diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4b74051e54..36aab99ec8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -2710,21 +2710,15 @@ jobs: FIREWALL_VERSION=$(extract "DefaultFirewallVersion") MCPG_VERSION=$(extract "DefaultMCPGatewayVersion") - APM_VERSION=$(extract "DefaultAPMVersion") - APM_ACTION_VERSION=$(extract "DefaultAPMActionVersion") GITHUB_MCP_VERSION=$(extract "DefaultGitHubMCPServerVersion") echo "firewall_version=$FIREWALL_VERSION" >> $GITHUB_OUTPUT echo "mcpg_version=$MCPG_VERSION" >> $GITHUB_OUTPUT - echo "apm_version=$APM_VERSION" >> $GITHUB_OUTPUT - echo "apm_action_version=$APM_ACTION_VERSION" >> $GITHUB_OUTPUT echo "github_mcp_version=$GITHUB_MCP_VERSION" >> $GITHUB_OUTPUT echo "Extracted versions from pkg/constants/constants.go:" echo " gh-aw-firewall: $FIREWALL_VERSION" echo " gh-aw-mcpg: $MCPG_VERSION" - echo " microsoft/APM: $APM_VERSION" - echo " microsoft/apm-action: $APM_ACTION_VERSION" echo " github-mcp-server: $GITHUB_MCP_VERSION" - name: Check gh-aw-firewall release 
@@ -2769,48 +2763,6 @@ jobs: echo "" >> $GITHUB_STEP_SUMMARY sleep 2 # Avoid GitHub API rate limiting between checks - - name: Check microsoft/APM release - env: - VERSION: ${{ steps.versions.outputs.apm_version }} - run: | - set -e - REPO="microsoft/APM" - - echo "## Checking microsoft/APM ${VERSION}" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - - echo "Checking GitHub release: ${REPO}@${VERSION}..." - if gh release view "${VERSION}" --repo "${REPO}" > /dev/null 2>&1; then - echo "✅ GitHub release ${VERSION} is available for ${REPO}" | tee -a $GITHUB_STEP_SUMMARY - else - echo "❌ GitHub release ${VERSION} not found for ${REPO}" | tee -a $GITHUB_STEP_SUMMARY - exit 1 - fi - - echo "" >> $GITHUB_STEP_SUMMARY - sleep 2 # Avoid GitHub API rate limiting between checks - - - name: Check microsoft/apm-action release - env: - VERSION: ${{ steps.versions.outputs.apm_action_version }} - run: | - set -e - REPO="microsoft/apm-action" - - echo "## Checking microsoft/apm-action ${VERSION}" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - - echo "Checking GitHub release: ${REPO}@${VERSION}..." - if gh release view "${VERSION}" --repo "${REPO}" > /dev/null 2>&1; then - echo "✅ GitHub release ${VERSION} is available for ${REPO}" | tee -a $GITHUB_STEP_SUMMARY - else - echo "❌ GitHub release ${VERSION} not found for ${REPO}" | tee -a $GITHUB_STEP_SUMMARY - exit 1 - fi - - echo "" >> $GITHUB_STEP_SUMMARY - sleep 2 # Avoid GitHub API rate limiting between checks - - name: Check github-mcp-server release env: VERSION: ${{ steps.versions.outputs.github_mcp_version }} diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 49b99896fc..bb90780b22 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml 
@@ -20,14 +20,14 @@ # # For more information: https://github.github.com/gh-aw/introduction/overview/ # -# Monitors and updates agentic CLI tools (Claude Code, GitHub Copilot CLI, OpenAI Codex, GitHub MCP Server, Playwright MCP, Playwright Browser, MCP Gateway, APM) for new versions +# Monitors and updates agentic CLI tools (Claude Code, GitHub Copilot CLI, OpenAI Codex, GitHub MCP Server, Playwright MCP, Playwright Browser, MCP Gateway) for new versions # # Resolved workflow manifest: # Imports: # - shared/jqschema.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"e33a1982ca40e184f0ac66603487475e34c5357114f7bb3fe75d9ff92b3df4b6","agent_id":"claude"} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"f1edaf6fb88a3f4f73256faa6a1c60181f239cbc5e01436d07f90b282d6bff79","agent_id":"claude"} name: "CLI Version Checker" "on": @@ -138,15 +138,15 @@ jobs: run: | bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh { - cat << 'GH_AW_PROMPT_76a39be9e5d02f01_EOF' + cat << 'GH_AW_PROMPT_9efb833a32d5a4cd_EOF' - GH_AW_PROMPT_76a39be9e5d02f01_EOF + GH_AW_PROMPT_9efb833a32d5a4cd_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md" cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md" cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md" cat "${RUNNER_TEMP}/gh-aw/prompts/cache_memory_prompt.md" cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md" - cat << 'GH_AW_PROMPT_76a39be9e5d02f01_EOF' + cat << 'GH_AW_PROMPT_9efb833a32d5a4cd_EOF' Tools: create_issue, missing_tool, missing_data, noop 
@@ -178,14 +178,14 @@ jobs: {{/if}} - GH_AW_PROMPT_76a39be9e5d02f01_EOF + GH_AW_PROMPT_9efb833a32d5a4cd_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" - cat << 'GH_AW_PROMPT_76a39be9e5d02f01_EOF' + cat << 'GH_AW_PROMPT_9efb833a32d5a4cd_EOF' {{#runtime-import .github/workflows/shared/jqschema.md}} {{#runtime-import .github/workflows/shared/reporting.md}} {{#runtime-import .github/workflows/cli-version-checker.md}} - GH_AW_PROMPT_76a39be9e5d02f01_EOF + GH_AW_PROMPT_9efb833a32d5a4cd_EOF } > "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -378,12 +378,12 @@ jobs: mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_0958f22e0ad4d408_EOF' + cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_60b24497e03bb0bc_EOF' {"create_issue":{"close_older_issues":true,"expires":48,"labels":["automation","dependencies","cookie"],"max":1,"title_prefix":"[ca] "},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"}} - GH_AW_SAFE_OUTPUTS_CONFIG_0958f22e0ad4d408_EOF + GH_AW_SAFE_OUTPUTS_CONFIG_60b24497e03bb0bc_EOF - name: Write Safe Outputs Tools run: | - cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_afa717040d23fd51_EOF' + cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_696faa309d70ef9d_EOF' { "description_suffixes": { "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[ca] \". Labels [\"automation\" \"dependencies\" \"cookie\"] will be automatically added." 
@@ -391,8 +391,8 @@ jobs: "repo_params": {}, "dynamic_tools": [] } - GH_AW_SAFE_OUTPUTS_TOOLS_META_afa717040d23fd51_EOF - cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_ed2e88e1c53ff40c_EOF' + GH_AW_SAFE_OUTPUTS_TOOLS_META_696faa309d70ef9d_EOF + cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_f27ed83cff760e3e_EOF' { "create_issue": { "defaultMax": 1, @@ -485,7 +485,7 @@ jobs: } } } - GH_AW_SAFE_OUTPUTS_VALIDATION_ed2e88e1c53ff40c_EOF + GH_AW_SAFE_OUTPUTS_VALIDATION_f27ed83cff760e3e_EOF node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config 
@@ -552,7 +552,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.9' - cat << GH_AW_MCP_CONFIG_6bd1c59bc85cb175_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_68bf802d1e480d49_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -592,7 +592,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_6bd1c59bc85cb175_EOF + GH_AW_MCP_CONFIG_68bf802d1e480d49_EOF - name: Download activation artifact uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: 
@@ -1037,7 +1037,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: WORKFLOW_NAME: "CLI Version Checker" - WORKFLOW_DESCRIPTION: "Monitors and updates agentic CLI tools (Claude Code, GitHub Copilot CLI, OpenAI Codex, GitHub MCP Server, Playwright MCP, Playwright Browser, MCP Gateway, APM) for new versions" + WORKFLOW_DESCRIPTION: "Monitors and updates agentic CLI tools (Claude Code, GitHub Copilot CLI, OpenAI Codex, GitHub MCP Server, Playwright MCP, Playwright Browser, MCP Gateway) for new versions" HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | diff --git a/.github/workflows/cli-version-checker.md b/.github/workflows/cli-version-checker.md index 9f46e3ad03..9120dd0204 100644 --- a/.github/workflows/cli-version-checker.md +++ b/.github/workflows/cli-version-checker.md @@ -1,5 +1,5 @@ --- -description: Monitors and updates agentic CLI tools (Claude Code, GitHub Copilot CLI, OpenAI Codex, GitHub MCP Server, Playwright MCP, Playwright Browser, MCP Gateway, APM) for new versions +description: Monitors and updates agentic CLI tools (Claude Code, GitHub Copilot CLI, OpenAI Codex, GitHub MCP Server, Playwright MCP, Playwright Browser, MCP Gateway) for new versions on: schedule: daily workflow_dispatch: @@ -31,7 +31,7 @@ timeout-minutes: 45 # CLI Version Checker -Monitor and update agentic CLI tools: Claude Code, GitHub Copilot CLI, OpenAI Codex, GitHub MCP Server, Playwright MCP, Playwright Browser, MCP Gateway, and APM (Agent Package Manager). +Monitor and update agentic CLI tools: Claude Code, GitHub Copilot CLI, OpenAI Codex, GitHub MCP Server, Playwright MCP, Playwright Browser, and MCP Gateway. **Repository**: ${{ github.repository }} | **Run**: ${{ github.run_id }} 
@@ -74,12 +74,6 @@ For each CLI/MCP server: - Release Notes: https://github.com/github/gh-aw-mcpg/releases - Docker Image: `ghcr.io/github/gh-aw-mcpg:v{VERSION}` - Used as default sandbox.agent container (see `pkg/constants/constants.go`) -- **APM (Agent Package Manager)**: `https://api.github.com/repos/microsoft/APM/releases/latest` - - Repository: https://github.com/microsoft/APM - - Release Notes: https://github.com/microsoft/APM/releases - - Pinned via `DefaultAPMVersion` constant in `pkg/constants/constants.go` - - Used as the `version:` input in generated `microsoft/apm-action` steps - **Optimization**: Fetch all versions in parallel using multiple npm view or WebFetch calls in a single turn. ### Research & Analysis @@ -124,10 +118,6 @@ For each update, analyze intermediate versions: - Parse release body for changelog entries - **CRITICAL**: Convert PR/issue references to full URLs (e.g., `https://github.com/github/gh-aw-mcpg/pull/123`) - Note: Used as default sandbox.agent container in MCP Gateway configuration -- **APM**: Fetch release notes from https://github.com/microsoft/APM/releases/tag/{VERSION} - - Parse release body for changelog entries - - **CRITICAL**: Convert PR/issue references to full URLs (e.g., `https://github.com/microsoft/APM/pull/123`) - **NPM Metadata Fallback**: When GitHub release notes are unavailable, use: - `npm view --json` for package metadata - Compare CLI help outputs between versions 
@@ -275,7 +265,6 @@ Legacy template reference (adapt to use Report Structure Pattern above): - GitHub MCP Server: Always fetch from https://github.com/github/github-mcp-server/releases - Playwright Browser: Always fetch from https://github.com/microsoft/playwright/releases - MCP Gateway: Always fetch from https://github.com/github/gh-aw-mcpg/releases - - APM: Always fetch from https://github.com/microsoft/APM/releases - Copilot CLI: Try to fetch, but may be inaccessible (private repo) - Playwright MCP: Check NPM metadata, uses Playwright versioning - **EXPLORE SUBCOMMANDS**: Install and test CLI tools to discover new features via `--help` and explore each subcommand diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 52ced31e19..4b5396d980 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -332,10 +332,10 @@ jobs: - name: Restore cache-memory file share data uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: - key: memory-approved-0072b676-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} + key: memory-approved-6f25a3c0-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory restore-keys: | - memory-approved-0072b676-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}- + memory-approved-6f25a3c0-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}- - name: Setup cache-memory git repository env: GH_AW_CACHE_DIR: /tmp/gh-aw/cache-memory @@ -390,6 +390,7 @@ jobs: id: parse-guard-vars env: GH_AW_BLOCKED_USERS_VAR: ${{ vars.GH_AW_GITHUB_BLOCKED_USERS || '' }} + GH_AW_TRUSTED_USERS_VAR: ${{ vars.GH_AW_GITHUB_TRUSTED_USERS || '' }} GH_AW_APPROVAL_LABELS_EXTRA: cookie GH_AW_APPROVAL_LABELS_VAR: ${{ vars.GH_AW_GITHUB_APPROVAL_LABELS || '' }} run: bash ${RUNNER_TEMP}/gh-aw/actions/parse_guard_list.sh 
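Review bot: The new `GH_AW_TRUSTED_USERS_VAR` entry in the `parse-guard-vars` env block has no comment saying what it relaxes, and it arrives in a change that is otherwise about removing APM. Its parsed value is spliced unquoted into the guard policy as `"trusted-users": ${{ steps.parse-guard-vars.outputs.trusted_users }}` in the later `@@ -625,7 +626,8 @@` hunk, next to `"min-integrity": "approved"` and `"repos": "all"`, so whoever can edit the `GH_AW_GITHUB_TRUSTED_USERS` variable presumably decides which accounts are exempt from that integrity floor. I would add a comment above the env entry, `# Accounts in vars.GH_AW_GITHUB_TRUSTED_USERS are treated as trusted by the guard policy; leave unset to trust no extra users`, and confirm that parse_guard_list.sh (not shown here) emits a valid JSON array such as `[]` when the variable is empty, since an empty output would leave the policy JSON malformed. The step and the JSON object both start outside the visible hunks, so the full policy cannot be checked from here. Because this file is compiled, the comment and the empty-value check belong in the generator or the workflow source rather than in the lock file itself.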
@@ -625,7 +626,8 @@ jobs: "approval-labels": ${{ steps.parse-guard-vars.outputs.approval_labels }}, "blocked-users": ${{ steps.parse-guard-vars.outputs.blocked_users }}, "min-integrity": "approved", - "repos": "all" + "repos": "all", + "trusted-users": ${{ steps.parse-guard-vars.outputs.trusted_users }} } } }, @@ -1476,6 +1478,6 @@ jobs: if: steps.check_cache_default.outputs.has_content == 'true' uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: - key: memory-approved-0072b676-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} + key: memory-approved-6f25a3c0-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory