From 2faaaca2efda045712ddd12b1691cacb8eb47022 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 11 Apr 2026 23:14:16 +0000
Subject: [PATCH 01/32] Initial plan
From b1efa7b95348da8fd2cf8384867691ecce108e15 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 11 Apr 2026 23:29:05 +0000
Subject: [PATCH 02/32] Fix onPreToolUse hook not firing for sub-agent tool
calls
When the CLI creates sub-agent sessions internally, their session IDs
are not in the SDK's session registry. The hooks.invoke and
permission.request handlers now fall back to any registered session
that has the appropriate handler, enabling hooks and permission checks
to fire for sub-agent tool calls.
Agent-Logs-Url: https://github.com/github/copilot-sdk-java/sessions/868c6fed-c57d-4d9f-806c-eca509096672
Co-authored-by: brunoborges <129743+brunoborges@users.noreply.github.com>
---
.../github/copilot/sdk/CopilotSession.java | 25 +++++++
.../copilot/sdk/RpcHandlerDispatcher.java | 50 +++++++++++++-
.../copilot/sdk/RpcHandlerDispatcherTest.java | 69 +++++++++++++++++--
3 files changed, 139 insertions(+), 5 deletions(-)
diff --git a/src/main/java/com/github/copilot/sdk/CopilotSession.java b/src/main/java/com/github/copilot/sdk/CopilotSession.java
index 23b1b5368..e219edbfd 100644
--- a/src/main/java/com/github/copilot/sdk/CopilotSession.java
+++ b/src/main/java/com/github/copilot/sdk/CopilotSession.java
@@ -1298,6 +1298,31 @@ void registerHooks(SessionHooks hooks) {
hooksHandler.set(hooks);
}
+ /**
+ * Returns whether this session has hooks registered.
+ *
+ * Used internally to find a session that can handle hooks invocations for
+ * sub-agent sessions whose IDs are not directly tracked by the SDK.
+ *
+ * @return {@code true} if hooks are registered and at least one handler is set
+ */
+ boolean hasHooks() {
+ SessionHooks hooks = hooksHandler.get();
+ return hooks != null && hooks.hasHooks();
+ }
+
+ /**
+ * Returns whether this session has a permission handler registered.
+ *
+ * Used internally to find a session that can handle permission requests for
+ * sub-agent sessions whose IDs are not directly tracked by the SDK.
+ *
+ * @return {@code true} if a permission handler is registered
+ */
+ boolean hasPermissionHandler() {
+ return permissionHandler.get() != null;
+ }
+
/**
* Registers transform callbacks for system message sections.
*
diff --git a/src/main/java/com/github/copilot/sdk/RpcHandlerDispatcher.java b/src/main/java/com/github/copilot/sdk/RpcHandlerDispatcher.java
index f1d488105..030643240 100644
--- a/src/main/java/com/github/copilot/sdk/RpcHandlerDispatcher.java
+++ b/src/main/java/com/github/copilot/sdk/RpcHandlerDispatcher.java
@@ -191,6 +191,12 @@ private void handlePermissionRequest(JsonRpcClient rpc, String requestId, JsonNo
JsonNode permissionRequest = params.get("permissionRequest");
CopilotSession session = sessions.get(sessionId);
+ if (session == null) {
+ // The CLI may send permission requests for sub-agent sessions
+ // whose IDs are not tracked by the SDK. Fall back to any
+ // registered session that has a permission handler.
+ session = findSessionWithPermissionHandler();
+ }
if (session == null) {
var result = new PermissionRequestResult()
.setKind(PermissionRequestResultKind.DENIED_COULD_NOT_REQUEST_FROM_USER);
@@ -293,7 +299,14 @@ private void handleHooksInvoke(JsonRpcClient rpc, String requestId, JsonNode par
CopilotSession session = sessions.get(sessionId);
if (session == null) {
- rpc.sendErrorResponse(Long.parseLong(requestId), -32602, "Unknown session " + sessionId);
+ // The CLI may send hooks.invoke for sub-agent sessions whose IDs
+ // are not tracked by the SDK. Fall back to any registered session
+ // that has hooks so that application-level hooks (e.g. onPreToolUse)
+ // also fire for sub-agent tool calls.
+ session = findSessionWithHooks();
+ }
+ if (session == null) {
+ rpc.sendResponse(Long.parseLong(requestId), Collections.singletonMap("output", null));
return;
}
@@ -318,6 +331,41 @@ private void handleHooksInvoke(JsonRpcClient rpc, String requestId, JsonNode par
});
}
+ /**
+ * Finds a session that has hooks registered.
+ *
+ * When the CLI creates sub-agent sessions internally, their session IDs are not
+ * in the SDK's session map. This method searches all registered sessions to
+ * find one with hooks, enabling hook handlers to fire for sub-agent tool calls.
+ *
+ * @return a session with hooks, or {@code null} if none found
+ */
+ private CopilotSession findSessionWithHooks() {
+ for (CopilotSession s : sessions.values()) {
+ if (s.hasHooks()) {
+ return s;
+ }
+ }
+ return null;
+ }
+
+ /**
+ * Finds a session that has a permission handler registered.
+ *
+ * Similar to {@link #findSessionWithHooks()}, this enables permission handlers
+ * to fire for sub-agent sessions whose IDs are not tracked by the SDK.
+ *
+ * @return a session with a permission handler, or {@code null} if none found
+ */
+ private CopilotSession findSessionWithPermissionHandler() {
+ for (CopilotSession s : sessions.values()) {
+ if (s.hasPermissionHandler()) {
+ return s;
+ }
+ }
+ return null;
+ }
+
/**
* Functional interface for dispatching lifecycle events.
*/
diff --git a/src/test/java/com/github/copilot/sdk/RpcHandlerDispatcherTest.java b/src/test/java/com/github/copilot/sdk/RpcHandlerDispatcherTest.java
index 315a38b90..186546f0c 100644
--- a/src/test/java/com/github/copilot/sdk/RpcHandlerDispatcherTest.java
+++ b/src/test/java/com/github/copilot/sdk/RpcHandlerDispatcherTest.java
@@ -295,7 +295,8 @@ void toolCallHandlerFails() throws Exception {
// ===== permission.request tests =====
@Test
- void permissionRequestWithUnknownSession() throws Exception {
+ void permissionRequestWithUnknownSessionAndNoFallback() throws Exception {
+ // No sessions at all — returns denied
ObjectNode params = MAPPER.createObjectNode();
params.put("sessionId", "nonexistent");
params.putObject("permissionRequest");
@@ -307,6 +308,24 @@ void permissionRequestWithUnknownSession() throws Exception {
assertEquals("denied-no-approval-rule-and-could-not-request-from-user", result.get("kind").asText());
}
+ @Test
+ void permissionRequestFallsBackToSessionWithHandlerForSubAgent() throws Exception {
+ // Parent session has permission handler; sub-agent session ID not in map.
+ CopilotSession parent = createSession("parent-session");
+ parent.registerPermissionHandler((request, invocation) -> CompletableFuture
+ .completedFuture(new PermissionRequestResult().setKind("allow")));
+
+ ObjectNode params = MAPPER.createObjectNode();
+ params.put("sessionId", "subagent-session-id");
+ params.putObject("permissionRequest");
+
+ invokeHandler("permission.request", "15", params);
+
+ JsonNode response = readResponse();
+ JsonNode result = response.get("result").get("result");
+ assertEquals("allow", result.get("kind").asText());
+ }
+
@Test
void permissionRequestWithHandler() throws Exception {
CopilotSession session = createSession("s1");
@@ -453,7 +472,8 @@ void userInputRequestHandlerFails() throws Exception {
// ===== hooks.invoke tests =====
@Test
- void hooksInvokeWithUnknownSession() throws Exception {
+ void hooksInvokeWithUnknownSessionAndNoFallback() throws Exception {
+ // No sessions at all — returns null output (no-op)
ObjectNode params = MAPPER.createObjectNode();
params.put("sessionId", "nonexistent");
params.put("hookType", "preToolUse");
@@ -462,8 +482,49 @@ void hooksInvokeWithUnknownSession() throws Exception {
invokeHandler("hooks.invoke", "30", params);
JsonNode response = readResponse();
- assertNotNull(response.get("error"));
- assertEquals(-32602, response.get("error").get("code").asInt());
+ JsonNode output = response.get("result").get("output");
+ assertTrue(output == null || output.isNull(),
+ "Output should be null when no sessions with hooks are registered");
+ }
+
+ @Test
+ void hooksInvokeFallsBackToSessionWithHooksForSubAgent() throws Exception {
+ // Parent session has hooks; sub-agent session ID is not in the map.
+ // The dispatcher should fall back to the parent session's hooks.
+ CopilotSession parent = createSession("parent-session");
+ parent.registerHooks(new SessionHooks().setOnPreToolUse(
+ (input, invocation) -> CompletableFuture.completedFuture(PreToolUseHookOutput.allow())));
+
+ ObjectNode params = MAPPER.createObjectNode();
+ params.put("sessionId", "subagent-session-id");
+ params.put("hookType", "preToolUse");
+ ObjectNode input = params.putObject("input");
+ input.put("toolName", "glob");
+ input.put("toolCallId", "tc-sub");
+
+ invokeHandler("hooks.invoke", "35", params);
+
+ JsonNode response = readResponse();
+ JsonNode output = response.get("result").get("output");
+ assertNotNull(output, "Hooks should fire for sub-agent tool calls via fallback");
+ assertEquals("allow", output.get("permissionDecision").asText());
+ }
+
+ @Test
+ void hooksInvokeFallbackSkipsSessionWithoutHooks() throws Exception {
+ // Session exists but has no hooks — should not be used as fallback
+ createSession("no-hooks-session");
+
+ ObjectNode params = MAPPER.createObjectNode();
+ params.put("sessionId", "subagent-session-id");
+ params.put("hookType", "preToolUse");
+ params.putObject("input");
+
+ invokeHandler("hooks.invoke", "36", params);
+
+ JsonNode response = readResponse();
+ JsonNode output = response.get("result").get("output");
+ assertTrue(output == null || output.isNull(), "Should return null when no session with hooks is found");
}
@Test
From 5a8a2b4a3cd343ddc05821de4dc336feef3ca989 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 11 Apr 2026 23:31:17 +0000
Subject: [PATCH 03/32] Improve Javadoc for findSessionWithHooks and
findSessionWithPermissionHandler
Agent-Logs-Url: https://github.com/github/copilot-sdk-java/sessions/868c6fed-c57d-4d9f-806c-eca509096672
Co-authored-by: brunoborges <129743+brunoborges@users.noreply.github.com>
---
.../java/com/github/copilot/sdk/RpcHandlerDispatcher.java | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/main/java/com/github/copilot/sdk/RpcHandlerDispatcher.java b/src/main/java/com/github/copilot/sdk/RpcHandlerDispatcher.java
index 030643240..b0b319a0c 100644
--- a/src/main/java/com/github/copilot/sdk/RpcHandlerDispatcher.java
+++ b/src/main/java/com/github/copilot/sdk/RpcHandlerDispatcher.java
@@ -337,6 +337,10 @@ private void handleHooksInvoke(JsonRpcClient rpc, String requestId, JsonNode par
* When the CLI creates sub-agent sessions internally, their session IDs are not
* in the SDK's session map. This method searches all registered sessions to
* find one with hooks, enabling hook handlers to fire for sub-agent tool calls.
+ *
+ * If multiple sessions have hooks registered, the first one found is returned.
+ * In practice, SDK users typically register hooks on a single session that
+ * covers all sub-agent activity.
*
* @return a session with hooks, or {@code null} if none found
*/
@@ -354,6 +358,10 @@ private CopilotSession findSessionWithHooks() {
*
* Similar to {@link #findSessionWithHooks()}, this enables permission handlers
* to fire for sub-agent sessions whose IDs are not tracked by the SDK.
+ *
+ * If multiple sessions have permission handlers, the first one found is
+ * returned. In practice, SDK users typically register a single permission
+ * handler that covers all sub-agent activity.
*
* @return a session with a permission handler, or {@code null} if none found
*/
From 1d0bf62dc54edbccd61e0dd9ebfa86ca76695127 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 12 Apr 2026 00:29:20 +0000
Subject: [PATCH 04/32] Revert SDK-level fallback to match upstream
.NET/Node.js/Go behavior
All three upstream SDKs (C#, TypeScript, Go) throw/error for unknown
session IDs in hooks.invoke and permission.request handlers with no
fallback logic. The sub-agent hooks gap exists in all SDK
implementations and should be addressed at the CLI/protocol level
rather than with SDK heuristics.
Agent-Logs-Url: https://github.com/github/copilot-sdk-java/sessions/50bf8907-712c-4792-aeea-219889b1ffa9
Co-authored-by: brunoborges <129743+brunoborges@users.noreply.github.com>
---
.../github/copilot/sdk/CopilotSession.java | 25 -------
.../copilot/sdk/RpcHandlerDispatcher.java | 58 +---------------
.../copilot/sdk/RpcHandlerDispatcherTest.java | 69 ++-----------------
3 files changed, 5 insertions(+), 147 deletions(-)
diff --git a/src/main/java/com/github/copilot/sdk/CopilotSession.java b/src/main/java/com/github/copilot/sdk/CopilotSession.java
index e219edbfd..23b1b5368 100644
--- a/src/main/java/com/github/copilot/sdk/CopilotSession.java
+++ b/src/main/java/com/github/copilot/sdk/CopilotSession.java
@@ -1298,31 +1298,6 @@ void registerHooks(SessionHooks hooks) {
hooksHandler.set(hooks);
}
- /**
- * Returns whether this session has hooks registered.
- *
- * Used internally to find a session that can handle hooks invocations for
- * sub-agent sessions whose IDs are not directly tracked by the SDK.
- *
- * @return {@code true} if hooks are registered and at least one handler is set
- */
- boolean hasHooks() {
- SessionHooks hooks = hooksHandler.get();
- return hooks != null && hooks.hasHooks();
- }
-
- /**
- * Returns whether this session has a permission handler registered.
- *
- * Used internally to find a session that can handle permission requests for
- * sub-agent sessions whose IDs are not directly tracked by the SDK.
- *
- * @return {@code true} if a permission handler is registered
- */
- boolean hasPermissionHandler() {
- return permissionHandler.get() != null;
- }
-
/**
* Registers transform callbacks for system message sections.
*
diff --git a/src/main/java/com/github/copilot/sdk/RpcHandlerDispatcher.java b/src/main/java/com/github/copilot/sdk/RpcHandlerDispatcher.java
index b0b319a0c..f1d488105 100644
--- a/src/main/java/com/github/copilot/sdk/RpcHandlerDispatcher.java
+++ b/src/main/java/com/github/copilot/sdk/RpcHandlerDispatcher.java
@@ -191,12 +191,6 @@ private void handlePermissionRequest(JsonRpcClient rpc, String requestId, JsonNo
JsonNode permissionRequest = params.get("permissionRequest");
CopilotSession session = sessions.get(sessionId);
- if (session == null) {
- // The CLI may send permission requests for sub-agent sessions
- // whose IDs are not tracked by the SDK. Fall back to any
- // registered session that has a permission handler.
- session = findSessionWithPermissionHandler();
- }
if (session == null) {
var result = new PermissionRequestResult()
.setKind(PermissionRequestResultKind.DENIED_COULD_NOT_REQUEST_FROM_USER);
@@ -299,14 +293,7 @@ private void handleHooksInvoke(JsonRpcClient rpc, String requestId, JsonNode par
CopilotSession session = sessions.get(sessionId);
if (session == null) {
- // The CLI may send hooks.invoke for sub-agent sessions whose IDs
- // are not tracked by the SDK. Fall back to any registered session
- // that has hooks so that application-level hooks (e.g. onPreToolUse)
- // also fire for sub-agent tool calls.
- session = findSessionWithHooks();
- }
- if (session == null) {
- rpc.sendResponse(Long.parseLong(requestId), Collections.singletonMap("output", null));
+ rpc.sendErrorResponse(Long.parseLong(requestId), -32602, "Unknown session " + sessionId);
return;
}
@@ -331,49 +318,6 @@ private void handleHooksInvoke(JsonRpcClient rpc, String requestId, JsonNode par
});
}
- /**
- * Finds a session that has hooks registered.
- *
- * When the CLI creates sub-agent sessions internally, their session IDs are not
- * in the SDK's session map. This method searches all registered sessions to
- * find one with hooks, enabling hook handlers to fire for sub-agent tool calls.
- *
- * If multiple sessions have hooks registered, the first one found is returned.
- * In practice, SDK users typically register hooks on a single session that
- * covers all sub-agent activity.
- *
- * @return a session with hooks, or {@code null} if none found
- */
- private CopilotSession findSessionWithHooks() {
- for (CopilotSession s : sessions.values()) {
- if (s.hasHooks()) {
- return s;
- }
- }
- return null;
- }
-
- /**
- * Finds a session that has a permission handler registered.
- *
- * Similar to {@link #findSessionWithHooks()}, this enables permission handlers
- * to fire for sub-agent sessions whose IDs are not tracked by the SDK.
- *
- * If multiple sessions have permission handlers, the first one found is
- * returned. In practice, SDK users typically register a single permission
- * handler that covers all sub-agent activity.
- *
- * @return a session with a permission handler, or {@code null} if none found
- */
- private CopilotSession findSessionWithPermissionHandler() {
- for (CopilotSession s : sessions.values()) {
- if (s.hasPermissionHandler()) {
- return s;
- }
- }
- return null;
- }
-
/**
* Functional interface for dispatching lifecycle events.
*/
diff --git a/src/test/java/com/github/copilot/sdk/RpcHandlerDispatcherTest.java b/src/test/java/com/github/copilot/sdk/RpcHandlerDispatcherTest.java
index 186546f0c..315a38b90 100644
--- a/src/test/java/com/github/copilot/sdk/RpcHandlerDispatcherTest.java
+++ b/src/test/java/com/github/copilot/sdk/RpcHandlerDispatcherTest.java
@@ -295,8 +295,7 @@ void toolCallHandlerFails() throws Exception {
// ===== permission.request tests =====
@Test
- void permissionRequestWithUnknownSessionAndNoFallback() throws Exception {
- // No sessions at all — returns denied
+ void permissionRequestWithUnknownSession() throws Exception {
ObjectNode params = MAPPER.createObjectNode();
params.put("sessionId", "nonexistent");
params.putObject("permissionRequest");
@@ -308,24 +307,6 @@ void permissionRequestWithUnknownSessionAndNoFallback() throws Exception {
assertEquals("denied-no-approval-rule-and-could-not-request-from-user", result.get("kind").asText());
}
- @Test
- void permissionRequestFallsBackToSessionWithHandlerForSubAgent() throws Exception {
- // Parent session has permission handler; sub-agent session ID not in map.
- CopilotSession parent = createSession("parent-session");
- parent.registerPermissionHandler((request, invocation) -> CompletableFuture
- .completedFuture(new PermissionRequestResult().setKind("allow")));
-
- ObjectNode params = MAPPER.createObjectNode();
- params.put("sessionId", "subagent-session-id");
- params.putObject("permissionRequest");
-
- invokeHandler("permission.request", "15", params);
-
- JsonNode response = readResponse();
- JsonNode result = response.get("result").get("result");
- assertEquals("allow", result.get("kind").asText());
- }
-
@Test
void permissionRequestWithHandler() throws Exception {
CopilotSession session = createSession("s1");
@@ -472,8 +453,7 @@ void userInputRequestHandlerFails() throws Exception {
// ===== hooks.invoke tests =====
@Test
- void hooksInvokeWithUnknownSessionAndNoFallback() throws Exception {
- // No sessions at all — returns null output (no-op)
+ void hooksInvokeWithUnknownSession() throws Exception {
ObjectNode params = MAPPER.createObjectNode();
params.put("sessionId", "nonexistent");
params.put("hookType", "preToolUse");
@@ -482,49 +462,8 @@ void hooksInvokeWithUnknownSessionAndNoFallback() throws Exception {
invokeHandler("hooks.invoke", "30", params);
JsonNode response = readResponse();
- JsonNode output = response.get("result").get("output");
- assertTrue(output == null || output.isNull(),
- "Output should be null when no sessions with hooks are registered");
- }
-
- @Test
- void hooksInvokeFallsBackToSessionWithHooksForSubAgent() throws Exception {
- // Parent session has hooks; sub-agent session ID is not in the map.
- // The dispatcher should fall back to the parent session's hooks.
- CopilotSession parent = createSession("parent-session");
- parent.registerHooks(new SessionHooks().setOnPreToolUse(
- (input, invocation) -> CompletableFuture.completedFuture(PreToolUseHookOutput.allow())));
-
- ObjectNode params = MAPPER.createObjectNode();
- params.put("sessionId", "subagent-session-id");
- params.put("hookType", "preToolUse");
- ObjectNode input = params.putObject("input");
- input.put("toolName", "glob");
- input.put("toolCallId", "tc-sub");
-
- invokeHandler("hooks.invoke", "35", params);
-
- JsonNode response = readResponse();
- JsonNode output = response.get("result").get("output");
- assertNotNull(output, "Hooks should fire for sub-agent tool calls via fallback");
- assertEquals("allow", output.get("permissionDecision").asText());
- }
-
- @Test
- void hooksInvokeFallbackSkipsSessionWithoutHooks() throws Exception {
- // Session exists but has no hooks — should not be used as fallback
- createSession("no-hooks-session");
-
- ObjectNode params = MAPPER.createObjectNode();
- params.put("sessionId", "subagent-session-id");
- params.put("hookType", "preToolUse");
- params.putObject("input");
-
- invokeHandler("hooks.invoke", "36", params);
-
- JsonNode response = readResponse();
- JsonNode output = response.get("result").get("output");
- assertTrue(output == null || output.isNull(), "Should return null when no session with hooks is found");
+ assertNotNull(response.get("error"));
+ assertEquals(-32602, response.get("error").get("code").asInt());
}
@Test
From af77a261171abcbc4e52177d741b10fa50ee9268 Mon Sep 17 00:00:00 2001
From: Ed Burns
Date: Tue, 24 Mar 2026 14:59:20 -0400
Subject: [PATCH 05/32] On branch
edburns/dd-2853206-reference-impl-not-upstream We are tracking a reference
implementation, not an upstream.
In `git` an `upstream` is well defined. To avoid LLM confusion, let us use the proper term.
new file: .claude/skills/agentic-merge-reference-impl/SKILL.md
modified: .github/copilot-instructions.md
new file: .github/prompts/agentic-merge-reference-impl.prompt.md
new file: .github/prompts/coding-agent-merge-reference-impl-instructions.md
new file: .github/scripts/reference-impl-sync/merge-reference-impl-diff.sh
new file: .github/scripts/reference-impl-sync/merge-reference-impl-finish.sh
new file: .github/scripts/reference-impl-sync/merge-reference-impl-start.sh
new file: .github/skills/agentic-merge-reference-impl/SKILL.md
new file: .github/workflows/weekly-reference-impl-sync.lock.yml
new file: .github/workflows/weekly-reference-impl-sync.md
new file: .github/workflows/weekly-reference-impl-sync.yml
modified: CONTRIBUTING.md
modified: README.md
modified: docs/WORKFLOWS.md
Signed-off-by: Ed Burns
Co-authored-by: edburns <75821+edburns@users.noreply.github.com>
---
.../agentic-merge-reference-impl/SKILL.md | 7 +
.github/copilot-instructions.md | 8 +-
.../agentic-merge-reference-impl.prompt.md | 439 ++++++
...agent-merge-reference-impl-instructions.md | 19 +
.../merge-reference-impl-diff.sh | 86 ++
.../merge-reference-impl-finish.sh | 63 +
.../merge-reference-impl-start.sh | 88 ++
.../agentic-merge-reference-impl/SKILL.md | 7 +
.../weekly-reference-impl-sync.lock.yml | 1239 +++++++++++++++++
.../workflows/weekly-reference-impl-sync.md | 151 ++
.../workflows/weekly-reference-impl-sync.yml | 181 +++
CONTRIBUTING.md | 2 +-
README.md | 10 +-
docs/WORKFLOWS.md | 22 +-
14 files changed, 2301 insertions(+), 21 deletions(-)
create mode 100644 .claude/skills/agentic-merge-reference-impl/SKILL.md
create mode 100644 .github/prompts/agentic-merge-reference-impl.prompt.md
create mode 100644 .github/prompts/coding-agent-merge-reference-impl-instructions.md
create mode 100755 .github/scripts/reference-impl-sync/merge-reference-impl-diff.sh
create mode 100755 .github/scripts/reference-impl-sync/merge-reference-impl-finish.sh
create mode 100755 .github/scripts/reference-impl-sync/merge-reference-impl-start.sh
create mode 100644 .github/skills/agentic-merge-reference-impl/SKILL.md
create mode 100644 .github/workflows/weekly-reference-impl-sync.lock.yml
create mode 100644 .github/workflows/weekly-reference-impl-sync.md
create mode 100644 .github/workflows/weekly-reference-impl-sync.yml
diff --git a/.claude/skills/agentic-merge-reference-impl/SKILL.md b/.claude/skills/agentic-merge-reference-impl/SKILL.md
new file mode 100644
index 000000000..421ea147b
--- /dev/null
+++ b/.claude/skills/agentic-merge-reference-impl/SKILL.md
@@ -0,0 +1,7 @@
+---
+name: agentic-merge-reference-impl
+description: Merge reference implementation changes from the official Copilot SDK into this Java SDK.
+license: MIT
+---
+
+Follow instructions in the [agentic-merge-reference-impl prompt](../../../.github/prompts/agentic-merge-reference-impl.prompt.md) to merge reference implementation changes from the official Copilot SDK into this Java SDK.
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
index 284e2b800..edd40797b 100644
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -89,9 +89,9 @@ Tests use the official copilot-sdk test harness from `https://github.com/github/
## Key Conventions
-### Upstream Merging
+### Reference Implementation Merging
-This SDK tracks the official .NET implementation at `github/copilot-sdk`. The `.lastmerge` file contains the last merged upstream commit hash. Use the `agentic-merge-upstream` skill (see `.github/prompts/agentic-merge-upstream.prompt.md`) to port changes.
+This SDK tracks the official .NET implementation at `github/copilot-sdk`. The `.lastmerge` file contains the last merged reference implementation commit hash. Use the `agentic-merge-reference-impl` skill (see `.github/prompts/agentic-merge-reference-impl.prompt.md`) to port changes.
When porting from .NET:
- Adapt to Java idioms, don't copy C# patterns directly
@@ -278,7 +278,7 @@ The repository has a pre-commit hook (`.githooks/pre-commit`) that is **automati
- Include tests for new functionality
- Update documentation if adding/changing public APIs
- Reference related issues using `#issue-number`
-- For upstream merges, follow the `agentic-merge-upstream` skill workflow
+- For reference implementation merges, follow the `agentic-merge-reference-impl` skill workflow
## Development Workflow
@@ -301,7 +301,7 @@ The release process is automated via the `publish-maven.yml` GitHub Actions work
- Updates version comparison links at the bottom of CHANGELOG.md
- Injects the upstream SDK commit hash (from `.lastmerge`) as a `> **Upstream sync:**` blockquote in both the new `[Unreleased]` section and the released version section
-2. **Upstream Sync Tracking**: Each release records which commit from the official `github/copilot-sdk` it is synced to:
+2. **Reference Implementation Sync Tracking**: Each release records which commit from the official `github/copilot-sdk` it is synced to:
- The `.lastmerge` file is read during the release workflow
- The commit hash is injected into `CHANGELOG.md` under the release heading
- Format: `> **Upstream sync:** [\`github/copilot-sdk@SHORT_HASH\`](link-to-commit)`
diff --git a/.github/prompts/agentic-merge-reference-impl.prompt.md b/.github/prompts/agentic-merge-reference-impl.prompt.md
new file mode 100644
index 000000000..fd7c3fa13
--- /dev/null
+++ b/.github/prompts/agentic-merge-reference-impl.prompt.md
@@ -0,0 +1,439 @@
+# Merge Reference Implementation SDK Changes
+
+You are an expert Java developer tasked with porting changes from the reference implementation of the Copilot SDK (primarily the .NET implementation) to this Java SDK.
+
+## ⚠️ IMPORTANT: Java SDK Design Takes Priority
+
+**The current design and architecture of the Java SDK is the priority.** When porting changes from the reference implementation:
+
+1. **Adapt, don't copy** - Translate reference implementation features to fit the Java SDK's existing patterns, naming conventions, and architecture
+2. **Preserve Java idioms** - The Java SDK should feel natural to Java developers, not like a C# port
+3. **Maintain consistency** - New code must match the existing codebase style and structure
+4. **Evaluate before porting** - Not every reference implementation change needs to be ported; some may not be applicable or may conflict with Java SDK design decisions
+
+Before making any changes, **read and understand the existing Java SDK implementation** to ensure new code integrates seamlessly.
+
+## Utility Scripts
+
+The `.github/scripts/` directory contains helper scripts that automate the repeatable parts of this workflow. **Use these scripts instead of running the commands manually.**
+
+| Script | Purpose |
+|---|---|
+| `.github/scripts/reference-impl-sync/merge-reference-impl-start.sh` | Creates branch, updates CLI, clones reference implementation, reads `.lastmerge`, prints commit summary |
+| `.github/scripts/reference-impl-sync/merge-reference-impl-diff.sh` | Detailed diff analysis grouped by area (`.NET src`, tests, snapshots, docs, etc.) |
+| `.github/scripts/reference-impl-sync/merge-reference-impl-finish.sh` | Runs format + test + build, updates `.lastmerge`, commits, pushes branch |
+| `.github/scripts/build/format-and-test.sh` | Standalone `spotless:apply` + `mvn clean verify` (useful during porting too) |
+
+All scripts write/read a `.merge-env` file (git-ignored) to share state (branch name, reference-impl dir, last-merge commit).
+
+## Workflow Overview
+
+1. Run `./.github/scripts/reference-impl-sync/merge-reference-impl-start.sh` (creates branch, clones reference implementation, shows summary)
+2. Run `./.github/scripts/reference-impl-sync/merge-reference-impl-diff.sh` (analyze changes)
+3. Update README with minimum CLI version requirement
+4. Identify reference implementation changes to port
+5. Apply changes to Java SDK (commit as you go)
+6. Port/adjust tests from reference implementation changes
+7. Run `./.github/scripts/build/format-and-test.sh` frequently while porting
+8. Build the package
+9. Update documentation (**required for every user-facing reference implementation change**)
+10. Run `./.github/scripts/reference-impl-sync/merge-reference-impl-finish.sh` (final test + push) and finalize Pull Request (see note below about coding agent vs. manual workflow)
+11. Perform final review before handing off
+
+---
+
+## Step 1: Initialize Reference Implementation Sync
+
+Run the start script to create a branch, update the CLI, clone the reference implementation repo, and see a summary of new commits:
+
+```bash
+./.github/scripts/reference-impl-sync/merge-reference-impl-start.sh
+```
+
+This writes a `.merge-env` file used by the other scripts. It outputs:
+- The branch name created
+- The Copilot CLI version
+- The reference-impl dir path
+- A short log of reference implementation commits since `.lastmerge`
+
+## Step 2: Analyze Upstream Changes
+
+Run the diff script for a detailed breakdown by area:
+
+```bash
+./.github/scripts/reference-impl-sync/merge-reference-impl-diff.sh # stat only
+./.github/scripts/reference-impl-sync/merge-reference-impl-diff.sh --full # full diffs
+```
+
+The diff script groups changes into: .NET source, .NET tests, test snapshots, documentation, protocol/config, Go/Node.js/Python SDKs, and other files.
+
+## Step 3: Update README with CLI Version
+
+After the start script runs, check the CLI version it printed (also saved in `.merge-env` as `CLI_VERSION`). Update the Requirements section in `README.md` and `src/site/markdown/index.md` to specify the minimum CLI version requirement.
+
+Commit this change before proceeding:
+
+```bash
+git add README.md src/site/markdown/index.md
+git commit -m "Update Copilot CLI minimum version requirement"
+```
+
+## Step 4: Identify Changes to Port
+
+Using the output from `merge-reference-impl-diff.sh`, focus on:
+- `dotnet/src/` - Primary reference implementation
+- `dotnet/test/` - Test cases to port
+- `docs/` - Documentation updates
+- `sdk-protocol-version.json` - Protocol version changes
+
+For each change in the reference implementation diff, determine:
+
+1. **New Features**: New methods, classes, or capabilities added to the SDK
+2. **Bug Fixes**: Corrections to existing functionality
+3. **API Changes**: Changes to public interfaces or method signatures
+4. **Protocol Updates**: Changes to the JSON-RPC protocol or message types
+5. **Test Updates**: New or modified test cases
+
+### Key Files to Compare
+
+| Upstream (.NET) | Java SDK Equivalent |
+|------------------------------------|--------------------------------------------------------|
+| `dotnet/src/Client.cs` | `src/main/java/com/github/copilot/sdk/CopilotClient.java` |
+| `dotnet/src/Session.cs` | `src/main/java/com/github/copilot/sdk/CopilotSession.java` |
+| `dotnet/src/Types.cs` | `src/main/java/com/github/copilot/sdk/types/*.java` |
+| `dotnet/src/Generated/*.cs` | `src/main/java/com/github/copilot/sdk/types/*.java` |
+| `dotnet/test/*.cs` | `src/test/java/com/github/copilot/sdk/*Test.java` |
+| `docs/getting-started.md` | `README.md` and `src/site/markdown/*.md` |
+| `docs/*.md` (new files) | `src/site/markdown/*.md` + update `src/site/site.xml` |
+| `sdk-protocol-version.json` | (embedded in Java code or resource file) |
+
+> **⚠️ Important:** When adding new documentation pages, always update `src/site/site.xml` to include them in the navigation menu.
+
+## Step 5: Apply Changes to Java SDK
+
+When porting changes:
+
+### ⚠️ Priority: Preserve Java SDK Design
+
+Before modifying any code:
+
+1. **Read the existing Java implementation first** - Understand current patterns, class structure, and naming
+2. **Identify the Java equivalent approach** - Don't replicate C# patterns; find the idiomatic Java way
+3. **Check for existing abstractions** - The Java SDK may already have mechanisms that differ from .NET
+4. **Preserve backward compatibility** - Existing API signatures should not break unless absolutely necessary
+5. **When in doubt, match existing code** - Follow what's already in the Java SDK, not the upstream
+
+### Commit Changes Incrementally
+
+**Important:** Commit your changes as you work, grouping related changes together:
+
+```bash
+# After porting a feature or fix, commit with a descriptive message
+git add
+git commit -m "Port from the reference implementation"
+
+# Example commits:
+# git commit -m "Port new authentication flow from the reference implementation"
+# git commit -m "Add new message types from the reference implementation protocol update"
+# git commit -m "Port bug fix for session handling from the reference implementation"
+```
+
+This creates a clear history of changes that can be reviewed in the Pull Request.
