputs_tools.json index e05b0772214..e6b87a2c79d 100644 --- a/pkg/workflow/js/safe_outputs_tools.json +++ b/pkg/workflow/js/safe_outputs_tools.json @@ -1621,7 +1621,7 @@ }, { "name": "create_check_run", - "description": "Create a GitHub Check Run to report agent analysis results on a commit or pull request. Check Runs appear in the PR checks UI and on commits with a pass/fail status. Use this to surface structured analysis results as a first-class GitHub check. The check run name is configured in the workflow frontmatter and is NOT accepted as a parameter \u2014 do not pass name.", + "description": "Create a GitHub Check Run to report agent analysis results on a commit or pull request. Check Runs appear in the PR checks UI and on commits with a pass/fail status. Use this to surface structured analysis results as a first-class GitHub check. The check run name is configured in the workflow frontmatter and is NOT accepted as a parameter \u2014 do not pass name. When `safe-outputs.create-check-run.target` is configured, pull request targeting follows standard PR target rules. With `target: \"*\"`, include `pull_request_number` (or `pr_number`/`pr`/`pull_number`) in each call.", "inputSchema": { "type": "object", "required": ["conclusion", "title", "summary"], @@ -1642,6 +1642,23 @@ "text": { "type": "string", "description": "Optional detailed Markdown content shown in the check run details. Use this for longer output such as full analysis reports, line-by-line findings, or remediation steps. Maximum 65535 characters." + }, + "pull_request_number": { + "type": ["number", "string"], + "description": "Pull request number to attach the check run to when the workflow uses `create-check-run: target: \"*\"` (or equivalent explicit PR targeting). This is the numeric ID from the GitHub URL (e.g., 876 in github.com/owner/repo/pull/876).", + "x-synonyms": ["pullRequestNumber"] + }, + "pr_number": { + "type": ["number", "string"], + "description": "Alias for pull_request_number. Prefer pull_request_number in new calls." + }, + "pr": { + "type": ["number", "string"], + "description": "Alias for pull_request_number. Prefer pull_request_number in new calls." + }, + "pull_number": { + "type": ["number", "string"], + "description": "Alias for pull_request_number. Prefer pull_request_number in new calls." } }, "additionalProperties": false diff --git a/pkg/workflow/safe_outputs_handler_registry.go b/pkg/workflow/safe_outputs_handler_registry.go index 120212d0f06..2b5e28d894f 100644 --- a/pkg/workflow/safe_outputs_handler_registry.go +++ b/pkg/workflow/safe_outputs_handler_registry.go @@ -237,6 +237,7 @@ var handlerRegistry = map[string]handlerBuilder{ c := cfg.CreateCheckRun builder := newHandlerConfigBuilder(). AddTemplatableInt("max", c.Max). + AddIfNotEmpty("target", c.Target). AddIfNotEmpty("name", c.Name). AddIfTrue("staged", c.Staged) if c.Output != nil { From 88c10ae61c6b1c2e6f5222c7cb9551c84eb930ee Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 10 Jun 2026 01:34:24 +0000 Subject: [PATCH 2/5] Address review feedback: permissions, warning log, and test assertion - Add NewPermissionsContentsReadChecksWritePRRead for target-configured check runs - Conditionally emit pull-requests:read when create-check-run has a target set - Warn when target config value is non-string rather than silently ignoring - Fix TestHandlerConfigCreateCheckRunTarget false-positive by tracking and asserting foundHandlerConfig Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/workflow/compiler_safe_outputs_config_test.go | 3 +++ pkg/workflow/create_check_run.go | 2 ++ pkg/workflow/permissions_factory.go | 10 ++++++++++ pkg/workflow/safe_output_handlers.go | 3 +++ 4 files changed, 18 insertions(+) diff --git a/pkg/workflow/compiler_safe_outputs_config_test.go b/pkg/workflow/compiler_safe_outputs_config_test.go index ad6512e3e5d..e04191b7dc0 100644 --- a/pkg/workflow/compiler_safe_outputs_config_test.go +++ b/pkg/workflow/compiler_safe_outputs_config_test.go @@ -1485,8 +1485,10 @@ func TestHandlerConfigCreateCheckRunTarget(t *testing.T) { var steps []string compiler.addHandlerManagerConfigEnvVar(&steps, workflowData) + foundHandlerConfig := false for _, step := range steps { if strings.Contains(step, "GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG") { + foundHandlerConfig = true parts := strings.Split(step, "GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: ") if len(parts) == 2 { jsonStr := strings.TrimSpace(parts[1]) @@ -1506,6 +1508,7 @@ func TestHandlerConfigCreateCheckRunTarget(t *testing.T) { } } } + require.True(t, foundHandlerConfig, "Expected GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG in generated steps") } // TestHandlerConfigPatchSize tests max patch size configuration diff --git a/pkg/workflow/create_check_run.go b/pkg/workflow/create_check_run.go index 2db379674b8..40abda40d2c 100644 --- a/pkg/workflow/create_check_run.go +++ b/pkg/workflow/create_check_run.go @@ -42,6 +42,8 @@ func (c *Compiler) parseCreateCheckRunConfig(outputMap map[string]any) *CreateCh if targetStr, ok := target.(string); ok { checkRunConfig.Target = targetStr createCheckRunLog.Printf("Using check run target: %s", targetStr) + } else { + createCheckRunLog.Printf("Warning: create-check-run target value %v is not a string and will be ignored", target) } } diff --git a/pkg/workflow/permissions_factory.go b/pkg/workflow/permissions_factory.go index 1c5d223c457..babe76107c9 100644 --- a/pkg/workflow/permissions_factory.go +++ b/pkg/workflow/permissions_factory.go @@ -174,6 +174,16 @@ func NewPermissionsContentsReadChecksWrite() *Permissions { }) } +// NewPermissionsContentsReadChecksWritePRRead creates permissions with contents: read, checks: write, and pull-requests: read +// Used when create-check-run has a target configured and must resolve the PR head SHA via the REST API +func NewPermissionsContentsReadChecksWritePRRead() *Permissions { + return NewPermissionsFromMap(map[PermissionScope]PermissionLevel{ + PermissionContents: PermissionRead, + PermissionChecks: PermissionWrite, + PermissionPullRequests: PermissionRead, + }) +} + // Clone returns a deep copy of the Permissions object. The clone shares no underlying // state with the original, so callers can safely call Set() on the clone without // affecting the original (e.g. when reusing CachedPermissions). diff --git a/pkg/workflow/safe_output_handlers.go b/pkg/workflow/safe_output_handlers.go index ab85dcc383d..05a68ab8ddf 100644 --- a/pkg/workflow/safe_output_handlers.go +++ b/pkg/workflow/safe_output_handlers.go @@ -247,6 +247,9 @@ var safeOutputHandlers = []safeOutputHandlerDescriptor{ if !isSafeOutputHandlerEnabledAndUnstaged(safeOutputs, "CreateCheckRun") { return nil } + if safeOutputs.CreateCheckRun != nil && safeOutputs.CreateCheckRun.Target != "" { + return NewPermissionsContentsReadChecksWritePRRead() + } return NewPermissionsContentsReadChecksWrite() }, }, From 54c8d74ef56310905490876aff9a7f0e1a1a3507 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 10 Jun 2026 01:41:16 +0000 Subject: [PATCH 3/5] Address github-actions review threads: error logging, staged mode, x-synonyms, and tests - Use core.error/core.info instead of core.warning for target resolution failures - Skip pulls.get API call in staged mode; include PR number in staged preview message - Add comment explaining why target: "triggering" always goes via API (refreshed SHA) - Add tests: pulls.get throw, target: "triggering", staged mode skips API call - Fix x-synonyms: pull_request_number lists alias property names; add synonyms for all aliases - Apply x-synonyms fix to both safe_outputs_tools.json copies Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- actions/setup/js/create_check_run.cjs | 29 +- actions/setup/js/create_check_run.test.cjs | 57 ++ actions/setup/js/safe_outputs_tools.json | 13 +- pkg/workflow/js/safe_outputs_tools.json | 803 ++++++++++++++++----- 4 files changed, 723 insertions(+), 179 deletions(-) diff --git a/actions/setup/js/create_check_run.cjs b/actions/setup/js/create_check_run.cjs index f6635346fe5..8870f754dee 100644 --- a/actions/setup/js/create_check_run.cjs +++ b/actions/setup/js/create_check_run.cjs @@ -124,15 +124,40 @@ async function main(config = {}) { supportsIssue: false, }); if (!targetResult.success) { - core.warning(targetResult.error); + if (targetResult.shouldFail) { + core.error(targetResult.error); + } else { + core.info(targetResult.error); + } return { success: false, error: targetResult.error, - skipped: targetResult.shouldFail === false, + skipped: !targetResult.shouldFail, }; } const pullRequestNumber = targetResult.number; + + // In staged mode we know the PR number but skip the live API call that fetches the + // head SHA — there is nothing to attach a real check run to. + if (isStaged) { + logStagedPreviewInfo(`Would create check run "${defaultName}" targeting PR #${pullRequestNumber} with conclusion=${conclusion}, title="${resolvedTitle}"`); + processedCount++; + return { + success: true, + staged: true, + previewInfo: { + name: defaultName, + conclusion, + title: resolvedTitle, + }, + }; + } + + // Fetch the current PR head SHA via the API. We intentionally go through the API + // even when the context payload already carries a SHA (e.g. target: "triggering" on + // a pull_request event) so that we always use the most recent head in case the PR + // was force-pushed between the triggering event and when this handler runs. try { const { data: pullRequest } = await withRetry( () => diff --git a/actions/setup/js/create_check_run.test.cjs b/actions/setup/js/create_check_run.test.cjs index 8f96ec82f9f..c3388ebf15a 100644 --- a/actions/setup/js/create_check_run.test.cjs +++ b/actions/setup/js/create_check_run.test.cjs @@ -218,6 +218,63 @@ describe("create_check_run", () => { expect(result.success).toBe(true); expect(capturedParams.head_sha).toBe("target-pr-sha-7"); }); + + it("returns error when pulls.get throws (e.g. 404 or 403)", async () => { + mockGithub.rest.pulls = { + get: async () => { + throw new Error("Not Found"); + }, + }; + + const { main } = require("./create_check_run.cjs"); + const handler = await main({ max: 10, target: "*" }); + const result = await handler({ type: "create_check_run", pull_request_number: 42, conclusion: "success", title: "Title", summary: "Summary" }, {}); + + expect(result.success).toBe(false); + expect(result.error).toContain("Failed to resolve pull request"); + }); + + it("resolves triggering PR context when target is 'triggering'", async () => { + mockContext.eventName = "pull_request"; + mockContext.payload = { pull_request: { number: 99, head: { sha: "payload-sha-99" } } }; + mockGithub.rest.pulls = { + get: async ({ pull_number }) => ({ + data: { number: pull_number, head: { sha: "api-sha-99" } }, + }), + }; + + let capturedParams; + mockGithub.rest.checks.create = makeChecksCreate(p => { + capturedParams = p; + }); + + const { main } = require("./create_check_run.cjs"); + const handler = await main({ max: 10, target: "triggering" }); + const result = await handler({ type: "create_check_run", conclusion: "success", title: "T", summary: "S" }, {}); + + expect(result.success).toBe(true); + // Uses the API-fetched SHA (not the payload SHA) so it is always current + expect(capturedParams.head_sha).toBe("api-sha-99"); + }); + + it("skips pulls.get API call and returns staged preview when target is set and staged mode is active", async () => { + process.env.GH_AW_SAFE_OUTPUTS_STAGED = "true"; + let pullsGetCalled = false; + mockGithub.rest.pulls = { + get: async () => { + pullsGetCalled = true; + return { data: { head: { sha: "should-not-be-called" } } }; + }, + }; + + const { main } = require("./create_check_run.cjs"); + const handler = await main({ max: 10, target: "*" }); + const result = await handler({ type: "create_check_run", pull_request_number: 42, conclusion: "failure", title: "Title", summary: "Summary" }, {}); + + expect(pullsGetCalled).toBe(false); + expect(result.success).toBe(true); + expect(result.staged).toBe(true); + }); }); it("returns error when conclusion is missing", async () => { diff --git a/actions/setup/js/safe_outputs_tools.json b/actions/setup/js/safe_outputs_tools.json index e6b87a2c79d..169bca5e8a1 100644 --- a/actions/setup/js/safe_outputs_tools.json +++ b/actions/setup/js/safe_outputs_tools.json @@ -345,7 +345,7 @@ "temporary_id": { "type": "string", "pattern": "^#?aw_[A-Za-z0-9_]{3,12}$", - "description": "Unique temporary identifier for this pull request. Canonical form: '#aw_' followed by 3 to 12 alphanumeric or underscore characters (A-Za-z0-9_) — e.g., '#aw_pr1', '#aw_fix_123'. The bare 'aw_pr1' form is also accepted and normalised to '#aw_pr1'. Use this same '#aw_ID' form in body text to cross-reference this PR; these references are replaced with the real pull request number after creation.", + "description": "Unique temporary identifier for this pull request. Canonical form: '#aw_' followed by 3 to 12 alphanumeric or underscore characters (A-Za-z0-9_) \u2014 e.g., '#aw_pr1', '#aw_fix_123'. The bare 'aw_pr1' form is also accepted and normalised to '#aw_pr1'. Use this same '#aw_ID' form in body text to cross-reference this PR; these references are replaced with the real pull request number after creation.", "x-synonyms": ["temporaryId"] }, "secrecy": { @@ -1646,19 +1646,22 @@ "pull_request_number": { "type": ["number", "string"], "description": "Pull request number to attach the check run to when the workflow uses `create-check-run: target: \"*\"` (or equivalent explicit PR targeting). This is the numeric ID from the GitHub URL (e.g., 876 in github.com/owner/repo/pull/876).", - "x-synonyms": ["pullRequestNumber"] + "x-synonyms": ["pr_number", "pr", "pull_number"] }, "pr_number": { "type": ["number", "string"], - "description": "Alias for pull_request_number. Prefer pull_request_number in new calls." + "description": "Alias for pull_request_number. Prefer pull_request_number in new calls.", + "x-synonyms": ["prNumber"] }, "pr": { "type": ["number", "string"], - "description": "Alias for pull_request_number. Prefer pull_request_number in new calls." + "description": "Alias for pull_request_number. Prefer pull_request_number in new calls.", + "x-synonyms": ["pullRequest", "pull"] }, "pull_number": { "type": ["number", "string"], - "description": "Alias for pull_request_number. Prefer pull_request_number in new calls." + "description": "Alias for pull_request_number. Prefer pull_request_number in new calls.", + "x-synonyms": ["pullNumber"] } }, "additionalProperties": false diff --git a/pkg/workflow/js/safe_outputs_tools.json b/pkg/workflow/js/safe_outputs_tools.json index e6b87a2c79d..b56ba3ac816 100644 --- a/pkg/workflow/js/safe_outputs_tools.json +++ b/pkg/workflow/js/safe_outputs_tools.json @@ -4,7 +4,10 @@ "description": "WRITE-ONCE: do NOT call this tool with empty or placeholder arguments to probe or discover its schema \u2014 required fields (title, body) are listed in this schema; if you are not ready to open the real issue, call `noop` instead. Creates a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead.", "inputSchema": { "type": "object", - "required": ["title", "body"], + "required": [ + "title", + "body" + ], "properties": { "title": { "type": "string", @@ -27,14 +30,20 @@ "description": "Optional issue fields to set after creating the issue (e.g., Priority, Iteration, Start Date).", "items": { "type": "object", - "required": ["name", "value"], + "required": [ + "name", + "value" + ], "properties": { "name": { "type": "string", "description": "Issue field name exactly as configured in the repository (e.g., \"Priority\", \"Iteration\")." }, "value": { - "type": ["string", "number"], + "type": [ + "string", + "number" + ], "description": "Field value. Use string for text, single-select, iteration, and date (YYYY-MM-DD) fields; use number for numeric fields." } }, @@ -42,14 +51,19 @@ } }, "parent": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Parent issue number for creating sub-issues. This is the numeric ID from the GitHub URL (e.g., 42 in github.com/owner/repo/issues/42). Can also be a temporary_id from a previously created issue in the same workflow run \u2014 use the '#aw_abc123' form (e.g., '#aw_Test123'); the bare 'aw_abc123' form is also accepted and normalised to '#aw_abc123'." }, "temporary_id": { "type": "string", "pattern": "^#?aw_[A-Za-z0-9_]{3,12}$", "description": "Unique temporary identifier for this issue. Canonical form: '#aw_' followed by 3 to 12 alphanumeric or underscore characters (A-Za-z0-9_) \u2014 e.g., '#aw_abc1', '#aw_pr_fix'. The bare 'aw_abc1' form is also accepted and normalised to '#aw_abc1'. Use this same '#aw_ID' form in body text to cross-reference the issue; these references are replaced with the real issue number after creation.", - "x-synonyms": ["temporaryId"] + "x-synonyms": [ + "temporaryId" + ] }, "secrecy": { "type": "string", @@ -68,7 +82,9 @@ "description": "Create a GitHub Copilot coding agent session to delegate coding work. Use this when you need another Copilot coding agent to implement code changes, fix bugs, or complete development tasks. The task becomes a new issue that triggers the Copilot coding agent. For non-coding tasks or manual work items, use create_issue instead.", "inputSchema": { "type": "object", - "required": ["body"], + "required": [ + "body" + ], "properties": { "body": { "type": "string", @@ -91,7 +107,10 @@ "description": "Create a GitHub discussion for announcements, Q&A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. Arguments must be flat tool arguments (title, body), not nested under create_discussion.", "inputSchema": { "type": "object", - "required": ["title", "body"], + "required": [ + "title", + "body" + ], "properties": { "title": { "type": "string", @@ -104,7 +123,10 @@ "category": { "type": "string", "description": "Discussion category by name (e.g., 'General'), slug (e.g., 'general'), or ID. If omitted, uses the first available category. Category must exist in the repository. NOTE: the field is named category (not categoryId or category_id as in the GitHub GraphQL API).", - "x-synonyms": ["categoryId", "category_id"] + "x-synonyms": [ + "categoryId", + "category_id" + ] }, "secrecy": { "type": "string", @@ -140,9 +162,14 @@ "description": "Replace the discussion labels with this list (e.g., ['bug', 'help wanted']). Labels must exist in the repository. This replaces all existing labels on the discussion." }, "discussion_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Discussion number to update. This is the numeric ID from the GitHub URL (e.g., 345 in github.com/owner/repo/discussions/345). Required when the workflow target is '*' (any discussion).", - "x-synonyms": ["discussionNumber"] + "x-synonyms": [ + "discussionNumber" + ] }, "secrecy": { "type": "string", @@ -161,7 +188,9 @@ "description": "Close a GitHub discussion with a resolution comment and optional reason. You can and should always add a comment when closing a discussion to explain the action or provide context. Use this to mark discussions as resolved, answered, or no longer needed. The closing comment should explain why the discussion is being closed. If the discussion is already closed, a comment will still be posted.", "inputSchema": { "type": "object", - "required": ["body"], + "required": [ + "body" + ], "properties": { "body": { "type": "string", @@ -169,13 +198,23 @@ }, "reason": { "type": "string", - "enum": ["RESOLVED", "DUPLICATE", "OUTDATED", "ANSWERED"], + "enum": [ + "RESOLVED", + "DUPLICATE", + "OUTDATED", + "ANSWERED" + ], "description": "Resolution reason: RESOLVED (issue addressed), DUPLICATE (discussed elsewhere), OUTDATED (no longer relevant), or ANSWERED (question answered)." }, "discussion_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Discussion number to close. This is the numeric ID from the GitHub URL (e.g., 678 in github.com/owner/repo/discussions/678). If omitted, closes the discussion that triggered this workflow (requires a discussion event trigger).", - "x-synonyms": ["discussionNumber"] + "x-synonyms": [ + "discussionNumber" + ] }, "secrecy": { "type": "string", @@ -194,16 +233,23 @@ "description": "Close a GitHub issue with a closing comment. You can and should always add a comment when closing an issue to explain the action or provide context. This tool is ONLY for closing issues - use update_issue if you need to change the title, body, labels, or other metadata without closing. Use close_issue when work is complete, the issue is no longer relevant, or it's a duplicate. The closing comment should explain the resolution or reason for closing. If the issue is already closed, a comment will still be posted.", "inputSchema": { "type": "object", - "required": ["body"], + "required": [ + "body" + ], "properties": { "body": { "type": "string", "description": "Closing comment explaining why the issue is being closed and summarizing any resolution, workaround, or conclusion." }, "issue_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Issue number to close. This is the numeric ID from the GitHub URL (e.g., 901 in github.com/owner/repo/issues/901). If omitted, closes the issue that triggered this workflow (requires an issue event trigger).", - "x-synonyms": ["issueNumber"] + "x-synonyms": [ + "issueNumber" + ] }, "secrecy": { "type": "string", @@ -222,16 +268,23 @@ "description": "Close a pull request WITHOUT merging, adding a closing comment. You can and should always add a comment when closing a PR to explain the action or provide context. Use this for PRs that should be abandoned, superseded, or closed for other reasons. The closing comment should explain why the PR is being closed. This does NOT merge the changes. If the PR is already closed, a comment will still be posted.", "inputSchema": { "type": "object", - "required": ["body"], + "required": [ + "body" + ], "properties": { "body": { "type": "string", "description": "Closing comment explaining why the PR is being closed without merging (e.g., superseded by another PR, no longer needed, approach rejected)." }, "pull_request_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Pull request number to close. This is the numeric ID from the GitHub URL (e.g., 432 in github.com/owner/repo/pull/432). If omitted, closes the PR that triggered this workflow (requires a pull_request event trigger).", - "x-synonyms": ["pullRequestNumber"] + "x-synonyms": [ + "pullRequestNumber" + ] }, "secrecy": { "type": "string", @@ -250,7 +303,9 @@ "description": "WRITE-ONCE: do NOT call this tool with empty or placeholder arguments to probe or discover its schema \u2014 the required `body` field is listed in this schema; if you are not ready to post a real comment, call `noop` instead. Adds a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission.", "inputSchema": { "type": "object", - "required": ["body"], + "required": [ + "body" + ], "properties": { "body": { "type": "string", @@ -258,38 +313,63 @@ "description": "The comment text in Markdown format. Must be the final intended comment \u2014 not a placeholder or test value. This is the 'body' field - do not use 'comment_body' or other variations. Provide helpful, relevant information that adds value to the conversation. CONSTRAINTS: The complete comment (your body text + automatically added footer) must not exceed 65536 characters total. Maximum 10 mentions (@username), maximum 50 links (http/https URLs). A footer (~200-500 characters) is automatically appended with workflow attribution, so leave adequate space. If these limits are exceeded, the tool call will fail with a detailed error message indicating which constraint was violated." }, "item_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "The issue, pull request, or discussion number to comment on. This is the numeric ID from the GitHub URL (e.g., 123 in github.com/owner/repo/issues/123). Can also be a temporary_id from a previously created issue in the same workflow run \u2014 use the '#aw_abc123' form; the bare 'aw_abc123' form is also accepted and normalised to '#aw_abc123'. If omitted, the tool auto-targets the issue, PR, or discussion that triggered this workflow. Auto-targeting only works for issue, pull_request, discussion, and comment event triggers \u2014 it does NOT work for schedule, workflow_dispatch, push, or workflow_run triggers. For those trigger types, always provide item_number explicitly, or the tool call will fail with an error. Required when safe-outputs.add-comment.target is '*' (any item): calls without item_number (or pr_number/pr alias) are rejected. NOTE: this field is named item_number, NOT issue_number.", - "x-synonyms": ["issue_number", "itemNumber"] + "x-synonyms": [ + "issue_number", + "itemNumber" + ] }, "pr_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Alias for item_number when targeting a pull request. Prefer item_number in new calls.", - "x-synonyms": ["prNumber"] + "x-synonyms": [ + "prNumber" + ] }, "pr": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Alias for item_number when targeting a pull request. Prefer item_number in new calls." }, "temporary_id": { "type": "string", "pattern": "^#?aw_[A-Za-z0-9_]{3,12}$", "description": "Unique temporary identifier for this comment. Canonical form: '#aw_' followed by 3 to 12 alphanumeric or underscore characters (A-Za-z0-9_) \u2014 e.g., '#aw_abc1', '#aw_pr_fix'. The bare 'aw_abc1' form is also accepted and normalised to '#aw_abc1'. Auto-generated if not provided. The temporary ID is returned in the tool response so you can reference this comment later.", - "x-synonyms": ["temporaryId"] + "x-synonyms": [ + "temporaryId" + ] }, "reply_to_id": { "type": "string", "description": "Node ID of the discussion comment to reply to, enabling threaded discussion comments. When provided, the new comment is posted as a reply to the specified top-level discussion comment. If the given node ID belongs to a nested reply, the handler automatically resolves it to the top-level parent. Only applicable for discussion comments \u2014 ignored for issue and pull request comments.", - "x-synonyms": ["replyToId"] + "x-synonyms": [ + "replyToId" + ] }, "comment_id": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Existing issue or pull request comment ID to update instead of creating a new comment.", - "x-synonyms": ["commentId"] + "x-synonyms": [ + "commentId" + ] }, "target": { "type": "string", - "enum": ["status"], + "enum": [ + "status" + ], "description": "When set to 'status', updates the activation status comment for this run (if available) instead of creating a new comment." }, "secrecy": { @@ -309,7 +389,10 @@ "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. This is a write-once declaration for a real intended PR, not a sandbox or probe: do not call it with placeholder content, test titles/bodies, or auth experiments. If you are not ready to open the real PR, use noop or report_incomplete instead. For code review comments on an existing PR, use create_pull_request_review_comment instead.", "inputSchema": { "type": "object", - "required": ["title", "body"], + "required": [ + "title", + "body" + ], "properties": { "title": { "type": "string", @@ -345,8 +428,10 @@ "temporary_id": { "type": "string", "pattern": "^#?aw_[A-Za-z0-9_]{3,12}$", - "description": "Unique temporary identifier for this pull request. Canonical form: '#aw_' followed by 3 to 12 alphanumeric or underscore characters (A-Za-z0-9_) — e.g., '#aw_pr1', '#aw_fix_123'. The bare 'aw_pr1' form is also accepted and normalised to '#aw_pr1'. Use this same '#aw_ID' form in body text to cross-reference this PR; these references are replaced with the real pull request number after creation.", - "x-synonyms": ["temporaryId"] + "description": "Unique temporary identifier for this pull request. Canonical form: '#aw_' followed by 3 to 12 alphanumeric or underscore characters (A-Za-z0-9_) \u2014 e.g., '#aw_pr1', '#aw_fix_123'. The bare 'aw_pr1' form is also accepted and normalised to '#aw_pr1'. Use this same '#aw_ID' form in body text to cross-reference this PR; these references are replaced with the real pull request number after creation.", + "x-synonyms": [ + "temporaryId" + ] }, "secrecy": { "type": "string", @@ -365,14 +450,21 @@ "description": "Create a review comment on a specific line of code in a pull request. Use this for inline code review feedback, suggestions, or questions about specific code changes. For general PR comments not tied to specific lines, use add_comment instead. When the workflow is configured with `target: \"*\"`, you must specify `pull_request_number` to indicate which PR to target.", "inputSchema": { "type": "object", - "required": ["path", "line", "body"], + "required": [ + "path", + "line", + "body" + ], "properties": { "path": { "type": "string", "description": "File path relative to the repository root (e.g., 'src/auth/login.js'). Must be a file that was changed in the PR." }, "line": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Line number for the comment. For single-line comments, this is the target line. For multi-line comments, this is the ending line." }, "body": { @@ -380,18 +472,31 @@ "description": "Review comment content in Markdown. Provide specific, actionable feedback about the code at this location." }, "pull_request_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Pull request number to add the review comment to. This is the numeric ID from the GitHub URL (e.g., 876 in github.com/owner/repo/pull/876). If omitted, adds the comment to the PR that triggered this workflow. Required when the workflow target is '*' (any PR) \u2014 omitting it will cause the comment to fail.", - "x-synonyms": ["pullRequestNumber"] + "x-synonyms": [ + "pullRequestNumber" + ] }, "start_line": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Starting line number for multi-line comments. When set, the comment spans from start_line to line. Omit for single-line comments.", - "x-synonyms": ["startLine"] + "x-synonyms": [ + "startLine" + ] }, "side": { "type": "string", - "enum": ["LEFT", "RIGHT"], + "enum": [ + "LEFT", + "RIGHT" + ], "description": "Side of the diff to comment on: RIGHT for the new version (additions), LEFT for the old version (deletions). Defaults to RIGHT." }, "repo": { @@ -422,13 +527,22 @@ }, "event": { "type": "string", - "enum": ["APPROVE", "REQUEST_CHANGES", "COMMENT"], + "enum": [ + "APPROVE", + "REQUEST_CHANGES", + "COMMENT" + ], "description": "Review decision: APPROVE to approve the pull request, REQUEST_CHANGES to formally request changes before merging, or COMMENT for general feedback without a formal decision. Defaults to COMMENT when omitted." }, "pull_request_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Pull request number to submit the review on. This is the numeric ID from the GitHub URL (e.g., 876 in github.com/owner/repo/pull/876). If omitted, submits the review on the PR that triggered this workflow. Required when the workflow target is '*' (any PR) \u2014 omitting it will cause the review to fail.", - "x-synonyms": ["pullRequestNumber"] + "x-synonyms": [ + "pullRequestNumber" + ] }, "repo": { "type": "string", @@ -451,21 +565,34 @@ "description": "Reply to an existing review comment on a pull request. Use this to respond to feedback, answer questions, or acknowledge review comments. The comment_id must be the numeric ID of an existing review comment.", "inputSchema": { "type": "object", - "required": ["comment_id", "body"], + "required": [ + "comment_id", + "body" + ], "properties": { "comment_id": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "The numeric ID of the review comment to reply to (e.g., 42853901 from the comment URL or API response).", - "x-synonyms": ["commentId"] + "x-synonyms": [ + "commentId" + ] }, "body": { "type": "string", "description": "The reply text in Markdown format. Provide a clear response to the review comment." }, "pull_request_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Pull request number to reply on. This is the numeric ID from the GitHub URL (e.g., 876 in github.com/owner/repo/pull/876). If omitted, replies on the PR that triggered this workflow.", - "x-synonyms": ["pullRequestNumber"] + "x-synonyms": [ + "pullRequestNumber" + ] }, "secrecy": { "type": "string", @@ -484,12 +611,16 @@ "description": "Resolve a review thread on a pull request. Use this to mark a review conversation as resolved after addressing the feedback. The thread_id must be the node ID of the review thread (e.g., PRRT_kwDO...).", "inputSchema": { "type": "object", - "required": ["thread_id"], + "required": [ + "thread_id" + ], "properties": { "thread_id": { "type": "string", "description": "The node ID of the review thread to resolve (e.g., 'PRRT_kwDOABCD...'). This is the GraphQL node ID, not a numeric ID.", - "x-synonyms": ["threadId"] + "x-synonyms": [ + "threadId" + ] }, "secrecy": { "type": "string", @@ -508,28 +639,46 @@ "description": "Create a code scanning alert for security vulnerabilities, code quality issues, or other findings. Alerts appear in the repository's Security tab and integrate with GitHub's security features. Use this for automated security analysis results.", "inputSchema": { "type": "object", - "required": ["file", "line", "severity", "message"], + "required": [ + "file", + "line", + "severity", + "message" + ], "properties": { "file": { "type": "string", "description": "File path relative to the repository root where the issue was found (e.g., 'src/auth/password.js')." }, "line": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Line number where the issue was found in the file." }, "severity": { "type": "string", - "enum": ["error", "warning", "info", "note"], + "enum": [ + "error", + "warning", + "info", + "note" + ], "description": "Alert severity level: 'error' (critical security issues), 'warning' (potential problems), 'info' (informational), or 'note' (minor observations). This field is named severity, NOT level.", - "x-synonyms": ["level"] + "x-synonyms": [ + "level" + ] }, "message": { "type": "string", "description": "Clear description of the security issue or finding. Include what's wrong and ideally how to fix it." }, "column": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Column number for more precise location of the issue within the line." }, "ruleIdSuffix": { @@ -562,10 +711,15 @@ "description": "Label names to add (e.g., ['bug', 'priority-high']). Labels must exist in the repository. This field is required \u2014 omitting it will cause a validation error." }, "item_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "pattern": "^(\\d+|#?aw_[A-Za-z0-9_]{3,12})$", "description": "Issue or PR number to add labels to. This is the numeric ID from the GitHub URL (e.g., 456 in github.com/owner/repo/issues/456). Can also be a temporary_id from a previously created issue in the same workflow run \u2014 use the '#aw_abc123' form; the bare 'aw_abc123' form is also accepted and normalised to '#aw_abc123'. If omitted, adds labels to the issue or PR that triggered this workflow. Only works for issue or pull_request event triggers. For schedule, workflow_dispatch, or other triggers, item_number is required \u2014 omitting it will silently skip the label operation.", - "x-synonyms": ["itemNumber"] + "x-synonyms": [ + "itemNumber" + ] }, "secrecy": { "type": "string", @@ -576,7 +730,9 @@ "description": "Trustworthiness level of the message source (e.g., \"low\", \"medium\", \"high\")." } }, - "required": ["labels"], + "required": [ + "labels" + ], "additionalProperties": false } }, @@ -594,10 +750,15 @@ "description": "Label names to remove (e.g., ['smoke', 'needs-triage']). Non-existent labels are silently skipped." }, "item_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "pattern": "^(\\d+|#?aw_[A-Za-z0-9_]{3,12})$", "description": "Issue or PR number to remove labels from. This is the numeric ID from the GitHub URL (e.g., 456 in github.com/owner/repo/issues/456). Can also be a temporary_id from a previously created issue in the same workflow run \u2014 use the '#aw_abc123' form; the bare 'aw_abc123' form is also accepted and normalised to '#aw_abc123'. If omitted, removes labels from the item that triggered this workflow.", - "x-synonyms": ["itemNumber"] + "x-synonyms": [ + "itemNumber" + ] }, "secrecy": { "type": "string", @@ -608,7 +769,9 @@ "description": "Trustworthiness level of the message source (e.g., \"low\", \"medium\", \"high\")." } }, - "required": ["labels"], + "required": [ + "labels" + ], "additionalProperties": false } }, @@ -631,12 +794,19 @@ "type": "string" }, "description": "GitHub team slugs to add as team reviewers (e.g., ['platform-team', 'security-reviewers']). Teams must have access to the repository.", - "x-synonyms": ["teamReviewers"] + "x-synonyms": [ + "teamReviewers" + ] }, "pull_request_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Pull request number to add reviewers to. This is the numeric ID from the GitHub URL (e.g., 876 in github.com/owner/repo/pull/876). If omitted, adds reviewers to the PR that triggered this workflow. Only works for pull_request event triggers. For workflow_dispatch, schedule, or other triggers, pull_request_number is required \u2014 omitting it will silently skip the reviewer assignment.", - "x-synonyms": ["pullRequestNumber"] + "x-synonyms": [ + "pullRequestNumber" + ] }, "secrecy": { "type": "string", @@ -655,22 +825,36 @@ "description": "Assign an issue to a milestone for release planning and progress tracking. Milestones can be specified by number or title. When auto_create is configured, missing milestones are created automatically.", "inputSchema": { "type": "object", - "required": ["issue_number"], + "required": [ + "issue_number" + ], "properties": { "issue_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Issue number to assign to the milestone. This is the numeric ID from the GitHub URL (e.g., 567 in github.com/owner/repo/issues/567). Can also be a temporary_id from a previously created issue in the same workflow run \u2014 use the '#aw_abc123' form; the bare 'aw_abc123' form is also accepted and normalised to '#aw_abc123'.", - "x-synonyms": ["issueNumber"] + "x-synonyms": [ + "issueNumber" + ] }, "milestone_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Milestone number to assign the issue to. This is the numeric ID from the milestone URL (e.g., 12 in github.com/owner/repo/milestone/12). Either milestone_number or milestone_title must be provided.", - "x-synonyms": ["milestoneNumber"] + "x-synonyms": [ + "milestoneNumber" + ] }, "milestone_title": { "type": "string", "description": "Milestone title to assign the issue to (e.g., \"v1.0\"). Used as an alternative to milestone_number \u2014 the handler looks up the milestone by title. Either milestone_number or milestone_title must be provided.", - "x-synonyms": ["milestoneTitle"] + "x-synonyms": [ + "milestoneTitle" + ] }, "secrecy": { "type": "string", @@ -691,14 +875,24 @@ "type": "object", "properties": { "issue_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Issue number to assign the Copilot coding agent to. This is the numeric ID from the GitHub URL (e.g., 234 in github.com/owner/repo/issues/234). Can also be a temporary_id from an issue created earlier in the same workflow run \u2014 use the '#aw_abc123' form (e.g., '#aw_Test123'); the bare 'aw_abc123' form is also accepted and normalised to '#aw_abc123'. The issue should contain clear, actionable requirements. Either issue_number or pull_number must be provided, but not both.", - "x-synonyms": ["issueNumber"] + "x-synonyms": [ + "issueNumber" + ] }, "pull_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Pull request number to assign the Copilot coding agent to. This is the numeric ID from the GitHub URL (e.g., 456 in github.com/owner/repo/pull/456). Either issue_number or pull_number must be provided, but not both.", - "x-synonyms": ["pullNumber"] + "x-synonyms": [ + "pullNumber" + ] }, "agent": { "type": "string", @@ -707,7 +901,9 @@ "pull_request_repo": { "type": "string", "description": "Target repository where the pull request should be created, in 'owner/repo' format. If omitted, the PR will be created in the same repository as the issue. This allows issues and code to live in different repositories. The global pull-request-repo configuration (if set) is automatically allowed; additional repositories must be listed in allowed-pull-request-repos.", - "x-synonyms": ["pullRequestRepo"] + "x-synonyms": [ + "pullRequestRepo" + ] }, "secrecy": { "type": "string", @@ -726,12 +922,19 @@ "description": "Assign one or more GitHub users to an issue. Use this to delegate work to specific team members. Users must have access to the repository.", "inputSchema": { "type": "object", - "required": ["issue_number"], + "required": [ + "issue_number" + ], "properties": { "issue_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Issue number to assign users to. This is the numeric ID from the GitHub URL (e.g., 543 in github.com/owner/repo/issues/543). If omitted, assigns to the issue that triggered this workflow.", - "x-synonyms": ["issueNumber"] + "x-synonyms": [ + "issueNumber" + ] }, "assignees": { "type": "array", @@ -763,9 +966,14 @@ "type": "object", "properties": { "issue_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Issue number to unassign users from. This is the numeric ID from the GitHub URL (e.g., 543 in github.com/owner/repo/issues/543). If omitted, uses the issue that triggered this workflow.", - "x-synonyms": ["issueNumber"] + "x-synonyms": [ + "issueNumber" + ] }, "assignees": { "type": "array", @@ -802,7 +1010,10 @@ "properties": { "status": { "type": "string", - "enum": ["open", "closed"], + "enum": [ + "open", + "closed" + ], "description": "New issue status: 'open' to reopen a closed issue, 'closed' to close an open issue." }, "title": { @@ -815,7 +1026,12 @@ }, "operation": { "type": "string", - "enum": ["replace", "append", "prepend", "replace-island"], + "enum": [ + "replace", + "append", + "prepend", + "replace-island" + ], "description": "How to update the issue body: 'append' (default - add to end with separator), 'prepend' (add to start with separator), 'replace' (overwrite entire body), or 'replace-island' (update a run-specific section)." }, "labels": { @@ -833,13 +1049,21 @@ "description": "Replace the issue