+
+### General Guidelines
+
+- **Naming Conventions**: Convert C# PascalCase to Java camelCase for methods/variables
+- **Async Patterns**: C# `async/await` → Java `CompletableFuture` or synchronous equivalents
+- **Nullable Types**: C# `?` nullable → Java `@Nullable` annotations or `Optional`
+- **Properties**: C# properties → Java getters/setters or records
+- **Records**: C# records → Java records (Java 17+)
+- **Events**: C# events → Java callbacks or listeners
+
+### Type Mappings
+
+| C# Type | Java Equivalent |
+|------------------------|------------------------------|
+| `string` | `String` |
+| `int` | `int` / `Integer` |
+| `bool` | `boolean` / `Boolean` |
+| `Task` | `CompletableFuture` |
+| `CancellationToken` | (custom implementation) |
+| `IAsyncEnumerable` | `Stream` or `Iterator` |
+| `JsonElement` | `JsonNode` (Jackson) |
+| `Dictionary` | `Map` |
+| `List` | `List` |
+
+### Code Style
+
+Follow the existing Java SDK patterns:
+- Use Jackson for JSON serialization (`ObjectMapper`)
+- Use Java records for DTOs where appropriate
+- Follow the existing package structure under `com.github.copilot.sdk`
+- Maintain backward compatibility when possible
+- **Match the style of surrounding code** - Consistency with existing code is more important than reference implementation patterns
+- **Prefer existing abstractions** - If the Java SDK already solves a problem differently than .NET, keep the Java approach
+
+## Step 6: Port Tests
+
+After porting implementation changes, **always check for new or updated tests** in the reference implementation repository:
+
+### Check for New Tests
+
+```bash
+cd "$TEMP_DIR/copilot-sdk"
+git diff "$LAST_MERGE_COMMIT"..origin/main --stat -- dotnet/test/
+git diff "$LAST_MERGE_COMMIT"..origin/main --stat -- test/snapshots/
+```
+
+### Port Test Cases
+
+For each new or modified test file in `dotnet/test/`:
+
+1. **Create corresponding Java test class** in `src/test/java/com/github/copilot/sdk/`
+2. **Follow existing test patterns** - Look at existing tests like `PermissionsTest.java` for structure
+3. **Use the E2ETestContext** infrastructure for tests that need the test harness
+4. **Match snapshot directory names** - Test snapshots in `test/snapshots/` must match the directory name used in `ctx.configureForTest()`
+
+### Test File Mapping
+
+| Upstream Test (.NET) | Java SDK Test |
+|-----------------------------|--------------------------------------------------------|
+| `dotnet/test/AskUserTests.cs` | `src/test/java/com/github/copilot/sdk/AskUserTest.java` |
+| `dotnet/test/HooksTests.cs` | `src/test/java/com/github/copilot/sdk/HooksTest.java` |
+| `dotnet/test/ClientTests.cs` | `src/test/java/com/github/copilot/sdk/CopilotClientTest.java` |
+| `dotnet/test/*Tests.cs` | `src/test/java/com/github/copilot/sdk/*Test.java` |
+
+### Test Snapshot Compatibility
+
+New test snapshots are stored in `test/snapshots/` in the reference implementation repository. These snapshots are automatically cloned during the Maven build process.
+
+If tests fail with errors like `TypeError: Cannot read properties of undefined`, the test harness may not yet support the new RPC methods. In this case:
+
+1. **Mark tests as `@Disabled`** with a clear reason (e.g., `@Disabled("Requires test harness update with X support - see upstream PR #NNN")`)
+2. **Document the dependency** in the test class Javadoc
+3. **Enable tests later** once the harness is updated
+
+### Unit Tests vs E2E Tests
+
+- **Unit tests** (like auth option validation) can run without the test harness
+- **E2E tests** require the test harness with matching snapshots
+
+Commit tests separately or together with their corresponding implementation changes.
+
+## Step 7: Format and Run Tests
+
+After applying changes, use the convenience script:
+
+```bash
+./.github/scripts/build/format-and-test.sh # format + full verify
+./.github/scripts/build/format-and-test.sh --debug # with debug logging
+```
+
+Or for quicker iteration during porting:
+
+```bash
+./.github/scripts/build/format-and-test.sh --format-only # just spotless
+./.github/scripts/build/format-and-test.sh --test-only # skip formatting
+```
+
+### If Tests Fail
+
+1. Read the test output carefully
+2. Identify the root cause (compilation error, runtime error, assertion failure)
+3. Fix the issue in the Java code
+4. Re-run tests
+5. Repeat until all tests pass
+
+### Common Issues
+
+- **Missing imports**: Add required import statements
+- **Type mismatches**: Ensure proper type conversions
+- **Null handling**: Add null checks where C# had nullable types
+- **JSON serialization**: Verify Jackson annotations are correct
+
+## Step 8: Build the Package
+
+Once tests pass, build the complete package:
+
+```bash
+mvn clean package -DskipTests
+```
+
+Verify:
+- No compilation errors
+- No warnings (if possible)
+- JAR file is generated in `target/`
+
+## Step 9: Update Documentation
+
+**Documentation is critical for new features.** Every new feature ported from the reference implementation must be documented before the merge is complete.
+Review and complete this documentation checklist before proceeding to Step 10.
+If you determine no docs changes are needed, document that decision and rationale in the PR body under a clear heading (for example, `Documentation Impact`).
+
+### Documentation Checklist
+
+For each new feature or significant change:
+
+1. **README.md**: Update the main README if there are user-facing changes
+2. **src/site/markdown/index.md**: Update if requirements or quick start examples change
+3. **src/site/markdown/documentation.md**: Add sections for new basic usage patterns
+4. **src/site/markdown/advanced.md**: Add sections for new advanced features (tools, handlers, configurations)
+5. **src/site/markdown/mcp.md**: Update if MCP-related changes are made
+6. **Javadoc**: Add/update Javadoc comments for all new/changed public APIs
+7. **src/site/site.xml**: Update if new documentation pages were added
+
+### Documentation Requirements for New Features
+
+When adding a new feature, ensure the documentation includes:
+
+- **What it does**: Clear explanation of the feature's purpose
+- **How to use it**: Code example showing typical usage
+- **API reference**: Link to relevant Javadoc
+- **Configuration options**: All available settings/properties
+
+### Example: Documenting a New Handler
+
+If a new handler (like `UserInputHandler`, `PermissionHandler`) is added, create a section in `advanced.md`:
+
+```markdown
+## Feature Name
+
+Brief description of what the feature does.
+
+\`\`\`java
+var session = client.createSession(
+ new SessionConfig()
+ .setOnFeatureRequest((request, invocation) -> {
+ // Handle the request
+ return CompletableFuture.completedFuture(result);
+ })
+).get();
+\`\`\`
+
+Explain the request/response objects and their properties.
+
+See [FeatureHandler](apidocs/com/github/copilot/sdk/json/FeatureHandler.html) Javadoc for more details.
+```
+
+### Verify Documentation Consistency
+
+Ensure consistency across all documentation files:
+
+- Requirements section should match in `README.md` and `src/site/markdown/index.md`
+- Code examples should use the same patterns and be tested
+- Links to Javadoc should use correct paths (`apidocs/...`)
+
+## Step 10: Finish, Push, and Finalize Pull Request
+
+Run the finish script which updates `.lastmerge`, runs a final build, and pushes the branch:
+
+```bash
+./.github/scripts/reference-impl-sync/merge-reference-impl-finish.sh # full format + test + push
+./.github/scripts/reference-impl-sync/merge-reference-impl-finish.sh --skip-tests # if tests already passed
+```
+
+### PR Handling: Coding Agent vs. Manual Workflow
+
+**If running as a Copilot coding agent** (triggered via GitHub issue assignment by the weekly sync workflow), a pull request has **already been created automatically** for you. Do NOT create a new one. Just push your commits to the current branch — the existing PR will be updated. Add the `reference-impl-sync` label to the existing PR by running this command in a terminal:
+
+```bash
+gh pr edit --add-label "reference-impl-sync"
+```
+
+> **No-changes scenario (coding agent only):** If after analyzing the reference implementation diff there are no relevant changes to port to the Java SDK, push an empty commit with a message explaining why no changes were needed, so the PR reflects the analysis outcome. The repository maintainer will close the PR and issue manually.
+
+**If running manually** (e.g., from VS Code via the reusable prompt), create the Pull Request using `gh` CLI or the GitHub MCP tool. Then add the label:
+
+```bash
+gh pr create --base main --title "Merge reference implementation SDK changes (YYYY-MM-DD)" --body-file /dev/stdin <<< "$PR_BODY"
+gh pr edit --add-label "reference-impl-sync"
+```
+
+The PR body should include:
+1. **Title**: `Merge reference implementation SDK changes (YYYY-MM-DD)`
+2. **Body** with:
+ - Summary of reference implementation commits analyzed (with count and commit range)
+ - Table of changes ported (commit hash + description)
+ - List of changes intentionally not ported (with reasons)
+ - Verification status (test count, build status)
+
+### PR Body Template
+
+```markdown
+## Reference Implementation Merge
+
+Ports changes from the official Copilot SDK ([github/copilot-sdk](https://github.com/github/copilot-sdk)) since last merge (``→``).
+
+### Reference implementation commits analyzed (N commits)
+
+- Brief description of each reference implementation change and whether it was ported or not
+
+### Changes ported
+
+| Commit | Description |
+|---|---|
+| `` | Description of change |
+
+### Not ported (intentionally)
+
+- **Feature name** — Reason why it wasn't ported
+
+### Verification
+
+- All **N tests pass** (`mvn clean test`)
+- Package builds successfully (`mvn clean package -DskipTests`)
+- Code formatted with Spotless
+```
+
+## Step 11: Final Review
+
+Before finishing:
+
+1. Run `git log --oneline main..$BRANCH_NAME` to review all commits
+2. Run `git diff main..$BRANCH_NAME --stat` to see a summary of all changes
+3. Ensure no unintended changes were made
+4. Verify code follows project conventions
+5. Confirm the branch was pushed to remote
+6. Confirm the Pull Request is ready (created or updated) and provide the PR URL to the user
+
+---
+
+## Checklist
+
+- [ ] New branch created from `main`
+- [ ] Copilot CLI updated to latest version
+- [ ] README.md updated with minimum CLI version requirement
+- [ ] Upstream repository cloned
+- [ ] Diff analyzed between `.lastmerge` commit and HEAD
+- [ ] New features/fixes identified
+- [ ] Changes ported to Java SDK following conventions
+- [ ] **New/updated tests ported from the reference implementation** (check `dotnet/test/` and `test/snapshots/`)
+- [ ] Tests marked `@Disabled` if harness doesn't support new features yet
+- [ ] Changes committed incrementally with descriptive messages
+- [ ] `mvn test` passes
+- [ ] `mvn package` builds successfully
+- [ ] **Documentation updated for new features:**
+ - [ ] `README.md` updated if user-facing changes
+ - [ ] `src/site/markdown/index.md` updated if requirements changed
+ - [ ] `src/site/markdown/documentation.md` updated for new basic usage
+ - [ ] `src/site/markdown/advanced.md` updated for new advanced features
+ - [ ] Javadoc added/updated for new public APIs
+- [ ] If no documentation files were changed for user-facing reference implementation changes, PR body explicitly explains why documentation changes were not needed
+- [ ] `src/site/site.xml` updated if new documentation pages were added
+- [ ] `.lastmerge` file updated with new commit hash
+- [ ] Branch pushed to remote
+- [ ] **Pull Request finalized** (coding agent: push to existing PR; manual: create via `mcp_github_create_pull_request`)
+- [ ] **`reference-impl-sync` label added** to the PR via `mcp_github_add_issue_labels`
+- [ ] PR URL provided to user
+
+---
+
+## Notes
+
+- The reference implementation SDK is at: `https://github.com/github/copilot-sdk.git`
+- Primary reference implementation is in `dotnet/` folder
+- This Java SDK targets Java 17+
+- Uses Jackson for JSON processing
+- Uses JUnit 5 for testing
+- **Java SDK design decisions take precedence over reference implementation patterns**
+- **Adapt reference implementation changes to fit Java idioms, not the other way around**
diff --git a/.github/prompts/coding-agent-merge-reference-impl-instructions.md b/.github/prompts/coding-agent-merge-reference-impl-instructions.md
new file mode 100644
index 000000000..cee6ef8a7
--- /dev/null
+++ b/.github/prompts/coding-agent-merge-reference-impl-instructions.md
@@ -0,0 +1,19 @@
+
+
+
+Follow the agentic-merge-reference-impl prompt at .github/prompts/agentic-merge-reference-impl.prompt.md
+to port reference implementation changes to the Java SDK.
+
+Use the utility scripts in .github/scripts/ subfolders for initialization, diffing, formatting, and testing.
+Commit changes incrementally. Update .lastmerge when done.
+
+IMPORTANT: A pull request has already been created automatically for you — do NOT create a new
+one. Push your commits to the current branch, and the existing PR will be updated.
+
+Add the 'reference-impl-sync' label to the existing PR by running this command in a terminal:
+
+ gh pr edit --add-label "reference-impl-sync"
+
+If after analyzing the reference implementation diff there are no relevant changes to port to the Java SDK,
+push an empty commit with a message explaining why no changes were needed, so the PR reflects
+the analysis outcome. The repository maintainer will close the PR and issue manually.
diff --git a/.github/scripts/reference-impl-sync/merge-reference-impl-diff.sh b/.github/scripts/reference-impl-sync/merge-reference-impl-diff.sh
new file mode 100755
index 000000000..8ff870103
--- /dev/null
+++ b/.github/scripts/reference-impl-sync/merge-reference-impl-diff.sh
@@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+# ──────────────────────────────────────────────────────────────
+# merge-reference-impl-diff.sh
+#
+# Generates a detailed diff analysis of reference implementation changes since
+# the last merge, grouped by area of interest:
+# • .NET source (primary reference)
+# • .NET tests
+# • Test snapshots
+# • Documentation
+# • Protocol / config files
+#
+# Usage: ./.github/scripts/reference-impl-sync/merge-reference-impl-diff.sh [--full]
+# --full Show actual diffs, not just stats
+#
+# Requires: .merge-env written by merge-reference-impl-start.sh
+# ──────────────────────────────────────────────────────────────
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "$0")/../../.." && pwd)"
+ENV_FILE="$ROOT_DIR/.merge-env"
+
+if [[ ! -f "$ENV_FILE" ]]; then
+ echo "❌ $ENV_FILE not found. Run ./.github/scripts/reference-impl-sync/merge-reference-impl-start.sh first."
+ exit 1
+fi
+
+# shellcheck source=/dev/null
+source "$ENV_FILE"
+
+SHOW_FULL=false
+if [[ "${1:-}" == "--full" ]]; then
+ SHOW_FULL=true
+fi
+
+cd "$REFERENCE_IMPL_DIR"
+git fetch origin main 2>/dev/null
+
+RANGE="$LAST_MERGE_COMMIT..origin/main"
+
+echo "════════════════════════════════════════════════════════════"
+echo " Reference implementation diff analysis: $RANGE"
+echo "════════════════════════════════════════════════════════════"
+
+# ── Commit log ────────────────────────────────────────────────
+echo ""
+echo "── Commit log ──"
+git log --oneline --no-decorate "$RANGE"
+echo ""
+
+# Helper to print a section
+section() {
+ local title="$1"; shift
+ local paths=("$@")
+
+ echo "── $title ──"
+ local stat
+ stat=$(git diff "$RANGE" --stat -- "${paths[@]}" 2>/dev/null || true)
+ if [[ -z "$stat" ]]; then
+ echo " (no changes)"
+ else
+ echo "$stat"
+ if $SHOW_FULL; then
+ echo ""
+ git diff "$RANGE" -- "${paths[@]}" 2>/dev/null || true
+ fi
+ fi
+ echo ""
+}
+
+# ── Sections ──────────────────────────────────────────────────
+section ".NET source (dotnet/src)" "dotnet/src/"
+section ".NET tests (dotnet/test)" "dotnet/test/"
+section "Test snapshots" "test/snapshots/"
+section "Documentation (docs/)" "docs/"
+section "Protocol & config" "sdk-protocol-version.json" "package.json" "justfile"
+section "Go SDK" "go/"
+section "Node.js SDK" "nodejs/"
+section "Python SDK" "python/"
+section "Other files" "README.md" "CONTRIBUTING.md" "SECURITY.md" "SUPPORT.md"
+
+echo "════════════════════════════════════════════════════════════"
+echo " To see full diffs: $0 --full"
+echo " To see a specific path:"
+echo " cd $REFERENCE_IMPL_DIR && git diff $RANGE -- "
+echo "════════════════════════════════════════════════════════════"
diff --git a/.github/scripts/reference-impl-sync/merge-reference-impl-finish.sh b/.github/scripts/reference-impl-sync/merge-reference-impl-finish.sh
new file mode 100755
index 000000000..480d43bc0
--- /dev/null
+++ b/.github/scripts/reference-impl-sync/merge-reference-impl-finish.sh
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+# ──────────────────────────────────────────────────────────────
+# merge-reference-impl-finish.sh
+#
+# Finalises a reference implementation merge:
+# 1. Runs format + test + build (via format-and-test.sh)
+# 2. Updates .lastmerge to reference implementation HEAD
+# 3. Commits the .lastmerge update
+# 4. Pushes the branch to origin
+#
+# Usage: ./.github/scripts/reference-impl-sync/merge-reference-impl-finish.sh
+# ./.github/scripts/reference-impl-sync/merge-reference-impl-finish.sh --skip-tests
+#
+# Requires: .merge-env written by merge-reference-impl-start.sh
+# ──────────────────────────────────────────────────────────────
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "$0")/../../.." && pwd)"
+ENV_FILE="$ROOT_DIR/.merge-env"
+
+if [[ ! -f "$ENV_FILE" ]]; then
+ echo "❌ $ENV_FILE not found. Run ./.github/scripts/reference-impl-sync/merge-reference-impl-start.sh first."
+ exit 1
+fi
+
+# shellcheck source=/dev/null
+source "$ENV_FILE"
+
+SKIP_TESTS=false
+if [[ "${1:-}" == "--skip-tests" ]]; then
+ SKIP_TESTS=true
+fi
+
+cd "$ROOT_DIR"
+
+# ── 1. Format, test, build ───────────────────────────────────
+if $SKIP_TESTS; then
+ echo "▸ Formatting only (tests skipped)…"
+ mvn spotless:apply
+ mvn clean package -DskipTests
+else
+ echo "▸ Running format + test + build…"
+ "$ROOT_DIR/.github/scripts/build/format-and-test.sh"
+fi
+
+# ── 2. Update .lastmerge ─────────────────────────────────────
+echo "▸ Updating .lastmerge…"
+NEW_COMMIT=$(cd "$REFERENCE_IMPL_DIR" && git rev-parse origin/main)
+echo "$NEW_COMMIT" > "$ROOT_DIR/.lastmerge"
+
+git add .lastmerge
+git commit -m "Update .lastmerge to $NEW_COMMIT"
+
+# ── 3. Push branch ───────────────────────────────────────────
+echo "▸ Pushing branch $BRANCH_NAME to origin…"
+git push -u origin "$BRANCH_NAME"
+
+echo ""
+echo "✅ Branch pushed. Next step:"
+echo " Create a Pull Request (base: main, head: $BRANCH_NAME)"
+echo ""
+echo " Suggested title: Merge reference implementation SDK changes ($(date +%Y-%m-%d))"
+echo " Don't forget to add the 'reference-impl-sync' label."
diff --git a/.github/scripts/reference-impl-sync/merge-reference-impl-start.sh b/.github/scripts/reference-impl-sync/merge-reference-impl-start.sh
new file mode 100755
index 000000000..76408e4ec
--- /dev/null
+++ b/.github/scripts/reference-impl-sync/merge-reference-impl-start.sh
@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+# ──────────────────────────────────────────────────────────────
+# merge-reference-impl-start.sh
+#
+# Prepares the workspace for a reference implementation merge:
+# 1. Creates a dated branch from main
+# 2. Updates Copilot CLI and records the new version
+# 3. Clones the reference implementation copilot-sdk repo into a temp dir
+# 4. Reads .lastmerge and prints a short summary of new commits
+#
+# Usage: ./.github/scripts/reference-impl-sync/merge-reference-impl-start.sh
+# Output: Exports REFERENCE_IMPL_DIR and LAST_MERGE_COMMIT to a
+# .merge-env file so other scripts can source it.
+# ──────────────────────────────────────────────────────────────
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "$0")/../../.." && pwd)"
+cd "$ROOT_DIR"
+
+REFERENCE_IMPL_REPO="https://github.com/github/copilot-sdk.git"
+ENV_FILE="$ROOT_DIR/.merge-env"
+
+# ── 1. Create branch (or reuse existing) ─────────────────────
+CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD)
+
+if [[ "$CURRENT_BRANCH" != "main" ]]; then
+ # Already on a non-main branch (e.g., coding agent's auto-created PR branch).
+ # Stay on this branch — do not create a new one.
+ BRANCH_NAME="$CURRENT_BRANCH"
+ echo "▸ Already on branch '$BRANCH_NAME' — reusing it (coding agent mode)."
+ git pull origin main --no-edit 2>/dev/null || echo " (pull from main skipped or fast-forward not possible)"
+else
+ echo "▸ Ensuring main is up to date…"
+ git pull origin main
+
+ BRANCH_NAME="merge-reference-impl-$(date +%Y%m%d)"
+ echo "▸ Creating branch: $BRANCH_NAME"
+ git checkout -b "$BRANCH_NAME"
+fi
+
+# ── 2. Update Copilot CLI ────────────────────────────────────
+echo "▸ Updating Copilot CLI…"
+if command -v copilot &>/dev/null; then
+ copilot update || echo " (copilot update returned non-zero – check manually)"
+ CLI_VERSION=$(copilot --version | head -n 1 | awk '{print $NF}')
+ echo " Copilot CLI version: $CLI_VERSION"
+else
+ echo " ⚠ 'copilot' command not found – skipping CLI update."
+ CLI_VERSION="UNKNOWN"
+fi
+
+# ── 3. Clone reference implementation ────────────────────────────────────────
+TEMP_DIR=$(mktemp -d)
+REFERENCE_IMPL_DIR="$TEMP_DIR/copilot-sdk"
+echo "▸ Cloning reference implementation into $REFERENCE_IMPL_DIR …"
+git clone --depth=200 "$REFERENCE_IMPL_REPO" "$REFERENCE_IMPL_DIR"
+
+# ── 4. Read last merge commit ────────────────────────────────
+if [[ ! -f "$ROOT_DIR/.lastmerge" ]]; then
+ echo "❌ .lastmerge file not found in repo root."
+ exit 1
+fi
+LAST_MERGE_COMMIT=$(tr -d '[:space:]' < "$ROOT_DIR/.lastmerge")
+echo "▸ Last merged reference implementation commit: $LAST_MERGE_COMMIT"
+
+# Quick summary
+echo ""
+echo "── Reference implementation commits since last merge ──"
+(cd "$REFERENCE_IMPL_DIR" && git fetch origin main && \
+ git log --oneline "$LAST_MERGE_COMMIT"..origin/main) || \
+ echo " (could not generate log – the commit may have been rebased)"
+echo ""
+
+# ── 5. Write env file for other scripts ──────────────────────
+cat > "$ENV_FILE" <
+ GH_AW_PROMPT_EOF
+ cat "/opt/gh-aw/prompts/xpia.md"
+ cat "/opt/gh-aw/prompts/temp_folder_prompt.md"
+ cat "/opt/gh-aw/prompts/markdown.md"
+ cat "/opt/gh-aw/prompts/safe_outputs_prompt.md"
+ cat << 'GH_AW_PROMPT_EOF'
+
+ Tools: add_comment, create_issue, close_issue, assign_to_agent, missing_tool, missing_data, noop
+
+
+ The following GitHub context information is available for this workflow:
+ {{#if __GH_AW_GITHUB_ACTOR__ }}
+ - **actor**: __GH_AW_GITHUB_ACTOR__
+ {{/if}}
+ {{#if __GH_AW_GITHUB_REPOSITORY__ }}
+ - **repository**: __GH_AW_GITHUB_REPOSITORY__
+ {{/if}}
+ {{#if __GH_AW_GITHUB_WORKSPACE__ }}
+ - **workspace**: __GH_AW_GITHUB_WORKSPACE__
+ {{/if}}
+ {{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }}
+ - **issue-number**: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__
+ {{/if}}
+ {{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }}
+ - **discussion-number**: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__
+ {{/if}}
+ {{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }}
+ - **pull-request-number**: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__
+ {{/if}}
+ {{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }}
+ - **comment-id**: __GH_AW_GITHUB_EVENT_COMMENT_ID__
+ {{/if}}
+ {{#if __GH_AW_GITHUB_RUN_ID__ }}
+ - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__
+ {{/if}}
+
+
+ GH_AW_PROMPT_EOF
+ cat << 'GH_AW_PROMPT_EOF'
+
+ GH_AW_PROMPT_EOF
+ cat << 'GH_AW_PROMPT_EOF'
+ {{#runtime-import .github/workflows/weekly-reference-impl-sync.md}}
+ GH_AW_PROMPT_EOF
+ } > "$GH_AW_PROMPT"
+ - name: Interpolate variables and render templates
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ env:
+ GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
+ with:
+ script: |
+ const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io);
+ const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs');
+ await main();
+ - name: Substitute placeholders
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ env:
+ GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
+ GH_AW_GITHUB_ACTOR: ${{ github.actor }}
+ GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
+ GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
+ GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
+ GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
+ GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
+ GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
+ GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
+ with:
+ script: |
+ const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io);
+
+ const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs');
+
+ // Call the substitution function
+ return await substitutePlaceholders({
+ file: process.env.GH_AW_PROMPT,
+ substitutions: {
+ GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR,
+ GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID,
+ GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER,
+ GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER,
+ GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER,
+ GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY,
+ GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID,
+ GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE
+ }
+ });
+ - name: Validate prompt placeholders
+ env:
+ GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
+ run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh
+ - name: Print prompt
+ env:
+ GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
+ run: bash /opt/gh-aw/actions/print_prompt_summary.sh
+ - name: Upload activation artifact
+ if: success()
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+ with:
+ name: activation
+ path: |
+ /tmp/gh-aw/aw_info.json
+ /tmp/gh-aw/aw-prompts/prompt.txt
+ retention-days: 1
+
+ agent:
+ needs: activation
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ issues: read
+ concurrency:
+ group: "gh-aw-copilot-${{ github.workflow }}"
+ env:
+ DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+ GH_AW_ASSETS_ALLOWED_EXTS: ""
+ GH_AW_ASSETS_BRANCH: ""
+ GH_AW_ASSETS_MAX_SIZE_KB: 0
+ GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
+ GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl
+ GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
+ GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
+ GH_AW_WORKFLOW_ID_SANITIZED: weeklyreferenceimplsync
+ outputs:
+ checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }}
+ detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }}
+ detection_success: ${{ steps.detection_conclusion.outputs.success }}
+ has_patch: ${{ steps.collect_output.outputs.has_patch }}
+ model: ${{ needs.activation.outputs.model }}
+ output: ${{ steps.collect_output.outputs.output }}
+ output_types: ${{ steps.collect_output.outputs.output_types }}
+ steps:
+ - name: Setup Scripts
+ uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6
+ with:
+ destination: /opt/gh-aw/actions
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - name: Create gh-aw temp directory
+ run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh
+ - name: Configure Git credentials
+ env:
+ REPO_NAME: ${{ github.repository }}
+ SERVER_URL: ${{ github.server_url }}
+ run: |
+ git config --global user.email "github-actions[bot]@users.noreply.github.com"
+ git config --global user.name "github-actions[bot]"
+ git config --global am.keepcr true
+ # Re-authenticate git with GitHub token
+ SERVER_URL_STRIPPED="${SERVER_URL#https://}"
+ git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
+ echo "Git configured with standard GitHub Actions identity"
+ - name: Checkout PR branch
+ id: checkout-pr
+ if: |
+ (github.event.pull_request) || (github.event.issue.pull_request)
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ env:
+ GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ with:
+ github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ script: |
+ const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io);
+ const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs');
+ await main();
+ - name: Install GitHub Copilot CLI
+ run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.420
+ - name: Install awf binary
+ run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0
+ - name: Determine automatic lockdown mode for GitHub MCP Server
+ id: determine-automatic-lockdown
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ env:
+ GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
+ GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
+ with:
+ script: |
+ const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
+ - name: Download container images
+ run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.6 ghcr.io/github/github-mcp-server:v0.31.0 node:lts-alpine
+ - name: Write Safe Outputs Config
+ run: |
+ mkdir -p /opt/gh-aw/safeoutputs
+ mkdir -p /tmp/gh-aw/safeoutputs
+ mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
+ cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF'
+ {"add_comment":{"max":10,"target":"*"},"assign_to_agent":{"default_agent":"copilot","max":1,"target":"*"},"close_issue":{"max":10,"required_labels":["reference-impl-sync"],"target":"*"},"create_issue":{"expires":144,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}}
+ GH_AW_SAFE_OUTPUTS_CONFIG_EOF
+ cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF'
+ [
+ {
+ "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[reference-impl-sync] \". Labels [reference-impl-sync] will be automatically added. Assignees [copilot] will be automatically assigned.",
+ "inputSchema": {
+ "additionalProperties": false,
+ "properties": {
+ "body": {
+ "description": "Detailed issue description in Markdown. Do NOT repeat the title as a heading since it already appears as the issue's h1. Include context, reproduction steps, or acceptance criteria as appropriate.",
+ "type": "string"
+ },
+ "labels": {
+ "description": "Labels to categorize the issue (e.g., 'bug', 'enhancement'). Labels must exist in the repository.",
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "parent": {
+ "description": "Parent issue number for creating sub-issues. This is the numeric ID from the GitHub URL (e.g., 42 in github.com/owner/repo/issues/42). Can also be a temporary_id (e.g., 'aw_abc123', 'aw_Test123') from a previously created issue in the same workflow run.",
+ "type": [
+ "number",
+ "string"
+ ]
+ },
+ "temporary_id": {
+ "description": "Unique temporary identifier for referencing this issue before it's created. Format: 'aw_' followed by 3 to 8 alphanumeric characters (e.g., 'aw_abc1', 'aw_Test123'). Use '#aw_ID' in body text to reference other issues by their temporary_id; these are replaced with actual issue numbers after creation.",
+ "pattern": "^aw_[A-Za-z0-9]{3,8}$",
+ "type": "string"
+ },
+ "title": {
+ "description": "Concise issue title summarizing the bug, feature, or task. The title appears as the main heading, so keep it brief and descriptive.",
+ "type": "string"
+ }
+ },
+ "required": [
+ "title",
+ "body"
+ ],
+ "type": "object"
+ },
+ "name": "create_issue"
+ },
+ {
+ "description": "Close a GitHub issue with a closing comment. You can and should always add a comment when closing an issue to explain the action or provide context. This tool is ONLY for closing issues - use update_issue if you need to change the title, body, labels, or other metadata without closing. Use close_issue when work is complete, the issue is no longer relevant, or it's a duplicate. The closing comment should explain the resolution or reason for closing. If the issue is already closed, a comment will still be posted. CONSTRAINTS: Maximum 10 issue(s) can be closed. Target: *.",
+ "inputSchema": {
+ "additionalProperties": false,
+ "properties": {
+ "body": {
+ "description": "Closing comment explaining why the issue is being closed and summarizing any resolution, workaround, or conclusion.",
+ "type": "string"
+ },
+ "issue_number": {
+ "description": "Issue number to close. This is the numeric ID from the GitHub URL (e.g., 901 in github.com/owner/repo/issues/901). If omitted, closes the issue that triggered this workflow (requires an issue event trigger).",
+ "type": [
+ "number",
+ "string"
+ ]
+ }
+ },
+ "required": [
+ "body"
+ ],
+ "type": "object"
+ },
+ "name": "close_issue"
+ },
+ {
+ "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 10 comment(s) can be added. Target: *.",
+ "inputSchema": {
+ "additionalProperties": false,
+ "properties": {
+ "body": {
+ "description": "The comment text in Markdown format. This is the 'body' field - do not use 'comment_body' or other variations. Provide helpful, relevant information that adds value to the conversation. CONSTRAINTS: The complete comment (your body text + automatically added footer) must not exceed 65536 characters total. Maximum 10 mentions (@username), maximum 50 links (http/https URLs). A footer (~200-500 characters) is automatically appended with workflow attribution, so leave adequate space. If these limits are exceeded, the tool call will fail with a detailed error message indicating which constraint was violated.",
+ "type": "string"
+ },
+ "item_number": {
+ "description": "The issue, pull request, or discussion number to comment on. This is the numeric ID from the GitHub URL (e.g., 123 in github.com/owner/repo/issues/123). If omitted, the tool auto-targets the issue, PR, or discussion that triggered this workflow. Auto-targeting only works for issue, pull_request, discussion, and comment event triggers — it does NOT work for schedule, workflow_dispatch, push, or workflow_run triggers. For those trigger types, always provide item_number explicitly, or the comment will be silently discarded.",
+ "type": "number"
+ }
+ },
+ "required": [
+ "body"
+ ],
+ "type": "object"
+ },
+ "name": "add_comment"
+ },
+ {
+ "description": "Assign the GitHub Copilot coding agent to work on an issue or pull request. The agent will analyze the issue/PR and attempt to implement a solution, creating a pull request when complete. Use this to delegate coding tasks to Copilot. Example usage: assign_to_agent(issue_number=123, agent=\"copilot\") or assign_to_agent(pull_number=456, agent=\"copilot\", pull_request_repo=\"owner/repo\") CONSTRAINTS: Maximum 1 issue(s) can be assigned to agent.",
+ "inputSchema": {
+ "additionalProperties": false,
+ "properties": {
+ "agent": {
+ "description": "Agent identifier to assign. Defaults to 'copilot' (the Copilot coding agent) if not specified.",
+ "type": "string"
+ },
+ "issue_number": {
+ "description": "Issue number to assign the Copilot coding agent to. This is the numeric ID from the GitHub URL (e.g., 234 in github.com/owner/repo/issues/234). Can also be a temporary_id (e.g., 'aw_abc123', 'aw_Test123') from an issue created earlier in the same workflow run. The issue should contain clear, actionable requirements. Either issue_number or pull_number must be provided, but not both.",
+ "type": [
+ "number",
+ "string"
+ ]
+ },
+ "pull_number": {
+ "description": "Pull request number to assign the Copilot coding agent to. This is the numeric ID from the GitHub URL (e.g., 456 in github.com/owner/repo/pull/456). Either issue_number or pull_number must be provided, but not both.",
+ "type": [
+ "number",
+ "string"
+ ]
+ },
+ "pull_request_repo": {
+ "description": "Target repository where the pull request should be created, in 'owner/repo' format. If omitted, the PR will be created in the same repository as the issue. This allows issues and code to live in different repositories. The global pull-request-repo configuration (if set) is automatically allowed; additional repositories must be listed in allowed-pull-request-repos.",
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "name": "assign_to_agent"
+ },
+ {
+ "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.",
+ "inputSchema": {
+ "additionalProperties": false,
+ "properties": {
+ "alternatives": {
+ "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).",
+ "type": "string"
+ },
+ "reason": {
+ "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).",
+ "type": "string"
+ },
+ "tool": {
+ "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.",
+ "type": "string"
+ }
+ },
+ "required": [
+ "reason"
+ ],
+ "type": "object"
+ },
+ "name": "missing_tool"
+ },
+ {
+ "description": "Log a transparency message when no significant actions are needed. Use this to confirm workflow completion and provide visibility when analysis is complete but no changes or outputs are required (e.g., 'No issues found', 'All checks passed'). This ensures the workflow produces human-visible output even when no other actions are taken.",
+ "inputSchema": {
+ "additionalProperties": false,
+ "properties": {
+ "message": {
+ "description": "Status or completion message to log. Should explain what was analyzed and the outcome (e.g., 'Code review complete - no issues found', 'Analysis complete - all tests passing').",
+ "type": "string"
+ }
+ },
+ "required": [
+ "message"
+ ],
+ "type": "object"
+ },
+ "name": "noop"
+ },
+ {
+ "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.",
+ "inputSchema": {
+ "additionalProperties": false,
+ "properties": {
+ "alternatives": {
+ "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).",
+ "type": "string"
+ },
+ "context": {
+ "description": "Additional context about the missing data or where it should come from (max 256 characters).",
+ "type": "string"
+ },
+ "data_type": {
+ "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.",
+ "type": "string"
+ },
+ "reason": {
+ "description": "Explanation of why this data is needed to complete the task (max 256 characters).",
+ "type": "string"
+ }
+ },
+ "required": [],
+ "type": "object"
+ },
+ "name": "missing_data"
+ }
+ ]
+ GH_AW_SAFE_OUTPUTS_TOOLS_EOF
+ cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF'
+ {
+ "add_comment": {
+ "defaultMax": 1,
+ "fields": {
+ "body": {
+ "required": true,
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 65000
+ },
+ "item_number": {
+ "issueOrPRNumber": true
+ },
+ "repo": {
+ "type": "string",
+ "maxLength": 256
+ }
+ }
+ },
+ "assign_to_agent": {
+ "defaultMax": 1,
+ "fields": {
+ "agent": {
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 128
+ },
+ "issue_number": {
+ "issueNumberOrTemporaryId": true
+ },
+ "pull_number": {
+ "optionalPositiveInteger": true
+ },
+ "pull_request_repo": {
+ "type": "string",
+ "maxLength": 256
+ },
+ "repo": {
+ "type": "string",
+ "maxLength": 256
+ }
+ },
+ "customValidation": "requiresOneOf:issue_number,pull_number"
+ },
+ "close_issue": {
+ "defaultMax": 1,
+ "fields": {
+ "body": {
+ "required": true,
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 65000
+ },
+ "issue_number": {
+ "optionalPositiveInteger": true
+ },
+ "repo": {
+ "type": "string",
+ "maxLength": 256
+ }
+ }
+ },
+ "create_issue": {
+ "defaultMax": 1,
+ "fields": {
+ "body": {
+ "required": true,
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 65000
+ },
+ "labels": {
+ "type": "array",
+ "itemType": "string",
+ "itemSanitize": true,
+ "itemMaxLength": 128
+ },
+ "parent": {
+ "issueOrPRNumber": true
+ },
+ "repo": {
+ "type": "string",
+ "maxLength": 256
+ },
+ "temporary_id": {
+ "type": "string"
+ },
+ "title": {
+ "required": true,
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 128
+ }
+ }
+ },
+ "missing_data": {
+ "defaultMax": 20,
+ "fields": {
+ "alternatives": {
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 256
+ },
+ "context": {
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 256
+ },
+ "data_type": {
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 128
+ },
+ "reason": {
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 256
+ }
+ }
+ },
+ "missing_tool": {
+ "defaultMax": 20,
+ "fields": {
+ "alternatives": {
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 512
+ },
+ "reason": {
+ "required": true,
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 256
+ },
+ "tool": {
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 128
+ }
+ }
+ },
+ "noop": {
+ "defaultMax": 1,
+ "fields": {
+ "message": {
+ "required": true,
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 65000
+ }
+ }
+ }
+ }
+ GH_AW_SAFE_OUTPUTS_VALIDATION_EOF
+ - name: Generate Safe Outputs MCP Server Config
+ id: safe-outputs-config
+ run: |
+ # Generate a secure random API key (360 bits of entropy, 40+ chars)
+ # Mask immediately to prevent timing vulnerabilities
+ API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
+ echo "::add-mask::${API_KEY}"
+
+ PORT=3001
+
+ # Set outputs for next steps
+ {
+ echo "safe_outputs_api_key=${API_KEY}"
+ echo "safe_outputs_port=${PORT}"
+ } >> "$GITHUB_OUTPUT"
+
+ echo "Safe Outputs MCP server will run on port ${PORT}"
+
+ - name: Start Safe Outputs MCP HTTP Server
+ id: safe-outputs-start
+ env:
+ DEBUG: '*'
+ GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}
+ GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}
+ GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
+ GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
+ GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
+ run: |
+ # Environment variables are set above to prevent template injection
+ export DEBUG
+ export GH_AW_SAFE_OUTPUTS_PORT
+ export GH_AW_SAFE_OUTPUTS_API_KEY
+ export GH_AW_SAFE_OUTPUTS_TOOLS_PATH
+ export GH_AW_SAFE_OUTPUTS_CONFIG_PATH
+ export GH_AW_MCP_LOG_DIR
+
+ bash /opt/gh-aw/actions/start_safe_outputs_server.sh
+
+ - name: Start MCP Gateway
+ id: start-mcp-gateway
+ env:
+ GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
+ GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
+ GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
+ GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}
+ GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ run: |
+ set -eo pipefail
+ mkdir -p /tmp/gh-aw/mcp-config
+
+ # Export gateway environment variables for MCP config and gateway script
+ export MCP_GATEWAY_PORT="80"
+ export MCP_GATEWAY_DOMAIN="host.docker.internal"
+ MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
+ echo "::add-mask::${MCP_GATEWAY_API_KEY}"
+ export MCP_GATEWAY_API_KEY
+ export MCP_GATEWAY_PAYLOAD_DIR="/tmp/gh-aw/mcp-payloads"
+ mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}"
+ export MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD="524288"
+ export DEBUG="*"
+
+ export GH_AW_ENGINE="copilot"
+ export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.6'
+
+ mkdir -p /home/runner/.copilot
+ cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh
+ {
+ "mcpServers": {
+ "github": {
+ "type": "stdio",
+ "container": "ghcr.io/github/github-mcp-server:v0.31.0",
+ "env": {
+ "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN",
+ "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
+ "GITHUB_READ_ONLY": "1",
+ "GITHUB_TOOLSETS": "context,repos,issues"
+ }
+ },
+ "safeoutputs": {
+ "type": "http",
+ "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT",
+ "headers": {
+ "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}"
+ }
+ }
+ },
+ "gateway": {
+ "port": $MCP_GATEWAY_PORT,
+ "domain": "${MCP_GATEWAY_DOMAIN}",
+ "apiKey": "${MCP_GATEWAY_API_KEY}",
+ "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
+ }
+ }
+ GH_AW_MCP_CONFIG_EOF
+ - name: Download activation artifact
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+ with:
+ name: activation
+ path: /tmp/gh-aw
+ - name: Clean git credentials
+ run: bash /opt/gh-aw/actions/clean_git_credentials.sh
+ - name: Execute GitHub Copilot CLI
+ id: agentic_execution
+ # Copilot CLI tool arguments (sorted):
+ timeout-minutes: 20
+ run: |
+ set -o pipefail
+ # shellcheck disable=SC1003
+ sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.23.0 --skip-pull --enable-api-proxy \
+ -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
+ env:
+ COPILOT_AGENT_RUNNER_TYPE: STANDALONE
+ COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
+ GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json
+ GH_AW_MODEL_AGENT_COPILOT: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }}
+ GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
+ GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
+ GITHUB_API_URL: ${{ github.api_url }}
+ GITHUB_HEAD_REF: ${{ github.head_ref }}
+ GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ GITHUB_REF_NAME: ${{ github.ref_name }}
+ GITHUB_SERVER_URL: ${{ github.server_url }}
+ GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }}
+ GITHUB_WORKSPACE: ${{ github.workspace }}
+ XDG_CONFIG_HOME: /home/runner
+ - name: Configure Git credentials
+ env:
+ REPO_NAME: ${{ github.repository }}
+ SERVER_URL: ${{ github.server_url }}
+ run: |
+ git config --global user.email "github-actions[bot]@users.noreply.github.com"
+ git config --global user.name "github-actions[bot]"
+ git config --global am.keepcr true
+ # Re-authenticate git with GitHub token
+ SERVER_URL_STRIPPED="${SERVER_URL#https://}"
+ git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
+ echo "Git configured with standard GitHub Actions identity"
+ - name: Copy Copilot session state files to logs
+ if: always()
+ continue-on-error: true
+ run: |
+ # Copy Copilot session state files to logs folder for artifact collection
+ # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them
+ SESSION_STATE_DIR="$HOME/.copilot/session-state"
+ LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs"
+
+ if [ -d "$SESSION_STATE_DIR" ]; then
+ echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR"
+ mkdir -p "$LOGS_DIR"
+ cp -v "$SESSION_STATE_DIR"/*.jsonl "$LOGS_DIR/" 2>/dev/null || true
+ echo "Session state files copied successfully"
+ else
+ echo "No session-state directory found at $SESSION_STATE_DIR"
+ fi
+ - name: Stop MCP Gateway
+ if: always()
+ continue-on-error: true
+ env:
+ MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }}
+ MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }}
+ GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }}
+ run: |
+ bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID"
+ - name: Redact secrets in logs
+ if: always()
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ with:
+ script: |
+ const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io);
+ const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs');
+ await main();
+ env:
+ GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN'
+ SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
+ SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
+ SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
+ SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Upload Safe Outputs
+ if: always()
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+ with:
+ name: safe-output
+ path: ${{ env.GH_AW_SAFE_OUTPUTS }}
+ if-no-files-found: warn
+ - name: Ingest agent output
+ id: collect_output
+ if: always()
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ env:
+ GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
+ GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
+ GITHUB_SERVER_URL: ${{ github.server_url }}
+ GITHUB_API_URL: ${{ github.api_url }}
+ with:
+ script: |
+ const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io);
+ const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs');
+ await main();
+ - name: Upload sanitized agent output
+ if: always() && env.GH_AW_AGENT_OUTPUT
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+ with:
+ name: agent-output
+ path: ${{ env.GH_AW_AGENT_OUTPUT }}
+ if-no-files-found: warn
+ - name: Upload engine output files
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+ with:
+ name: agent_outputs
+ path: |
+ /tmp/gh-aw/sandbox/agent/logs/
+ /tmp/gh-aw/redacted-urls.log
+ if-no-files-found: ignore
+ - name: Parse agent logs for step summary
+ if: always()
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ env:
+ GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/
+ with:
+ script: |
+ const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io);
+ const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs');
+ await main();
+ - name: Parse MCP Gateway logs for step summary
+ if: always()
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ with:
+ script: |
+ const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io);
+ const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs');
+ await main();
+ - name: Print firewall logs
+ if: always()
+ continue-on-error: true
+ env:
+ AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
+ run: |
+ # Fix permissions on firewall logs so they can be uploaded as artifacts
+ # AWF runs with sudo, creating files owned by root
+ sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true
+ # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
+ if command -v awf &> /dev/null; then
+ awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"
+ else
+ echo 'AWF binary not installed, skipping firewall log summary'
+ fi
+ - name: Upload agent artifacts
+ if: always()
+ continue-on-error: true
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+ with:
+ name: agent-artifacts
+ path: |
+ /tmp/gh-aw/aw-prompts/prompt.txt
+ /tmp/gh-aw/mcp-logs/
+ /tmp/gh-aw/sandbox/firewall/logs/
+ /tmp/gh-aw/agent-stdio.log
+ /tmp/gh-aw/agent/
+ if-no-files-found: ignore
+ # --- Threat Detection (inline) ---
+ - name: Check if detection needed
+ id: detection_guard
+ if: always()
+ env:
+ OUTPUT_TYPES: ${{ steps.collect_output.outputs.output_types }}
+ HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }}
+ run: |
+ if [[ -n "$OUTPUT_TYPES" || "$HAS_PATCH" == "true" ]]; then
+ echo "run_detection=true" >> "$GITHUB_OUTPUT"
+ echo "Detection will run: output_types=$OUTPUT_TYPES, has_patch=$HAS_PATCH"
+ else
+ echo "run_detection=false" >> "$GITHUB_OUTPUT"
+ echo "Detection skipped: no agent outputs or patches to analyze"
+ fi
+ - name: Clear MCP configuration for detection
+ if: always() && steps.detection_guard.outputs.run_detection == 'true'
+ run: |
+ rm -f /tmp/gh-aw/mcp-config/mcp-servers.json
+ rm -f /home/runner/.copilot/mcp-config.json
+ rm -f "$GITHUB_WORKSPACE/.gemini/settings.json"
+ - name: Prepare threat detection files
+ if: always() && steps.detection_guard.outputs.run_detection == 'true'
+ run: |
+ mkdir -p /tmp/gh-aw/threat-detection/aw-prompts
+ cp /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt 2>/dev/null || true
+ cp /tmp/gh-aw/agent_output.json /tmp/gh-aw/threat-detection/agent_output.json 2>/dev/null || true
+ for f in /tmp/gh-aw/aw-*.patch; do
+ [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true
+ done
+ echo "Prepared threat detection files:"
+ ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true
+ - name: Setup threat detection
+ if: always() && steps.detection_guard.outputs.run_detection == 'true'
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ env:
+ WORKFLOW_NAME: "Weekly Reference Implementation Sync Agentic Workflow"
+ WORKFLOW_DESCRIPTION: "Weekly reference implementation sync workflow. Checks for new commits in the official\nCopilot SDK (github/copilot-sdk) and assigns to Copilot to port changes."
+ HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }}
+ with:
+ script: |
+ const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io);
+ const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs');
+ await main();
+ - name: Ensure threat-detection directory and log
+ if: always() && steps.detection_guard.outputs.run_detection == 'true'
+ run: |
+ mkdir -p /tmp/gh-aw/threat-detection
+ touch /tmp/gh-aw/threat-detection/detection.log
+ - name: Execute GitHub Copilot CLI
+ if: always() && steps.detection_guard.outputs.run_detection == 'true'
+ id: detection_agentic_execution
+ # Copilot CLI tool arguments (sorted):
+ # --allow-tool shell(cat)
+ # --allow-tool shell(grep)
+ # --allow-tool shell(head)
+ # --allow-tool shell(jq)
+ # --allow-tool shell(ls)
+ # --allow-tool shell(tail)
+ # --allow-tool shell(wc)
+ timeout-minutes: 20
+ run: |
+ set -o pipefail
+ # shellcheck disable=SC1003
+ sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org,telemetry.enterprise.githubcopilot.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.23.0 --skip-pull --enable-api-proxy \
+ -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(jq)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(wc)'\'' --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_DETECTION_COPILOT:+ --model "$GH_AW_MODEL_DETECTION_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
+ env:
+ COPILOT_AGENT_RUNNER_TYPE: STANDALONE
+ COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
+ GH_AW_MODEL_DETECTION_COPILOT: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || '' }}
+ GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
+ GITHUB_API_URL: ${{ github.api_url }}
+ GITHUB_HEAD_REF: ${{ github.head_ref }}
+ GITHUB_REF_NAME: ${{ github.ref_name }}
+ GITHUB_SERVER_URL: ${{ github.server_url }}
+ GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }}
+ GITHUB_WORKSPACE: ${{ github.workspace }}
+ XDG_CONFIG_HOME: /home/runner
+ - name: Parse threat detection results
+ id: parse_detection_results
+ if: always() && steps.detection_guard.outputs.run_detection == 'true'
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ with:
+ script: |
+ const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io);
+ const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs');
+ await main();
+ - name: Upload threat detection log
+ if: always() && steps.detection_guard.outputs.run_detection == 'true'
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+ with:
+ name: threat-detection.log
+ path: /tmp/gh-aw/threat-detection/detection.log
+ if-no-files-found: ignore
+ - name: Set detection conclusion
+ id: detection_conclusion
+ if: always()
+ env:
+ RUN_DETECTION: ${{ steps.detection_guard.outputs.run_detection }}
+ DETECTION_SUCCESS: ${{ steps.parse_detection_results.outputs.success }}
+ run: |
+ if [[ "$RUN_DETECTION" != "true" ]]; then
+ echo "conclusion=skipped" >> "$GITHUB_OUTPUT"
+ echo "success=true" >> "$GITHUB_OUTPUT"
+ echo "Detection was not needed, marking as skipped"
+ elif [[ "$DETECTION_SUCCESS" == "true" ]]; then
+ echo "conclusion=success" >> "$GITHUB_OUTPUT"
+ echo "success=true" >> "$GITHUB_OUTPUT"
+ echo "Detection passed successfully"
+ else
+ echo "conclusion=failure" >> "$GITHUB_OUTPUT"
+ echo "success=false" >> "$GITHUB_OUTPUT"
+ echo "Detection found issues"
+ fi
+
+ conclusion:
+ needs:
+ - activation
+ - agent
+ - safe_outputs
+ if: (always()) && (needs.agent.result != 'skipped')
+ runs-on: ubuntu-slim
+ permissions:
+ contents: read
+ discussions: write
+ issues: write
+ pull-requests: write
+ outputs:
+ noop_message: ${{ steps.noop.outputs.noop_message }}
+ tools_reported: ${{ steps.missing_tool.outputs.tools_reported }}
+ total_count: ${{ steps.missing_tool.outputs.total_count }}
+ steps:
+ - name: Setup Scripts
+ uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6
+ with:
+ destination: /opt/gh-aw/actions
+ - name: Download agent output artifact
+ continue-on-error: true
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+ with:
+ name: agent-output
+ path: /tmp/gh-aw/safeoutputs/
+ - name: Setup agent output environment variable
+ run: |
+ mkdir -p /tmp/gh-aw/safeoutputs/
+ find "/tmp/gh-aw/safeoutputs/" -type f -print
+ echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV"
+ - name: Process No-Op Messages
+ id: noop
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ env:
+ GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
+ GH_AW_NOOP_MAX: "1"
+ GH_AW_WORKFLOW_NAME: "Weekly Reference Implementation Sync Agentic Workflow"
+ with:
+ github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ script: |
+ const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io);
+ const { main } = require('/opt/gh-aw/actions/noop.cjs');
+ await main();
+ - name: Record Missing Tool
+ id: missing_tool
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ env:
+ GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
+ GH_AW_WORKFLOW_NAME: "Weekly Reference Implementation Sync Agentic Workflow"
+ with:
+ github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ script: |
+ const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io);
+ const { main } = require('/opt/gh-aw/actions/missing_tool.cjs');
+ await main();
+ - name: Handle Agent Failure
+ id: handle_agent_failure
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ env:
+ GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
+ GH_AW_WORKFLOW_NAME: "Weekly Reference Implementation Sync Agentic Workflow"
+ GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+ GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
+ GH_AW_WORKFLOW_ID: "weekly-reference-impl-sync"
+ GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }}
+ GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }}
+ GH_AW_ASSIGNMENT_ERRORS: ${{ needs.safe_outputs.outputs.assign_to_agent_assignment_errors }}
+ GH_AW_ASSIGNMENT_ERROR_COUNT: ${{ needs.safe_outputs.outputs.assign_to_agent_assignment_error_count }}
+ GH_AW_GROUP_REPORTS: "false"
+ with:
+ github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ script: |
+ const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io);
+ const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs');
+ await main();
+ - name: Handle No-Op Message
+ id: handle_noop_message
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ env:
+ GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
+ GH_AW_WORKFLOW_NAME: "Weekly Reference Implementation Sync Agentic Workflow"
+ GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+ GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
+ GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }}
+ GH_AW_NOOP_REPORT_AS_ISSUE: "false"
+ with:
+ github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ script: |
+ const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io);
+ const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs');
+ await main();
+
+ safe_outputs:
+ needs: agent
+ if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.agent.outputs.detection_success == 'true')
+ runs-on: ubuntu-slim
+ permissions:
+ contents: read
+ discussions: write
+ issues: write
+ pull-requests: write
+ timeout-minutes: 15
+ env:
+ GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/${{ github.workflow }}"
+ GH_AW_ENGINE_ID: "copilot"
+ GH_AW_WORKFLOW_ID: "weekly-reference-impl-sync"
+ GH_AW_WORKFLOW_NAME: "Weekly Reference Implementation Sync Agentic Workflow"
+ outputs:
+ assign_to_agent_assigned: ${{ steps.assign_to_agent.outputs.assigned }}
+ assign_to_agent_assignment_error_count: ${{ steps.assign_to_agent.outputs.assignment_error_count }}
+ assign_to_agent_assignment_errors: ${{ steps.assign_to_agent.outputs.assignment_errors }}
+ code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }}
+ code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }}
+ comment_id: ${{ steps.process_safe_outputs.outputs.comment_id }}
+ comment_url: ${{ steps.process_safe_outputs.outputs.comment_url }}
+ create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }}
+ create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }}
+ created_issue_number: ${{ steps.process_safe_outputs.outputs.created_issue_number }}
+ created_issue_url: ${{ steps.process_safe_outputs.outputs.created_issue_url }}
+ process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }}
+ process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
+ steps:
+ - name: Setup Scripts
+ uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6
+ with:
+ destination: /opt/gh-aw/actions
+ - name: Download agent output artifact
+ continue-on-error: true
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+ with:
+ name: agent-output
+ path: /tmp/gh-aw/safeoutputs/
+ - name: Setup agent output environment variable
+ run: |
+ mkdir -p /tmp/gh-aw/safeoutputs/
+ find "/tmp/gh-aw/safeoutputs/" -type f -print
+ echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV"
+ - name: Process Safe Outputs
+ id: process_safe_outputs
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ env:
+ GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
+ GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
+ GITHUB_SERVER_URL: ${{ github.server_url }}
+ GITHUB_API_URL: ${{ github.api_url }}
+ GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":10,\"target\":\"*\"},\"close_issue\":{\"max\":10,\"required_labels\":[\"reference-impl-sync\"],\"target\":\"*\"},\"create_issue\":{\"assignees\":[\"copilot\"],\"expires\":144,\"labels\":[\"reference-impl-sync\"],\"max\":1,\"title_prefix\":\"[reference-impl-sync] \"},\"missing_data\":{},\"missing_tool\":{}}"
+ GH_AW_ASSIGN_COPILOT: "true"
+ with:
+ github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ script: |
+ const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io);
+ const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs');
+ await main();
+ - name: Assign Copilot to created issues
+ if: steps.process_safe_outputs.outputs.issues_to_assign_copilot != ''
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ env:
+ GH_AW_ISSUES_TO_ASSIGN_COPILOT: ${{ steps.process_safe_outputs.outputs.issues_to_assign_copilot }}
+ with:
+ github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ script: |
+ const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io);
+ const { main } = require('/opt/gh-aw/actions/assign_copilot_to_created_issues.cjs');
+ await main();
+ - name: Assign to agent
+ id: assign_to_agent
+ if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'assign_to_agent'))
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ env:
+ GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
+ GH_AW_AGENT_MAX_COUNT: 1
+ GH_AW_AGENT_DEFAULT: "copilot"
+ GH_AW_AGENT_DEFAULT_MODEL: "claude-opus-4.6"
+ GH_AW_AGENT_TARGET: "*"
+ GH_AW_TEMPORARY_ID_MAP: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
+ with:
+ github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ script: |
+ const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io);
+ const { main } = require('/opt/gh-aw/actions/assign_to_agent.cjs');
+ await main();
+ - name: Upload safe output items manifest
+ if: always()
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+ with:
+ name: safe-output-items
+ path: /tmp/safe-output-items.jsonl
+ if-no-files-found: warn
+
diff --git a/.github/workflows/weekly-reference-impl-sync.md b/.github/workflows/weekly-reference-impl-sync.md
new file mode 100644
index 000000000..7e72248e1
--- /dev/null
+++ b/.github/workflows/weekly-reference-impl-sync.md
@@ -0,0 +1,151 @@
+---
+description: |
+ Weekly reference implementation sync workflow. Checks for new commits in the official
+ Copilot SDK (github/copilot-sdk) and assigns to Copilot to port changes.
+
+on:
+ schedule: weekly
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ actions: read
+ issues: read
+
+network:
+ allowed:
+ - defaults
+ - github
+
+tools:
+ github:
+ toolsets: [context, repos, issues]
+
+safe-outputs:
+ create-issue:
+ title-prefix: "[reference-impl-sync] "
+ assignees: [copilot]
+ labels: [reference-impl-sync]
+ expires: 6
+ close-issue:
+ required-labels: [reference-impl-sync]
+ target: "*"
+ max: 10
+ add-comment:
+ target: "*"
+ max: 10
+ assign-to-agent:
+ name: "copilot"
+ model: "claude-opus-4.6"
+ target: "*"
+ noop:
+ report-as-issue: false
+---
+# Weekly Reference Implementation Sync Agentic Workflow
+This document describes the `weekly-reference-impl-sync.yml` GitHub Actions workflow, which automates the detection of new changes in the official [Copilot SDK](https://github.com/github/copilot-sdk) and delegates the merge work to the Copilot coding agent.
+
+## Overview
+
+The workflow runs on a **weekly schedule** (every Monday at 10:00 UTC) and can also be triggered manually. It does **not** perform the actual merge — instead, it detects reference implementation changes and creates a GitHub issue assigned to `copilot`, instructing the agent to follow the [agentic-merge-reference-impl](../prompts/agentic-merge-reference-impl.prompt.md) prompt to port the changes.
+
+The agent must also create the Pull Request with the label `reference-impl-sync`. This allows the workflow to track the merge progress and avoid creating duplicate issues if the agent is still working on a previous sync.
+
+## Trigger
+
+| Trigger | Schedule |
+|---|---|
+| `schedule` | Every Monday at 10:00 UTC (`0 10 * * 1`) |
+| `workflow_dispatch` | Manual trigger from the Actions tab |
+
+## Workflow Steps
+
+### 1. Checkout repository
+
+Checks out the repo to read the `.lastmerge` file, which contains the SHA of the last reference implementation commit that was merged into the Java SDK.
+
+### 2. Check for reference implementation changes
+
+- Reads the last merged commit hash from `.lastmerge`
+- Clones the reference implementation `github/copilot-sdk` repository
+- Compares `.lastmerge` against reference implementation `HEAD`
+- If they match: sets `has_changes=false`
+- If they differ: counts new commits, generates a summary (up to 20 most recent), and sets outputs (`commit_count`, `reference_impl_head`, `last_merge`, `summary`)
+
+### 3. Close previous reference-impl-sync issues (when changes found)
+
+**Condition:** `has_changes == true`
+
+Before creating a new issue, closes any existing open issues with the `reference-impl-sync` label. This prevents stale issues from accumulating when previous sync attempts were incomplete or superseded. Each closed issue receives a comment explaining it was superseded.
+
+### 4. Close stale reference-impl-sync issues (when no changes found)
+
+**Condition:** `has_changes == false`
+
+If the reference implementation is already up to date, closes any lingering open `reference-impl-sync` issues with a comment noting that no changes were detected. This handles the case where a previous issue was created but the changes were merged manually (updating `.lastmerge`) before the agent completed.
+
+### 5. Create issue and assign to Copilot
+
+**Condition:** `has_changes == true`
+
+Creates a new GitHub issue with:
+
+- **Title:** `Reference implementation sync: N new commits (YYYY-MM-DD)`
+- **Label:** `reference-impl-sync`
+- **Assignee:** `copilot`
+- **Body:** Contains commit count, commit range links, a summary of recent commits, and a link to the merge prompt
+
+The Copilot coding agent picks up the issue, creates a branch and PR, then follows the merge prompt to port the changes.
+
+### 6. Summary
+
+Writes a GitHub Actions step summary with:
+
+- Whether changes were detected
+- Commit count and range
+- Recent reference implementation commits
+- Link to the created issue (if any)
+
+## Flow Diagram
+
+```
+┌─────────────────────┐
+│ Schedule / Manual │
+└──────────┬──────────┘
+ │
+ ▼
+┌──────────────────────────┐
+│ Read .lastmerge │
+│ Clone reference impl SDK │
+│ Compare commits │
+└──────────┬───────────────┘
+ │
+ ┌─────┴─────┐
+ │ │
+ changes? no changes
+ │ │
+ ▼ ▼
+┌──────────┐ ┌──────────────────┐
+│ Close old│ │ Close stale │
+│ issues │ │ issues │
+└────┬─────┘ └──────────────────┘
+ │
+ ▼
+┌──────────────────────────┐
+│ Create issue assigned to │
+│ copilot │
+└──────────────────────────┘
+ │
+ ▼
+┌──────────────────────────┐
+│ Agent follows prompt to │
+│ port changes → PR │
+└──────────────────────────┘
+```
+
+## Related Files
+
+| File | Purpose |
+|---|---|
+| `.lastmerge` | Stores the SHA of the last merged reference implementation commit |
+| [agentic-merge-reference-impl.prompt.md](../prompts/agentic-merge-reference-impl.prompt.md) | Detailed instructions the Copilot agent follows to port changes |
+| `.github/scripts/reference-impl-sync/` | Helper scripts used by the merge prompt |
diff --git a/.github/workflows/weekly-reference-impl-sync.yml b/.github/workflows/weekly-reference-impl-sync.yml
new file mode 100644
index 000000000..aa3fc971a
--- /dev/null
+++ b/.github/workflows/weekly-reference-impl-sync.yml
@@ -0,0 +1,181 @@
+name: "Weekly Reference Implementation Sync"
+
+on:
+ schedule:
+ # Every Monday at 10:00 UTC (5:00 AM EST / 6:00 AM EDT)
+ - cron: '0 10 * * 1'
+ workflow_dispatch:
+
+permissions:
+ contents: write
+ issues: write
+ pull-requests: write
+
+env:
+ # Used for `gh` CLI operations to create/close/comment issues. Must be a PAT with repo permissions because the default
+ GH_AW_AGENT_TOKEN: ${{ secrets.GH_AW_AGENT_TOKEN }}
+ GH_TOKEN: ${{ secrets.GH_AW_AGENT_TOKEN }}
+
+jobs:
+
+ check-and-sync:
+ name: "Check reference implementation & trigger Copilot merge"
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - name: Check for reference implementation changes
+ id: check
+ run: |
+ LAST_MERGE=$(cat .lastmerge)
+ echo "Last merged commit: $LAST_MERGE"
+
+ git clone --quiet https://github.com/github/copilot-sdk.git /tmp/reference-impl
+ cd /tmp/reference-impl
+
+ REFERENCE_IMPL_HEAD=$(git rev-parse HEAD)
+ echo "Reference implementation HEAD: $REFERENCE_IMPL_HEAD"
+
+ echo "last_merge=$LAST_MERGE" >> "$GITHUB_OUTPUT"
+
+ if [ "$LAST_MERGE" = "$REFERENCE_IMPL_HEAD" ]; then
+ echo "No new reference implementation changes since last merge."
+ echo "has_changes=false" >> "$GITHUB_OUTPUT"
+ else
+ COMMIT_COUNT=$(git rev-list --count "$LAST_MERGE".."$REFERENCE_IMPL_HEAD")
+ echo "Found $COMMIT_COUNT new reference implementation commits."
+ echo "has_changes=true" >> "$GITHUB_OUTPUT"
+ echo "commit_count=$COMMIT_COUNT" >> "$GITHUB_OUTPUT"
+ echo "reference_impl_head=$REFERENCE_IMPL_HEAD" >> "$GITHUB_OUTPUT"
+
+ # Generate a short summary of changes
+ SUMMARY=$(git log --oneline "$LAST_MERGE".."$REFERENCE_IMPL_HEAD" | head -20)
+ {
+ echo "summary<> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Close previous reference-impl-sync issues
+ if: steps.check.outputs.has_changes == 'true'
+ run: |
+ # Find all open issues with the reference-impl-sync label
+ OPEN_ISSUES=$(gh issue list \
+ --repo "${{ github.repository }}" \
+ --label "reference-impl-sync" \
+ --state open \
+ --json number \
+ --jq '.[].number')
+
+ for ISSUE_NUM in $OPEN_ISSUES; do
+ echo "Closing superseded issue #${ISSUE_NUM}"
+ gh issue comment "$ISSUE_NUM" \
+ --repo "${{ github.repository }}" \
+ --body "Superseded by a newer reference implementation sync issue. Closing this one."
+ gh issue close "$ISSUE_NUM" \
+ --repo "${{ github.repository }}" \
+ --reason "not planned"
+ done
+
+ - name: Close stale reference-impl-sync issues (no changes)
+ if: steps.check.outputs.has_changes == 'false'
+ run: |
+ OPEN_ISSUES=$(gh issue list \
+ --repo "${{ github.repository }}" \
+ --label "reference-impl-sync" \
+ --state open \
+ --json number \
+ --jq '.[].number')
+
+ for ISSUE_NUM in $OPEN_ISSUES; do
+ echo "Closing stale issue #${ISSUE_NUM} — reference implementation is up to date"
+ gh issue comment "$ISSUE_NUM" \
+ --repo "${{ github.repository }}" \
+ --body "No new reference implementation changes detected. The Java SDK is up to date. Closing."
+ gh issue close "$ISSUE_NUM" \
+ --repo "${{ github.repository }}" \
+ --reason "completed"
+ done
+
+ - name: Create issue and assign to Copilot
+ id: create-issue
+ if: steps.check.outputs.has_changes == 'true'
+ env:
+ SUMMARY: ${{ steps.check.outputs.summary }}
+ run: |
+ COMMIT_COUNT="${{ steps.check.outputs.commit_count }}"
+ LAST_MERGE="${{ steps.check.outputs.last_merge }}"
+ REFERENCE_IMPL_HEAD="${{ steps.check.outputs.reference_impl_head }}"
+ DATE=$(date -u +"%Y-%m-%d")
+ REPO="${{ github.repository }}"
+
+ BODY="## Automated Reference Implementation Sync
+
+ There are **${COMMIT_COUNT}** new commits in the [official Copilot SDK](https://github.com/github/copilot-sdk) since the last merge.
+
+ - **Last merged commit:** [\`${LAST_MERGE}\`](https://github.com/github/copilot-sdk/commit/${LAST_MERGE})
+ - **Reference implementation HEAD:** [\`${REFERENCE_IMPL_HEAD}\`](https://github.com/github/copilot-sdk/commit/${REFERENCE_IMPL_HEAD})
+
+ ### Recent reference implementation commits
+
+ \`\`\`
+ ${SUMMARY}
+ \`\`\`
+
+ ### Instructions
+
+ Follow the [agentic-merge-reference-impl](.github/prompts/agentic-merge-reference-impl.prompt.md) prompt to port these changes to the Java SDK."
+
+ # Create the issue and assign to Copilot coding agent
+ ISSUE_URL=$(gh issue create \
+ --repo "$REPO" \
+ --title "Reference implementation sync: ${COMMIT_COUNT} new commits (${DATE})" \
+ --body "$BODY" \
+ --label "reference-impl-sync" \
+ --assignee "copilot-swe-agent")
+
+ echo "issue_url=$ISSUE_URL" >> "$GITHUB_OUTPUT"
+ echo "✅ Issue created and assigned to Copilot coding agent: $ISSUE_URL"
+
+ - name: Summary
+ if: always()
+ env:
+ SUMMARY: ${{ steps.check.outputs.summary }}
+ run: |
+ HAS_CHANGES="${{ steps.check.outputs.has_changes }}"
+ COMMIT_COUNT="${{ steps.check.outputs.commit_count }}"
+ LAST_MERGE="${{ steps.check.outputs.last_merge }}"
+ REFERENCE_IMPL_HEAD="${{ steps.check.outputs.reference_impl_head }}"
+ ISSUE_URL="${{ steps.create-issue.outputs.issue_url }}"
+
+ {
+ echo "## Weekly Reference Implementation Sync"
+ echo ""
+ if [ "$HAS_CHANGES" = "true" ]; then
+ echo "### ✅ New reference implementation changes detected"
+ echo ""
+ echo "| | |"
+ echo "|---|---|"
+ echo "| **New commits** | ${COMMIT_COUNT} |"
+ echo "| **Last merged** | \`${LAST_MERGE:0:12}\` |"
+ echo "| **Reference implementation HEAD** | \`${REFERENCE_IMPL_HEAD:0:12}\` |"
+ echo ""
+ echo "An issue has been created and assigned to the Copilot coding agent: "
+ echo " -> ${ISSUE_URL}"
+ echo ""
+ echo "### Recent reference implementation commits"
+ echo ""
+ echo '```'
+ echo "$SUMMARY"
+ echo '```'
+ else
+ echo "### ⏭️ No changes"
+ echo ""
+ echo "The Java SDK is already up to date with the reference implementation Copilot SDK."
+ echo ""
+ echo "**Last merged commit:** \`${LAST_MERGE:0:12}\`"
+ fi
+ } >> "$GITHUB_STEP_SUMMARY"
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index b9320ee1a..6c85671bf 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -19,7 +19,7 @@ We'd love your help with:
* Making the SDK more idiomatic and nice to use for Java developers
* Improving documentation
-If you have ideas for entirely new features, please post an issue or start a discussion. We're very open to new features but need to make sure they align with the direction of the upstream [Copilot SDK](https://github.com/github/copilot-sdk) and can be maintained in sync. Note that this repo periodically merges upstream changes — see the [README](README.md#agentic-upstream-merge-and-sync) for details on how that works.
+If you have ideas for entirely new features, please post an issue or start a discussion. We're very open to new features but need to make sure they align with the direction of the [Copilot SDK](https://github.com/github/copilot-sdk) reference implementation and can be maintained in sync. Note that this repo periodically merges reference implementation changes — see the [README](README.md#agentic-reference-implementation-merge-and-sync) for details on how that works.
## Prerequisites for running and testing code
diff --git a/README.md b/README.md
index a33aaedda..34c04ace7 100644
--- a/README.md
+++ b/README.md
@@ -161,14 +161,14 @@ See [WORKFLOWS.md](docs/WORKFLOWS.md) for a full overview and details on each wo
Contributions are welcome! Please see the [Contributing Guide](CONTRIBUTING.md) for details.
-### Agentic Upstream Merge and Sync
+### Agentic Reference Implementation Merge and Sync
-This SDK tracks the official [Copilot SDK](https://github.com/github/copilot-sdk) (.NET reference implementation) and ports changes to Java. The upstream merge process is automated with AI assistance:
+This SDK tracks the official [Copilot SDK](https://github.com/github/copilot-sdk) (.NET reference implementation) and ports changes to Java. The reference implementation merge process is automated with AI assistance:
-**Weekly automated sync** — A [scheduled GitHub Actions workflow](.github/workflows/weekly-upstream-sync.yml) runs every Monday at 5 AM ET. It checks for new upstream commits since the last merge (tracked in [`.lastmerge`](.lastmerge)), and if changes are found, creates an issue labeled `upstream-sync` and assigns it to the GitHub Copilot coding agent. Any previously open `upstream-sync` issues are automatically closed.