assignees with this list of GitHub usernames (e.g., ['octocat', 'mona'])." }, "milestone": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Milestone number to assign (e.g., 1). Use null to clear." }, "issue_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Issue number to update. This is the numeric ID from the GitHub URL (e.g., 789 in github.com/owner/repo/issues/789). ONLY effective when the workflow is configured with `update-issue: target: '*'` in the frontmatter. When the workflow uses `target: triggering` (the default), this field is ignored and the tool updates the issue that triggered the workflow instead. If you need to update a specific issue in a scheduled or workflow_dispatch workflow, the workflow frontmatter must include `update-issue: target: '*'`.", - "x-synonyms": ["issueNumber"] + "x-synonyms": [ + "issueNumber" + ] }, "secrecy": { "type": "string", @@ -869,26 +1093,45 @@ }, "operation": { "type": "string", - "enum": ["replace", "append", "prepend"], + "enum": [ + "replace", + "append", + "prepend" + ], "description": "How to update the PR body: 'replace' (default - completely overwrite), 'append' (add to end with separator), or 'prepend' (add to start with separator). Title is always replaced." }, "update_branch": { "type": "boolean", "description": "When true, update the pull request branch with the latest base branch changes before applying other updates. Defaults to false. Note: only true counts as a meaningful update; passing false is the same as omitting this field.", - "x-synonyms": ["updateBranch"] + "x-synonyms": [ + "updateBranch" + ] }, "pull_request_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Pull request number to update. This is the numeric ID from the GitHub URL (e.g., 234 in github.com/owner/repo/pull/234). Required when the workflow target is '*' (any PR).", - "x-synonyms": ["pullRequestNumber"] + "x-synonyms": [ + "pullRequestNumber" + ] }, "pr_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Alias for pull_request_number. Prefer pull_request_number in new calls.", - "x-synonyms": ["prNumber"] + "x-synonyms": [ + "prNumber" + ] }, "pr": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Alias for pull_request_number. Prefer pull_request_number in new calls." }, "draft": { @@ -914,25 +1157,40 @@ "type": "object", "properties": { "pull_request_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Pull request number to merge. This is the numeric ID from the GitHub URL (e.g., 321 in github.com/owner/repo/pull/321). If omitted, uses the triggering pull request context.", - "x-synonyms": ["pullRequestNumber"] + "x-synonyms": [ + "pullRequestNumber" + ] }, "merge_method": { "type": "string", - "enum": ["merge", "squash", "rebase"], + "enum": [ + "merge", + "squash", + "rebase" + ], "description": "Merge strategy to use: 'merge', 'squash', or 'rebase'. Defaults to 'merge'.", - "x-synonyms": ["mergeMethod"] + "x-synonyms": [ + "mergeMethod" + ] }, "commit_title": { "type": "string", "description": "Optional custom commit title to use for the merge commit/squash commit.", - "x-synonyms": ["commitTitle"] + "x-synonyms": [ + "commitTitle" + ] }, "commit_message": { "type": "string", "description": "Optional custom commit message body for the merge.", - "x-synonyms": ["commitMessage"] + "x-synonyms": [ + "commitMessage" + ] }, "repo": { "type": "string", @@ -955,7 +1213,9 @@ "description": "Push committed changes to a pull request's branch. APPEND-ONLY: this tool adds new commits on top of the existing PR branch \u2014 force-push is NOT supported and will be rejected. Use this to add follow-up commits to an existing PR, such as addressing review feedback or fixing issues. This is a write-once declaration for a real intended PR branch update, not a sandbox or probe: do not call it with probe branches, placeholder commit messages, or auth experiments. If you are not ready to push the real update, use noop or report_incomplete instead. Changes must be committed locally before calling this tool. IMPORTANT: do NOT use 'git merge' to update the branch against another branch \u2014 merge commits cannot be signed; the action will attempt to squash them into a single linear commit before pushing, but this rewrites history. Use 'git rebase' instead to avoid the rewrite.", "inputSchema": { "type": "object", - "required": ["message"], + "required": [ + "message" + ], "properties": { "branch": { "type": "string", @@ -964,12 +1224,19 @@ "message": { "type": "string", "description": "Commit message describing the changes. Follow repository commit message conventions (e.g., conventional commits). This field is named message, NOT commit_message.", - "x-synonyms": ["commit_message"] + "x-synonyms": [ + "commit_message" + ] }, "pull_request_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Pull request number to push changes to. This is the numeric ID from the GitHub URL (e.g., 654 in github.com/owner/repo/pull/654). Required when the workflow target is '*' (any PR).", - "x-synonyms": ["pullRequestNumber"] + "x-synonyms": [ + "pullRequestNumber" + ] }, "secrecy": { "type": "string", @@ -988,7 +1255,9 @@ "description": "Upload a file as a URL-addressable asset that can be referenced in issues, PRs, or comments. The file is stored on an orphaned git branch and returns a permanent URL. Use this for images, diagrams, or other files that need to be embedded in GitHub content.", "inputSchema": { "type": "object", - "required": ["path"], + "required": [ + "path" + ], "properties": { "path": { "type": "string", @@ -1041,7 +1310,9 @@ "type": "string", "pattern": "^#?aw_[A-Za-z0-9_]{3,12}$", "description": "Optional temporary identifier for this artifact upload. Canonical form: '#aw_' followed by 3 to 12 alphanumeric or underscore characters (A-Za-z0-9_) \u2014 e.g., '#aw_chart1', '#aw_img_out'. The bare 'aw_chart1' form is also accepted. Declare this ID here if you plan to embed the artifact URL in a subsequent message body using '#aw_ID' \u2014 for example '![chart](#aw_chart1)' in a create_discussion body. The safe-outputs processor replaces '#aw_ID' references with the actual artifact download URL after upload. When skip-archive is true the URL points directly to the file and is suitable for inline images.", - "x-synonyms": ["temporaryId"] + "x-synonyms": [ + "temporaryId" + ] }, "secrecy": { "type": "string", @@ -1060,7 +1331,11 @@ "description": "Update a GitHub release description by replacing, appending to, or prepending to the existing content. Use this to add release notes, changelogs, or additional information to an existing release.", "inputSchema": { "type": "object", - "required": ["tag", "operation", "body"], + "required": [ + "tag", + "operation", + "body" + ], "properties": { "tag": { "type": "string", @@ -1068,7 +1343,11 @@ }, "operation": { "type": "string", - "enum": ["replace", "append", "prepend"], + "enum": [ + "replace", + "append", + "prepend" + ], "description": "How to update the release body: 'replace' (completely overwrite), 'append' (add to end with separator), or 'prepend' (add to start with separator)." }, "body": { @@ -1092,7 +1371,9 @@ "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted. When a bash command is blocked by security policy, call this tool with reason set to \"security\".", "inputSchema": { "type": "object", - "required": ["reason"], + "required": [ + "reason" + ], "properties": { "tool": { "type": "string", @@ -1123,7 +1404,9 @@ "description": "Log a transparency message when no significant actions are needed. Use this to confirm workflow completion and provide visibility when analysis is complete but no changes or outputs are required (e.g., 'No issues found', 'All checks passed'). This ensures the workflow produces human-visible output even when no other actions are taken.", "inputSchema": { "type": "object", - "required": ["message"], + "required": [ + "message" + ], "properties": { "message": { "type": "string", @@ -1146,17 +1429,30 @@ "description": "Link an issue as a sub-issue of a parent issue. Use this to establish parent-child relationships between issues for better organization and tracking of related work items.", "inputSchema": { "type": "object", - "required": ["parent_issue_number", "sub_issue_number"], + "required": [ + "parent_issue_number", + "sub_issue_number" + ], "properties": { "parent_issue_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "The parent issue number to link the sub-issue to. This is the numeric ID from the GitHub URL (e.g., 100 in github.com/owner/repo/issues/100).", - "x-synonyms": ["parentIssueNumber"] + "x-synonyms": [ + "parentIssueNumber" + ] }, "sub_issue_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "The issue number to link as a sub-issue of the parent. This is the numeric ID from the GitHub URL (e.g., 101 in github.com/owner/repo/issues/101).", - "x-synonyms": ["subIssueNumber"] + "x-synonyms": [ + "subIssueNumber" + ] }, "secrecy": { "type": "string", @@ -1175,16 +1471,27 @@ "description": "Hide a comment on a GitHub issue, pull request, or discussion. This collapses the comment and marks it as spam, abuse, off-topic, outdated, resolved, or low-quality. Use this for inappropriate, off-topic, or outdated comments. The comment_id must be a GraphQL node ID (string like 'IC_kwDOABCD123456'), not a numeric REST API comment ID. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.hide-comment configuration to exclude this permission.", "inputSchema": { "type": "object", - "required": ["comment_id"], + "required": [ + "comment_id" + ], "properties": { "comment_id": { "type": "string", "description": "GraphQL node ID of the comment to hide (e.g., 'IC_kwDOABCD123456'). This is the GraphQL node ID, not the numeric comment ID from REST API. Can be obtained from GraphQL queries or comment API responses.", - "x-synonyms": ["commentId"] + "x-synonyms": [ + "commentId" + ] }, "reason": { "type": "string", - "enum": ["SPAM", "ABUSE", "OFF_TOPIC", "OUTDATED", "RESOLVED", "LOW_QUALITY"], + "enum": [ + "SPAM", + "ABUSE", + "OFF_TOPIC", + "OUTDATED", + "RESOLVED", + "LOW_QUALITY" + ], "description": "Optional reason for hiding the comment. Defaults to SPAM if not provided. Valid values: SPAM (spam content), ABUSE (abusive/harassment content), OFF_TOPIC (not relevant to discussion), OUTDATED (no longer applicable), RESOLVED (issue/question has been resolved), LOW_QUALITY (low-quality content)." }, "secrecy": { @@ -1204,17 +1511,26 @@ "description": "Set the type of a GitHub issue. Pass an empty string \"\" to clear the issue type. Issue types must be configured in the repository or organization settings before they can be assigned.", "inputSchema": { "type": "object", - "required": ["issue_type"], + "required": [ + "issue_type" + ], "properties": { "issue_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Issue number to set the type for. If omitted, sets the type on the issue that triggered this workflow.", - "x-synonyms": ["issueNumber"] + "x-synonyms": [ + "issueNumber" + ] }, "issue_type": { "type": "string", "description": "Issue type name to set (e.g., \"Bug\", \"Feature\", \"Task\"). Use an empty string \"\" to clear the current issue type.", - "x-synonyms": ["issueType"] + "x-synonyms": [ + "issueType" + ] }, "secrecy": { "type": "string", @@ -1233,22 +1549,33 @@ "description": "Set a single GitHub issue field by name and value. Use field_name for discovery by field label (for example, \"Priority\"), or provide field_node_id to skip discovery. Supports text, number, date (YYYY-MM-DD), and single-select fields (value must match an option name).", "inputSchema": { "type": "object", - "required": ["value"], + "required": [ + "value" + ], "properties": { "issue_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Issue number to set the field on. If omitted, targets the issue that triggered this workflow.", - "x-synonyms": ["issueNumber"] + "x-synonyms": [ + "issueNumber" + ] }, "field_name": { "type": "string", "description": "Issue field name to set (e.g., \"Priority\", \"Severity\", \"Customer Impact\").", - "x-synonyms": ["fieldName"] + "x-synonyms": [ + "fieldName" + ] }, "field_node_id": { "type": "string", "description": "Optional GraphQL node ID of the issue field. Provide this to skip field-name discovery and set a field directly.", - "x-synonyms": ["fieldNodeId"] + "x-synonyms": [ + "fieldNodeId" + ] }, "value": { "type": "string", @@ -1271,7 +1598,9 @@ "description": "Manage GitHub Projects: add issues/pull requests/draft issues, update item fields (status, priority, effort, dates), manage custom fields, and create project views. Use this to organize work by adding items to projects, updating field values, creating custom fields up-front, and setting up project views (table, board, roadmap).\n\nThree modes: (1) Add or update project items with custom field values; (2) Create project fields; (3) Create project views. This is the primary tool for ProjectOps automation - add items to projects, set custom fields for tracking, and organize project boards.", "inputSchema": { "type": "object", - "required": ["project"], + "required": [ + "project" + ], "properties": { "project": { "type": "string", @@ -1280,47 +1609,71 @@ }, "operation": { "type": "string", - "enum": ["create_fields", "create_view"], + "enum": [ + "create_fields", + "create_view" + ], "description": "Optional operation mode. Use create_fields to create required fields up-front, or create_view to add a project view. When omitted, the tool adds/updates project items." }, "content_type": { "type": "string", - "enum": ["issue", "pull_request", "draft_issue"], + "enum": [ + "issue", + "pull_request", + "draft_issue" + ], "description": "Type of item to add to the project. Use 'issue' or 'pull_request' to add existing repo content, or 'draft_issue' to create a draft item inside the project. Required when operation is not specified.", - "x-synonyms": ["contentType"] + "x-synonyms": [ + "contentType" + ] }, "content_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Issue or pull request number to add to the project. This is the numeric ID from the GitHub URL (e.g., 123 in github.com/owner/repo/issues/123 for issue #123, or 456 in github.com/owner/repo/pull/456 for PR #456), or a temporary ID from a recent create_issue call \u2014 use '#aw_abc123' (canonical); bare 'aw_abc123' is also accepted. Required when content_type is 'issue' or 'pull_request'.", - "x-synonyms": ["contentNumber"] + "x-synonyms": [ + "contentNumber" + ] }, "target_repo": { "type": "string", "pattern": "^[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+$", "description": "Repository containing the issue or pull request, in \"owner/repo\" format (e.g., \"github/docs\"). Use this when the issue or PR belongs to a different repository than the one running the workflow. The repository must be permitted by either safe-outputs.update-project.target-repo (including the default host repository) or safe-outputs.update-project.allowed-repos.", - "x-synonyms": ["targetRepo"] + "x-synonyms": [ + "targetRepo" + ] }, "draft_title": { "type": "string", "description": "Title for a Projects v2 draft issue. Required when content_type is 'draft_issue'.", - "x-synonyms": ["draftTitle"] + "x-synonyms": [ + "draftTitle" + ] }, "draft_body": { "type": "string", "description": "Optional body for a Projects v2 draft issue (markdown). Only used when content_type is 'draft_issue'.", - "x-synonyms": ["draftBody"] + "x-synonyms": [ + "draftBody" + ] }, "draft_issue_id": { "type": "string", "pattern": "^#?aw_[A-Za-z0-9_]{3,12}$", "description": "Temporary ID of an existing draft issue to update \u2014 use '#aw_abc1' (canonical); bare 'aw_abc1' is also accepted. Use this to reference a draft created earlier with a matching temporary_id. When provided, draft_title is not required for updates.", - "x-synonyms": ["draftIssueId"] + "x-synonyms": [ + "draftIssueId" + ] }, "temporary_id": { "type": "string", "pattern": "^#?aw_[A-Za-z0-9_]{3,12}$", "description": "Unique temporary identifier for this draft issue. Canonical form: '#aw_' followed by 3 to 12 alphanumeric or underscore characters (A-Za-z0-9_) \u2014 e.g., '#aw_abc1', '#aw_pr_fix'. The bare 'aw_abc1' form is also accepted. Provide this when creating a new draft to enable future updates via draft_issue_id.", - "x-synonyms": ["temporaryId"] + "x-synonyms": [ + "temporaryId" + ] }, "fields": { "type": "object", @@ -1331,7 +1684,10 @@ "description": "Field definitions to create when operation is create_fields. Required when operation='create_fields'.", "items": { "type": "object", - "required": ["name", "data_type"], + "required": [ + "name", + "data_type" + ], "properties": { "name": { "type": "string", @@ -1339,7 +1695,13 @@ }, "data_type": { "type": "string", - "enum": ["TEXT", "NUMBER", "DATE", "SINGLE_SELECT", "ITERATION"], + "enum": [ + "TEXT", + "NUMBER", + "DATE", + "SINGLE_SELECT", + "ITERATION" + ], "description": "Field type. Use SINGLE_SELECT with options for enumerated values." }, "options": { @@ -1352,19 +1714,28 @@ }, "additionalProperties": false }, - "x-synonyms": ["fieldDefinitions"] + "x-synonyms": [ + "fieldDefinitions" + ] }, "view": { "type": "object", "description": "View definition to create when operation is create_view. Required when operation='create_view'.", - "required": ["name", "layout"], + "required": [ + "name", + "layout" + ], "properties": { "name": { "type": "string" }, "layout": { "type": "string", - "enum": ["table", "board", "roadmap"] + "enum": [ + "table", + "board", + "roadmap" + ] }, "filter": { "type": "string" @@ -1382,7 +1753,9 @@ "create_if_missing": { "type": "boolean", "description": "Whether to create the project if it doesn't exist. Defaults to false. Requires projects:write permission when true.", - "x-synonyms": ["createIfMissing"] + "x-synonyms": [ + "createIfMissing" + ] }, "secrecy": { "type": "string", @@ -1406,7 +1779,9 @@ "data_type": { "type": "string", "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.", - "x-synonyms": ["dataType"] + "x-synonyms": [ + "dataType" + ] }, "reason": { "type": "string", @@ -1437,7 +1812,9 @@ "description": "Signal that the task could not be completed due to an infrastructure or tool failure (e.g., MCP server crash, missing authentication, inaccessible repository). Use this when required tools or data are unavailable and the task cannot be meaningfully performed. This is distinct from noop (no action needed) \u2014 it indicates an active failure that prevented the task from running. The workflow framework will treat this as a failure signal even when the agent exits successfully.", "inputSchema": { "type": "object", - "required": ["reason"], + "required": [ + "reason" + ], "properties": { "reason": { "type": "string", @@ -1468,21 +1845,30 @@ }, "owner_type": { "type": "string", - "enum": ["org", "user"], + "enum": [ + "org", + "user" + ], "description": "Type of owner: 'org' for organization or 'user' for user account. Default: 'org'.", - "x-synonyms": ["ownerType"] + "x-synonyms": [ + "ownerType" + ] }, "item_url": { "type": "string", "pattern": "^(https://github\\\\.com/[^/]+/[^/]+/issues/(\\\\d+|#?aw_[A-Za-z0-9_]{3,12})|#?aw_[A-Za-z0-9_]{3,12})$", "description": "Optional GitHub issue URL or temporary ID to add as the first item to the project. Accepts either a full URL (e.g., 'https://github.com/owner/repo/issues/123'), a URL with temporary ID (e.g., 'https://github.com/owner/repo/issues/#aw_abc1'), or a plain temporary ID \u2014 use '#aw_abc1' (canonical); bare 'aw_abc1' is also accepted.", - "x-synonyms": ["itemUrl"] + "x-synonyms": [ + "itemUrl" + ] }, "temporary_id": { "type": "string", "pattern": "^#?aw_[A-Za-z0-9_]{3,12}$", "description": "Optional temporary identifier for this project. Canonical form: '#aw_' followed by 3 to 12 alphanumeric or underscore characters (A-Za-z0-9_) \u2014 e.g., '#aw_abc1', '#aw_pr_fix'. The bare 'aw_abc1' form is also accepted. If not provided, one will be auto-generated and returned in the response. Use this same '#aw_ID' form in add_project_item to reference this project.", - "x-synonyms": ["temporaryId"] + "x-synonyms": [ + "temporaryId" + ] }, "secrecy": { "type": "string", @@ -1501,7 +1887,10 @@ "description": "Post a status update to a GitHub Project to communicate progress and health. Use this to provide stakeholders with regular updates on project status (on-track, at-risk, off-track, complete, inactive), timeline information, and progress summaries. Status updates create a historical record of project progress, enabling tracking over time and informed decision-making.", "inputSchema": { "type": "object", - "required": ["project", "body"], + "required": [ + "project", + "body" + ], "properties": { "project": { "type": "string", @@ -1510,20 +1899,30 @@ }, "status": { "type": "string", - "enum": ["ON_TRACK", "AT_RISK", "OFF_TRACK", "COMPLETE", "INACTIVE"], + "enum": [ + "ON_TRACK", + "AT_RISK", + "OFF_TRACK", + "COMPLETE", + "INACTIVE" + ], "description": "Status indicator for the project. Defaults to ON_TRACK. Values: ON_TRACK (progressing well), AT_RISK (has issues/blockers), OFF_TRACK (significantly behind), COMPLETE (finished), INACTIVE (paused/cancelled)." }, "start_date": { "type": "string", "pattern": "^\\\\d{4}-\\\\d{2}-\\\\d{2}$", "description": "Optional project start date in YYYY-MM-DD format (e.g., '2026-01-06').", - "x-synonyms": ["startDate"] + "x-synonyms": [ + "startDate" + ] }, "target_date": { "type": "string", "pattern": "^\\\\d{4}-\\\\d{2}-\\\\d{2}$", "description": "Optional project target/end date in YYYY-MM-DD format (e.g., '2026-12-31').", - "x-synonyms": ["targetDate"] + "x-synonyms": [ + "targetDate" + ] }, "body": { "type": "string", @@ -1546,22 +1945,35 @@ "description": "Create an autofix for a code scanning alert. Use this to provide automated fixes for security vulnerabilities detected by code scanning tools. The fix should contain the corrected code that resolves the security issue.", "inputSchema": { "type": "object", - "required": ["alert_number", "fix_description", "fix_code"], + "required": [ + "alert_number", + "fix_description", + "fix_code" + ], "properties": { "alert_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "The security alert number to create an autofix for. This is the numeric ID from the code scanning alert (e.g., 42 in github.com/owner/repo/security/code-scanning/42).", - "x-synonyms": ["alertNumber"] + "x-synonyms": [ + "alertNumber" + ] }, "fix_description": { "type": "string", "description": "Clear description of the fix being applied. Explain what security issue is being resolved and how the fix addresses it. Example: 'Sanitize user input to prevent SQL injection by using parameterized queries instead of string concatenation.'", - "x-synonyms": ["fixDescription"] + "x-synonyms": [ + "fixDescription" + ] }, "fix_code": { "type": "string", "description": "The code changes to apply as the autofix. This should be the corrected code that resolves the security vulnerability. Example for SQL injection fix: 'query = db.prepare(\"SELECT * FROM users WHERE id = ?\").bind(userId)'", - "x-synonyms": ["fixCode"] + "x-synonyms": [ + "fixCode" + ] }, "secrecy": { "type": "string", @@ -1580,16 +1992,23 @@ "description": "Mark a draft pull request as ready for review by setting draft=false and adding a comment. Use this when a draft PR has reached a state where it's ready for team review. The comment should explain what was completed and why the PR is now ready.", "inputSchema": { "type": "object", - "required": ["reason"], + "required": [ + "reason" + ], "properties": { "reason": { "type": "string", "description": "Comment explaining why the PR is ready for review (e.g., 'All tests passing and documentation updated', 'Feature implementation complete and ready for feedback')." }, "pull_request_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Pull request number to mark as ready. This is the numeric ID from the GitHub URL (e.g., 432 in github.com/owner/repo/pull/432). If omitted, marks the PR that triggered this workflow (requires a pull_request event trigger).", - "x-synonyms": ["pullRequestNumber"] + "x-synonyms": [ + "pullRequestNumber" + ] }, "secrecy": { "type": "string", @@ -1613,7 +2032,9 @@ "memory_id": { "type": "string", "description": "Memory identifier to validate. Defaults to 'default' if not specified.", - "x-synonyms": ["memoryId"] + "x-synonyms": [ + "memoryId" + ] } }, "additionalProperties": false @@ -1624,11 +2045,23 @@ "description": "Create a GitHub Check Run to report agent analysis results on a commit or pull request. Check Runs appear in the PR checks UI and on commits with a pass/fail status. Use this to surface structured analysis results as a first-class GitHub check. The check run name is configured in the workflow frontmatter and is NOT accepted as a parameter \u2014 do not pass name. When `safe-outputs.create-check-run.target` is configured, pull request targeting follows standard PR target rules. With `target: \"*\"`, include `pull_request_number` (or `pr_number`/`pr`/`pull_number`) in each call.", "inputSchema": { "type": "object", - "required": ["conclusion", "title", "summary"], + "required": [ + "conclusion", + "title", + "summary" + ], "properties": { "conclusion": { "type": "string", - "enum": ["success", "failure", "neutral", "cancelled", "skipped", "timed_out", "action_required"], + "enum": [ + "success", + "failure", + "neutral", + "cancelled", + "skipped", + "timed_out", + "action_required" + ], "description": "The final conclusion of the check run. Use \"success\" when the check passes, \"failure\" when issues are found that must be fixed, \"neutral\" for informational results with no required action." }, "title": { @@ -1644,21 +2077,47 @@ "description": "Optional detailed Markdown content shown in the check run details. Use this for longer output such as full analysis reports, line-by-line findings, or remediation steps. Maximum 65535 characters." }, "pull_request_number": { - "type": ["number", "string"], + "type": [ + "number", + "string" + ], "description": "Pull request number to attach the check run to when the workflow uses `create-check-run: target: \"*\"` (or equivalent explicit PR targeting). This is the numeric ID from the GitHub URL (e.g., 876 in github.com/owner/repo/pull/876).", - "x-synonyms": ["pullRequestNumber"] + "x-synonyms": [ + "pr_number", + "pr", + "pull_number" + ] }, "pr_number": { - "type": ["number", "string"], - "description": "Alias for pull_request_number. Prefer pull_request_number in new calls." + "type": [ + "number", + "string" + ], + "description": "Alias for pull_request_number. Prefer pull_request_number in new calls.", + "x-synonyms": [ + "prNumber" + ] }, "pr": { - "type": ["number", "string"], - "description": "Alias for pull_request_number. Prefer pull_request_number in new calls." + "type": [ + "number", + "string" + ], + "description": "Alias for pull_request_number. Prefer pull_request_number in new calls.", + "x-synonyms": [ + "pullRequest", + "pull" + ] }, "pull_number": { - "type": ["number", "string"], - "description": "Alias for pull_request_number. Prefer pull_request_number in new calls." + "type": [ + "number", + "string" + ], + "description": "Alias for pull_request_number. Prefer pull_request_number in new calls.", + "x-synonyms": [ + "pullNumber" + ] } }, "additionalProperties": false From 184b8ad7e7efb7d3244cf858b1edac21458a0c61 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 10 Jun 2026 03:22:06 +0000 Subject: [PATCH 4/5] Deep review: add core.error to pulls.get catch, consolidate staged returns, strengthen test Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- actions/setup/js/create_check_run.cjs | 89 ++++++++++------------ actions/setup/js/create_check_run.test.cjs | 8 +- 2 files changed, 46 insertions(+), 51 deletions(-) diff --git a/actions/setup/js/create_check_run.cjs b/actions/setup/js/create_check_run.cjs index 8870f754dee..a5a9fe16554 100644 --- a/actions/setup/js/create_check_run.cjs +++ b/actions/setup/js/create_check_run.cjs @@ -113,6 +113,7 @@ async function main(config = {}) { const owner = context.repo.owner; const repo = context.repo.repo; let headSha = ""; + let resolvedPrNumber = null; if (checkRunTarget) { const targetResult = resolveTarget({ @@ -136,51 +137,37 @@ async function main(config = {}) { }; } - const pullRequestNumber = targetResult.number; - - // In staged mode we know the PR number but skip the live API call that fetches the - // head SHA — there is nothing to attach a real check run to. - if (isStaged) { - logStagedPreviewInfo(`Would create check run "${defaultName}" targeting PR #${pullRequestNumber} with conclusion=${conclusion}, title="${resolvedTitle}"`); - processedCount++; - return { - success: true, - staged: true, - previewInfo: { - name: defaultName, - conclusion, - title: resolvedTitle, - }, - }; - } + resolvedPrNumber = targetResult.number; // Fetch the current PR head SHA via the API. We intentionally go through the API // even when the context payload already carries a SHA (e.g. target: "triggering" on // a pull_request event) so that we always use the most recent head in case the PR // was force-pushed between the triggering event and when this handler runs. - try { - const { data: pullRequest } = await withRetry( - () => - githubClient.rest.pulls.get({ - owner, - repo, - pull_number: pullRequestNumber, - }), - RATE_LIMIT_RETRY_CONFIG - ); - headSha = pullRequest?.head?.sha || ""; - if (!headSha) { - const msg = `create_check_run: pull request #${pullRequestNumber} has no head SHA`; + // Skipped in staged mode — there is nothing to attach a real check run to. + if (!isStaged) { + try { + const { data: pullRequest } = await withRetry( + () => + githubClient.rest.pulls.get({ + owner, + repo, + pull_number: resolvedPrNumber, + }), + RATE_LIMIT_RETRY_CONFIG + ); + headSha = pullRequest?.head?.sha || ""; + if (!headSha) { + const msg = `create_check_run: pull request #${resolvedPrNumber} has no head SHA`; + core.error(msg); + return { success: false, error: msg }; + } + core.info(`Using PR #${resolvedPrNumber} head SHA ${headSha} (target=${checkRunTarget})`); + } catch (error) { + const errorMessage = getErrorMessage(error); + const msg = `Failed to resolve pull request for create_check_run: ${errorMessage}`; core.error(msg); return { success: false, error: msg }; } - core.info(`Using PR #${pullRequestNumber} head SHA ${headSha} (target=${checkRunTarget})`); - } catch (error) { - const errorMessage = getErrorMessage(error); - return { - success: false, - error: `Failed to resolve pull request for create_check_run: ${errorMessage}`, - }; } } else { // For pull_request events, GITHUB_SHA is the ephemeral merge commit SHA which is @@ -193,31 +180,33 @@ async function main(config = {}) { } } - if (!headSha) { - const msg = "create_check_run: cannot determine commit SHA for check run"; - core.error(msg); - return { success: false, error: msg }; - } - - const checkRunName = defaultName; - - core.info(`Creating check run "${checkRunName}" on ${owner}/${repo}@${headSha} with conclusion=${conclusion}`); - - // If in staged mode, preview without executing + // In staged mode, preview without making live API calls to create the actual check run. + // Include the resolved PR number in the preview when targeting a specific PR. if (isStaged) { - logStagedPreviewInfo(`Would create check run "${checkRunName}" with conclusion=${conclusion}, title="${resolvedTitle}"`); + const prSuffix = resolvedPrNumber != null ? ` targeting PR #${resolvedPrNumber}` : ""; + logStagedPreviewInfo(`Would create check run "${defaultName}"${prSuffix} with conclusion=${conclusion}, title="${resolvedTitle}"`); processedCount++; return { success: true, staged: true, previewInfo: { - name: checkRunName, + name: defaultName, conclusion, title: resolvedTitle, }, }; } + if (!headSha) { + const msg = "create_check_run: cannot determine commit SHA for check run"; + core.error(msg); + return { success: false, error: msg }; + } + + const checkRunName = defaultName; + + core.info(`Creating check run "${checkRunName}" on ${owner}/${repo}@${headSha} with conclusion=${conclusion}`); + try { const output = { title: resolvedTitle, diff --git a/actions/setup/js/create_check_run.test.cjs b/actions/setup/js/create_check_run.test.cjs index c3388ebf15a..fd9f4385293 100644 --- a/actions/setup/js/create_check_run.test.cjs +++ b/actions/setup/js/create_check_run.test.cjs @@ -219,19 +219,25 @@ describe("create_check_run", () => { expect(capturedParams.head_sha).toBe("target-pr-sha-7"); }); - it("returns error when pulls.get throws (e.g. 404 or 403)", async () => { + it("returns error and emits core.error when pulls.get throws (e.g. 404 or 403)", async () => { mockGithub.rest.pulls = { get: async () => { throw new Error("Not Found"); }, }; + let coreErrorMessage = null; + mockCore.error = msg => { + coreErrorMessage = msg; + }; + const { main } = require("./create_check_run.cjs"); const handler = await main({ max: 10, target: "*" }); const result = await handler({ type: "create_check_run", pull_request_number: 42, conclusion: "success", title: "Title", summary: "Summary" }, {}); expect(result.success).toBe(false); expect(result.error).toContain("Failed to resolve pull request"); + expect(coreErrorMessage).toContain("Failed to resolve pull request"); }); it("resolves triggering PR context when target is 'triggering'", async () => { From 034c15df4108c9d369217ba4d327d78c415ba3e2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 10 Jun 2026 03:48:41 +0000 Subject: [PATCH 5/5] docs(spec): add create_check_run type definition to safe-outputs specification v1.23.0 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../docs/specs/safe-outputs-specification.md | 128 +++++++++++++++++- 1 file changed, 126 insertions(+), 2 deletions(-) diff --git a/docs/src/content/docs/specs/safe-outputs-specification.md b/docs/src/content/docs/specs/safe-outputs-specification.md index 392c7890f96..e73a56edf49 100644 --- a/docs/src/content/docs/specs/safe-outputs-specification.md +++ b/docs/src/content/docs/specs/safe-outputs-specification.md @@ -7,9 +7,9 @@ sidebar: # Safe Outputs MCP Gateway Specification -**Version**: 1.22.0 +**Version**: 1.23.0 **Status**: Working Draft -**Publication Date**: 2026-06-06 +**Publication Date**: 2026-06-10 **Editor**: GitHub Agentic Workflows Team **This Version**: [safe-outputs-specification](/gh-aw/specs/safe-outputs-specification/) **Latest Published Version**: This document @@ -3676,6 +3676,122 @@ safe-outputs: --- +#### Type: create_check_run + +**Purpose**: Create a GitHub Check Run to report agent analysis results as a first-class status check on a commit or pull request. + +**Default Max**: 1 +**Cross-Repository Support**: No (same repository only) +**Mandatory**: No + +**MCP Tool Schema**: + +```json +{ + "name": "create_check_run", + "description": "Create a GitHub Check Run to report agent analysis results on a commit or pull request. Check Runs appear in the PR checks UI and on commits with a pass/fail status. Use this to surface structured analysis results as a first-class GitHub check. The check run name is configured in the workflow frontmatter and is NOT accepted as a parameter. When `safe-outputs.create-check-run.target` is configured, pull request targeting follows standard PR target rules. With `target: \"*\"`, include `pull_request_number` (or `pr_number`/`pr`/`pull_number`) in each call.", + "inputSchema": { + "type": "object", + "required": ["conclusion", "title", "summary"], + "properties": { + "conclusion": { + "type": "string", + "enum": ["success", "failure", "neutral", "cancelled", "skipped", "timed_out", "action_required"], + "description": "The final conclusion of the check run." + }, + "title": { + "type": "string", + "description": "Short title summarizing the check result. Shown in the checks UI next to the check run name. Maximum 256 characters." + }, + "summary": { + "type": "string", + "description": "Markdown-formatted summary of the check result. Shown in the checks detail view. Maximum 65535 characters." + }, + "text": { + "type": "string", + "description": "Optional detailed Markdown content shown in the check run details. Maximum 65535 characters." + }, + "pull_request_number": { + "type": ["number", "string"], + "description": "Pull request number to attach the check run to when `target: \"*\"` is configured. Aliases: pr_number, pr, pull_number.", + "x-synonyms": ["pr_number", "pr", "pull_number"] + } + }, + "additionalProperties": false + } +} +``` + +**Operational Semantics**: + +1. **SHA Resolution**: When `target` is configured, the handler resolves the target pull request number via the shared target resolution logic, then fetches the current PR head SHA via `GET /repos/{owner}/{repo}/pulls/{pull_number}`. The API fetch is intentional even when the event payload carries a SHA (e.g. `target: "triggering"` on a `pull_request` event) so that the check run always references the most recent head in the event of a force push between the triggering event and handler execution. +2. **Fallback SHA** (no `target`): The handler uses `pull_request.head.sha` from the event payload when present (avoids the ephemeral merge commit SHA produced by `pull_request` events), falling back to `GITHUB_SHA`, then `context.sha`. +3. **Check Run Creation**: Issues `POST /repos/{owner}/{repo}/check-runs` with status `completed` and the resolved `head_sha`. The check run name is taken from frontmatter configuration, defaulting to the workflow name (with `(Result)` suffix to avoid collapsing into the workflow's own check suite entry in compact UI views). +4. **Staged Mode**: In staged mode the handler logs a preview message with the resolved PR number (when `target` is set) and returns without calling the Checks API or the Pulls API. +5. **Error Handling**: Hard failures (target resolution failure, missing PR head SHA, Pulls API error) emit `core.error` for a red workflow annotation and return `{ success: false }`. Soft skips (e.g. `target: "triggering"` in a non-PR context) emit `core.info` and return `{ success: false, skipped: true }`. + +**Configuration Parameters**: + +| Parameter | Type | Default | Description | +|-----------|------|---------|-------------| +| `name` | `string` | Workflow name | Check run name shown in the GitHub Checks UI. Auto-suffixed with `(Result)` when equal to the workflow name to avoid UI collapsing. | +| `target` | `string` | — | PR targeting mode: `"triggering"` (use PR from event context), `"*"` (use `pull_request_number` from each call), or an explicit PR number expression (e.g. `"${{ github.event.inputs.pr }}"` ). When omitted the handler falls back to the event-payload SHA heuristic. | +| `max` | `number` | `1` | Maximum number of check runs per workflow run. | +| `staged` | `boolean` | `false` | Enable staged mode for this handler. | +| `output.title` | `string` | — | Static fallback title when the agent does not provide one. | +| `output.summary` | `string` | — | Static fallback summary when the agent does not provide one. | + +**Required Permissions**: + +*GitHub Actions Token* (when `target` is NOT configured): + +- `contents: read` - Repository metadata and context +- `checks: write` - Check run creation + +*GitHub Actions Token* (when `target` IS configured): + +- `contents: read` - Repository metadata and context +- `checks: write` - Check run creation +- `pull-requests: read` - PR head SHA resolution via `GET /repos/{owner}/{repo}/pulls/{pull_number}` + +*GitHub App*: + +- `checks: write` - Check run creation +- `pull-requests: read` - PR head SHA resolution (when `target` is configured) +- `metadata: read` - Repository metadata (automatically granted) + +**Notes**: + +- The check run `name` is configured in workflow frontmatter, NOT accepted as an agent-provided parameter. Agents MUST NOT pass `name` in the tool call. +- `conclusion` is required and MUST be one of: `success`, `failure`, `neutral`, `cancelled`, `skipped`, `timed_out`, `action_required`. +- `title` and `summary` are required. Both may be supplied as static fallbacks in frontmatter (`output.title`, `output.summary`) when the agent does not produce them. +- `pull_request_number` (aliases: `pr_number`, `pr`, `pull_number`) is only meaningful when `target: "*"` is configured. +- The `pull-requests: read` permission is automatically added to the compiled workflow only when `target` is configured; workflows without a `target` are not affected. + +**Example Frontmatter**: + +```yaml +safe-outputs: + create-check-run: + name: "Security Scan" + target: "*" + max: 1 +``` + +**Example Agent Message**: + +```json +{ + "type": "create_check_run", + "pull_request_number": 876, + "conclusion": "failure", + "title": "3 issues found", + "summary": "### Findings\n- Issue A\n- Issue B\n- Issue C" +} +``` + +--- + #### Type: create_agent_session **Purpose**: Create GitHub Copilot coding agent sessions for code change delegation. @@ -5035,6 +5151,14 @@ This specification revision aligns with directly relevant `CHANGELOG.md` entries - **Earlier changelog entry**: status comments were decoupled from default AI reaction behavior; explicit `on.status-comment` configuration is required when status comments are desired. - **Earlier changelog entry**: `command` trigger was renamed to `slash_command` with deprecation compatibility. +**Version 1.23.0** (2026-06-10): + +- **Added**: `create_check_run` safe output type definition in Section 7.3, including full MCP tool schema, operational semantics, configuration parameters, and permission requirements. +- **Specified**: Dual-permission profile for `create_check_run`: `contents: read` + `checks: write` when no `target` is configured; adds `pull-requests: read` when `target` is set (required for PR head SHA resolution via `GET /repos/{owner}/{repo}/pulls/{pull_number}`). +- **Specified**: SHA resolution order: API-fetched PR head SHA (when `target` configured) → event-payload `pull_request.head.sha` → `GITHUB_SHA` → `context.sha`. +- **Specified**: Staged-mode behavior: Pulls API call is skipped; preview message includes the resolved PR number when `target` is set. +- **Updated**: Publication metadata to 1.23.0. + **Version 1.22.0** (2026-06-06): - **Added**: `base-branch` configuration parameter on `push_to_pull_request_branch`, matching the existing field on `create_pull_request`.