+**Weekly automated sync** — A [scheduled GitHub Actions workflow](.github/workflows/weekly-reference-impl-sync.yml) runs every Monday at 5 AM ET. It checks for new reference implementation commits since the last merge (tracked in [`.lastmerge`](.lastmerge)), and if changes are found, creates an issue labeled `reference-impl-sync` and assigns it to the GitHub Copilot coding agent. Any previously open `reference-impl-sync` issues are automatically closed.
-**Reusable prompt** — The merge workflow is defined in [`agentic-merge-upstream.prompt.md`](.github/prompts/agentic-merge-upstream.prompt.md). It can be triggered manually from:
-- **VS Code Copilot Chat** — type `/agentic-merge-upstream`
+**Reusable prompt** — The merge workflow is defined in [`agentic-merge-reference-impl.prompt.md`](.github/prompts/agentic-merge-reference-impl.prompt.md). It can be triggered manually from:
+- **VS Code Copilot Chat** — type `/agentic-merge-reference-impl`
- **GitHub Copilot CLI** — use `copilot` CLI with the same skill reference
### Development Setup
diff --git a/docs/WORKFLOWS.md b/docs/WORKFLOWS.md
index 74afbd337..57ec34f71 100644
--- a/docs/WORKFLOWS.md
+++ b/docs/WORKFLOWS.md
@@ -7,8 +7,8 @@
| [Build & Test](workflows/build-test.yml) | Builds, lints, and tests the Java SDK | `push` (main), `pull_request`, `merge_group`, `workflow_dispatch` | Sundays at 00:00 UTC |
| [Deploy Documentation](workflows/deploy-site.yml) | Generates and deploys versioned docs to GitHub Pages | `workflow_run` (after Build & Test), `release`, `workflow_dispatch` | — |
| [Publish to Maven Central](workflows/publish-maven.yml) | Releases the SDK to Maven Central and creates a GitHub Release | `workflow_dispatch` | — |
-| [Weekly Upstream Sync](workflows/weekly-upstream-sync.yml) | Checks for new upstream commits and creates an issue for Copilot to merge | `workflow_dispatch` | Mondays at 10:00 UTC |
-| [Weekly Upstream Sync (Agentic)](workflows/weekly-upstream-sync.lock.yml) | Compiled agentic workflow that executes the upstream sync via `gh-aw` | `workflow_dispatch` | Tuesdays at 08:39 UTC (scattered) |
+| [Weekly Reference Implementation Sync](workflows/weekly-reference-impl-sync.yml) | Checks for new reference implementation commits and creates an issue for Copilot to merge | `workflow_dispatch` | Mondays at 10:00 UTC |
+| [Weekly Reference Implementation Sync (Agentic)](workflows/weekly-reference-impl-sync.lock.yml) | Compiled agentic workflow that executes the reference implementation sync via `gh-aw` | `workflow_dispatch` | Tuesdays at 08:39 UTC (scattered) |
| [Copilot Setup Steps](workflows/copilot-setup-steps.yml) | Configures the environment for the GitHub Copilot coding agent | `push` (on self-change), `workflow_dispatch` | — |
---
@@ -53,7 +53,7 @@ Manual-only workflow that performs a full release:
1. Determines release and next development versions (auto-derived from `pom.xml` or manually specified)
2. Updates `CHANGELOG.md`, `README.md`, and `jbang-example.java` with the release version
-3. Injects the upstream sync commit hash from `.lastmerge` into the changelog
+3. Injects the reference implementation sync commit hash from `.lastmerge` into the changelog
4. Runs `mvn release:prepare` and `mvn release:perform` to deploy to Maven Central
5. Creates a GitHub Release with auto-generated notes
6. Moves the `latest` git tag forward
@@ -62,26 +62,26 @@ Manual-only workflow that performs a full release:
---
-## Weekly Upstream Sync
+## Weekly Reference Implementation Sync
-**File:** [`weekly-upstream-sync.yml`](workflows/weekly-upstream-sync.yml)
+**File:** [`weekly-reference-impl-sync.yml`](workflows/weekly-reference-impl-sync.yml)
Runs every Monday at 10:00 UTC. Clones the official `github/copilot-sdk` repository and compares `HEAD` against the commit hash stored in `.lastmerge`.
If new commits are found:
-1. Closes any previously open `upstream-sync` issues
-2. Creates a new issue with a summary of upstream changes
+1. Closes any previously open `reference-impl-sync` issues
+2. Creates a new issue with a summary of reference implementation changes
3. Assigns the issue to `copilot-swe-agent` for automated porting
-If no changes are found, any stale open `upstream-sync` issues are closed.
+If no changes are found, any stale open `reference-impl-sync` issues are closed.
---
-## Weekly Upstream Sync (Agentic Workflow: Experimental)
+## Weekly Reference Implementation Sync (Agentic Workflow: Experimental)
-**File:** [`weekly-upstream-sync.lock.yml`](workflows/weekly-upstream-sync.lock.yml)
+**File:** [`weekly-reference-impl-sync.lock.yml`](workflows/weekly-reference-impl-sync.lock.yml)
-Auto-generated compiled workflow produced by `gh aw compile` from the corresponding `.md` source. This is the agentic counterpart that actually executes the upstream merge using the `gh-aw` MCP server and Copilot coding agent.
+Auto-generated compiled workflow produced by `gh aw compile` from the corresponding `.md` source. This is the agentic counterpart that actually executes the reference implementation merge using the `gh-aw` MCP server and Copilot coding agent.
> **Do not edit this file directly.** Edit the `.md` source and run `gh aw compile`.
From f3f196bb84471619ac4e20432262790dcf9ba0b8 Mon Sep 17 00:00:00 2001
From: Ed Burns
Date: Thu, 16 Apr 2026 15:11:00 -0400
Subject: [PATCH 06/32] Replace upstream terminology with reference
implementation
Rebase the topic branch onto current main and preserve the original intent:
replace "upstream" naming with "reference implementation" across the repo.
- Update docs, prompts, workflows, and release automation wording
- Remove legacy upstream-sync assets superseded by reference-impl-sync assets
- Update references in tests and project guidance content
- Keep behavior aligned while clarifying terminology
- Apply Spotless formatting updates in touched Java test files
Co-authored-by: edburns <75821+edburns@users.noreply.github.com>
---
.../skills/agentic-merge-upstream/SKILL.md | 7 -
.github/copilot-instructions.md | 11 +-
.../agentic-merge-reference-impl.prompt.md | 17 +-
.../prompts/agentic-merge-upstream.prompt.md | 439 ------
.../coding-agent-merge-instructions.md | 19 -
.github/scripts/release/update-changelog.sh | 33 +-
.../upstream-sync/merge-upstream-diff.sh | 86 --
.../upstream-sync/merge-upstream-finish.sh | 63 -
.../upstream-sync/merge-upstream-start.sh | 88 --
.../skills/agentic-merge-upstream/SKILL.md | 7 -
.github/workflows/publish-maven.yml | 15 +-
.../workflows/weekly-upstream-sync.lock.yml | 1239 -----------------
.github/workflows/weekly-upstream-sync.md | 117 --
.github/workflows/weekly-upstream-sync.yml | 181 ---
CHANGELOG.md | 111 +-
CONTRIBUTING.md | 3 +-
README.md | 3 +-
docs/WORKFLOWS.md | 5 +-
...adr-001-semver-pre-general-availability.md | 3 +-
...n-and-reference-implementation-tracking.md | 3 +-
.../com/github/copilot/sdk/CommandsTest.java | 3 +-
.../github/copilot/sdk/ElicitationTest.java | 3 +-
.../com/github/copilot/sdk/HooksTest.java | 4 +-
23 files changed, 113 insertions(+), 2347 deletions(-)
delete mode 100644 .claude/skills/agentic-merge-upstream/SKILL.md
delete mode 100644 .github/prompts/agentic-merge-upstream.prompt.md
delete mode 100644 .github/prompts/coding-agent-merge-instructions.md
delete mode 100755 .github/scripts/upstream-sync/merge-upstream-diff.sh
delete mode 100755 .github/scripts/upstream-sync/merge-upstream-finish.sh
delete mode 100755 .github/scripts/upstream-sync/merge-upstream-start.sh
delete mode 100644 .github/skills/agentic-merge-upstream/SKILL.md
delete mode 100644 .github/workflows/weekly-upstream-sync.lock.yml
delete mode 100644 .github/workflows/weekly-upstream-sync.md
delete mode 100644 .github/workflows/weekly-upstream-sync.yml
diff --git a/.claude/skills/agentic-merge-upstream/SKILL.md b/.claude/skills/agentic-merge-upstream/SKILL.md
deleted file mode 100644
index 32428db89..000000000
--- a/.claude/skills/agentic-merge-upstream/SKILL.md
+++ /dev/null
@@ -1,7 +0,0 @@
----
-name: agentic-merge-upstream
-description: Merge upstream changes from the official Copilot SDK into this Java SDK.
-license: MIT
----
-
-Follow instructions in the [agentic-merge-upstream prompt](../../../.github/prompts/agentic-merge-upstream.prompt.md) to merge upstream changes from the official Copilot SDK into this Java SDK.
\ No newline at end of file
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
index edd40797b..c1a2d8dec 100644
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -9,7 +9,7 @@ These instructions guide GitHub Copilot when assisting with this repository. The
- **Tech Stack**: Java 17+, Maven, Jackson for JSON, JUnit for testing
- **Purpose**: Provide a Java SDK for programmatic control of GitHub Copilot CLI
- **Architecture**: JSON-RPC client communicating with Copilot CLI over stdio
-- **Key Goals**: Maintain parity with upstream .NET SDK while following Java idioms
+- **Key Goals**: Maintain parity with reference implementation .NET SDK while following Java idioms
## Build & Test Commands
@@ -85,7 +85,7 @@ Tests use the official copilot-sdk test harness from `https://github.com/github/
- **E2ETestContext** - Manages test environment with CapiProxy for deterministic API responses
- **CapiProxy** - Node.js-based replaying proxy using YAML snapshots from `test/snapshots/`
-- Test snapshots are stored in the upstream repo's `test/snapshots/` directory
+- Test snapshots are stored in the reference implementation repo's `test/snapshots/` directory
## Key Conventions
@@ -217,7 +217,7 @@ Test method names are converted to lowercase snake_case for snapshot filenames t
- **DO NOT** modify `target/` directory - this contains build artifacts
- **DO NOT** edit `pom.xml` dependencies without careful consideration - this SDK has minimal dependencies by design
- **DO NOT** change the Jackson version without testing against all serialization patterns
-- **DO NOT** modify test snapshots in `target/copilot-sdk/test/snapshots/` - these come from upstream
+- **DO NOT** modify test snapshots in `target/copilot-sdk/test/snapshots/` - these come from reference implementation
- **DO NOT** alter the Eclipse formatter configuration in `pom.xml` without team consensus
- **DO NOT** remove or skip Checkstyle or Spotless checks
@@ -299,12 +299,12 @@ The release process is automated via the `publish-maven.yml` GitHub Actions work
- Converts the `## [Unreleased]` section to `## [version] - date`
- Creates a new empty `## [Unreleased]` section at the top
- Updates version comparison links at the bottom of CHANGELOG.md
- - Injects the upstream SDK commit hash (from `.lastmerge`) as a `> **Upstream sync:**` blockquote in both the new `[Unreleased]` section and the released version section
+ - Injects the reference implementation SDK commit hash (from `.lastmerge`) as a `> **Reference implementation sync:**` blockquote in both the new `[Unreleased]` section and the released version section
2. **Reference Implementation Sync Tracking**: Each release records which commit from the official `github/copilot-sdk` it is synced to:
- The `.lastmerge` file is read during the release workflow
- The commit hash is injected into `CHANGELOG.md` under the release heading
- - Format: `> **Upstream sync:** [\`github/copilot-sdk@SHORT_HASH\`](link-to-commit)`
+ - Format: `> **Reference implementation sync:** [\`github/copilot-sdk@SHORT_HASH\`](link-to-commit)`
3. **Documentation Updates**: README.md and jbang-example.java are updated with the new version.
@@ -316,3 +316,4 @@ The release process is automated via the `publish-maven.yml` GitHub Actions work
5. **Rollback**: If the release fails, the documentation commit is automatically reverted
The workflow is triggered manually via workflow_dispatch with optional version parameters.
+
diff --git a/.github/prompts/agentic-merge-reference-impl.prompt.md b/.github/prompts/agentic-merge-reference-impl.prompt.md
index fd7c3fa13..1c19b6f1c 100644
--- a/.github/prompts/agentic-merge-reference-impl.prompt.md
+++ b/.github/prompts/agentic-merge-reference-impl.prompt.md
@@ -56,7 +56,7 @@ This writes a `.merge-env` file used by the other scripts. It outputs:
- The reference-impl dir path
- A short log of reference implementation commits since `.lastmerge`
-## Step 2: Analyze Upstream Changes
+## Step 2: Analyze reference implementation Changes
Run the diff script for a detailed breakdown by area:
@@ -96,7 +96,7 @@ For each change in the reference implementation diff, determine:
### Key Files to Compare
-| Upstream (.NET) | Java SDK Equivalent |
+| reference implementation (.NET) | Java SDK Equivalent |
|------------------------------------|--------------------------------------------------------|
| `dotnet/src/Client.cs` | `src/main/java/com/github/copilot/sdk/CopilotClient.java` |
| `dotnet/src/Session.cs` | `src/main/java/com/github/copilot/sdk/CopilotSession.java` |
@@ -121,7 +121,7 @@ Before modifying any code:
2. **Identify the Java equivalent approach** - Don't replicate C# patterns; find the idiomatic Java way
3. **Check for existing abstractions** - The Java SDK may already have mechanisms that differ from .NET
4. **Preserve backward compatibility** - Existing API signatures should not break unless absolutely necessary
-5. **When in doubt, match existing code** - Follow what's already in the Java SDK, not the upstream
+5. **When in doubt, match existing code** - Follow what's already in the Java SDK, not the reference implementation
### Commit Changes Incrementally
@@ -181,8 +181,8 @@ After porting implementation changes, **always check for new or updated tests**
```bash
cd "$TEMP_DIR/copilot-sdk"
-git diff "$LAST_MERGE_COMMIT"..origin/main --stat -- dotnet/test/
-git diff "$LAST_MERGE_COMMIT"..origin/main --stat -- test/snapshots/
+git diff "$LAST_REFERENCE_IMPL_COMMIT"..origin/main --stat -- dotnet/test/
+git diff "$LAST_REFERENCE_IMPL_COMMIT"..origin/main --stat -- test/snapshots/
```
### Port Test Cases
@@ -196,7 +196,7 @@ For each new or modified test file in `dotnet/test/`:
### Test File Mapping
-| Upstream Test (.NET) | Java SDK Test |
+| reference implementation Test (.NET) | Java SDK Test |
|-----------------------------|--------------------------------------------------------|
| `dotnet/test/AskUserTests.cs` | `src/test/java/com/github/copilot/sdk/AskUserTest.java` |
| `dotnet/test/HooksTests.cs` | `src/test/java/com/github/copilot/sdk/HooksTest.java` |
@@ -209,7 +209,7 @@ New test snapshots are stored in `test/snapshots/` in the reference implementati
If tests fail with errors like `TypeError: Cannot read properties of undefined`, the test harness may not yet support the new RPC methods. In this case:
-1. **Mark tests as `@Disabled`** with a clear reason (e.g., `@Disabled("Requires test harness update with X support - see upstream PR #NNN")`)
+1. **Mark tests as `@Disabled`** with a clear reason (e.g., `@Disabled("Requires test harness update with X support - see reference implementation PR #NNN")`)
2. **Document the dependency** in the test class Javadoc
3. **Enable tests later** once the harness is updated
@@ -403,7 +403,7 @@ Before finishing:
- [ ] New branch created from `main`
- [ ] Copilot CLI updated to latest version
- [ ] README.md updated with minimum CLI version requirement
-- [ ] Upstream repository cloned
+- [ ] reference implementation repository cloned
- [ ] Diff analyzed between `.lastmerge` commit and HEAD
- [ ] New features/fixes identified
- [ ] Changes ported to Java SDK following conventions
@@ -437,3 +437,4 @@ Before finishing:
- Uses JUnit 5 for testing
- **Java SDK design decisions take precedence over reference implementation patterns**
- **Adapt reference implementation changes to fit Java idioms, not the other way around**
+
diff --git a/.github/prompts/agentic-merge-upstream.prompt.md b/.github/prompts/agentic-merge-upstream.prompt.md
deleted file mode 100644
index c1d2c54a0..000000000
--- a/.github/prompts/agentic-merge-upstream.prompt.md
+++ /dev/null
@@ -1,439 +0,0 @@
-# Merge Upstream SDK Changes
-
-You are an expert Java developer tasked with porting changes from the official Copilot SDK (primarily the .NET implementation) to this Java SDK.
-
-## ⚠️ IMPORTANT: Java SDK Design Takes Priority
-
-**The current design and architecture of the Java SDK is the priority.** When porting changes from upstream:
-
-1. **Adapt, don't copy** - Translate upstream features to fit the Java SDK's existing patterns, naming conventions, and architecture
-2. **Preserve Java idioms** - The Java SDK should feel natural to Java developers, not like a C# port
-3. **Maintain consistency** - New code must match the existing codebase style and structure
-4. **Evaluate before porting** - Not every upstream change needs to be ported; some may not be applicable or may conflict with Java SDK design decisions
-
-Before making any changes, **read and understand the existing Java SDK implementation** to ensure new code integrates seamlessly.
-
-## Utility Scripts
-
-The `.github/scripts/` directory contains helper scripts that automate the repeatable parts of this workflow. **Use these scripts instead of running the commands manually.**
-
-| Script | Purpose |
-|---|---|
-| `.github/scripts/upstream-sync/merge-upstream-start.sh` | Creates branch, updates CLI, clones upstream, reads `.lastmerge`, prints commit summary |
-| `.github/scripts/upstream-sync/merge-upstream-diff.sh` | Detailed diff analysis grouped by area (`.NET src`, tests, snapshots, docs, etc.) |
-| `.github/scripts/upstream-sync/merge-upstream-finish.sh` | Runs format + test + build, updates `.lastmerge`, commits, pushes branch |
-| `.github/scripts/build/format-and-test.sh` | Standalone `spotless:apply` + `mvn clean verify` (useful during porting too) |
-
-All scripts write/read a `.merge-env` file (git-ignored) to share state (branch name, upstream dir, last-merge commit).
-
-## Workflow Overview
-
-1. Run `./.github/scripts/upstream-sync/merge-upstream-start.sh` (creates branch, clones upstream, shows summary)
-2. Run `./.github/scripts/upstream-sync/merge-upstream-diff.sh` (analyze changes)
-3. Update README with minimum CLI version requirement
-4. Identify upstream changes to port
-5. Apply changes to Java SDK (commit as you go)
-6. Port/adjust tests from upstream changes
-7. Run `./.github/scripts/build/format-and-test.sh` frequently while porting
-8. Build the package
-9. Update documentation (**required for every user-facing upstream change**)
-10. Run `./.github/scripts/upstream-sync/merge-upstream-finish.sh` (final test + push) and finalize Pull Request (see note below about coding agent vs. manual workflow)
-11. Perform final review before handing off
-
----
-
-## Step 1: Initialize Upstream Sync
-
-Run the start script to create a branch, update the CLI, clone the upstream repo, and see a summary of new commits:
-
-```bash
-./.github/scripts/upstream-sync/merge-upstream-start.sh
-```
-
-This writes a `.merge-env` file used by the other scripts. It outputs:
-- The branch name created
-- The Copilot CLI version
-- The upstream dir path
-- A short log of upstream commits since `.lastmerge`
-
-## Step 2: Analyze Upstream Changes
-
-Run the diff script for a detailed breakdown by area:
-
-```bash
-./.github/scripts/upstream-sync/merge-upstream-diff.sh # stat only
-./.github/scripts/upstream-sync/merge-upstream-diff.sh --full # full diffs
-```
-
-The diff script groups changes into: .NET source, .NET tests, test snapshots, documentation, protocol/config, Go/Node.js/Python SDKs, and other files.
-
-## Step 3: Update README with CLI Version
-
-After the start script runs, check the CLI version it printed (also saved in `.merge-env` as `CLI_VERSION`). Update the Requirements section in `README.md` and `src/site/markdown/index.md` to specify the minimum CLI version requirement.
-
-Commit this change before proceeding:
-
-```bash
-git add README.md src/site/markdown/index.md
-git commit -m "Update Copilot CLI minimum version requirement"
-```
-
-## Step 4: Identify Changes to Port
-
-Using the output from `merge-upstream-diff.sh`, focus on:
-- `dotnet/src/` - Primary reference implementation
-- `dotnet/test/` - Test cases to port
-- `docs/` - Documentation updates
-- `sdk-protocol-version.json` - Protocol version changes
-
-For each change in the upstream diff, determine:
-
-1. **New Features**: New methods, classes, or capabilities added to the SDK
-2. **Bug Fixes**: Corrections to existing functionality
-3. **API Changes**: Changes to public interfaces or method signatures
-4. **Protocol Updates**: Changes to the JSON-RPC protocol or message types
-5. **Test Updates**: New or modified test cases
-
-### Key Files to Compare
-
-| Upstream (.NET) | Java SDK Equivalent |
-|------------------------------------|--------------------------------------------------------|
-| `dotnet/src/Client.cs` | `src/main/java/com/github/copilot/sdk/CopilotClient.java` |
-| `dotnet/src/Session.cs` | `src/main/java/com/github/copilot/sdk/CopilotSession.java` |
-| `dotnet/src/Types.cs` | `src/main/java/com/github/copilot/sdk/types/*.java` |
-| `dotnet/src/Generated/*.cs` | `src/main/java/com/github/copilot/sdk/types/*.java` |
-| `dotnet/test/*.cs` | `src/test/java/com/github/copilot/sdk/*Test.java` |
-| `docs/getting-started.md` | `README.md` and `src/site/markdown/*.md` |
-| `docs/*.md` (new files) | `src/site/markdown/*.md` + update `src/site/site.xml` |
-| `sdk-protocol-version.json` | (embedded in Java code or resource file) |
-
-> **⚠️ Important:** When adding new documentation pages, always update `src/site/site.xml` to include them in the navigation menu.
-
-## Step 5: Apply Changes to Java SDK
-
-When porting changes:
-
-### ⚠️ Priority: Preserve Java SDK Design
-
-Before modifying any code:
-
-1. **Read the existing Java implementation first** - Understand current patterns, class structure, and naming
-2. **Identify the Java equivalent approach** - Don't replicate C# patterns; find the idiomatic Java way
-3. **Check for existing abstractions** - The Java SDK may already have mechanisms that differ from .NET
-4. **Preserve backward compatibility** - Existing API signatures should not break unless absolutely necessary
-5. **When in doubt, match existing code** - Follow what's already in the Java SDK, not the upstream
-
-### Commit Changes Incrementally
-
-**Important:** Commit your changes as you work, grouping related changes together:
-
-```bash
-# After porting a feature or fix, commit with a descriptive message
-git add
-git commit -m "Port from upstream"
-
-# Example commits:
-# git commit -m "Port new authentication flow from upstream"
-# git commit -m "Add new message types from upstream protocol update"
-# git commit -m "Port bug fix for session handling from upstream"
-```
-
-This creates a clear history of changes that can be reviewed in the Pull Request.
-
-### General Guidelines
-
-- **Naming Conventions**: Convert C# PascalCase to Java camelCase for methods/variables
-- **Async Patterns**: C# `async/await` → Java `CompletableFuture` or synchronous equivalents
-- **Nullable Types**: C# `?` nullable → Java `@Nullable` annotations or `Optional`
-- **Properties**: C# properties → Java getters/setters or records
-- **Records**: C# records → Java records (Java 17+)
-- **Events**: C# events → Java callbacks or listeners
-
-### Type Mappings
-
-| C# Type | Java Equivalent |
-|------------------------|------------------------------|
-| `string` | `String` |
-| `int` | `int` / `Integer` |
-| `bool` | `boolean` / `Boolean` |
-| `Task` | `CompletableFuture` |
-| `CancellationToken` | (custom implementation) |
-| `IAsyncEnumerable` | `Stream` or `Iterator` |
-| `JsonElement` | `JsonNode` (Jackson) |
-| `Dictionary` | `Map` |
-| `List` | `List` |
-
-### Code Style
-
-Follow the existing Java SDK patterns:
-- Use Jackson for JSON serialization (`ObjectMapper`)
-- Use Java records for DTOs where appropriate
-- Follow the existing package structure under `com.github.copilot.sdk`
-- Maintain backward compatibility when possible
-- **Match the style of surrounding code** - Consistency with existing code is more important than upstream patterns
-- **Prefer existing abstractions** - If the Java SDK already solves a problem differently than .NET, keep the Java approach
-
-## Step 6: Port Tests
-
-After porting implementation changes, **always check for new or updated tests** in the upstream repository:
-
-### Check for New Tests
-
-```bash
-cd "$TEMP_DIR/copilot-sdk"
-git diff "$LAST_MERGE_COMMIT"..origin/main --stat -- dotnet/test/
-git diff "$LAST_MERGE_COMMIT"..origin/main --stat -- test/snapshots/
-```
-
-### Port Test Cases
-
-For each new or modified test file in `dotnet/test/`:
-
-1. **Create corresponding Java test class** in `src/test/java/com/github/copilot/sdk/`
-2. **Follow existing test patterns** - Look at existing tests like `PermissionsTest.java` for structure
-3. **Use the E2ETestContext** infrastructure for tests that need the test harness
-4. **Match snapshot directory names** - Test snapshots in `test/snapshots/` must match the directory name used in `ctx.configureForTest()`
-
-### Test File Mapping
-
-| Upstream Test (.NET) | Java SDK Test |
-|-----------------------------|--------------------------------------------------------|
-| `dotnet/test/AskUserTests.cs` | `src/test/java/com/github/copilot/sdk/AskUserTest.java` |
-| `dotnet/test/HooksTests.cs` | `src/test/java/com/github/copilot/sdk/HooksTest.java` |
-| `dotnet/test/ClientTests.cs` | `src/test/java/com/github/copilot/sdk/CopilotClientTest.java` |
-| `dotnet/test/*Tests.cs` | `src/test/java/com/github/copilot/sdk/*Test.java` |
-
-### Test Snapshot Compatibility
-
-New test snapshots are stored in `test/snapshots/` in the upstream repository. These snapshots are automatically cloned during the Maven build process.
-
-If tests fail with errors like `TypeError: Cannot read properties of undefined`, the test harness may not yet support the new RPC methods. In this case:
-
-1. **Mark tests as `@Disabled`** with a clear reason (e.g., `@Disabled("Requires test harness update with X support - see upstream PR #NNN")`)
-2. **Document the dependency** in the test class Javadoc
-3. **Enable tests later** once the harness is updated
-
-### Unit Tests vs E2E Tests
-
-- **Unit tests** (like auth option validation) can run without the test harness
-- **E2E tests** require the test harness with matching snapshots
-
-Commit tests separately or together with their corresponding implementation changes.
-
-## Step 7: Format and Run Tests
-
-After applying changes, use the convenience script:
-
-```bash
-./.github/scripts/build/format-and-test.sh # format + full verify
-./.github/scripts/build/format-and-test.sh --debug # with debug logging
-```
-
-Or for quicker iteration during porting:
-
-```bash
-./.github/scripts/build/format-and-test.sh --format-only # just spotless
-./.github/scripts/build/format-and-test.sh --test-only # skip formatting
-```
-
-### If Tests Fail
-
-1. Read the test output carefully
-2. Identify the root cause (compilation error, runtime error, assertion failure)
-3. Fix the issue in the Java code
-4. Re-run tests
-5. Repeat until all tests pass
-
-### Common Issues
-
-- **Missing imports**: Add required import statements
-- **Type mismatches**: Ensure proper type conversions
-- **Null handling**: Add null checks where C# had nullable types
-- **JSON serialization**: Verify Jackson annotations are correct
-
-## Step 8: Build the Package
-
-Once tests pass, build the complete package:
-
-```bash
-mvn clean package -DskipTests
-```
-
-Verify:
-- No compilation errors
-- No warnings (if possible)
-- JAR file is generated in `target/`
-
-## Step 9: Update Documentation
-
-**Documentation is critical for new features.** Every new feature ported from upstream must be documented before the merge is complete.
-Review and complete this documentation checklist before proceeding to Step 10.
-If you determine no docs changes are needed, document that decision and rationale in the PR body under a clear heading (for example, `Documentation Impact`).
-
-### Documentation Checklist
-
-For each new feature or significant change:
-
-1. **README.md**: Update the main README if there are user-facing changes
-2. **src/site/markdown/index.md**: Update if requirements or quick start examples change
-3. **src/site/markdown/documentation.md**: Add sections for new basic usage patterns
-4. **src/site/markdown/advanced.md**: Add sections for new advanced features (tools, handlers, configurations)
-5. **src/site/markdown/mcp.md**: Update if MCP-related changes are made
-6. **Javadoc**: Add/update Javadoc comments for all new/changed public APIs
-7. **src/site/site.xml**: Update if new documentation pages were added
-
-### Documentation Requirements for New Features
-
-When adding a new feature, ensure the documentation includes:
-
-- **What it does**: Clear explanation of the feature's purpose
-- **How to use it**: Code example showing typical usage
-- **API reference**: Link to relevant Javadoc
-- **Configuration options**: All available settings/properties
-
-### Example: Documenting a New Handler
-
-If a new handler (like `UserInputHandler`, `PermissionHandler`) is added, create a section in `advanced.md`:
-
-```markdown
-## Feature Name
-
-Brief description of what the feature does.
-
-\`\`\`java
-var session = client.createSession(
- new SessionConfig()
- .setOnFeatureRequest((request, invocation) -> {
- // Handle the request
- return CompletableFuture.completedFuture(result);
- })
-).get();
-\`\`\`
-
-Explain the request/response objects and their properties.
-
-See [FeatureHandler](apidocs/com/github/copilot/sdk/json/FeatureHandler.html) Javadoc for more details.
-```
-
-### Verify Documentation Consistency
-
-Ensure consistency across all documentation files:
-
-- Requirements section should match in `README.md` and `src/site/markdown/index.md`
-- Code examples should use the same patterns and be tested
-- Links to Javadoc should use correct paths (`apidocs/...`)
-
-## Step 10: Finish, Push, and Finalize Pull Request
-
-Run the finish script which updates `.lastmerge`, runs a final build, and pushes the branch:
-
-```bash
-./.github/scripts/upstream-sync/merge-upstream-finish.sh # full format + test + push
-./.github/scripts/upstream-sync/merge-upstream-finish.sh --skip-tests # if tests already passed
-```
-
-### PR Handling: Coding Agent vs. Manual Workflow
-
-**If running as a Copilot coding agent** (triggered via GitHub issue assignment by the weekly sync workflow), a pull request has **already been created automatically** for you. Do NOT create a new one. Just push your commits to the current branch — the existing PR will be updated. Add the `upstream-sync` label to the existing PR by running this command in a terminal:
-
-```bash
-gh pr edit --add-label "upstream-sync"
-```
-
-> **No-changes scenario (coding agent only):** If after analyzing the upstream diff there are no relevant changes to port to the Java SDK, push an empty commit with a message explaining why no changes were needed, so the PR reflects the analysis outcome. The repository maintainer will close the PR and issue manually.
-
-**If running manually** (e.g., from VS Code via the reusable prompt), create the Pull Request using `gh` CLI or the GitHub MCP tool. Then add the label:
-
-```bash
-gh pr create --base main --title "Merge upstream SDK changes (YYYY-MM-DD)" --body-file /dev/stdin <<< "$PR_BODY"
-gh pr edit --add-label "upstream-sync"
-```
-
-The PR body should include:
-1. **Title**: `Merge upstream SDK changes (YYYY-MM-DD)`
-2. **Body** with:
- - Summary of upstream commits analyzed (with count and commit range)
- - Table of changes ported (commit hash + description)
- - List of changes intentionally not ported (with reasons)
- - Verification status (test count, build status)
-
-### PR Body Template
-
-```markdown
-## Upstream Merge
-
-Ports changes from the official Copilot SDK ([github/copilot-sdk](https://github.com/github/copilot-sdk)) since last merge (``→``).
-
-### Upstream commits analyzed (N commits)
-
-- Brief description of each upstream change and whether it was ported or not
-
-### Changes ported
-
-| Commit | Description |
-|---|---|
-| `` | Description of change |
-
-### Not ported (intentionally)
-
-- **Feature name** — Reason why it wasn't ported
-
-### Verification
-
-- All **N tests pass** (`mvn clean test`)
-- Package builds successfully (`mvn clean package -DskipTests`)
-- Code formatted with Spotless
-```
-
-## Step 11: Final Review
-
-Before finishing:
-
-1. Run `git log --oneline main..$BRANCH_NAME` to review all commits
-2. Run `git diff main..$BRANCH_NAME --stat` to see a summary of all changes
-3. Ensure no unintended changes were made
-4. Verify code follows project conventions
-5. Confirm the branch was pushed to remote
-6. Confirm the Pull Request is ready (created or updated) and provide the PR URL to the user
-
----
-
-## Checklist
-
-- [ ] New branch created from `main`
-- [ ] Copilot CLI updated to latest version
-- [ ] README.md updated with minimum CLI version requirement
-- [ ] Upstream repository cloned
-- [ ] Diff analyzed between `.lastmerge` commit and HEAD
-- [ ] New features/fixes identified
-- [ ] Changes ported to Java SDK following conventions
-- [ ] **New/updated tests ported from upstream** (check `dotnet/test/` and `test/snapshots/`)
-- [ ] Tests marked `@Disabled` if harness doesn't support new features yet
-- [ ] Changes committed incrementally with descriptive messages
-- [ ] `mvn test` passes
-- [ ] `mvn package` builds successfully
-- [ ] **Documentation updated for new features:**
- - [ ] `README.md` updated if user-facing changes
- - [ ] `src/site/markdown/index.md` updated if requirements changed
- - [ ] `src/site/markdown/documentation.md` updated for new basic usage
- - [ ] `src/site/markdown/advanced.md` updated for new advanced features
- - [ ] Javadoc added/updated for new public APIs
-- [ ] If no documentation files were changed for user-facing upstream changes, PR body explicitly explains why documentation changes were not needed
-- [ ] `src/site/site.xml` updated if new documentation pages were added
-- [ ] `.lastmerge` file updated with new commit hash
-- [ ] Branch pushed to remote
-- [ ] **Pull Request finalized** (coding agent: push to existing PR; manual: create via `mcp_github_create_pull_request`)
-- [ ] **`upstream-sync` label added** to the PR via `mcp_github_add_issue_labels`
-- [ ] PR URL provided to user
-
----
-
-## Notes
-
-- The upstream SDK is at: `https://github.com/github/copilot-sdk.git`
-- Primary reference implementation is in `dotnet/` folder
-- This Java SDK targets Java 17+
-- Uses Jackson for JSON processing
-- Uses JUnit 5 for testing
-- **Java SDK design decisions take precedence over upstream patterns**
-- **Adapt upstream changes to fit Java idioms, not the other way around**
diff --git a/.github/prompts/coding-agent-merge-instructions.md b/.github/prompts/coding-agent-merge-instructions.md
deleted file mode 100644
index 1c18e1f5f..000000000
--- a/.github/prompts/coding-agent-merge-instructions.md
+++ /dev/null
@@ -1,19 +0,0 @@
-
-
-
-Follow the agentic-merge-upstream prompt at .github/prompts/agentic-merge-upstream.prompt.md
-to port upstream changes to the Java SDK.
-
-Use the utility scripts in .github/scripts/ subfolders for initialization, diffing, formatting, and testing.
-Commit changes incrementally. Update .lastmerge when done.
-
-IMPORTANT: A pull request has already been created automatically for you — do NOT create a new
-one. Push your commits to the current branch, and the existing PR will be updated.
-
-Add the 'upstream-sync' label to the existing PR by running this command in a terminal:
-
- gh pr edit --add-label "upstream-sync"
-
-If after analyzing the upstream diff there are no relevant changes to port to the Java SDK,
-push an empty commit with a message explaining why no changes were needed, so the PR reflects
-the analysis outcome. The repository maintainer will close the PR and issue manually.
diff --git a/.github/scripts/release/update-changelog.sh b/.github/scripts/release/update-changelog.sh
index a18d35b02..926da5b3b 100755
--- a/.github/scripts/release/update-changelog.sh
+++ b/.github/scripts/release/update-changelog.sh
@@ -2,24 +2,24 @@
set -e
# Script to update CHANGELOG.md during release process
-# Usage: ./update-changelog.sh [upstream-hash]
+# Usage: ./update-changelog.sh [reference implementation-hash]
# Example: ./update-changelog.sh 1.0.8
# Example: ./update-changelog.sh 1.0.8 05e3c46c8c23130c9c064dc43d00ec78f7a75eab
if [ -z "$1" ]; then
echo "Error: Version argument required"
- echo "Usage: $0 [upstream-hash]"
+ echo "Usage: $0 [reference implementation-hash]"
exit 1
fi
VERSION="$1"
-UPSTREAM_HASH="${2:-}"
+REFERENCE_IMPL_HASH="${2:-}"
CHANGELOG_FILE="${CHANGELOG_FILE:-CHANGELOG.md}"
RELEASE_DATE=$(date +%Y-%m-%d)
echo "Updating CHANGELOG.md for version ${VERSION} (${RELEASE_DATE})"
-if [ -n "$UPSTREAM_HASH" ]; then
- echo " Upstream SDK sync: ${UPSTREAM_HASH:0:7}"
+if [ -n "$REFERENCE_IMPL_HASH" ]; then
+ echo " Reference implementation SDK sync: ${REFERENCE_IMPL_HASH:0:7}"
fi
# Check if CHANGELOG.md exists
@@ -38,7 +38,7 @@ fi
TEMP_FILE=$(mktemp)
# Process the CHANGELOG
-awk -v version="$VERSION" -v date="$RELEASE_DATE" -v upstream_hash="$UPSTREAM_HASH" '
+awk -v version="$VERSION" -v date="$RELEASE_DATE" -v REFERENCE_IMPL_HASH="$REFERENCE_IMPL_HASH" '
BEGIN {
unreleased_found = 0
content_found = 0
@@ -65,26 +65,26 @@ links_section && repo_url == "" && /^\[[0-9]+\.[0-9]+\.[0-9]+(-java\.[0-9]+)?\]:
if (!unreleased_found) {
print "## [Unreleased]"
print ""
- if (upstream_hash != "") {
- short_hash = substr(upstream_hash, 1, 7)
- print "> **Upstream sync:** [`github/copilot-sdk@" short_hash "`](https://github.com/github/copilot-sdk/commit/" upstream_hash ")"
+ if (REFERENCE_IMPL_HASH != "") {
+ short_hash = substr(REFERENCE_IMPL_HASH, 1, 7)
+ print "> **Reference implementation sync:** [`github/copilot-sdk@" short_hash "`](https://github.com/github/copilot-sdk/commit/" REFERENCE_IMPL_HASH ")"
print ""
}
print "## [" version "] - " date
- if (upstream_hash != "") {
+ if (REFERENCE_IMPL_HASH != "") {
print ""
- print "> **Upstream sync:** [`github/copilot-sdk@" short_hash "`](https://github.com/github/copilot-sdk/commit/" upstream_hash ")"
+ print "> **Reference implementation sync:** [`github/copilot-sdk@" short_hash "`](https://github.com/github/copilot-sdk/commit/" REFERENCE_IMPL_HASH ")"
}
unreleased_found = 1
- skip_old_upstream = 1
+ skip_old_reference_impl = 1
next
}
}
-# Skip the old upstream sync line and surrounding blank lines from the previous [Unreleased] section
-skip_old_upstream && /^[[:space:]]*$/ { next }
-skip_old_upstream && /^> \*\*Upstream sync:\*\*/ { next }
-skip_old_upstream && !/^[[:space:]]*$/ && !/^> \*\*Upstream sync:\*\*/ { skip_old_upstream = 0 }
+# Skip the old Reference implementation sync line and surrounding blank lines from the previous [Unreleased] section
+skip_old_reference_impl && /^[[:space:]]*$/ { next }
+skip_old_reference_impl && /^> \*\*Reference implementation sync:\*\*/ { next }
+skip_old_reference_impl && !/^[[:space:]]*$/ && !/^> \*\*Reference implementation sync:\*\*/ { skip_old_reference_impl = 0 }
# Capture the first version link to get the previous version
links_section && first_version_link == "" && /^\[[0-9]+\.[0-9]+\.[0-9]+(-java\.[0-9]+)?\]:/ {
@@ -119,3 +119,4 @@ echo "✓ CHANGELOG.md updated successfully"
echo " - Added version ${VERSION} with date ${RELEASE_DATE}"
echo " - Created new [Unreleased] section"
echo " - Updated version comparison links"
+
diff --git a/.github/scripts/upstream-sync/merge-upstream-diff.sh b/.github/scripts/upstream-sync/merge-upstream-diff.sh
deleted file mode 100755
index ee61b6ffc..000000000
--- a/.github/scripts/upstream-sync/merge-upstream-diff.sh
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/usr/bin/env bash
-# ──────────────────────────────────────────────────────────────
-# merge-upstream-diff.sh
-#
-# Generates a detailed diff analysis of upstream changes since
-# the last merge, grouped by area of interest:
-# • .NET source (primary reference)
-# • .NET tests
-# • Test snapshots
-# • Documentation
-# • Protocol / config files
-#
-# Usage: ./.github/scripts/upstream-sync/merge-upstream-diff.sh [--full]
-# --full Show actual diffs, not just stats
-#
-# Requires: .merge-env written by merge-upstream-start.sh
-# ──────────────────────────────────────────────────────────────
-set -euo pipefail
-
-ROOT_DIR="$(cd "$(dirname "$0")/../../.." && pwd)"
-ENV_FILE="$ROOT_DIR/.merge-env"
-
-if [[ ! -f "$ENV_FILE" ]]; then
- echo "❌ $ENV_FILE not found. Run ./.github/scripts/upstream-sync/merge-upstream-start.sh first."
- exit 1
-fi
-
-# shellcheck source=/dev/null
-source "$ENV_FILE"
-
-SHOW_FULL=false
-if [[ "${1:-}" == "--full" ]]; then
- SHOW_FULL=true
-fi
-
-cd "$UPSTREAM_DIR"
-git fetch origin main 2>/dev/null
-
-RANGE="$LAST_MERGE_COMMIT..origin/main"
-
-echo "════════════════════════════════════════════════════════════"
-echo " Upstream diff analysis: $RANGE"
-echo "════════════════════════════════════════════════════════════"
-
-# ── Commit log ────────────────────────────────────────────────
-echo ""
-echo "── Commit log ──"
-git log --oneline --no-decorate "$RANGE"
-echo ""
-
-# Helper to print a section
-section() {
- local title="$1"; shift
- local paths=("$@")
-
- echo "── $title ──"
- local stat
- stat=$(git diff "$RANGE" --stat -- "${paths[@]}" 2>/dev/null || true)
- if [[ -z "$stat" ]]; then
- echo " (no changes)"
- else
- echo "$stat"
- if $SHOW_FULL; then
- echo ""
- git diff "$RANGE" -- "${paths[@]}" 2>/dev/null || true
- fi
- fi
- echo ""
-}
-
-# ── Sections ──────────────────────────────────────────────────
-section ".NET source (dotnet/src)" "dotnet/src/"
-section ".NET tests (dotnet/test)" "dotnet/test/"
-section "Test snapshots" "test/snapshots/"
-section "Documentation (docs/)" "docs/"
-section "Protocol & config" "sdk-protocol-version.json" "package.json" "justfile"
-section "Go SDK" "go/"
-section "Node.js SDK" "nodejs/"
-section "Python SDK" "python/"
-section "Other files" "README.md" "CONTRIBUTING.md" "SECURITY.md" "SUPPORT.md"
-
-echo "════════════════════════════════════════════════════════════"
-echo " To see full diffs: $0 --full"
-echo " To see a specific path:"
-echo " cd $UPSTREAM_DIR && git diff $RANGE -- "
-echo "════════════════════════════════════════════════════════════"
diff --git a/.github/scripts/upstream-sync/merge-upstream-finish.sh b/.github/scripts/upstream-sync/merge-upstream-finish.sh
deleted file mode 100755
index 1663ef259..000000000
--- a/.github/scripts/upstream-sync/merge-upstream-finish.sh
+++ /dev/null
@@ -1,63 +0,0 @@
-#!/usr/bin/env bash
-# ──────────────────────────────────────────────────────────────
-# merge-upstream-finish.sh
-#
-# Finalises an upstream merge:
-# 1. Runs format + test + build (via format-and-test.sh)
-# 2. Updates .lastmerge to upstream HEAD
-# 3. Commits the .lastmerge update
-# 4. Pushes the branch to origin
-#
-# Usage: ./.github/scripts/upstream-sync/merge-upstream-finish.sh
-# ./.github/scripts/upstream-sync/merge-upstream-finish.sh --skip-tests
-#
-# Requires: .merge-env written by merge-upstream-start.sh
-# ──────────────────────────────────────────────────────────────
-set -euo pipefail
-
-ROOT_DIR="$(cd "$(dirname "$0")/../../.." && pwd)"
-ENV_FILE="$ROOT_DIR/.merge-env"
-
-if [[ ! -f "$ENV_FILE" ]]; then
- echo "❌ $ENV_FILE not found. Run ./.github/scripts/upstream-sync/merge-upstream-start.sh first."
- exit 1
-fi
-
-# shellcheck source=/dev/null
-source "$ENV_FILE"
-
-SKIP_TESTS=false
-if [[ "${1:-}" == "--skip-tests" ]]; then
- SKIP_TESTS=true
-fi
-
-cd "$ROOT_DIR"
-
-# ── 1. Format, test, build ───────────────────────────────────
-if $SKIP_TESTS; then
- echo "▸ Formatting only (tests skipped)…"
- mvn spotless:apply
- mvn clean package -DskipTests
-else
- echo "▸ Running format + test + build…"
- "$ROOT_DIR/.github/scripts/build/format-and-test.sh"
-fi
-
-# ── 2. Update .lastmerge ─────────────────────────────────────
-echo "▸ Updating .lastmerge…"
-NEW_COMMIT=$(cd "$UPSTREAM_DIR" && git rev-parse origin/main)
-echo "$NEW_COMMIT" > "$ROOT_DIR/.lastmerge"
-
-git add .lastmerge
-git commit -m "Update .lastmerge to $NEW_COMMIT"
-
-# ── 3. Push branch ───────────────────────────────────────────
-echo "▸ Pushing branch $BRANCH_NAME to origin…"
-git push -u origin "$BRANCH_NAME"
-
-echo ""
-echo "✅ Branch pushed. Next step:"
-echo " Create a Pull Request (base: main, head: $BRANCH_NAME)"
-echo ""
-echo " Suggested title: Merge upstream SDK changes ($(date +%Y-%m-%d))"
-echo " Don't forget to add the 'upstream-sync' label."
diff --git a/.github/scripts/upstream-sync/merge-upstream-start.sh b/.github/scripts/upstream-sync/merge-upstream-start.sh
deleted file mode 100755
index 755361cd1..000000000
--- a/.github/scripts/upstream-sync/merge-upstream-start.sh
+++ /dev/null
@@ -1,88 +0,0 @@
-#!/usr/bin/env bash
-# ──────────────────────────────────────────────────────────────
-# merge-upstream-start.sh
-#
-# Prepares the workspace for an upstream merge:
-# 1. Creates a dated branch from main
-# 2. Updates Copilot CLI and records the new version
-# 3. Clones the upstream copilot-sdk repo into a temp dir
-# 4. Reads .lastmerge and prints a short summary of new commits
-#
-# Usage: ./.github/scripts/upstream-sync/merge-upstream-start.sh
-# Output: Exports UPSTREAM_DIR and LAST_MERGE_COMMIT to a
-# .merge-env file so other scripts can source it.
-# ──────────────────────────────────────────────────────────────
-set -euo pipefail
-
-ROOT_DIR="$(cd "$(dirname "$0")/../../.." && pwd)"
-cd "$ROOT_DIR"
-
-UPSTREAM_REPO="https://github.com/github/copilot-sdk.git"
-ENV_FILE="$ROOT_DIR/.merge-env"
-
-# ── 1. Create branch (or reuse existing) ─────────────────────
-CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD)
-
-if [[ "$CURRENT_BRANCH" != "main" ]]; then
- # Already on a non-main branch (e.g., coding agent's auto-created PR branch).
- # Stay on this branch — do not create a new one.
- BRANCH_NAME="$CURRENT_BRANCH"
- echo "▸ Already on branch '$BRANCH_NAME' — reusing it (coding agent mode)."
- git pull origin main --no-edit 2>/dev/null || echo " (pull from main skipped or fast-forward not possible)"
-else
- echo "▸ Ensuring main is up to date…"
- git pull origin main
-
- BRANCH_NAME="merge-upstream-$(date +%Y%m%d)"
- echo "▸ Creating branch: $BRANCH_NAME"
- git checkout -b "$BRANCH_NAME"
-fi
-
-# ── 2. Update Copilot CLI ────────────────────────────────────
-echo "▸ Updating Copilot CLI…"
-if command -v copilot &>/dev/null; then
- copilot update || echo " (copilot update returned non-zero – check manually)"
- CLI_VERSION=$(copilot --version | head -n 1 | awk '{print $NF}')
- echo " Copilot CLI version: $CLI_VERSION"
-else
- echo " ⚠ 'copilot' command not found – skipping CLI update."
- CLI_VERSION="UNKNOWN"
-fi
-
-# ── 3. Clone upstream ────────────────────────────────────────
-TEMP_DIR=$(mktemp -d)
-UPSTREAM_DIR="$TEMP_DIR/copilot-sdk"
-echo "▸ Cloning upstream into $UPSTREAM_DIR …"
-git clone --depth=200 "$UPSTREAM_REPO" "$UPSTREAM_DIR"
-
-# ── 4. Read last merge commit ────────────────────────────────
-if [[ ! -f "$ROOT_DIR/.lastmerge" ]]; then
- echo "❌ .lastmerge file not found in repo root."
- exit 1
-fi
-LAST_MERGE_COMMIT=$(tr -d '[:space:]' < "$ROOT_DIR/.lastmerge")
-echo "▸ Last merged upstream commit: $LAST_MERGE_COMMIT"
-
-# Quick summary
-echo ""
-echo "── Upstream commits since last merge ──"
-(cd "$UPSTREAM_DIR" && git fetch origin main && \
- git log --oneline "$LAST_MERGE_COMMIT"..origin/main) || \
- echo " (could not generate log – the commit may have been rebased)"
-echo ""
-
-# ── 5. Write env file for other scripts ──────────────────────
-cat > "$ENV_FILE" <[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\(-java\.[0-9][0-9]*\)\{0,1\}|${VERSION}|g" README.md
@@ -249,3 +249,4 @@ jobs:
-f publish_as_latest=true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
diff --git a/.github/workflows/weekly-upstream-sync.lock.yml b/.github/workflows/weekly-upstream-sync.lock.yml
deleted file mode 100644
index c2bceee20..000000000
--- a/.github/workflows/weekly-upstream-sync.lock.yml
+++ /dev/null
@@ -1,1239 +0,0 @@
-#
-# ___ _ _
-# / _ \ | | (_)
-# | |_| | __ _ ___ _ __ | |_ _ ___
-# | _ |/ _` |/ _ \ '_ \| __| |/ __|
-# | | | | (_| | __/ | | | |_| | (__
-# \_| |_/\__, |\___|_| |_|\__|_|\___|
-# __/ |
-# _ _ |___/
-# | | | | / _| |
-# | | | | ___ _ __ _ __| |_| | _____ ____
-# | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___|
-# \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \
-# \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/
-#
-# This file was automatically generated by gh-aw (v0.51.6). DO NOT EDIT.
-#
-# To update this file, edit the corresponding .md file and run:
-# gh aw compile
-# Not all edits will cause changes to this file.
-#
-# For more information: https://github.github.com/gh-aw/introduction/overview/
-#
-# Weekly upstream sync workflow. Checks for new commits in the official
-# Copilot SDK (github/copilot-sdk) and assigns to Copilot to port changes.
-#
-# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"fc14b09206c7aeafcd52c843adce996a1c14cf15875f9b647ef71f631b3b296e","compiler_version":"v0.51.6"}
-
-name: "Weekly Upstream Sync Agentic Workflow"
-"on":
- schedule:
- - cron: "39 8 * * 2"
- # Friendly format: weekly (scattered)
- workflow_dispatch:
-
-permissions: {}
-
-concurrency:
- group: "gh-aw-${{ github.workflow }}"
-
-run-name: "Weekly Upstream Sync Agentic Workflow"
-
-jobs:
- activation:
- runs-on: ubuntu-slim
- permissions:
- contents: read
- outputs:
- comment_id: ""
- comment_repo: ""
- model: ${{ steps.generate_aw_info.outputs.model }}
- secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
- steps:
- - name: Setup Scripts
- uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6
- with:
- destination: /opt/gh-aw/actions
- - name: Generate agentic run info
- id: generate_aw_info
- env:
- GH_AW_INFO_ENGINE_ID: "copilot"
- GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
- GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }}
- GH_AW_INFO_VERSION: ""
- GH_AW_INFO_AGENT_VERSION: "0.0.420"
- GH_AW_INFO_CLI_VERSION: "v0.51.6"
- GH_AW_INFO_WORKFLOW_NAME: "Weekly Upstream Sync Agentic Workflow"
- GH_AW_INFO_EXPERIMENTAL: "false"
- GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
- GH_AW_INFO_STAGED: "false"
- GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","github"]'
- GH_AW_INFO_FIREWALL_ENABLED: "true"
- GH_AW_INFO_AWF_VERSION: "v0.23.0"
- GH_AW_INFO_AWMG_VERSION: ""
- GH_AW_INFO_FIREWALL_TYPE: "squid"
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- with:
- script: |
- const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs');
- await main(core, context);
- - name: Validate COPILOT_GITHUB_TOKEN secret
- id: validate-secret
- run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default
- env:
- COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- - name: Checkout .github and .agents folders
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- sparse-checkout: |
- .github
- .agents
- sparse-checkout-cone-mode: true
- fetch-depth: 1
- persist-credentials: false
- - name: Check workflow file timestamps
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- GH_AW_WORKFLOW_FILE: "weekly-upstream-sync.lock.yml"
- with:
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs');
- await main();
- - name: Create prompt with built-in context
- env:
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
- GH_AW_GITHUB_ACTOR: ${{ github.actor }}
- GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
- GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
- GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
- GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
- GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
- GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
- GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
- run: |
- bash /opt/gh-aw/actions/create_prompt_first.sh
- {
- cat << 'GH_AW_PROMPT_EOF'
-
- GH_AW_PROMPT_EOF
- cat "/opt/gh-aw/prompts/xpia.md"
- cat "/opt/gh-aw/prompts/temp_folder_prompt.md"
- cat "/opt/gh-aw/prompts/markdown.md"
- cat "/opt/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_EOF'
-
- Tools: add_comment, create_issue, close_issue, assign_to_agent, missing_tool, missing_data, noop
-
-
- The following GitHub context information is available for this workflow:
- {{#if __GH_AW_GITHUB_ACTOR__ }}
- - **actor**: __GH_AW_GITHUB_ACTOR__
- {{/if}}
- {{#if __GH_AW_GITHUB_REPOSITORY__ }}
- - **repository**: __GH_AW_GITHUB_REPOSITORY__
- {{/if}}
- {{#if __GH_AW_GITHUB_WORKSPACE__ }}
- - **workspace**: __GH_AW_GITHUB_WORKSPACE__
- {{/if}}
- {{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }}
- - **issue-number**: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__
- {{/if}}
- {{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }}
- - **discussion-number**: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__
- {{/if}}
- {{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }}
- - **pull-request-number**: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__
- {{/if}}
- {{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }}
- - **comment-id**: __GH_AW_GITHUB_EVENT_COMMENT_ID__
- {{/if}}
- {{#if __GH_AW_GITHUB_RUN_ID__ }}
- - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__
- {{/if}}
-
-
- GH_AW_PROMPT_EOF
- cat << 'GH_AW_PROMPT_EOF'
-
- GH_AW_PROMPT_EOF
- cat << 'GH_AW_PROMPT_EOF'
- {{#runtime-import .github/workflows/weekly-upstream-sync.md}}
- GH_AW_PROMPT_EOF
- } > "$GH_AW_PROMPT"
- - name: Interpolate variables and render templates
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- with:
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs');
- await main();
- - name: Substitute placeholders
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- GH_AW_GITHUB_ACTOR: ${{ github.actor }}
- GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
- GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
- GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
- GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
- GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
- GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
- GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
- with:
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
-
- const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs');
-
- // Call the substitution function
- return await substitutePlaceholders({
- file: process.env.GH_AW_PROMPT,
- substitutions: {
- GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR,
- GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID,
- GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER,
- GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER,
- GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER,
- GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY,
- GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID,
- GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE
- }
- });
- - name: Validate prompt placeholders
- env:
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh
- - name: Print prompt
- env:
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- run: bash /opt/gh-aw/actions/print_prompt_summary.sh
- - name: Upload activation artifact
- if: success()
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
- with:
- name: activation
- path: |
- /tmp/gh-aw/aw_info.json
- /tmp/gh-aw/aw-prompts/prompt.txt
- retention-days: 1
-
- agent:
- needs: activation
- runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- issues: read
- concurrency:
- group: "gh-aw-copilot-${{ github.workflow }}"
- env:
- DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
- GH_AW_ASSETS_ALLOWED_EXTS: ""
- GH_AW_ASSETS_BRANCH: ""
- GH_AW_ASSETS_MAX_SIZE_KB: 0
- GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
- GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl
- GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
- GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
- GH_AW_WORKFLOW_ID_SANITIZED: weeklyupstreamsync
- outputs:
- checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }}
- detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }}
- detection_success: ${{ steps.detection_conclusion.outputs.success }}
- has_patch: ${{ steps.collect_output.outputs.has_patch }}
- model: ${{ needs.activation.outputs.model }}
- output: ${{ steps.collect_output.outputs.output }}
- output_types: ${{ steps.collect_output.outputs.output_types }}
- steps:
- - name: Setup Scripts
- uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6
- with:
- destination: /opt/gh-aw/actions
- - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- - name: Create gh-aw temp directory
- run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh
- - name: Configure Git credentials
- env:
- REPO_NAME: ${{ github.repository }}
- SERVER_URL: ${{ github.server_url }}
- run: |
- git config --global user.email "github-actions[bot]@users.noreply.github.com"
- git config --global user.name "github-actions[bot]"
- git config --global am.keepcr true
- # Re-authenticate git with GitHub token
- SERVER_URL_STRIPPED="${SERVER_URL#https://}"
- git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
- echo "Git configured with standard GitHub Actions identity"
- - name: Checkout PR branch
- id: checkout-pr
- if: |
- (github.event.pull_request) || (github.event.issue.pull_request)
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs');
- await main();
- - name: Install GitHub Copilot CLI
- run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.420
- - name: Install awf binary
- run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0
- - name: Determine automatic lockdown mode for GitHub MCP Server
- id: determine-automatic-lockdown
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
- GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
- with:
- script: |
- const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs');
- await determineAutomaticLockdown(github, context, core);
- - name: Download container images
- run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.6 ghcr.io/github/github-mcp-server:v0.31.0 node:lts-alpine
- - name: Write Safe Outputs Config
- run: |
- mkdir -p /opt/gh-aw/safeoutputs
- mkdir -p /tmp/gh-aw/safeoutputs
- mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF'
- {"add_comment":{"max":10,"target":"*"},"assign_to_agent":{"default_agent":"copilot","max":1,"target":"*"},"close_issue":{"max":10,"required_labels":["upstream-sync"],"target":"*"},"create_issue":{"expires":144,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}}
- GH_AW_SAFE_OUTPUTS_CONFIG_EOF
- cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF'
- [
- {
- "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[upstream-sync] \". Labels [upstream-sync] will be automatically added. Assignees [copilot] will be automatically assigned.",
- "inputSchema": {
- "additionalProperties": false,
- "properties": {
- "body": {
- "description": "Detailed issue description in Markdown. Do NOT repeat the title as a heading since it already appears as the issue's h1. Include context, reproduction steps, or acceptance criteria as appropriate.",
- "type": "string"
- },
- "labels": {
- "description": "Labels to categorize the issue (e.g., 'bug', 'enhancement'). Labels must exist in the repository.",
- "items": {
- "type": "string"
- },
- "type": "array"
- },
- "parent": {
- "description": "Parent issue number for creating sub-issues. This is the numeric ID from the GitHub URL (e.g., 42 in github.com/owner/repo/issues/42). Can also be a temporary_id (e.g., 'aw_abc123', 'aw_Test123') from a previously created issue in the same workflow run.",
- "type": [
- "number",
- "string"
- ]
- },
- "temporary_id": {
- "description": "Unique temporary identifier for referencing this issue before it's created. Format: 'aw_' followed by 3 to 8 alphanumeric characters (e.g., 'aw_abc1', 'aw_Test123'). Use '#aw_ID' in body text to reference other issues by their temporary_id; these are replaced with actual issue numbers after creation.",
- "pattern": "^aw_[A-Za-z0-9]{3,8}$",
- "type": "string"
- },
- "title": {
- "description": "Concise issue title summarizing the bug, feature, or task. The title appears as the main heading, so keep it brief and descriptive.",
- "type": "string"
- }
- },
- "required": [
- "title",
- "body"
- ],
- "type": "object"
- },
- "name": "create_issue"
- },
- {
- "description": "Close a GitHub issue with a closing comment. You can and should always add a comment when closing an issue to explain the action or provide context. This tool is ONLY for closing issues - use update_issue if you need to change the title, body, labels, or other metadata without closing. Use close_issue when work is complete, the issue is no longer relevant, or it's a duplicate. The closing comment should explain the resolution or reason for closing. If the issue is already closed, a comment will still be posted. CONSTRAINTS: Maximum 10 issue(s) can be closed. Target: *.",
- "inputSchema": {
- "additionalProperties": false,
- "properties": {
- "body": {
- "description": "Closing comment explaining why the issue is being closed and summarizing any resolution, workaround, or conclusion.",
- "type": "string"
- },
- "issue_number": {
- "description": "Issue number to close. This is the numeric ID from the GitHub URL (e.g., 901 in github.com/owner/repo/issues/901). If omitted, closes the issue that triggered this workflow (requires an issue event trigger).",
- "type": [
- "number",
- "string"
- ]
- }
- },
- "required": [
- "body"
- ],
- "type": "object"
- },
- "name": "close_issue"
- },
- {
- "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 10 comment(s) can be added. Target: *.",
- "inputSchema": {
- "additionalProperties": false,
- "properties": {
- "body": {
- "description": "The comment text in Markdown format. This is the 'body' field - do not use 'comment_body' or other variations. Provide helpful, relevant information that adds value to the conversation. CONSTRAINTS: The complete comment (your body text + automatically added footer) must not exceed 65536 characters total. Maximum 10 mentions (@username), maximum 50 links (http/https URLs). A footer (~200-500 characters) is automatically appended with workflow attribution, so leave adequate space. If these limits are exceeded, the tool call will fail with a detailed error message indicating which constraint was violated.",
- "type": "string"
- },
- "item_number": {
- "description": "The issue, pull request, or discussion number to comment on. This is the numeric ID from the GitHub URL (e.g., 123 in github.com/owner/repo/issues/123). If omitted, the tool auto-targets the issue, PR, or discussion that triggered this workflow. Auto-targeting only works for issue, pull_request, discussion, and comment event triggers — it does NOT work for schedule, workflow_dispatch, push, or workflow_run triggers. For those trigger types, always provide item_number explicitly, or the comment will be silently discarded.",
- "type": "number"
- }
- },
- "required": [
- "body"
- ],
- "type": "object"
- },
- "name": "add_comment"
- },
- {
- "description": "Assign the GitHub Copilot coding agent to work on an issue or pull request. The agent will analyze the issue/PR and attempt to implement a solution, creating a pull request when complete. Use this to delegate coding tasks to Copilot. Example usage: assign_to_agent(issue_number=123, agent=\"copilot\") or assign_to_agent(pull_number=456, agent=\"copilot\", pull_request_repo=\"owner/repo\") CONSTRAINTS: Maximum 1 issue(s) can be assigned to agent.",
- "inputSchema": {
- "additionalProperties": false,
- "properties": {
- "agent": {
- "description": "Agent identifier to assign. Defaults to 'copilot' (the Copilot coding agent) if not specified.",
- "type": "string"
- },
- "issue_number": {
- "description": "Issue number to assign the Copilot coding agent to. This is the numeric ID from the GitHub URL (e.g., 234 in github.com/owner/repo/issues/234). Can also be a temporary_id (e.g., 'aw_abc123', 'aw_Test123') from an issue created earlier in the same workflow run. The issue should contain clear, actionable requirements. Either issue_number or pull_number must be provided, but not both.",
- "type": [
- "number",
- "string"
- ]
- },
- "pull_number": {
- "description": "Pull request number to assign the Copilot coding agent to. This is the numeric ID from the GitHub URL (e.g., 456 in github.com/owner/repo/pull/456). Either issue_number or pull_number must be provided, but not both.",
- "type": [
- "number",
- "string"
- ]
- },
- "pull_request_repo": {
- "description": "Target repository where the pull request should be created, in 'owner/repo' format. If omitted, the PR will be created in the same repository as the issue. This allows issues and code to live in different repositories. The global pull-request-repo configuration (if set) is automatically allowed; additional repositories must be listed in allowed-pull-request-repos.",
- "type": "string"
- }
- },
- "type": "object"
- },
- "name": "assign_to_agent"
- },
- {
- "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.",
- "inputSchema": {
- "additionalProperties": false,
- "properties": {
- "alternatives": {
- "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).",
- "type": "string"
- },
- "reason": {
- "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).",
- "type": "string"
- },
- "tool": {
- "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.",
- "type": "string"
- }
- },
- "required": [
- "reason"
- ],
- "type": "object"
- },
- "name": "missing_tool"
- },
- {
- "description": "Log a transparency message when no significant actions are needed. Use this to confirm workflow completion and provide visibility when analysis is complete but no changes or outputs are required (e.g., 'No issues found', 'All checks passed'). This ensures the workflow produces human-visible output even when no other actions are taken.",
- "inputSchema": {
- "additionalProperties": false,
- "properties": {
- "message": {
- "description": "Status or completion message to log. Should explain what was analyzed and the outcome (e.g., 'Code review complete - no issues found', 'Analysis complete - all tests passing').",
- "type": "string"
- }
- },
- "required": [
- "message"
- ],
- "type": "object"
- },
- "name": "noop"
- },
- {
- "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.",
- "inputSchema": {
- "additionalProperties": false,
- "properties": {
- "alternatives": {
- "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).",
- "type": "string"
- },
- "context": {
- "description": "Additional context about the missing data or where it should come from (max 256 characters).",
- "type": "string"
- },
- "data_type": {
- "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.",
- "type": "string"
- },
- "reason": {
- "description": "Explanation of why this data is needed to complete the task (max 256 characters).",
- "type": "string"
- }
- },
- "required": [],
- "type": "object"
- },
- "name": "missing_data"
- }
- ]
- GH_AW_SAFE_OUTPUTS_TOOLS_EOF
- cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF'
- {
- "add_comment": {
- "defaultMax": 1,
- "fields": {
- "body": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 65000
- },
- "item_number": {
- "issueOrPRNumber": true
- },
- "repo": {
- "type": "string",
- "maxLength": 256
- }
- }
- },
- "assign_to_agent": {
- "defaultMax": 1,
- "fields": {
- "agent": {
- "type": "string",
- "sanitize": true,
- "maxLength": 128
- },
- "issue_number": {
- "issueNumberOrTemporaryId": true
- },
- "pull_number": {
- "optionalPositiveInteger": true
- },
- "pull_request_repo": {
- "type": "string",
- "maxLength": 256
- },
- "repo": {
- "type": "string",
- "maxLength": 256
- }
- },
- "customValidation": "requiresOneOf:issue_number,pull_number"
- },
- "close_issue": {
- "defaultMax": 1,
- "fields": {
- "body": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 65000
- },
- "issue_number": {
- "optionalPositiveInteger": true
- },
- "repo": {
- "type": "string",
- "maxLength": 256
- }
- }
- },
- "create_issue": {
- "defaultMax": 1,
- "fields": {
- "body": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 65000
- },
- "labels": {
- "type": "array",
- "itemType": "string",
- "itemSanitize": true,
- "itemMaxLength": 128
- },
- "parent": {
- "issueOrPRNumber": true
- },
- "repo": {
- "type": "string",
- "maxLength": 256
- },
- "temporary_id": {
- "type": "string"
- },
- "title": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 128
- }
- }
- },
- "missing_data": {
- "defaultMax": 20,
- "fields": {
- "alternatives": {
- "type": "string",
- "sanitize": true,
- "maxLength": 256
- },
- "context": {
- "type": "string",
- "sanitize": true,
- "maxLength": 256
- },
- "data_type": {
- "type": "string",
- "sanitize": true,
- "maxLength": 128
- },
- "reason": {
- "type": "string",
- "sanitize": true,
- "maxLength": 256
- }
- }
- },
- "missing_tool": {
- "defaultMax": 20,
- "fields": {
- "alternatives": {
- "type": "string",
- "sanitize": true,
- "maxLength": 512
- },
- "reason": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 256
- },
- "tool": {
- "type": "string",
- "sanitize": true,
- "maxLength": 128
- }
- }
- },
- "noop": {
- "defaultMax": 1,
- "fields": {
- "message": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 65000
- }
- }
- }
- }
- GH_AW_SAFE_OUTPUTS_VALIDATION_EOF
- - name: Generate Safe Outputs MCP Server Config
- id: safe-outputs-config
- run: |
- # Generate a secure random API key (360 bits of entropy, 40+ chars)
- # Mask immediately to prevent timing vulnerabilities
- API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
- echo "::add-mask::${API_KEY}"
-
- PORT=3001
-
- # Set outputs for next steps
- {
- echo "safe_outputs_api_key=${API_KEY}"
- echo "safe_outputs_port=${PORT}"
- } >> "$GITHUB_OUTPUT"
-
- echo "Safe Outputs MCP server will run on port ${PORT}"
-
- - name: Start Safe Outputs MCP HTTP Server
- id: safe-outputs-start
- env:
- DEBUG: '*'
- GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}
- GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}
- GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
- GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
- GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
- run: |
- # Environment variables are set above to prevent template injection
- export DEBUG
- export GH_AW_SAFE_OUTPUTS_PORT
- export GH_AW_SAFE_OUTPUTS_API_KEY
- export GH_AW_SAFE_OUTPUTS_TOOLS_PATH
- export GH_AW_SAFE_OUTPUTS_CONFIG_PATH
- export GH_AW_MCP_LOG_DIR
-
- bash /opt/gh-aw/actions/start_safe_outputs_server.sh
-
- - name: Start MCP Gateway
- id: start-mcp-gateway
- env:
- GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
- GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
- GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
- GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}
- GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- run: |
- set -eo pipefail
- mkdir -p /tmp/gh-aw/mcp-config
-
- # Export gateway environment variables for MCP config and gateway script
- export MCP_GATEWAY_PORT="80"
- export MCP_GATEWAY_DOMAIN="host.docker.internal"
- MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
- echo "::add-mask::${MCP_GATEWAY_API_KEY}"
- export MCP_GATEWAY_API_KEY
- export MCP_GATEWAY_PAYLOAD_DIR="/tmp/gh-aw/mcp-payloads"
- mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}"
- export MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD="524288"
- export DEBUG="*"
-
- export GH_AW_ENGINE="copilot"
- export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.6'
-
- mkdir -p /home/runner/.copilot
- cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh
- {
- "mcpServers": {
- "github": {
- "type": "stdio",
- "container": "ghcr.io/github/github-mcp-server:v0.31.0",
- "env": {
- "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN",
- "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
- "GITHUB_READ_ONLY": "1",
- "GITHUB_TOOLSETS": "context,repos,issues"
- }
- },
- "safeoutputs": {
- "type": "http",
- "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT",
- "headers": {
- "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}"
- }
- }
- },
- "gateway": {
- "port": $MCP_GATEWAY_PORT,
- "domain": "${MCP_GATEWAY_DOMAIN}",
- "apiKey": "${MCP_GATEWAY_API_KEY}",
- "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
- }
- }
- GH_AW_MCP_CONFIG_EOF
- - name: Download activation artifact
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
- with:
- name: activation
- path: /tmp/gh-aw
- - name: Clean git credentials
- run: bash /opt/gh-aw/actions/clean_git_credentials.sh
- - name: Execute GitHub Copilot CLI
- id: agentic_execution
- # Copilot CLI tool arguments (sorted):
- timeout-minutes: 20
- run: |
- set -o pipefail
- # shellcheck disable=SC1003
- sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.23.0 --skip-pull --enable-api-proxy \
- -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
- env:
- COPILOT_AGENT_RUNNER_TYPE: STANDALONE
- COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json
- GH_AW_MODEL_AGENT_COPILOT: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }}
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
- GITHUB_API_URL: ${{ github.api_url }}
- GITHUB_HEAD_REF: ${{ github.head_ref }}
- GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- GITHUB_REF_NAME: ${{ github.ref_name }}
- GITHUB_SERVER_URL: ${{ github.server_url }}
- GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }}
- GITHUB_WORKSPACE: ${{ github.workspace }}
- XDG_CONFIG_HOME: /home/runner
- - name: Configure Git credentials
- env:
- REPO_NAME: ${{ github.repository }}
- SERVER_URL: ${{ github.server_url }}
- run: |
- git config --global user.email "github-actions[bot]@users.noreply.github.com"
- git config --global user.name "github-actions[bot]"
- git config --global am.keepcr true
- # Re-authenticate git with GitHub token
- SERVER_URL_STRIPPED="${SERVER_URL#https://}"
- git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
- echo "Git configured with standard GitHub Actions identity"
- - name: Copy Copilot session state files to logs
- if: always()
- continue-on-error: true
- run: |
- # Copy Copilot session state files to logs folder for artifact collection
- # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them
- SESSION_STATE_DIR="$HOME/.copilot/session-state"
- LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs"
-
- if [ -d "$SESSION_STATE_DIR" ]; then
- echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR"
- mkdir -p "$LOGS_DIR"
- cp -v "$SESSION_STATE_DIR"/*.jsonl "$LOGS_DIR/" 2>/dev/null || true
- echo "Session state files copied successfully"
- else
- echo "No session-state directory found at $SESSION_STATE_DIR"
- fi
- - name: Stop MCP Gateway
- if: always()
- continue-on-error: true
- env:
- MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }}
- MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }}
- GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }}
- run: |
- bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID"
- - name: Redact secrets in logs
- if: always()
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- with:
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs');
- await main();
- env:
- GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN'
- SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
- SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
- SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Upload Safe Outputs
- if: always()
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
- with:
- name: safe-output
- path: ${{ env.GH_AW_SAFE_OUTPUTS }}
- if-no-files-found: warn
- - name: Ingest agent output
- id: collect_output
- if: always()
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
- GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
- GITHUB_SERVER_URL: ${{ github.server_url }}
- GITHUB_API_URL: ${{ github.api_url }}
- with:
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs');
- await main();
- - name: Upload sanitized agent output
- if: always() && env.GH_AW_AGENT_OUTPUT
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
- with:
- name: agent-output
- path: ${{ env.GH_AW_AGENT_OUTPUT }}
- if-no-files-found: warn
- - name: Upload engine output files
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
- with:
- name: agent_outputs
- path: |
- /tmp/gh-aw/sandbox/agent/logs/
- /tmp/gh-aw/redacted-urls.log
- if-no-files-found: ignore
- - name: Parse agent logs for step summary
- if: always()
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/
- with:
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs');
- await main();
- - name: Parse MCP Gateway logs for step summary
- if: always()
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- with:
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs');
- await main();
- - name: Print firewall logs
- if: always()
- continue-on-error: true
- env:
- AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
- run: |
- # Fix permissions on firewall logs so they can be uploaded as artifacts
- # AWF runs with sudo, creating files owned by root
- sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true
- # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
- if command -v awf &> /dev/null; then
- awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"
- else
- echo 'AWF binary not installed, skipping firewall log summary'
- fi
- - name: Upload agent artifacts
- if: always()
- continue-on-error: true
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
- with:
- name: agent-artifacts
- path: |
- /tmp/gh-aw/aw-prompts/prompt.txt
- /tmp/gh-aw/mcp-logs/
- /tmp/gh-aw/sandbox/firewall/logs/
- /tmp/gh-aw/agent-stdio.log
- /tmp/gh-aw/agent/
- if-no-files-found: ignore
- # --- Threat Detection (inline) ---
- - name: Check if detection needed
- id: detection_guard
- if: always()
- env:
- OUTPUT_TYPES: ${{ steps.collect_output.outputs.output_types }}
- HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }}
- run: |
- if [[ -n "$OUTPUT_TYPES" || "$HAS_PATCH" == "true" ]]; then
- echo "run_detection=true" >> "$GITHUB_OUTPUT"
- echo "Detection will run: output_types=$OUTPUT_TYPES, has_patch=$HAS_PATCH"
- else
- echo "run_detection=false" >> "$GITHUB_OUTPUT"
- echo "Detection skipped: no agent outputs or patches to analyze"
- fi
- - name: Clear MCP configuration for detection
- if: always() && steps.detection_guard.outputs.run_detection == 'true'
- run: |
- rm -f /tmp/gh-aw/mcp-config/mcp-servers.json
- rm -f /home/runner/.copilot/mcp-config.json
- rm -f "$GITHUB_WORKSPACE/.gemini/settings.json"
- - name: Prepare threat detection files
- if: always() && steps.detection_guard.outputs.run_detection == 'true'
- run: |
- mkdir -p /tmp/gh-aw/threat-detection/aw-prompts
- cp /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt 2>/dev/null || true
- cp /tmp/gh-aw/agent_output.json /tmp/gh-aw/threat-detection/agent_output.json 2>/dev/null || true
- for f in /tmp/gh-aw/aw-*.patch; do
- [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true
- done
- echo "Prepared threat detection files:"
- ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true
- - name: Setup threat detection
- if: always() && steps.detection_guard.outputs.run_detection == 'true'
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- WORKFLOW_NAME: "Weekly Upstream Sync Agentic Workflow"
- WORKFLOW_DESCRIPTION: "Weekly upstream sync workflow. Checks for new commits in the official\nCopilot SDK (github/copilot-sdk) and assigns to Copilot to port changes."
- HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }}
- with:
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs');
- await main();
- - name: Ensure threat-detection directory and log
- if: always() && steps.detection_guard.outputs.run_detection == 'true'
- run: |
- mkdir -p /tmp/gh-aw/threat-detection
- touch /tmp/gh-aw/threat-detection/detection.log
- - name: Execute GitHub Copilot CLI
- if: always() && steps.detection_guard.outputs.run_detection == 'true'
- id: detection_agentic_execution
- # Copilot CLI tool arguments (sorted):
- # --allow-tool shell(cat)
- # --allow-tool shell(grep)
- # --allow-tool shell(head)
- # --allow-tool shell(jq)
- # --allow-tool shell(ls)
- # --allow-tool shell(tail)
- # --allow-tool shell(wc)
- timeout-minutes: 20
- run: |
- set -o pipefail
- # shellcheck disable=SC1003
- sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org,telemetry.enterprise.githubcopilot.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.23.0 --skip-pull --enable-api-proxy \
- -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(jq)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(wc)'\'' --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_DETECTION_COPILOT:+ --model "$GH_AW_MODEL_DETECTION_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
- env:
- COPILOT_AGENT_RUNNER_TYPE: STANDALONE
- COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- GH_AW_MODEL_DETECTION_COPILOT: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || '' }}
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- GITHUB_API_URL: ${{ github.api_url }}
- GITHUB_HEAD_REF: ${{ github.head_ref }}
- GITHUB_REF_NAME: ${{ github.ref_name }}
- GITHUB_SERVER_URL: ${{ github.server_url }}
- GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }}
- GITHUB_WORKSPACE: ${{ github.workspace }}
- XDG_CONFIG_HOME: /home/runner
- - name: Parse threat detection results
- id: parse_detection_results
- if: always() && steps.detection_guard.outputs.run_detection == 'true'
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- with:
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs');
- await main();
- - name: Upload threat detection log
- if: always() && steps.detection_guard.outputs.run_detection == 'true'
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
- with:
- name: threat-detection.log
- path: /tmp/gh-aw/threat-detection/detection.log
- if-no-files-found: ignore
- - name: Set detection conclusion
- id: detection_conclusion
- if: always()
- env:
- RUN_DETECTION: ${{ steps.detection_guard.outputs.run_detection }}
- DETECTION_SUCCESS: ${{ steps.parse_detection_results.outputs.success }}
- run: |
- if [[ "$RUN_DETECTION" != "true" ]]; then
- echo "conclusion=skipped" >> "$GITHUB_OUTPUT"
- echo "success=true" >> "$GITHUB_OUTPUT"
- echo "Detection was not needed, marking as skipped"
- elif [[ "$DETECTION_SUCCESS" == "true" ]]; then
- echo "conclusion=success" >> "$GITHUB_OUTPUT"
- echo "success=true" >> "$GITHUB_OUTPUT"
- echo "Detection passed successfully"
- else
- echo "conclusion=failure" >> "$GITHUB_OUTPUT"
- echo "success=false" >> "$GITHUB_OUTPUT"
- echo "Detection found issues"
- fi
-
- conclusion:
- needs:
- - activation
- - agent
- - safe_outputs
- if: (always()) && (needs.agent.result != 'skipped')
- runs-on: ubuntu-slim
- permissions:
- contents: read
- discussions: write
- issues: write
- pull-requests: write
- outputs:
- noop_message: ${{ steps.noop.outputs.noop_message }}
- tools_reported: ${{ steps.missing_tool.outputs.tools_reported }}
- total_count: ${{ steps.missing_tool.outputs.total_count }}
- steps:
- - name: Setup Scripts
- uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6
- with:
- destination: /opt/gh-aw/actions
- - name: Download agent output artifact
- continue-on-error: true
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
- with:
- name: agent-output
- path: /tmp/gh-aw/safeoutputs/
- - name: Setup agent output environment variable
- run: |
- mkdir -p /tmp/gh-aw/safeoutputs/
- find "/tmp/gh-aw/safeoutputs/" -type f -print
- echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV"
- - name: Process No-Op Messages
- id: noop
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
- GH_AW_NOOP_MAX: "1"
- GH_AW_WORKFLOW_NAME: "Weekly Upstream Sync Agentic Workflow"
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/noop.cjs');
- await main();
- - name: Record Missing Tool
- id: missing_tool
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
- GH_AW_WORKFLOW_NAME: "Weekly Upstream Sync Agentic Workflow"
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/missing_tool.cjs');
- await main();
- - name: Handle Agent Failure
- id: handle_agent_failure
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
- GH_AW_WORKFLOW_NAME: "Weekly Upstream Sync Agentic Workflow"
- GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
- GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
- GH_AW_WORKFLOW_ID: "weekly-upstream-sync"
- GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }}
- GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }}
- GH_AW_ASSIGNMENT_ERRORS: ${{ needs.safe_outputs.outputs.assign_to_agent_assignment_errors }}
- GH_AW_ASSIGNMENT_ERROR_COUNT: ${{ needs.safe_outputs.outputs.assign_to_agent_assignment_error_count }}
- GH_AW_GROUP_REPORTS: "false"
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs');
- await main();
- - name: Handle No-Op Message
- id: handle_noop_message
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
- GH_AW_WORKFLOW_NAME: "Weekly Upstream Sync Agentic Workflow"
- GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
- GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
- GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }}
- GH_AW_NOOP_REPORT_AS_ISSUE: "false"
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs');
- await main();
-
- safe_outputs:
- needs: agent
- if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.agent.outputs.detection_success == 'true')
- runs-on: ubuntu-slim
- permissions:
- contents: read
- discussions: write
- issues: write
- pull-requests: write
- timeout-minutes: 15
- env:
- GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/${{ github.workflow }}"
- GH_AW_ENGINE_ID: "copilot"
- GH_AW_WORKFLOW_ID: "weekly-upstream-sync"
- GH_AW_WORKFLOW_NAME: "Weekly Upstream Sync Agentic Workflow"
- outputs:
- assign_to_agent_assigned: ${{ steps.assign_to_agent.outputs.assigned }}
- assign_to_agent_assignment_error_count: ${{ steps.assign_to_agent.outputs.assignment_error_count }}
- assign_to_agent_assignment_errors: ${{ steps.assign_to_agent.outputs.assignment_errors }}
- code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }}
- code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }}
- comment_id: ${{ steps.process_safe_outputs.outputs.comment_id }}
- comment_url: ${{ steps.process_safe_outputs.outputs.comment_url }}
- create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }}
- create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }}
- created_issue_number: ${{ steps.process_safe_outputs.outputs.created_issue_number }}
- created_issue_url: ${{ steps.process_safe_outputs.outputs.created_issue_url }}
- process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }}
- process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
- steps:
- - name: Setup Scripts
- uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6
- with:
- destination: /opt/gh-aw/actions
- - name: Download agent output artifact
- continue-on-error: true
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
- with:
- name: agent-output
- path: /tmp/gh-aw/safeoutputs/
- - name: Setup agent output environment variable
- run: |
- mkdir -p /tmp/gh-aw/safeoutputs/
- find "/tmp/gh-aw/safeoutputs/" -type f -print
- echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV"
- - name: Process Safe Outputs
- id: process_safe_outputs
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
- GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
- GITHUB_SERVER_URL: ${{ github.server_url }}
- GITHUB_API_URL: ${{ github.api_url }}
- GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":10,\"target\":\"*\"},\"close_issue\":{\"max\":10,\"required_labels\":[\"upstream-sync\"],\"target\":\"*\"},\"create_issue\":{\"assignees\":[\"copilot\"],\"expires\":144,\"labels\":[\"upstream-sync\"],\"max\":1,\"title_prefix\":\"[upstream-sync] \"},\"missing_data\":{},\"missing_tool\":{}}"
- GH_AW_ASSIGN_COPILOT: "true"
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs');
- await main();
- - name: Assign Copilot to created issues
- if: steps.process_safe_outputs.outputs.issues_to_assign_copilot != ''
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- GH_AW_ISSUES_TO_ASSIGN_COPILOT: ${{ steps.process_safe_outputs.outputs.issues_to_assign_copilot }}
- with:
- github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/assign_copilot_to_created_issues.cjs');
- await main();
- - name: Assign to agent
- id: assign_to_agent
- if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'assign_to_agent'))
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
- GH_AW_AGENT_MAX_COUNT: 1
- GH_AW_AGENT_DEFAULT: "copilot"
- GH_AW_AGENT_DEFAULT_MODEL: "claude-opus-4.6"
- GH_AW_AGENT_TARGET: "*"
- GH_AW_TEMPORARY_ID_MAP: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
- with:
- github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/assign_to_agent.cjs');
- await main();
- - name: Upload safe output items manifest
- if: always()
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
- with:
- name: safe-output-items
- path: /tmp/safe-output-items.jsonl
- if-no-files-found: warn
-
diff --git a/.github/workflows/weekly-upstream-sync.md b/.github/workflows/weekly-upstream-sync.md
deleted file mode 100644
index 0aaff8d1e..000000000
--- a/.github/workflows/weekly-upstream-sync.md
+++ /dev/null
@@ -1,117 +0,0 @@
----
-description: |
- Weekly upstream sync workflow. Checks for new commits in the official
- Copilot SDK (github/copilot-sdk) and assigns to Copilot to port changes.
-
-on:
- schedule: weekly
- workflow_dispatch:
-
-permissions:
- contents: read
- actions: read
- issues: read
-
-network:
- allowed:
- - defaults
- - github
-
-tools:
- github:
- toolsets: [context, repos, issues]
-
-safe-outputs:
- create-issue:
- title-prefix: "[upstream-sync] "
- assignees: [copilot]
- labels: [upstream-sync]
- expires: 6
- close-issue:
- required-labels: [upstream-sync]
- target: "*"
- max: 10
- add-comment:
- target: "*"
- max: 10
- assign-to-agent:
- name: "copilot"
- model: "claude-opus-4.6"
- target: "*"
- noop:
- report-as-issue: false
----
-# Weekly Upstream Sync
-
-You are an automation agent that detects new upstream changes and creates GitHub issues. You do **NOT** perform any code merges, edits, or pushes. Do **NOT** invoke any skills (especially `agentic-merge-upstream`). Your only job is to check for changes and use safe-output tools to create or close issues.
-
-## Instructions
-
-Follow these steps exactly:
-
-### Step 1: Read `.lastmerge`
-
-Read the file `.lastmerge` in the repository root. It contains the SHA of the last upstream commit that was merged into this Java SDK.
-
-### Step 2: Check for upstream changes
-
-Clone the upstream repository and compare commits:
-
-```bash
-LAST_MERGE=$(cat .lastmerge)
-git clone --quiet https://github.com/github/copilot-sdk.git /tmp/gh-aw/agent/upstream
-cd /tmp/gh-aw/agent/upstream
-UPSTREAM_HEAD=$(git rev-parse HEAD)
-```
-
-If `LAST_MERGE` equals `UPSTREAM_HEAD`, there are **no new changes**. Go to Step 3a.
-
-If they differ, count the new commits and generate a summary:
-
-```bash
-COMMIT_COUNT=$(git rev-list --count "$LAST_MERGE".."$UPSTREAM_HEAD")
-SUMMARY=$(git log --oneline "$LAST_MERGE".."$UPSTREAM_HEAD" | head -20)
-```
-
-Go to Step 3b.
-
-### Step 3a: No changes detected
-
-1. Search for any open issues with the `upstream-sync` label using the GitHub MCP tools.
-2. If there are open `upstream-sync` issues, close each one using the `close_issue` safe-output tool with a comment: "No new upstream changes detected. The Java SDK is up to date. Closing."
-3. Call the `noop` safe-output tool with message: "No new upstream changes since last merge ()."
-4. **Stop here.** Do not proceed further.
-
-### Step 3b: Changes detected
-
-1. Search for any open issues with the `upstream-sync` label using the GitHub MCP tools.
-2. Close each existing open `upstream-sync` issue using the `close_issue` safe-output tool with a comment: "Superseded by a newer upstream sync check."
-3. Create a new issue using the `create_issue` safe-output tool with:
- - **Title:** `Upstream sync: new commits ()`
- - **Body:** Include the following information:
- ```
- ## Automated Upstream Sync
-
- There are **** new commits in the [official Copilot SDK](https://github.com/github/copilot-sdk) since the last merge.
-
- - **Last merged commit:** [``](https://github.com/github/copilot-sdk/commit/)
- - **Upstream HEAD:** [``](https://github.com/github/copilot-sdk/commit/)
-
- ### Recent upstream commits
-
- ```
-
- ```
-
- ### Instructions
-
- Follow the [agentic-merge-upstream](.github/prompts/agentic-merge-upstream.prompt.md) prompt to port these changes to the Java SDK.
- ```
-4. After creating the issue, use the `assign_to_agent` safe-output tool to assign Copilot to the newly created issue.
-
-## Important constraints
-
-- **Do NOT edit any files**, create branches, or push code.
-- **Do NOT invoke any skills** such as `agentic-merge-upstream` or `commit-as-pull-request`.
-- **Do NOT attempt to merge or port upstream changes.** That is done by a separate agent that picks up the issue you create.
-- You **MUST** call at least one safe-output tool (`create_issue`, `close_issue`, `noop`, etc.) before finishing.
diff --git a/.github/workflows/weekly-upstream-sync.yml b/.github/workflows/weekly-upstream-sync.yml
deleted file mode 100644
index 5281fa032..000000000
--- a/.github/workflows/weekly-upstream-sync.yml
+++ /dev/null
@@ -1,181 +0,0 @@
-name: "Weekly Upstream Sync"
-
-on:
- schedule:
- # Every Monday at 10:00 UTC (5:00 AM EST / 6:00 AM EDT)
- - cron: '0 10 * * 1'
- workflow_dispatch:
-
-permissions:
- contents: write
- issues: write
- pull-requests: write
-
-env:
- # Used for `gh` CLI operations to create/close/comment issues. Must be a PAT with repo permissions because the default
- GH_AW_AGENT_TOKEN: ${{ secrets.GH_AW_AGENT_TOKEN }}
- GH_TOKEN: ${{ secrets.GH_AW_AGENT_TOKEN }}
-
-jobs:
-
- check-and-sync:
- name: "Check upstream & trigger Copilot merge"
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
- - name: Check for upstream changes
- id: check
- run: |
- LAST_MERGE=$(cat .lastmerge)
- echo "Last merged commit: $LAST_MERGE"
-
- git clone --quiet https://github.com/github/copilot-sdk.git /tmp/upstream
- cd /tmp/upstream
-
- UPSTREAM_HEAD=$(git rev-parse HEAD)
- echo "Upstream HEAD: $UPSTREAM_HEAD"
-
- echo "last_merge=$LAST_MERGE" >> "$GITHUB_OUTPUT"
-
- if [ "$LAST_MERGE" = "$UPSTREAM_HEAD" ]; then
- echo "No new upstream changes since last merge."
- echo "has_changes=false" >> "$GITHUB_OUTPUT"
- else
- COMMIT_COUNT=$(git rev-list --count "$LAST_MERGE".."$UPSTREAM_HEAD")
- echo "Found $COMMIT_COUNT new upstream commits."
- echo "has_changes=true" >> "$GITHUB_OUTPUT"
- echo "commit_count=$COMMIT_COUNT" >> "$GITHUB_OUTPUT"
- echo "upstream_head=$UPSTREAM_HEAD" >> "$GITHUB_OUTPUT"
-
- # Generate a short summary of changes
- SUMMARY=$(git log --oneline "$LAST_MERGE".."$UPSTREAM_HEAD" | head -20)
- {
- echo "summary<> "$GITHUB_OUTPUT"
- fi
-
- - name: Close previous upstream-sync issues
- if: steps.check.outputs.has_changes == 'true'
- run: |
- # Find all open issues with the upstream-sync label
- OPEN_ISSUES=$(gh issue list \
- --repo "${{ github.repository }}" \
- --label "upstream-sync" \
- --state open \
- --json number \
- --jq '.[].number')
-
- for ISSUE_NUM in $OPEN_ISSUES; do
- echo "Closing superseded issue #${ISSUE_NUM}"
- gh issue comment "$ISSUE_NUM" \
- --repo "${{ github.repository }}" \
- --body "Superseded by a newer upstream sync issue. Closing this one."
- gh issue close "$ISSUE_NUM" \
- --repo "${{ github.repository }}" \
- --reason "not planned"
- done
-
- - name: Close stale upstream-sync issues (no changes)
- if: steps.check.outputs.has_changes == 'false'
- run: |
- OPEN_ISSUES=$(gh issue list \
- --repo "${{ github.repository }}" \
- --label "upstream-sync" \
- --state open \
- --json number \
- --jq '.[].number')
-
- for ISSUE_NUM in $OPEN_ISSUES; do
- echo "Closing stale issue #${ISSUE_NUM} — upstream is up to date"
- gh issue comment "$ISSUE_NUM" \
- --repo "${{ github.repository }}" \
- --body "No new upstream changes detected. The Java SDK is up to date. Closing."
- gh issue close "$ISSUE_NUM" \
- --repo "${{ github.repository }}" \
- --reason "completed"
- done
-
- - name: Create issue and assign to Copilot
- id: create-issue
- if: steps.check.outputs.has_changes == 'true'
- env:
- SUMMARY: ${{ steps.check.outputs.summary }}
- run: |
- COMMIT_COUNT="${{ steps.check.outputs.commit_count }}"
- LAST_MERGE="${{ steps.check.outputs.last_merge }}"
- UPSTREAM_HEAD="${{ steps.check.outputs.upstream_head }}"
- DATE=$(date -u +"%Y-%m-%d")
- REPO="${{ github.repository }}"
-
- BODY="## Automated Upstream Sync
-
- There are **${COMMIT_COUNT}** new commits in the [official Copilot SDK](https://github.com/github/copilot-sdk) since the last merge.
-
- - **Last merged commit:** [\`${LAST_MERGE}\`](https://github.com/github/copilot-sdk/commit/${LAST_MERGE})
- - **Upstream HEAD:** [\`${UPSTREAM_HEAD}\`](https://github.com/github/copilot-sdk/commit/${UPSTREAM_HEAD})
-
- ### Recent upstream commits
-
- \`\`\`
- ${SUMMARY}
- \`\`\`
-
- ### Instructions
-
- Follow the [agentic-merge-upstream](.github/prompts/agentic-merge-upstream.prompt.md) prompt to port these changes to the Java SDK."
-
- # Create the issue and assign to Copilot coding agent
- ISSUE_URL=$(gh issue create \
- --repo "$REPO" \
- --title "Upstream sync: ${COMMIT_COUNT} new commits (${DATE})" \
- --body "$BODY" \
- --label "upstream-sync" \
- --assignee "copilot-swe-agent")
-
- echo "issue_url=$ISSUE_URL" >> "$GITHUB_OUTPUT"
- echo "✅ Issue created and assigned to Copilot coding agent: $ISSUE_URL"
-
- - name: Summary
- if: always()
- env:
- SUMMARY: ${{ steps.check.outputs.summary }}
- run: |
- HAS_CHANGES="${{ steps.check.outputs.has_changes }}"
- COMMIT_COUNT="${{ steps.check.outputs.commit_count }}"
- LAST_MERGE="${{ steps.check.outputs.last_merge }}"
- UPSTREAM_HEAD="${{ steps.check.outputs.upstream_head }}"
- ISSUE_URL="${{ steps.create-issue.outputs.issue_url }}"
-
- {
- echo "## Weekly Upstream Sync"
- echo ""
- if [ "$HAS_CHANGES" = "true" ]; then
- echo "### ✅ New upstream changes detected"
- echo ""
- echo "| | |"
- echo "|---|---|"
- echo "| **New commits** | ${COMMIT_COUNT} |"
- echo "| **Last merged** | \`${LAST_MERGE:0:12}\` |"
- echo "| **Upstream HEAD** | \`${UPSTREAM_HEAD:0:12}\` |"
- echo ""
- echo "An issue has been created and assigned to the Copilot coding agent: "
- echo " -> ${ISSUE_URL}"
- echo ""
- echo "### Recent upstream commits"
- echo ""
- echo '```'
- echo "$SUMMARY"
- echo '```'
- else
- echo "### ⏭️ No changes"
- echo ""
- echo "The Java SDK is already up to date with the upstream Copilot SDK."
- echo ""
- echo "**Last merged commit:** \`${LAST_MERGE:0:12}\`"
- fi
- } >> "$GITHUB_STEP_SUMMARY"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 38f6e6589..130bc5105 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,17 +8,17 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
## [Unreleased]
-> **Upstream sync:** [`github/copilot-sdk@c3fa6cb`](https://github.com/github/copilot-sdk/commit/c3fa6cbfb83d4a20b7912b1a17013d48f5a277a1)
+> **Reference implementation sync:** [`github/copilot-sdk@c3fa6cb`](https://github.com/github/copilot-sdk/commit/c3fa6cbfb83d4a20b7912b1a17013d48f5a277a1)
## [0.2.2-java.1] - 2026-04-07
-> **Upstream sync:** [`github/copilot-sdk@c3fa6cb`](https://github.com/github/copilot-sdk/commit/c3fa6cbfb83d4a20b7912b1a17013d48f5a277a1)
+> **Reference implementation sync:** [`github/copilot-sdk@c3fa6cb`](https://github.com/github/copilot-sdk/commit/c3fa6cbfb83d4a20b7912b1a17013d48f5a277a1)
### Added
-- Slash commands — register `/command` handlers invoked from the CLI TUI via `SessionConfig.setCommands()` (upstream: [`f7fd757`](https://github.com/github/copilot-sdk/commit/f7fd757))
+- Slash commands — register `/command` handlers invoked from the CLI TUI via `SessionConfig.setCommands()` (reference implementation: [`f7fd757`](https://github.com/github/copilot-sdk/commit/f7fd757))
- `CommandDefinition`, `CommandContext`, `CommandHandler`, `CommandWireDefinition` — types for defining and handling slash commands
- `CommandExecuteEvent` — event dispatched when a registered slash command is executed
-- Elicitation (UI dialogs) — incoming handler via `SessionConfig.setOnElicitationRequest()` and outgoing convenience methods via `session.getUi()` (upstream: [`f7fd757`](https://github.com/github/copilot-sdk/commit/f7fd757))
+- Elicitation (UI dialogs) — incoming handler via `SessionConfig.setOnElicitationRequest()` and outgoing convenience methods via `session.getUi()` (reference implementation: [`f7fd757`](https://github.com/github/copilot-sdk/commit/f7fd757))
- `ElicitationContext`, `ElicitationHandler`, `ElicitationParams`, `ElicitationResult`, `ElicitationResultAction`, `ElicitationSchema`, `InputOptions` — types for elicitation
- `ElicitationRequestedEvent` — event dispatched when an elicitation request is received
- `SessionUiApi` — convenience API on `session.getUi()` for `confirm()`, `select()`, `input()`, and `elicitation()` calls
@@ -35,27 +35,27 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
## [0.2.1-java.1] - 2026-04-02
-> **Upstream sync:** [`github/copilot-sdk@4088739`](https://github.com/github/copilot-sdk/commit/40887393a9e687dacc141a645799441b0313ff15)
+> **Reference implementation sync:** [`github/copilot-sdk@4088739`](https://github.com/github/copilot-sdk/commit/40887393a9e687dacc141a645799441b0313ff15)
## [0.2.1-java.0] - 2026-03-26
-> **Upstream sync:** [`github/copilot-sdk@4088739`](https://github.com/github/copilot-sdk/commit/40887393a9e687dacc141a645799441b0313ff15)
+> **Reference implementation sync:** [`github/copilot-sdk@4088739`](https://github.com/github/copilot-sdk/commit/40887393a9e687dacc141a645799441b0313ff15)
### Added
-- `UnknownSessionEvent` — forward-compatible placeholder for event types not yet known to the SDK; unknown events are now dispatched to handlers instead of being silently dropped (upstream: [`d82fd62`](https://github.com/github/copilot-sdk/commit/d82fd62))
-- `PermissionRequestResultKind.NO_RESULT` — new constant that signals the handler intentionally abstains from answering a permission request, leaving it unanswered for another client (upstream: [`df59a0e`](https://github.com/github/copilot-sdk/commit/df59a0e))
-- `ToolDefinition.skipPermission` field and `ToolDefinition.createSkipPermission()` factory — marks a tool to skip the permission prompt (upstream: [`10c4d02`](https://github.com/github/copilot-sdk/commit/10c4d02))
-- `SystemMessageMode.CUSTOMIZE` — new enum value for fine-grained system prompt customization (upstream: [`005b780`](https://github.com/github/copilot-sdk/commit/005b780))
-- `SectionOverrideAction` enum — specifies the operation on a system prompt section (replace, remove, append, prepend, transform) (upstream: [`005b780`](https://github.com/github/copilot-sdk/commit/005b780))
-- `SectionOverride` class — describes how one section of the system prompt should be modified, with optional transform callback (upstream: [`005b780`](https://github.com/github/copilot-sdk/commit/005b780))
-- `SystemPromptSections` constants — well-known section identifier strings for use with CUSTOMIZE mode (upstream: [`005b780`](https://github.com/github/copilot-sdk/commit/005b780))
-- `SystemMessageConfig.setSections(Map)` — section-level overrides for CUSTOMIZE mode (upstream: [`005b780`](https://github.com/github/copilot-sdk/commit/005b780))
-- `systemMessage.transform` RPC handler — the SDK now registers a handler that invokes transform callbacks registered in the session config (upstream: [`005b780`](https://github.com/github/copilot-sdk/commit/005b780))
-- `CopilotSession.setModel(String, String)` — new overload that accepts an optional reasoning effort level (upstream: [`ea90f07`](https://github.com/github/copilot-sdk/commit/ea90f07))
+- `UnknownSessionEvent` — forward-compatible placeholder for event types not yet known to the SDK; unknown events are now dispatched to handlers instead of being silently dropped (reference implementation: [`d82fd62`](https://github.com/github/copilot-sdk/commit/d82fd62))
+- `PermissionRequestResultKind.NO_RESULT` — new constant that signals the handler intentionally abstains from answering a permission request, leaving it unanswered for another client (reference implementation: [`df59a0e`](https://github.com/github/copilot-sdk/commit/df59a0e))
+- `ToolDefinition.skipPermission` field and `ToolDefinition.createSkipPermission()` factory — marks a tool to skip the permission prompt (reference implementation: [`10c4d02`](https://github.com/github/copilot-sdk/commit/10c4d02))
+- `SystemMessageMode.CUSTOMIZE` — new enum value for fine-grained system prompt customization (reference implementation: [`005b780`](https://github.com/github/copilot-sdk/commit/005b780))
+- `SectionOverrideAction` enum — specifies the operation on a system prompt section (replace, remove, append, prepend, transform) (reference implementation: [`005b780`](https://github.com/github/copilot-sdk/commit/005b780))
+- `SectionOverride` class — describes how one section of the system prompt should be modified, with optional transform callback (reference implementation: [`005b780`](https://github.com/github/copilot-sdk/commit/005b780))
+- `SystemPromptSections` constants — well-known section identifier strings for use with CUSTOMIZE mode (reference implementation: [`005b780`](https://github.com/github/copilot-sdk/commit/005b780))
+- `SystemMessageConfig.setSections(Map)` — section-level overrides for CUSTOMIZE mode (reference implementation: [`005b780`](https://github.com/github/copilot-sdk/commit/005b780))
+- `systemMessage.transform` RPC handler — the SDK now registers a handler that invokes transform callbacks registered in the session config (reference implementation: [`005b780`](https://github.com/github/copilot-sdk/commit/005b780))
+- `CopilotSession.setModel(String, String)` — new overload that accepts an optional reasoning effort level (reference implementation: [`ea90f07`](https://github.com/github/copilot-sdk/commit/ea90f07))
- `CopilotSession.log(String, String, Boolean, String)` — new overload with an optional `url` parameter (minor addition)
-- `BlobAttachment` class — inline base64-encoded binary attachment for messages (e.g., images) (upstream: [`698b259`](https://github.com/github/copilot-sdk/commit/698b259))
+- `BlobAttachment` class — inline base64-encoded binary attachment for messages (e.g., images) (reference implementation: [`698b259`](https://github.com/github/copilot-sdk/commit/698b259))
- `MessageAttachment` sealed interface — type-safe base for all attachment types (`Attachment`, `BlobAttachment`), with Jackson polymorphic serialization support
-- `TelemetryConfig` class — OpenTelemetry configuration for the CLI server; set on `CopilotClientOptions.setTelemetry()` (upstream: [`f2d21a0`](https://github.com/github/copilot-sdk/commit/f2d21a0))
-- `CopilotClientOptions.setTelemetry(TelemetryConfig)` — enables OpenTelemetry instrumentation in the CLI server (upstream: [`f2d21a0`](https://github.com/github/copilot-sdk/commit/f2d21a0))
+- `TelemetryConfig` class — OpenTelemetry configuration for the CLI server; set on `CopilotClientOptions.setTelemetry()` (reference implementation: [`f2d21a0`](https://github.com/github/copilot-sdk/commit/f2d21a0))
+- `CopilotClientOptions.setTelemetry(TelemetryConfig)` — enables OpenTelemetry instrumentation in the CLI server (reference implementation: [`f2d21a0`](https://github.com/github/copilot-sdk/commit/f2d21a0))
### Changed
@@ -70,61 +70,61 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
## [0.1.32-java.0] - 2026-03-17
-> **Upstream sync:** [`github/copilot-sdk@062b61c`](https://github.com/github/copilot-sdk/commit/062b61c8aa63b9b5d45fa1d7b01723e6660ffa83)
+> **Reference implementation sync:** [`github/copilot-sdk@062b61c`](https://github.com/github/copilot-sdk/commit/062b61c8aa63b9b5d45fa1d7b01723e6660ffa83)
## [1.0.11] - 2026-03-12
-> **Upstream sync:** [`github/copilot-sdk@062b61c`](https://github.com/github/copilot-sdk/commit/062b61c8aa63b9b5d45fa1d7b01723e6660ffa83)
+> **Reference implementation sync:** [`github/copilot-sdk@062b61c`](https://github.com/github/copilot-sdk/commit/062b61c8aa63b9b5d45fa1d7b01723e6660ffa83)
### Added
-- `CopilotClientOptions.setOnListModels(Supplier>>)` — custom handler for `listModels()` used in BYOK mode to return models from a custom provider instead of querying the CLI (upstream: [`e478657`](https://github.com/github/copilot-sdk/commit/e478657))
-- `SessionConfig.setAgent(String)` — pre-selects a custom agent by name when creating a session (upstream: [`7766b1a`](https://github.com/github/copilot-sdk/commit/7766b1a))
-- `ResumeSessionConfig.setAgent(String)` — pre-selects a custom agent by name when resuming a session (upstream: [`7766b1a`](https://github.com/github/copilot-sdk/commit/7766b1a))
-- `SessionConfig.setOnEvent(Consumer)` — registers an event handler before the `session.create` RPC is issued, ensuring no early events are missed (upstream: [`4125fe7`](https://github.com/github/copilot-sdk/commit/4125fe7))
-- `ResumeSessionConfig.setOnEvent(Consumer)` — registers an event handler before the `session.resume` RPC is issued (upstream: [`4125fe7`](https://github.com/github/copilot-sdk/commit/4125fe7))
-- New broadcast session event types (protocol v3): `ExternalToolRequestedEvent` (`external_tool.requested`), `ExternalToolCompletedEvent` (`external_tool.completed`), `PermissionRequestedEvent` (`permission.requested`), `PermissionCompletedEvent` (`permission.completed`), `CommandQueuedEvent` (`command.queued`), `CommandCompletedEvent` (`command.completed`), `ExitPlanModeRequestedEvent` (`exit_plan_mode.requested`), `ExitPlanModeCompletedEvent` (`exit_plan_mode.completed`), `SystemNotificationEvent` (`system.notification`) (upstream: [`1653812`](https://github.com/github/copilot-sdk/commit/1653812), [`396e8b3`](https://github.com/github/copilot-sdk/commit/396e8b3))
-- `CopilotSession.log(String)` and `CopilotSession.log(String, String, Boolean)` — log a message to the session timeline (upstream: [`4125fe7`](https://github.com/github/copilot-sdk/commit/4125fe7))
+- `CopilotClientOptions.setOnListModels(Supplier>>)` — custom handler for `listModels()` used in BYOK mode to return models from a custom provider instead of querying the CLI (reference implementation: [`e478657`](https://github.com/github/copilot-sdk/commit/e478657))
+- `SessionConfig.setAgent(String)` — pre-selects a custom agent by name when creating a session (reference implementation: [`7766b1a`](https://github.com/github/copilot-sdk/commit/7766b1a))
+- `ResumeSessionConfig.setAgent(String)` — pre-selects a custom agent by name when resuming a session (reference implementation: [`7766b1a`](https://github.com/github/copilot-sdk/commit/7766b1a))
+- `SessionConfig.setOnEvent(Consumer)` — registers an event handler before the `session.create` RPC is issued, ensuring no early events are missed (reference implementation: [`4125fe7`](https://github.com/github/copilot-sdk/commit/4125fe7))
+- `ResumeSessionConfig.setOnEvent(Consumer)` — registers an event handler before the `session.resume` RPC is issued (reference implementation: [`4125fe7`](https://github.com/github/copilot-sdk/commit/4125fe7))
+- New broadcast session event types (protocol v3): `ExternalToolRequestedEvent` (`external_tool.requested`), `ExternalToolCompletedEvent` (`external_tool.completed`), `PermissionRequestedEvent` (`permission.requested`), `PermissionCompletedEvent` (`permission.completed`), `CommandQueuedEvent` (`command.queued`), `CommandCompletedEvent` (`command.completed`), `ExitPlanModeRequestedEvent` (`exit_plan_mode.requested`), `ExitPlanModeCompletedEvent` (`exit_plan_mode.completed`), `SystemNotificationEvent` (`system.notification`) (reference implementation: [`1653812`](https://github.com/github/copilot-sdk/commit/1653812), [`396e8b3`](https://github.com/github/copilot-sdk/commit/396e8b3))
+- `CopilotSession.log(String)` and `CopilotSession.log(String, String, Boolean)` — log a message to the session timeline (reference implementation: [`4125fe7`](https://github.com/github/copilot-sdk/commit/4125fe7))
### Changed
-- **Protocol version bumped to v3.** The SDK now supports CLI servers running v2 or v3 (backward-compatible range). Sessions are now registered in the client's session map *before* the `session.create`/`session.resume` RPC is issued, ensuring broadcast events emitted immediately on session start are never dropped (upstream: [`4125fe7`](https://github.com/github/copilot-sdk/commit/4125fe7), [`1653812`](https://github.com/github/copilot-sdk/commit/1653812))
-- In protocol v3, tool calls and permission requests that have a registered handler are now handled automatically via `ExternalToolRequestedEvent` and `PermissionRequestedEvent` broadcast events; results are sent back via `session.tools.handlePendingToolCall` and `session.permissions.handlePendingPermissionRequest` RPC calls (upstream: [`1653812`](https://github.com/github/copilot-sdk/commit/1653812))
+- **Protocol version bumped to v3.** The SDK now supports CLI servers running v2 or v3 (backward-compatible range). Sessions are now registered in the client's session map *before* the `session.create`/`session.resume` RPC is issued, ensuring broadcast events emitted immediately on session start are never dropped (reference implementation: [`4125fe7`](https://github.com/github/copilot-sdk/commit/4125fe7), [`1653812`](https://github.com/github/copilot-sdk/commit/1653812))
+- In protocol v3, tool calls and permission requests that have a registered handler are now handled automatically via `ExternalToolRequestedEvent` and `PermissionRequestedEvent` broadcast events; results are sent back via `session.tools.handlePendingToolCall` and `session.permissions.handlePendingPermissionRequest` RPC calls (reference implementation: [`1653812`](https://github.com/github/copilot-sdk/commit/1653812))
## [1.0.10] - 2026-03-03
-> **Upstream sync:** [`github/copilot-sdk@dcd86c1`](https://github.com/github/copilot-sdk/commit/dcd86c189501ce1b46b787ca60d90f3f315f3079)
+> **Reference implementation sync:** [`github/copilot-sdk@dcd86c1`](https://github.com/github/copilot-sdk/commit/dcd86c189501ce1b46b787ca60d90f3f315f3079)
### Added
-- `CopilotSession.setModel(String)` — changes the model for an existing session mid-conversation; the new model takes effect for the next message, and conversation history is preserved (upstream: [`bd98e3a`](https://github.com/github/copilot-sdk/commit/bd98e3a))
-- `ToolDefinition.createOverride(String, String, Map, ToolHandler)` — creates a tool definition that overrides a built-in CLI tool with the same name (upstream: [`f843c80`](https://github.com/github/copilot-sdk/commit/f843c80))
-- `ToolDefinition` record now includes `overridesBuiltInTool` field; when `true`, signals to the CLI that the custom tool intentionally replaces a built-in (upstream: [`f843c80`](https://github.com/github/copilot-sdk/commit/f843c80))
-- `CopilotSession.listAgents()` — lists custom agents available for selection (upstream: [`9d998fb`](https://github.com/github/copilot-sdk/commit/9d998fb))
-- `CopilotSession.getCurrentAgent()` — gets the currently selected custom agent (upstream: [`9d998fb`](https://github.com/github/copilot-sdk/commit/9d998fb))
-- `CopilotSession.selectAgent(String)` — selects a custom agent for the session (upstream: [`9d998fb`](https://github.com/github/copilot-sdk/commit/9d998fb))
-- `CopilotSession.deselectAgent()` — deselects the current custom agent (upstream: [`9d998fb`](https://github.com/github/copilot-sdk/commit/9d998fb))
-- `CopilotSession.compact()` — triggers immediate session context compaction (upstream: [`9d998fb`](https://github.com/github/copilot-sdk/commit/9d998fb))
-- `AgentInfo` — new JSON type representing a custom agent with `name`, `displayName`, and `description` (upstream: [`9d998fb`](https://github.com/github/copilot-sdk/commit/9d998fb))
-- New event types: `SessionTaskCompleteEvent` (`session.task_complete`), `AssistantStreamingDeltaEvent` (`assistant.streaming_delta`), `SubagentDeselectedEvent` (`subagent.deselected`) (upstream: various commits)
+- `CopilotSession.setModel(String)` — changes the model for an existing session mid-conversation; the new model takes effect for the next message, and conversation history is preserved (reference implementation: [`bd98e3a`](https://github.com/github/copilot-sdk/commit/bd98e3a))
+- `ToolDefinition.createOverride(String, String, Map, ToolHandler)` — creates a tool definition that overrides a built-in CLI tool with the same name (reference implementation: [`f843c80`](https://github.com/github/copilot-sdk/commit/f843c80))
+- `ToolDefinition` record now includes `overridesBuiltInTool` field; when `true`, signals to the CLI that the custom tool intentionally replaces a built-in (reference implementation: [`f843c80`](https://github.com/github/copilot-sdk/commit/f843c80))
+- `CopilotSession.listAgents()` — lists custom agents available for selection (reference implementation: [`9d998fb`](https://github.com/github/copilot-sdk/commit/9d998fb))
+- `CopilotSession.getCurrentAgent()` — gets the currently selected custom agent (reference implementation: [`9d998fb`](https://github.com/github/copilot-sdk/commit/9d998fb))
+- `CopilotSession.selectAgent(String)` — selects a custom agent for the session (reference implementation: [`9d998fb`](https://github.com/github/copilot-sdk/commit/9d998fb))
+- `CopilotSession.deselectAgent()` — deselects the current custom agent (reference implementation: [`9d998fb`](https://github.com/github/copilot-sdk/commit/9d998fb))
+- `CopilotSession.compact()` — triggers immediate session context compaction (reference implementation: [`9d998fb`](https://github.com/github/copilot-sdk/commit/9d998fb))
+- `AgentInfo` — new JSON type representing a custom agent with `name`, `displayName`, and `description` (reference implementation: [`9d998fb`](https://github.com/github/copilot-sdk/commit/9d998fb))
+- New event types: `SessionTaskCompleteEvent` (`session.task_complete`), `AssistantStreamingDeltaEvent` (`assistant.streaming_delta`), `SubagentDeselectedEvent` (`subagent.deselected`) (reference implementation: various commits)
- `AssistantTurnStartEvent` data now includes `interactionId` field
- `AssistantMessageEvent` data now includes `interactionId` field
- `ToolExecutionCompleteEvent` data now includes `model` and `interactionId` fields
- `SkillInvokedEvent` data now includes `pluginName` and `pluginVersion` fields
- `AssistantUsageEvent` data now includes `copilotUsage` field with `CopilotUsage` and `TokenDetails` nested types
-- E2E tests for custom tool permission approval and denial flows (upstream: [`388f2f3`](https://github.com/github/copilot-sdk/commit/388f2f3))
+- E2E tests for custom tool permission approval and denial flows (reference implementation: [`388f2f3`](https://github.com/github/copilot-sdk/commit/388f2f3))
### Changed
-- **Breaking:** `createSession(SessionConfig)` now requires a non-null `onPermissionRequest` handler; throws `IllegalArgumentException` if not provided (upstream: [`279f6c4`](https://github.com/github/copilot-sdk/commit/279f6c4))
-- **Breaking:** `resumeSession(String, ResumeSessionConfig)` now requires a non-null `onPermissionRequest` handler; throws `IllegalArgumentException` if not provided (upstream: [`279f6c4`](https://github.com/github/copilot-sdk/commit/279f6c4))
-- **Breaking:** The no-arg `createSession()` and `resumeSession(String)` overloads were removed (upstream: [`279f6c4`](https://github.com/github/copilot-sdk/commit/279f6c4))
-- `AssistantMessageDeltaEvent` data: `totalResponseSizeBytes` field moved to new `AssistantStreamingDeltaEvent` (upstream: various)
+- **Breaking:** `createSession(SessionConfig)` now requires a non-null `onPermissionRequest` handler; throws `IllegalArgumentException` if not provided (reference implementation: [`279f6c4`](https://github.com/github/copilot-sdk/commit/279f6c4))
+- **Breaking:** `resumeSession(String, ResumeSessionConfig)` now requires a non-null `onPermissionRequest` handler; throws `IllegalArgumentException` if not provided (reference implementation: [`279f6c4`](https://github.com/github/copilot-sdk/commit/279f6c4))
+- **Breaking:** The no-arg `createSession()` and `resumeSession(String)` overloads were removed (reference implementation: [`279f6c4`](https://github.com/github/copilot-sdk/commit/279f6c4))
+- `AssistantMessageDeltaEvent` data: `totalResponseSizeBytes` field moved to new `AssistantStreamingDeltaEvent` (reference implementation: various)
### Fixed
-- Permission checks now also apply to SDK-registered custom tools, invoking the `onPermissionRequest` handler with `kind="custom-tool"` before executing tools (upstream: [`388f2f3`](https://github.com/github/copilot-sdk/commit/388f2f3))
+- Permission checks now also apply to SDK-registered custom tools, invoking the `onPermissionRequest` handler with `kind="custom-tool"` before executing tools (reference implementation: [`388f2f3`](https://github.com/github/copilot-sdk/commit/388f2f3))
## [1.0.9] - 2026-02-16
-> **Upstream sync:** [`github/copilot-sdk@e40d57c`](https://github.com/github/copilot-sdk/commit/e40d57c86e18b495722adbf42045288c03924342)
+> **Reference implementation sync:** [`github/copilot-sdk@e40d57c`](https://github.com/github/copilot-sdk/commit/e40d57c86e18b495722adbf42045288c03924342)
### Added
#### Cookbook with Practical Recipes
@@ -191,7 +191,7 @@ session.on(SessionContextChangedEvent.class, event -> {
## [1.0.8] - 2026-02-08
-> **Upstream sync:** [`github/copilot-sdk@05e3c46`](https://github.com/github/copilot-sdk/commit/05e3c46c8c23130c9c064dc43d00ec78f7a75eab)
+> **Reference implementation sync:** [`github/copilot-sdk@05e3c46`](https://github.com/github/copilot-sdk/commit/05e3c46c8c23130c9c064dc43d00ec78f7a75eab)
### Added
@@ -347,7 +347,7 @@ New types: `GetForegroundSessionResponse`, `SetForegroundSessionResponse`
### Changed
- Enhanced permission request handling with graceful error recovery
-- Updated test harness integration to clone from upstream SDK
+- Updated test harness integration to clone from reference implementation SDK
- Improved logging for session events and user input requests
### Fixed
@@ -366,8 +366,8 @@ New types: `GetForegroundSessionResponse`, `SetForegroundSessionResponse`
### Changed
-- Merged upstream SDK changes (commit 87ff5510)
-- Added agentic-merge-upstream Claude skill for tracking upstream changes
+- Merged reference implementation SDK changes (commit 87ff5510)
+- Added agentic-merge-reference-impl Claude skill for tracking reference implementation changes
### Fixed
@@ -376,7 +376,7 @@ New types: `GetForegroundSessionResponse`, `SetForegroundSessionResponse`
- NPM dependency installation in CI workflow
- Enhanced error handling in permission request processing
- Checkstyle and Maven Resources Plugin version updates
-- Test harness CLI installation to match upstream version
+- Test harness CLI installation to match reference implementation version
## [1.0.4] - 2026-01-27
@@ -394,7 +394,7 @@ New types: `GetForegroundSessionResponse`, `SetForegroundSessionResponse`
- Refactored tool argument handling for improved type safety
- Optimized event listener registration in examples
- Enhanced site navigation with documentation links
-- Merged upstream SDK changes from commit f902b76
+- Merged reference implementation SDK changes from commit f902b76
### Fixed
@@ -410,7 +410,7 @@ New types: `GetForegroundSessionResponse`, `SetForegroundSessionResponse`
- MCP Servers documentation and integration examples
- Infinite sessions documentation section
- Versioned documentation template with version selector
-- Guidelines for porting upstream SDK changes to Java
+- Guidelines for porting reference implementation SDK changes to Java
- Configuration for automatically generated release notes
### Changed
@@ -519,3 +519,4 @@ New types: `GetForegroundSessionResponse`, `SetForegroundSessionResponse`
[1.0.2]: https://github.com/github/copilot-sdk-java/compare/v1.0.1...v1.0.2
[1.0.1]: https://github.com/github/copilot-sdk-java/compare/1.0.0...v1.0.1
[1.0.0]: https://github.com/github/copilot-sdk-java/releases/tag/1.0.0
+
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 6c85671bf..f86976c01 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -5,7 +5,7 @@
Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great.
-This repository contains the **GitHub Copilot SDK for Java**, the official Java variant of the official [GitHub Copilot SDK](https://github.com/github/copilot-sdk). For issues or features related to the upstream SDK, please contribute there instead.
+This repository contains the **GitHub Copilot SDK for Java**, the official Java variant of the official [GitHub Copilot SDK](https://github.com/github/copilot-sdk). For issues or features related to the reference implementation SDK, please contribute there instead.
Contributions to this project are [released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license) to the public under the [project's open source license](LICENSE).
@@ -65,3 +65,4 @@ Here are a few things you can do that will increase the likelihood of your pull
- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
- [Using Pull Requests](https://help.github.com/articles/about-pull-requests/)
- [GitHub Help](https://help.github.com)
+
diff --git a/README.md b/README.md
index 34c04ace7..d425fa4eb 100644
--- a/README.md
+++ b/README.md
@@ -153,7 +153,7 @@ jbang https://github.com/github/copilot-sdk-java/blob/latest/jbang-example.java
## CI/CD Workflows
-This project uses several GitHub Actions workflows for building, testing, releasing, and syncing with the upstream SDK.
+This project uses several GitHub Actions workflows for building, testing, releasing, and syncing with the reference implementation SDK.
See [WORKFLOWS.md](docs/WORKFLOWS.md) for a full overview and details on each workflow.
@@ -212,3 +212,4 @@ MIT — see [LICENSE](LICENSE) for details.
[](https://www.star-history.com/#github/copilot-sdk-java&Date)
⭐ Drop a star if you find this useful!
+
diff --git a/docs/WORKFLOWS.md b/docs/WORKFLOWS.md
index 57ec34f71..1cbb22b36 100644
--- a/docs/WORKFLOWS.md
+++ b/docs/WORKFLOWS.md
@@ -21,9 +21,9 @@ Runs on every push to `main`, on pull requests, and in merge groups. Also runs w
Steps:
1. Checks code formatting with Spotless
-2. Compiles the SDK and clones the upstream test harness
+2. Compiles the SDK and clones the reference implementation test harness
3. Verifies Javadoc generation
-4. Installs the Copilot CLI from the cloned upstream SDK
+4. Installs the Copilot CLI from the cloned reference implementation SDK
5. Runs the full test suite with `mvn verify`
6. Uploads test results (JaCoCo + Surefire) as artifacts for site generation
@@ -98,3 +98,4 @@ Sets up:
- JDK 17 (Temurin)
- `gh-aw` CLI extension
- Maven cache
+
diff --git a/docs/adr/adr-001-semver-pre-general-availability.md b/docs/adr/adr-001-semver-pre-general-availability.md
index 44c9cf6db..33bdcc86c 100644
--- a/docs/adr/adr-001-semver-pre-general-availability.md
+++ b/docs/adr/adr-001-semver-pre-general-availability.md
@@ -20,8 +20,9 @@ We took an architectural decision to enable us to pursue investigating this poss
Chosen option: "Track SemVer of reference implementation, with one exception.", because this enables us to pursue Virtual Threads without delaying the first public release of `copilot-sdk-java`. Also, we're supposed to be aggressively modernizing our customers.
-To some extent, I would use qualifiers to mark a release as having some feature that is awaiting an upstream full release before it goes full ga, i.e you put out 0.1.46-virtualthreads.3 until upstream is ready to move to 0.2.0 then you release your virtual threads change and go 0.2.0. So I would make your agreement that your version numbers would match with the exception of qualifiers that you might add in exceptional circumstances.
+To some extent, I would use qualifiers to mark a release as having some feature that is awaiting an reference implementation full release before it goes full ga, i.e you put out 0.1.46-virtualthreads.3 until reference implementation is ready to move to 0.2.0 then you release your virtual threads change and go 0.2.0. So I would make your agreement that your version numbers would match with the exception of qualifiers that you might add in exceptional circumstances.
## Related work items
- https://devdiv.visualstudio.com/DevDiv/_workitems/edit/2745172
+
diff --git a/docs/adr/adr-002-maven-version-and-reference-implementation-tracking.md b/docs/adr/adr-002-maven-version-and-reference-implementation-tracking.md
index 7ef3d8ec8..6a0b54f22 100644
--- a/docs/adr/adr-002-maven-version-and-reference-implementation-tracking.md
+++ b/docs/adr/adr-002-maven-version-and-reference-implementation-tracking.md
@@ -6,7 +6,7 @@ Releases of this implementation track releases of the reference implementation.
## Considered Options
-- Simple number qualifier (0.1.32-0, 0.1.32-1, ...) fails on a subtle but important point: 0.1.32-0 is treated identically to 0.1.32 by Maven (trailing zeros are normalized away), and bare numeric qualifiers are pre-release semantics. Your "first release" would sort before the upstream bare version.
+- Simple number qualifier (0.1.32-0, 0.1.32-1, ...) fails on a subtle but important point: 0.1.32-0 is treated identically to 0.1.32 by Maven (trailing zeros are normalized away), and bare numeric qualifiers are pre-release semantics. Your "first release" would sort before the reference implementation bare version.
- Java and number in the qualifier (0.1.32-java.N
@@ -54,3 +54,4 @@ Everything looks healthy. Here's the status:
## Related work items
- https://devdiv.visualstudio.com/DevDiv/_workitems/edit/2766089
+
diff --git a/src/test/java/com/github/copilot/sdk/CommandsTest.java b/src/test/java/com/github/copilot/sdk/CommandsTest.java
index baf26b39b..6bddbed28 100644
--- a/src/test/java/com/github/copilot/sdk/CommandsTest.java
+++ b/src/test/java/com/github/copilot/sdk/CommandsTest.java
@@ -25,7 +25,8 @@
* representation).
*
*
- * Ported from {@code CommandsTests.cs} in the upstream dotnet SDK.
+ * Ported from {@code CommandsTests.cs} in the reference implementation dotnet
+ * SDK.
*
*/
class CommandsTest {
diff --git a/src/test/java/com/github/copilot/sdk/ElicitationTest.java b/src/test/java/com/github/copilot/sdk/ElicitationTest.java
index d6e2ac0b5..6b748b4cc 100644
--- a/src/test/java/com/github/copilot/sdk/ElicitationTest.java
+++ b/src/test/java/com/github/copilot/sdk/ElicitationTest.java
@@ -29,7 +29,8 @@
* Unit tests for the Elicitation feature and Session Capabilities.
*
*
- * Ported from {@code ElicitationTests.cs} in the upstream dotnet SDK.
+ * Ported from {@code ElicitationTests.cs} in the reference implementation
+ * dotnet SDK.
*
* Note: Tests for userPromptSubmitted, sessionStart, and sessionEnd hooks are
- * not included as they are not tested in the upstream .NET or Node.js SDKs and
- * require test harness updates to properly invoke these hooks.
+ * not included as they are not tested in the reference implementation .NET or
+ * Node.js SDKs and require test harness updates to properly invoke these hooks.
*
*/
public class HooksTest {
From 1413aa6bddacec9515dccf52df0caed189d32964 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 16 Apr 2026 19:26:14 +0000
Subject: [PATCH 07/32] Fix [reference-impl-hash] parameter naming in
update-changelog.sh
Agent-Logs-Url: https://github.com/github/copilot-sdk-java/sessions/dc42a537-067a-4251-bd14-0fb8fede94d9
Co-authored-by: edburns <75821+edburns@users.noreply.github.com>
---
.github/scripts/release/update-changelog.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/scripts/release/update-changelog.sh b/.github/scripts/release/update-changelog.sh
index 926da5b3b..ff35dec72 100755
--- a/.github/scripts/release/update-changelog.sh
+++ b/.github/scripts/release/update-changelog.sh
@@ -2,13 +2,13 @@
set -e
# Script to update CHANGELOG.md during release process
-# Usage: ./update-changelog.sh [reference implementation-hash]
+# Usage: ./update-changelog.sh [reference-impl-hash]
# Example: ./update-changelog.sh 1.0.8
# Example: ./update-changelog.sh 1.0.8 05e3c46c8c23130c9c064dc43d00ec78f7a75eab
if [ -z "$1" ]; then
echo "Error: Version argument required"
- echo "Usage: $0 [reference implementation-hash]"
+ echo "Usage: $0 [reference-impl-hash]"
exit 1
fi
From 55df0012c43605e2eed754ac90b34be639ef9b71 Mon Sep 17 00:00:00 2001
From: Ed Burns
Date: Thu, 16 Apr 2026 18:15:55 -0400
Subject: [PATCH 08/32] Ignore tilde files
Co-authored-by: edburns <75821+edburns@users.noreply.github.com>
---
.gitignore | 1 +
1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index ddb2508ba..f079a3d20 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@ changebundle.txt*
.classpath
.project
.settings
+*~
From 36de59cabdbe3419f3cbc228cc93b10f91f495bf Mon Sep 17 00:00:00 2001
From: Ed Burns
Date: Thu, 16 Apr 2026 18:26:33 -0400
Subject: [PATCH 09/32] Address very important comment by copilot.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@Copilot wrote:
> This file is runtime-imported by weekly-reference-impl-sync.lock.yml as the agent prompt, but its content is written as documentation rather than imperative agent instructions (e.g., it doesn’t tell the agent to read .lastmerge, clone, compare commits, and must call a safe-output tool). As a result, the agentic workflow may fail or behave unpredictably. Please restore the prior imperative, step-by-step instruction style (like the deleted weekly-upstream-sync.md), updated to the new reference-impl terminology, and ensure it explicitly requires calling create-issue/close-issue/noop as appropriate.
Co-authored-by: edburns <75821+edburns@users.noreply.github.com>
---
.../workflows/weekly-reference-impl-sync.md | 134 +++++++-----------
1 file changed, 50 insertions(+), 84 deletions(-)
diff --git a/.github/workflows/weekly-reference-impl-sync.md b/.github/workflows/weekly-reference-impl-sync.md
index 7e72248e1..711f16ccb 100644
--- a/.github/workflows/weekly-reference-impl-sync.md
+++ b/.github/workflows/weekly-reference-impl-sync.md
@@ -41,111 +41,77 @@ safe-outputs:
noop:
report-as-issue: false
---
-# Weekly Reference Implementation Sync Agentic Workflow
-This document describes the `weekly-reference-impl-sync.yml` GitHub Actions workflow, which automates the detection of new changes in the official [Copilot SDK](https://github.com/github/copilot-sdk) and delegates the merge work to the Copilot coding agent.
+# Weekly Reference Implementation Sync
-## Overview
+You are an automation agent that detects new reference implementation changes and creates GitHub issues. You do **NOT** perform any code merges, edits, or pushes. Do **NOT** invoke any skills (especially `agentic-merge-reference-impl`). Your only job is to check for changes and use safe-output tools to create or close issues.
-The workflow runs on a **weekly schedule** (every Monday at 10:00 UTC) and can also be triggered manually. It does **not** perform the actual merge — instead, it detects reference implementation changes and creates a GitHub issue assigned to `copilot`, instructing the agent to follow the [agentic-merge-reference-impl](../prompts/agentic-merge-reference-impl.prompt.md) prompt to port the changes.
+## Instructions
-The agent must also create the Pull Request with the label `reference-impl-sync`. This allows the workflow to track the merge progress and avoid creating duplicate issues if the agent is still working on a previous sync.
+Follow these steps exactly:
-## Trigger
+### Step 1: Read `.lastmerge`
-| Trigger | Schedule |
-|---|---|
-| `schedule` | Every Monday at 10:00 UTC (`0 10 * * 1`) |
-| `workflow_dispatch` | Manual trigger from the Actions tab |
+Read the file `.lastmerge` in the repository root. It contains the SHA of the last reference implementation commit that was merged into this Java SDK.
-## Workflow Steps
+### Step 2: Check for reference implementation changes
-### 1. Checkout repository
+Clone the reference implementation repository and compare commits:
-Checks out the repo to read the `.lastmerge` file, which contains the SHA of the last reference implementation commit that was merged into the Java SDK.
-
-### 2. Check for reference implementation changes
-
-- Reads the last merged commit hash from `.lastmerge`
-- Clones the reference implementation `github/copilot-sdk` repository
-- Compares `.lastmerge` against reference implementation `HEAD`
-- If they match: sets `has_changes=false`
-- If they differ: counts new commits, generates a summary (up to 20 most recent), and sets outputs (`commit_count`, `reference_impl_head`, `last_merge`, `summary`)
-
-### 3. Close previous reference-impl-sync issues (when changes found)
-
-**Condition:** `has_changes == true`
+```bash
+LAST_MERGE=$(cat .lastmerge)
+git clone --quiet https://github.com/github/copilot-sdk.git /tmp/gh-aw/agent/refererce-impl
+cd /tmp/gh-aw/agent/refererce-impl
+REFERENCE_IMPL_HEAD=$(git rev-parse HEAD)
+```
-Before creating a new issue, closes any existing open issues with the `reference-impl-sync` label. This prevents stale issues from accumulating when previous sync attempts were incomplete or superseded. Each closed issue receives a comment explaining it was superseded.
+If `LAST_MERGE` equals `REFERENCE_IMPL_HEAD`, there are **no new changes**. Go to Step 3a.
-### 4. Close stale reference-impl-sync issues (when no changes found)
+If they differ, count the new commits and generate a summary:
-**Condition:** `has_changes == false`
+```bash
+COMMIT_COUNT=$(git rev-list --count "$LAST_MERGE".."$REFERENCE_IMPL_HEAD")
+SUMMARY=$(git log --oneline "$LAST_MERGE".."$REFERENCE_IMPL_HEAD" | head -20)
+```
-If the reference implementation is already up to date, closes any lingering open `reference-impl-sync` issues with a comment noting that no changes were detected. This handles the case where a previous issue was created but the changes were merged manually (updating `.lastmerge`) before the agent completed.
+Go to Step 3b.
-### 5. Create issue and assign to Copilot
+### Step 3a: No changes detected
-**Condition:** `has_changes == true`
+1. Search for any open issues with the `reference-impl-sync` label using the GitHub MCP tools.
+2. If there are open `reference-impl-sync` labeled issues, close each one using the `close_issue` safe-output tool with a comment: "No new reference implementation changes detected. The Java SDK is up to date. Closing."
+3. Call the `noop` safe-output tool with message: "No new reference implementation changes since last merge ()."
+4. **Stop here.** Do not proceed further.
-Creates a new GitHub issue with:
+### Step 3b: Changes detected
-- **Title:** `Reference implementation sync: N new commits (YYYY-MM-DD)`
-- **Label:** `reference-impl-sync`
-- **Assignee:** `copilot`
-- **Body:** Contains commit count, commit range links, a summary of recent commits, and a link to the merge prompt
+1. Search for any open issues with the `refererce-impl-sync` label using the GitHub MCP tools.
+2. Close each existing open `refererce-impl-sync` issue using the `close_issue` safe-output tool with a comment: "Superseded by a newer reference implementation sync check."
+3. Create a new issue using the `create_issue` safe-output tool with:
+ - **Title:** `Reference Implementation sync: new commits ()`
+ - **Body:** Include the following information:
+ ```
+ ## Automated Reference Implementation Sync
-The Copilot coding agent picks up the issue, creates a branch and PR, then follows the merge prompt to port the changes.
+ There are **** new commits in the [official Copilot SDK](https://github.com/github/copilot-sdk) since the last merge.
-### 6. Summary
+ - **Last merged commit:** [``](https://github.com/github/copilot-sdk/commit/)
+ - **Reference Implementation HEAD:** [``](https://github.com/github/copilot-sdk/commit/)
-Writes a GitHub Actions step summary with:
+ ### Recent reference implementation commits
-- Whether changes were detected
-- Commit count and range
-- Recent reference implementation commits
-- Link to the created issue (if any)
+ ```
+
+ ```
-## Flow Diagram
+ ### Instructions
-```
-┌─────────────────────┐
-│ Schedule / Manual │
-└──────────┬──────────┘
- │
- ▼
-┌──────────────────────────┐
-│ Read .lastmerge │
-│ Clone reference impl SDK │
-│ Compare commits │
-└──────────┬───────────────┘
- │
- ┌─────┴─────┐
- │ │
- changes? no changes
- │ │
- ▼ ▼
-┌──────────┐ ┌──────────────────┐
-│ Close old│ │ Close stale │
-│ issues │ │ issues │
-└────┬─────┘ └──────────────────┘
- │
- ▼
-┌──────────────────────────┐
-│ Create issue assigned to │
-│ copilot │
-└──────────────────────────┘
- │
- ▼
-┌──────────────────────────┐
-│ Agent follows prompt to │
-│ port changes → PR │
-└──────────────────────────┘
-```
+ Follow the [agentic-merge-reference-impl](.github/prompts/agentic-merge-reference-impl.prompt.md) prompt to port these changes to the Java SDK.
+ ```
+4. After creating the issue, use the `assign_to_agent` safe-output tool to assign Copilot to the newly created issue.
-## Related Files
+## Important constraints
-| File | Purpose |
-|---|---|
-| `.lastmerge` | Stores the SHA of the last merged reference implementation commit |
-| [agentic-merge-reference-impl.prompt.md](../prompts/agentic-merge-reference-impl.prompt.md) | Detailed instructions the Copilot agent follows to port changes |
-| `.github/scripts/reference-impl-sync/` | Helper scripts used by the merge prompt |
+- **Do NOT edit any files**, create branches, or push code.
+- **Do NOT invoke any skills** such as `agentic-merge-agentic-merge-reference-impl` or `commit-as-pull-request`.
+- **Do NOT attempt to merge or port reference implementation changes.** That is done by a separate agent that picks up the issue you create.
+- You **MUST** call at least one safe-output tool (`create_issue`, `close_issue`, `noop`, etc.) before finishing.
From 123bb06c237e2b523d9fc954edc36249fd517d97 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 16 Apr 2026 23:02:30 +0000
Subject: [PATCH 10/32] Apply review suggestions: fix assignee, grammar, and
refererce-impl typo
Agent-Logs-Url: https://github.com/github/copilot-sdk-java/sessions/b635280e-2e95-4f3d-a5d9-a261f99c6e74
Co-authored-by: edburns <75821+edburns@users.noreply.github.com>
---
.github/workflows/weekly-reference-impl-sync.md | 10 +++++-----
docs/adr/adr-001-semver-pre-general-availability.md | 2 +-
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/weekly-reference-impl-sync.md b/.github/workflows/weekly-reference-impl-sync.md
index 711f16ccb..1d1f9a4fd 100644
--- a/.github/workflows/weekly-reference-impl-sync.md
+++ b/.github/workflows/weekly-reference-impl-sync.md
@@ -24,7 +24,7 @@ tools:
safe-outputs:
create-issue:
title-prefix: "[reference-impl-sync] "
- assignees: [copilot]
+ assignees: [copilot-swe-agent]
labels: [reference-impl-sync]
expires: 6
close-issue:
@@ -59,8 +59,8 @@ Clone the reference implementation repository and compare commits:
```bash
LAST_MERGE=$(cat .lastmerge)
-git clone --quiet https://github.com/github/copilot-sdk.git /tmp/gh-aw/agent/refererce-impl
-cd /tmp/gh-aw/agent/refererce-impl
+git clone --quiet https://github.com/github/copilot-sdk.git /tmp/gh-aw/agent/reference-impl
+cd /tmp/gh-aw/agent/reference-impl
REFERENCE_IMPL_HEAD=$(git rev-parse HEAD)
```
@@ -84,8 +84,8 @@ Go to Step 3b.
### Step 3b: Changes detected
-1. Search for any open issues with the `refererce-impl-sync` label using the GitHub MCP tools.
-2. Close each existing open `refererce-impl-sync` issue using the `close_issue` safe-output tool with a comment: "Superseded by a newer reference implementation sync check."
+1. Search for any open issues with the `reference-impl-sync` label using the GitHub MCP tools.
+2. Close each existing open `reference-impl-sync` issue using the `close_issue` safe-output tool with a comment: "Superseded by a newer reference implementation sync check."
3. Create a new issue using the `create_issue` safe-output tool with:
- **Title:** `Reference Implementation sync: new commits ()`
- **Body:** Include the following information:
diff --git a/docs/adr/adr-001-semver-pre-general-availability.md b/docs/adr/adr-001-semver-pre-general-availability.md
index 33bdcc86c..25008b0f5 100644
--- a/docs/adr/adr-001-semver-pre-general-availability.md
+++ b/docs/adr/adr-001-semver-pre-general-availability.md
@@ -20,7 +20,7 @@ We took an architectural decision to enable us to pursue investigating this poss
Chosen option: "Track SemVer of reference implementation, with one exception.", because this enables us to pursue Virtual Threads without delaying the first public release of `copilot-sdk-java`. Also, we're supposed to be aggressively modernizing our customers.
-To some extent, I would use qualifiers to mark a release as having some feature that is awaiting an reference implementation full release before it goes full ga, i.e you put out 0.1.46-virtualthreads.3 until reference implementation is ready to move to 0.2.0 then you release your virtual threads change and go 0.2.0. So I would make your agreement that your version numbers would match with the exception of qualifiers that you might add in exceptional circumstances.
+To some extent, I would use qualifiers to mark a release as having some feature that is awaiting a reference implementation full release before it goes full ga, i.e you put out 0.1.46-virtualthreads.3 until reference implementation is ready to move to 0.2.0 then you release your virtual threads change and go 0.2.0. So I would make your agreement that your version numbers would match with the exception of qualifiers that you might add in exceptional circumstances.
## Related work items
From a512425d4182f9ad73b43528c99191474835f3e0 Mon Sep 17 00:00:00 2001
From: Ed Burns
Date: Thu, 16 Apr 2026 22:55:30 -0400
Subject: [PATCH 11/32] Recompile agentic workflow lock file from updated .md
source
modified: .github/aw/actions-lock.json
- Adds new pinned entry for `actions/github-script@v9` (sha `373c709c...`)
- Updates `github/gh-aw-actions/setup` pin from `v0.63.1` to `v0.68.3` with new sha
modified: .github/workflows/weekly-reference-impl-sync.lock.yml
- Regenerated by `gh aw compile` (v0.68.3) from the `.md` source that was hand-edited in PR #77 without recompiling
- Compiler upgraded from v0.51.6 to v0.68.3; schema version v1 to v3
- Frontmatter hash updated to reflect current `.md` content
- `create_issue` assignee now correctly reflects `copilot-swe-agent` (was `copilot`)
- `assign_to_agent` now includes `model: claude-opus-4.6`
- Safe-outputs config updated with new tool entries (`create_report_incomplete_issue`, `report_incomplete`, `noop`)
- Action pin references updated to match newer gh-aw-actions versions
Signed-off-by: Ed Burns
Co-authored-by: edburns <75821+edburns@users.noreply.github.com>
---
.github/aw/actions-lock.json | 11 +-
.../weekly-reference-impl-sync.lock.yml | 1337 +++++++++--------
2 files changed, 690 insertions(+), 658 deletions(-)
diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json
index 0da84b9c6..1b8b4b56b 100644
--- a/.github/aw/actions-lock.json
+++ b/.github/aw/actions-lock.json
@@ -5,6 +5,11 @@
"version": "v8",
"sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd"
},
+ "actions/github-script@v9": {
+ "repo": "actions/github-script",
+ "version": "v9",
+ "sha": "373c709c69115d41ff229c7e5df9f8788daa9553"
+ },
"actions/setup-java@v4": {
"repo": "actions/setup-java",
"version": "v4",
@@ -15,10 +20,10 @@
"version": "v4",
"sha": "49933ea5288caeca8642d1e84afbd3f7d6820020"
},
- "github/gh-aw-actions/setup@v0.63.1": {
+ "github/gh-aw-actions/setup@v0.68.3": {
"repo": "github/gh-aw-actions/setup",
- "version": "v0.63.1",
- "sha": "53e09ec0be6271e81a69f51ef93f37212c8834b0"
+ "version": "v0.68.3",
+ "sha": "ba90f2186d7ad780ec640f364005fa24e797b360"
},
"github/gh-aw/actions/setup@v0.51.6": {
"repo": "github/gh-aw/actions/setup",
diff --git a/.github/workflows/weekly-reference-impl-sync.lock.yml b/.github/workflows/weekly-reference-impl-sync.lock.yml
index 25de1e1e8..49bfd3ac0 100644
--- a/.github/workflows/weekly-reference-impl-sync.lock.yml
+++ b/.github/workflows/weekly-reference-impl-sync.lock.yml
@@ -1,4 +1,5 @@
-#
+# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"54f733578d3011b148c7aff09a0e72085d787a777a996488f08aeffdf52ec93b","compiler_version":"v0.68.3","strict":true,"agent_id":"copilot"}
+# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_AGENT_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"ba90f2186d7ad780ec640f364005fa24e797b360","version":"v0.68.3"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.20"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.20"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.20"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.2.19"},{"image":"ghcr.io/github/github-mcp-server:v0.32.0"},{"image":"node:lts-alpine"}]}
# ___ _ _
# / _ \ | | (_)
# | |_| | __ _ ___ _ __ | |_ _ ___
@@ -13,7 +14,7 @@
# \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \
# \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/
#
-# This file was automatically generated by gh-aw (v0.51.6). DO NOT EDIT.
+# This file was automatically generated by gh-aw (v0.68.3). DO NOT EDIT.
#
# To update this file, edit the corresponding .md file and run:
# gh aw compile
@@ -24,88 +25,135 @@
# Weekly reference implementation sync workflow. Checks for new commits in the official
# Copilot SDK (github/copilot-sdk) and assigns to Copilot to port changes.
#
-# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"fc14b09206c7aeafcd52c843adce996a1c14cf15875f9b647ef71f631b3b296e","compiler_version":"v0.51.6"}
+# Secrets used:
+# - COPILOT_GITHUB_TOKEN
+# - GH_AW_AGENT_TOKEN
+# - GH_AW_GITHUB_MCP_SERVER_TOKEN
+# - GH_AW_GITHUB_TOKEN
+# - GITHUB_TOKEN
+#
+# Custom actions used:
+# - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+# - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+# - actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
+# - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+# - github/gh-aw-actions/setup@ba90f2186d7ad780ec640f364005fa24e797b360 # v0.68.3
+#
+# Container images used:
+# - ghcr.io/github/gh-aw-firewall/agent:0.25.20
+# - ghcr.io/github/gh-aw-firewall/api-proxy:0.25.20
+# - ghcr.io/github/gh-aw-firewall/squid:0.25.20
+# - ghcr.io/github/gh-aw-mcpg:v0.2.19
+# - ghcr.io/github/github-mcp-server:v0.32.0
+# - node:lts-alpine
-name: "Weekly Reference Implementation Sync Agentic Workflow"
+name: "Weekly Reference Implementation Sync"
"on":
schedule:
- - cron: "39 8 * * 2"
+ - cron: "40 11 * * 0"
# Friendly format: weekly (scattered)
workflow_dispatch:
+ inputs:
+ aw_context:
+ default: ""
+ description: Agent caller context (used internally by Agentic Workflows).
+ required: false
+ type: string
permissions: {}
concurrency:
group: "gh-aw-${{ github.workflow }}"
-run-name: "Weekly Reference Implementation Sync Agentic Workflow"
+run-name: "Weekly Reference Implementation Sync"
jobs:
activation:
runs-on: ubuntu-slim
permissions:
+ actions: read
contents: read
outputs:
comment_id: ""
comment_repo: ""
+ lockdown_check_failed: ${{ steps.generate_aw_info.outputs.lockdown_check_failed == 'true' }}
model: ${{ steps.generate_aw_info.outputs.model }}
secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
+ setup-trace-id: ${{ steps.setup.outputs.trace-id }}
+ stale_lock_file_failed: ${{ steps.check-lock-file.outputs.stale_lock_file_failed == 'true' }}
steps:
- name: Setup Scripts
- uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6
+ id: setup
+ uses: github/gh-aw-actions/setup@ba90f2186d7ad780ec640f364005fa24e797b360 # v0.68.3
with:
- destination: /opt/gh-aw/actions
+ destination: ${{ runner.temp }}/gh-aw/actions
+ job-name: ${{ github.job }}
- name: Generate agentic run info
id: generate_aw_info
env:
GH_AW_INFO_ENGINE_ID: "copilot"
GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
- GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }}
- GH_AW_INFO_VERSION: ""
- GH_AW_INFO_AGENT_VERSION: "0.0.420"
- GH_AW_INFO_CLI_VERSION: "v0.51.6"
- GH_AW_INFO_WORKFLOW_NAME: "Weekly Reference Implementation Sync Agentic Workflow"
+ GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
+ GH_AW_INFO_VERSION: "1.0.21"
+ GH_AW_INFO_AGENT_VERSION: "1.0.21"
+ GH_AW_INFO_CLI_VERSION: "v0.68.3"
+ GH_AW_INFO_WORKFLOW_NAME: "Weekly Reference Implementation Sync"
GH_AW_INFO_EXPERIMENTAL: "false"
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
GH_AW_INFO_STAGED: "false"
GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","github"]'
GH_AW_INFO_FIREWALL_ENABLED: "true"
- GH_AW_INFO_AWF_VERSION: "v0.23.0"
+ GH_AW_INFO_AWF_VERSION: "v0.25.20"
GH_AW_INFO_AWMG_VERSION: ""
GH_AW_INFO_FIREWALL_TYPE: "squid"
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ GH_AW_COMPILED_STRICT: "true"
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
with:
script: |
- const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs');
+ const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io, getOctokit);
+ const { main } = require('${{ runner.temp }}/gh-aw/actions/generate_aw_info.cjs');
await main(core, context);
- name: Validate COPILOT_GITHUB_TOKEN secret
id: validate-secret
- run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default
+ run: bash "${RUNNER_TEMP}/gh-aw/actions/validate_multi_secret.sh" COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default
env:
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- name: Checkout .github and .agents folders
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
+ persist-credentials: false
sparse-checkout: |
.github
.agents
sparse-checkout-cone-mode: true
fetch-depth: 1
- persist-credentials: false
- - name: Check workflow file timestamps
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ - name: Check workflow lock file
+ id: check-lock-file
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
env:
GH_AW_WORKFLOW_FILE: "weekly-reference-impl-sync.lock.yml"
+ GH_AW_CONTEXT_WORKFLOW_REF: "${{ github.workflow_ref }}"
with:
script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs');
+ const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io, getOctokit);
+ const { main } = require('${{ runner.temp }}/gh-aw/actions/check_workflow_timestamp_api.cjs');
+ await main();
+ - name: Check compile-agentic version
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
+ env:
+ GH_AW_COMPILED_VERSION: "v0.68.3"
+ with:
+ script: |
+ const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io, getOctokit);
+ const { main } = require('${{ runner.temp }}/gh-aw/actions/check_version_updates.cjs');
await main();
- name: Create prompt with built-in context
env:
GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
+ GH_AW_SAFE_OUTPUTS: ${{ runner.temp }}/gh-aw/safeoutputs/outputs.jsonl
GH_AW_GITHUB_ACTOR: ${{ github.actor }}
GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
@@ -114,19 +162,20 @@ jobs:
GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
+ # poutine:ignore untrusted_checkout_exec
run: |
- bash /opt/gh-aw/actions/create_prompt_first.sh
+ bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh"
{
- cat << 'GH_AW_PROMPT_EOF'
+ cat << 'GH_AW_PROMPT_9a049ffd9b204d97_EOF'
- GH_AW_PROMPT_EOF
- cat "/opt/gh-aw/prompts/xpia.md"
- cat "/opt/gh-aw/prompts/temp_folder_prompt.md"
- cat "/opt/gh-aw/prompts/markdown.md"
- cat "/opt/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_EOF'
+ GH_AW_PROMPT_9a049ffd9b204d97_EOF
+ cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
+ cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
+ cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
+ cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
+ cat << 'GH_AW_PROMPT_9a049ffd9b204d97_EOF'
- Tools: add_comment, create_issue, close_issue, assign_to_agent, missing_tool, missing_data, noop
+ Tools: add_comment(max:10), create_issue, close_issue(max:10), assign_to_agent, missing_tool, missing_data, noop
The following GitHub context information is available for this workflow:
@@ -156,26 +205,25 @@ jobs:
{{/if}}
- GH_AW_PROMPT_EOF
- cat << 'GH_AW_PROMPT_EOF'
+ GH_AW_PROMPT_9a049ffd9b204d97_EOF
+ cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
+ cat << 'GH_AW_PROMPT_9a049ffd9b204d97_EOF'
- GH_AW_PROMPT_EOF
- cat << 'GH_AW_PROMPT_EOF'
{{#runtime-import .github/workflows/weekly-reference-impl-sync.md}}
- GH_AW_PROMPT_EOF
+ GH_AW_PROMPT_9a049ffd9b204d97_EOF
} > "$GH_AW_PROMPT"
- name: Interpolate variables and render templates
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
env:
GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
with:
script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs');
+ const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io, getOctokit);
+ const { main } = require('${{ runner.temp }}/gh-aw/actions/interpolate_prompt.cjs');
await main();
- name: Substitute placeholders
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
env:
GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
GH_AW_GITHUB_ACTOR: ${{ github.actor }}
@@ -188,10 +236,10 @@ jobs:
GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
with:
script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
+ const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io, getOctokit);
- const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs');
+ const substitutePlaceholders = require('${{ runner.temp }}/gh-aw/actions/substitute_placeholders.cjs');
// Call the substitution function
return await substitutePlaceholders({
@@ -210,19 +258,23 @@ jobs:
- name: Validate prompt placeholders
env:
GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh
+ # poutine:ignore untrusted_checkout_exec
+ run: bash "${RUNNER_TEMP}/gh-aw/actions/validate_prompt_placeholders.sh"
- name: Print prompt
env:
GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- run: bash /opt/gh-aw/actions/print_prompt_summary.sh
+ # poutine:ignore untrusted_checkout_exec
+ run: bash "${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh"
- name: Upload activation artifact
if: success()
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: activation
path: |
/tmp/gh-aw/aw_info.json
/tmp/gh-aw/aw-prompts/prompt.txt
+ /tmp/gh-aw/github_rate_limits.jsonl
+ if-no-files-found: ignore
retention-days: 1
agent:
@@ -240,425 +292,292 @@ jobs:
GH_AW_ASSETS_BRANCH: ""
GH_AW_ASSETS_MAX_SIZE_KB: 0
GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
- GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl
- GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
- GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
GH_AW_WORKFLOW_ID_SANITIZED: weeklyreferenceimplsync
outputs:
+ agentic_engine_timeout: ${{ steps.detect-copilot-errors.outputs.agentic_engine_timeout || 'false' }}
checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }}
- detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }}
- detection_success: ${{ steps.detection_conclusion.outputs.success }}
+ effective_tokens: ${{ steps.parse-mcp-gateway.outputs.effective_tokens }}
has_patch: ${{ steps.collect_output.outputs.has_patch }}
+ inference_access_error: ${{ steps.detect-copilot-errors.outputs.inference_access_error || 'false' }}
+ mcp_policy_error: ${{ steps.detect-copilot-errors.outputs.mcp_policy_error || 'false' }}
model: ${{ needs.activation.outputs.model }}
+ model_not_supported_error: ${{ steps.detect-copilot-errors.outputs.model_not_supported_error || 'false' }}
output: ${{ steps.collect_output.outputs.output }}
output_types: ${{ steps.collect_output.outputs.output_types }}
+ setup-trace-id: ${{ steps.setup.outputs.trace-id }}
steps:
- name: Setup Scripts
- uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6
+ id: setup
+ uses: github/gh-aw-actions/setup@ba90f2186d7ad780ec640f364005fa24e797b360 # v0.68.3
with:
- destination: /opt/gh-aw/actions
+ destination: ${{ runner.temp }}/gh-aw/actions
+ job-name: ${{ github.job }}
+ trace-id: ${{ needs.activation.outputs.setup-trace-id }}
+ - name: Set runtime paths
+ id: set-runtime-paths
+ run: |
+ {
+ echo "GH_AW_SAFE_OUTPUTS=${RUNNER_TEMP}/gh-aw/safeoutputs/outputs.jsonl"
+ echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${RUNNER_TEMP}/gh-aw/safeoutputs/config.json"
+ echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${RUNNER_TEMP}/gh-aw/safeoutputs/tools.json"
+ } >> "$GITHUB_OUTPUT"
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Create gh-aw temp directory
- run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh
+ run: bash "${RUNNER_TEMP}/gh-aw/actions/create_gh_aw_tmp_dir.sh"
+ - name: Configure gh CLI for GitHub Enterprise
+ run: bash "${RUNNER_TEMP}/gh-aw/actions/configure_gh_for_ghe.sh"
+ env:
+ GH_TOKEN: ${{ github.token }}
- name: Configure Git credentials
env:
REPO_NAME: ${{ github.repository }}
SERVER_URL: ${{ github.server_url }}
+ GITHUB_TOKEN: ${{ github.token }}
run: |
git config --global user.email "github-actions[bot]@users.noreply.github.com"
git config --global user.name "github-actions[bot]"
git config --global am.keepcr true
# Re-authenticate git with GitHub token
SERVER_URL_STRIPPED="${SERVER_URL#https://}"
- git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
+ git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
echo "Git configured with standard GitHub Actions identity"
- name: Checkout PR branch
id: checkout-pr
if: |
- (github.event.pull_request) || (github.event.issue.pull_request)
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ github.event.pull_request || github.event.issue.pull_request
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
env:
GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
with:
github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs');
+ const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io, getOctokit);
+ const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- name: Install GitHub Copilot CLI
- run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.420
- - name: Install awf binary
- run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0
+ run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.21
+ env:
+ GH_HOST: github.com
+ - name: Install AWF binary
+ run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.20
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
env:
GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
with:
script: |
- const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs');
+ const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs');
await determineAutomaticLockdown(github, context, core);
- name: Download container images
- run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.6 ghcr.io/github/github-mcp-server:v0.31.0 node:lts-alpine
+ run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.20 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.20 ghcr.io/github/gh-aw-firewall/squid:0.25.20 ghcr.io/github/gh-aw-mcpg:v0.2.19 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine
- name: Write Safe Outputs Config
run: |
- mkdir -p /opt/gh-aw/safeoutputs
+ mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs"
mkdir -p /tmp/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF'
- {"add_comment":{"max":10,"target":"*"},"assign_to_agent":{"default_agent":"copilot","max":1,"target":"*"},"close_issue":{"max":10,"required_labels":["reference-impl-sync"],"target":"*"},"create_issue":{"expires":144,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}}
- GH_AW_SAFE_OUTPUTS_CONFIG_EOF
- cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF'
- [
- {
- "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[reference-impl-sync] \". Labels [reference-impl-sync] will be automatically added. Assignees [copilot] will be automatically assigned.",
- "inputSchema": {
- "additionalProperties": false,
- "properties": {
- "body": {
- "description": "Detailed issue description in Markdown. Do NOT repeat the title as a heading since it already appears as the issue's h1. Include context, reproduction steps, or acceptance criteria as appropriate.",
- "type": "string"
- },
- "labels": {
- "description": "Labels to categorize the issue (e.g., 'bug', 'enhancement'). Labels must exist in the repository.",
- "items": {
- "type": "string"
- },
- "type": "array"
- },
- "parent": {
- "description": "Parent issue number for creating sub-issues. This is the numeric ID from the GitHub URL (e.g., 42 in github.com/owner/repo/issues/42). Can also be a temporary_id (e.g., 'aw_abc123', 'aw_Test123') from a previously created issue in the same workflow run.",
- "type": [
- "number",
- "string"
- ]
- },
- "temporary_id": {
- "description": "Unique temporary identifier for referencing this issue before it's created. Format: 'aw_' followed by 3 to 8 alphanumeric characters (e.g., 'aw_abc1', 'aw_Test123'). Use '#aw_ID' in body text to reference other issues by their temporary_id; these are replaced with actual issue numbers after creation.",
- "pattern": "^aw_[A-Za-z0-9]{3,8}$",
- "type": "string"
- },
- "title": {
- "description": "Concise issue title summarizing the bug, feature, or task. The title appears as the main heading, so keep it brief and descriptive.",
- "type": "string"
- }
- },
- "required": [
- "title",
- "body"
- ],
- "type": "object"
- },
- "name": "create_issue"
- },
+ cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_2a317c5680ea1925_EOF'
+ {"add_comment":{"max":10,"target":"*"},"assign_to_agent":{"max":1,"model":"claude-opus-4.6","name":"copilot","target":"*"},"close_issue":{"max":10,"required_labels":["reference-impl-sync"],"target":"*"},"create_issue":{"assignees":["copilot-swe-agent"],"expires":144,"labels":["reference-impl-sync"],"max":1,"title_prefix":"[reference-impl-sync] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"false"},"report_incomplete":{}}
+ GH_AW_SAFE_OUTPUTS_CONFIG_2a317c5680ea1925_EOF
+ - name: Write Safe Outputs Tools
+ env:
+ GH_AW_TOOLS_META_JSON: |
{
- "description": "Close a GitHub issue with a closing comment. You can and should always add a comment when closing an issue to explain the action or provide context. This tool is ONLY for closing issues - use update_issue if you need to change the title, body, labels, or other metadata without closing. Use close_issue when work is complete, the issue is no longer relevant, or it's a duplicate. The closing comment should explain the resolution or reason for closing. If the issue is already closed, a comment will still be posted. CONSTRAINTS: Maximum 10 issue(s) can be closed. Target: *.",
- "inputSchema": {
- "additionalProperties": false,
- "properties": {
- "body": {
- "description": "Closing comment explaining why the issue is being closed and summarizing any resolution, workaround, or conclusion.",
- "type": "string"
- },
- "issue_number": {
- "description": "Issue number to close. This is the numeric ID from the GitHub URL (e.g., 901 in github.com/owner/repo/issues/901). If omitted, closes the issue that triggered this workflow (requires an issue event trigger).",
- "type": [
- "number",
- "string"
- ]
- }
- },
- "required": [
- "body"
- ],
- "type": "object"
+ "description_suffixes": {
+ "add_comment": " CONSTRAINTS: Maximum 10 comment(s) can be added. Target: *. Supports reply_to_id for discussion threading.",
+ "assign_to_agent": " CONSTRAINTS: Maximum 1 issue(s) can be assigned to agent.",
+ "close_issue": " CONSTRAINTS: Maximum 10 issue(s) can be closed. Target: *.",
+ "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[reference-impl-sync] \". Labels [\"reference-impl-sync\"] will be automatically added. Assignees [\"copilot-swe-agent\"] will be automatically assigned."
},
- "name": "close_issue"
- },
+ "repo_params": {},
+ "dynamic_tools": []
+ }
+ GH_AW_VALIDATION_JSON: |
{
- "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 10 comment(s) can be added. Target: *.",
- "inputSchema": {
- "additionalProperties": false,
- "properties": {
+ "add_comment": {
+ "defaultMax": 1,
+ "fields": {
"body": {
- "description": "The comment text in Markdown format. This is the 'body' field - do not use 'comment_body' or other variations. Provide helpful, relevant information that adds value to the conversation. CONSTRAINTS: The complete comment (your body text + automatically added footer) must not exceed 65536 characters total. Maximum 10 mentions (@username), maximum 50 links (http/https URLs). A footer (~200-500 characters) is automatically appended with workflow attribution, so leave adequate space. If these limits are exceeded, the tool call will fail with a detailed error message indicating which constraint was violated.",
- "type": "string"
+ "required": true,
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 65000
},
"item_number": {
- "description": "The issue, pull request, or discussion number to comment on. This is the numeric ID from the GitHub URL (e.g., 123 in github.com/owner/repo/issues/123). If omitted, the tool auto-targets the issue, PR, or discussion that triggered this workflow. Auto-targeting only works for issue, pull_request, discussion, and comment event triggers — it does NOT work for schedule, workflow_dispatch, push, or workflow_run triggers. For those trigger types, always provide item_number explicitly, or the comment will be silently discarded.",
- "type": "number"
+ "issueOrPRNumber": true
+ },
+ "reply_to_id": {
+ "type": "string",
+ "maxLength": 256
+ },
+ "repo": {
+ "type": "string",
+ "maxLength": 256
}
- },
- "required": [
- "body"
- ],
- "type": "object"
+ }
},
- "name": "add_comment"
- },
- {
- "description": "Assign the GitHub Copilot coding agent to work on an issue or pull request. The agent will analyze the issue/PR and attempt to implement a solution, creating a pull request when complete. Use this to delegate coding tasks to Copilot. Example usage: assign_to_agent(issue_number=123, agent=\"copilot\") or assign_to_agent(pull_number=456, agent=\"copilot\", pull_request_repo=\"owner/repo\") CONSTRAINTS: Maximum 1 issue(s) can be assigned to agent.",
- "inputSchema": {
- "additionalProperties": false,
- "properties": {
+ "assign_to_agent": {
+ "defaultMax": 1,
+ "fields": {
"agent": {
- "description": "Agent identifier to assign. Defaults to 'copilot' (the Copilot coding agent) if not specified.",
- "type": "string"
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 128
},
"issue_number": {
- "description": "Issue number to assign the Copilot coding agent to. This is the numeric ID from the GitHub URL (e.g., 234 in github.com/owner/repo/issues/234). Can also be a temporary_id (e.g., 'aw_abc123', 'aw_Test123') from an issue created earlier in the same workflow run. The issue should contain clear, actionable requirements. Either issue_number or pull_number must be provided, but not both.",
- "type": [
- "number",
- "string"
- ]
+ "issueNumberOrTemporaryId": true
},
"pull_number": {
- "description": "Pull request number to assign the Copilot coding agent to. This is the numeric ID from the GitHub URL (e.g., 456 in github.com/owner/repo/pull/456). Either issue_number or pull_number must be provided, but not both.",
- "type": [
- "number",
- "string"
- ]
+ "optionalPositiveInteger": true
},
"pull_request_repo": {
- "description": "Target repository where the pull request should be created, in 'owner/repo' format. If omitted, the PR will be created in the same repository as the issue. This allows issues and code to live in different repositories. The global pull-request-repo configuration (if set) is automatically allowed; additional repositories must be listed in allowed-pull-request-repos.",
- "type": "string"
+ "type": "string",
+ "maxLength": 256
+ },
+ "repo": {
+ "type": "string",
+ "maxLength": 256
}
},
- "type": "object"
+ "customValidation": "requiresOneOf:issue_number,pull_number"
},
- "name": "assign_to_agent"
- },
- {
- "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.",
- "inputSchema": {
- "additionalProperties": false,
- "properties": {
- "alternatives": {
- "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).",
- "type": "string"
+ "close_issue": {
+ "defaultMax": 1,
+ "fields": {
+ "body": {
+ "required": true,
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 65000
},
- "reason": {
- "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).",
- "type": "string"
+ "issue_number": {
+ "optionalPositiveInteger": true
},
- "tool": {
- "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.",
- "type": "string"
+ "repo": {
+ "type": "string",
+ "maxLength": 256
}
- },
- "required": [
- "reason"
- ],
- "type": "object"
+ }
},
- "name": "missing_tool"
- },
- {
- "description": "Log a transparency message when no significant actions are needed. Use this to confirm workflow completion and provide visibility when analysis is complete but no changes or outputs are required (e.g., 'No issues found', 'All checks passed'). This ensures the workflow produces human-visible output even when no other actions are taken.",
- "inputSchema": {
- "additionalProperties": false,
- "properties": {
- "message": {
- "description": "Status or completion message to log. Should explain what was analyzed and the outcome (e.g., 'Code review complete - no issues found', 'Analysis complete - all tests passing').",
+ "create_issue": {
+ "defaultMax": 1,
+ "fields": {
+ "body": {
+ "required": true,
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 65000
+ },
+ "labels": {
+ "type": "array",
+ "itemType": "string",
+ "itemSanitize": true,
+ "itemMaxLength": 128
+ },
+ "parent": {
+ "issueOrPRNumber": true
+ },
+ "repo": {
+ "type": "string",
+ "maxLength": 256
+ },
+ "temporary_id": {
"type": "string"
+ },
+ "title": {
+ "required": true,
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 128
}
- },
- "required": [
- "message"
- ],
- "type": "object"
+ }
},
- "name": "noop"
- },
- {
- "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.",
- "inputSchema": {
- "additionalProperties": false,
- "properties": {
+ "missing_data": {
+ "defaultMax": 20,
+ "fields": {
"alternatives": {
- "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).",
- "type": "string"
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 256
},
"context": {
- "description": "Additional context about the missing data or where it should come from (max 256 characters).",
- "type": "string"
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 256
},
"data_type": {
- "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.",
- "type": "string"
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 128
},
"reason": {
- "description": "Explanation of why this data is needed to complete the task (max 256 characters).",
- "type": "string"
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 256
}
- },
- "required": [],
- "type": "object"
- },
- "name": "missing_data"
- }
- ]
- GH_AW_SAFE_OUTPUTS_TOOLS_EOF
- cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF'
- {
- "add_comment": {
- "defaultMax": 1,
- "fields": {
- "body": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 65000
- },
- "item_number": {
- "issueOrPRNumber": true
- },
- "repo": {
- "type": "string",
- "maxLength": 256
- }
- }
- },
- "assign_to_agent": {
- "defaultMax": 1,
- "fields": {
- "agent": {
- "type": "string",
- "sanitize": true,
- "maxLength": 128
- },
- "issue_number": {
- "issueNumberOrTemporaryId": true
- },
- "pull_number": {
- "optionalPositiveInteger": true
- },
- "pull_request_repo": {
- "type": "string",
- "maxLength": 256
- },
- "repo": {
- "type": "string",
- "maxLength": 256
}
},
- "customValidation": "requiresOneOf:issue_number,pull_number"
- },
- "close_issue": {
- "defaultMax": 1,
- "fields": {
- "body": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 65000
- },
- "issue_number": {
- "optionalPositiveInteger": true
- },
- "repo": {
- "type": "string",
- "maxLength": 256
- }
- }
- },
- "create_issue": {
- "defaultMax": 1,
- "fields": {
- "body": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 65000
- },
- "labels": {
- "type": "array",
- "itemType": "string",
- "itemSanitize": true,
- "itemMaxLength": 128
- },
- "parent": {
- "issueOrPRNumber": true
- },
- "repo": {
- "type": "string",
- "maxLength": 256
- },
- "temporary_id": {
- "type": "string"
- },
- "title": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 128
- }
- }
- },
- "missing_data": {
- "defaultMax": 20,
- "fields": {
- "alternatives": {
- "type": "string",
- "sanitize": true,
- "maxLength": 256
- },
- "context": {
- "type": "string",
- "sanitize": true,
- "maxLength": 256
- },
- "data_type": {
- "type": "string",
- "sanitize": true,
- "maxLength": 128
- },
- "reason": {
- "type": "string",
- "sanitize": true,
- "maxLength": 256
+ "missing_tool": {
+ "defaultMax": 20,
+ "fields": {
+ "alternatives": {
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 512
+ },
+ "reason": {
+ "required": true,
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 256
+ },
+ "tool": {
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 128
+ }
}
- }
- },
- "missing_tool": {
- "defaultMax": 20,
- "fields": {
- "alternatives": {
- "type": "string",
- "sanitize": true,
- "maxLength": 512
- },
- "reason": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 256
- },
- "tool": {
- "type": "string",
- "sanitize": true,
- "maxLength": 128
+ },
+ "noop": {
+ "defaultMax": 1,
+ "fields": {
+ "message": {
+ "required": true,
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 65000
+ }
}
- }
- },
- "noop": {
- "defaultMax": 1,
- "fields": {
- "message": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 65000
+ },
+ "report_incomplete": {
+ "defaultMax": 5,
+ "fields": {
+ "details": {
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 65000
+ },
+ "reason": {
+ "required": true,
+ "type": "string",
+ "sanitize": true,
+ "maxLength": 1024
+ }
}
}
}
- }
- GH_AW_SAFE_OUTPUTS_VALIDATION_EOF
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
+ with:
+ script: |
+ const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io, getOctokit);
+ const { main } = require('${{ runner.temp }}/gh-aw/actions/generate_safe_outputs_tools.cjs');
+ await main();
- name: Generate Safe Outputs MCP Server Config
id: safe-outputs-config
run: |
@@ -681,29 +600,32 @@ jobs:
id: safe-outputs-start
env:
DEBUG: '*'
+ GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}
GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}
- GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
- GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
+ GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ runner.temp }}/gh-aw/safeoutputs/tools.json
+ GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ runner.temp }}/gh-aw/safeoutputs/config.json
GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
run: |
# Environment variables are set above to prevent template injection
export DEBUG
+ export GH_AW_SAFE_OUTPUTS
export GH_AW_SAFE_OUTPUTS_PORT
export GH_AW_SAFE_OUTPUTS_API_KEY
export GH_AW_SAFE_OUTPUTS_TOOLS_PATH
export GH_AW_SAFE_OUTPUTS_CONFIG_PATH
export GH_AW_MCP_LOG_DIR
- bash /opt/gh-aw/actions/start_safe_outputs_server.sh
+ bash "${RUNNER_TEMP}/gh-aw/actions/start_safe_outputs_server.sh"
- name: Start MCP Gateway
id: start-mcp-gateway
env:
- GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
+ GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
- GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}
+ GITHUB_MCP_GUARD_MIN_INTEGRITY: ${{ steps.determine-automatic-lockdown.outputs.min_integrity }}
+ GITHUB_MCP_GUARD_REPOS: ${{ steps.determine-automatic-lockdown.outputs.repos }}
GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
run: |
set -eo pipefail
@@ -721,20 +643,26 @@ jobs:
export DEBUG="*"
export GH_AW_ENGINE="copilot"
- export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.6'
+ export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.19'
mkdir -p /home/runner/.copilot
- cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh
+ cat << GH_AW_MCP_CONFIG_ee30822602a32ffa_EOF | bash "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh"
{
"mcpServers": {
"github": {
"type": "stdio",
- "container": "ghcr.io/github/github-mcp-server:v0.31.0",
+ "container": "ghcr.io/github/github-mcp-server:v0.32.0",
"env": {
- "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN",
+ "GITHUB_HOST": "\${GITHUB_SERVER_URL}",
"GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
"GITHUB_READ_ONLY": "1",
"GITHUB_TOOLSETS": "context,repos,issues"
+ },
+ "guard-policies": {
+ "allow-only": {
+ "min-integrity": "$GITHUB_MCP_GUARD_MIN_INTEGRITY",
+ "repos": "$GITHUB_MCP_GUARD_REPOS"
+ }
}
},
"safeoutputs": {
@@ -742,6 +670,13 @@ jobs:
"url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT",
"headers": {
"Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}"
+ },
+ "guard-policies": {
+ "write-sink": {
+ "accept": [
+ "*"
+ ]
+ }
}
}
},
@@ -752,67 +687,70 @@ jobs:
"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
}
}
- GH_AW_MCP_CONFIG_EOF
+ GH_AW_MCP_CONFIG_ee30822602a32ffa_EOF
- name: Download activation artifact
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: activation
path: /tmp/gh-aw
- name: Clean git credentials
- run: bash /opt/gh-aw/actions/clean_git_credentials.sh
+ continue-on-error: true
+ run: bash "${RUNNER_TEMP}/gh-aw/actions/clean_git_credentials.sh"
- name: Execute GitHub Copilot CLI
id: agentic_execution
# Copilot CLI tool arguments (sorted):
timeout-minutes: 20
run: |
set -o pipefail
+ touch /tmp/gh-aw/agent-step-summary.md
+ (umask 177 && touch /tmp/gh-aw/agent-stdio.log)
# shellcheck disable=SC1003
- sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.23.0 --skip-pull --enable-api-proxy \
- -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
+ sudo -E awf --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,docs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --image-tag 0.25.20 --skip-pull --enable-api-proxy \
+ -- /bin/bash -c 'node ${RUNNER_TEMP}/gh-aw/actions/copilot_driver.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
env:
COPILOT_AGENT_RUNNER_TYPE: STANDALONE
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
+ COPILOT_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }}
GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json
- GH_AW_MODEL_AGENT_COPILOT: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }}
+ GH_AW_PHASE: agent
GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
+ GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
+ GH_AW_VERSION: v0.68.3
GITHUB_API_URL: ${{ github.api_url }}
+ GITHUB_AW: true
GITHUB_HEAD_REF: ${{ github.head_ref }}
GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
GITHUB_REF_NAME: ${{ github.ref_name }}
GITHUB_SERVER_URL: ${{ github.server_url }}
- GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }}
+ GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md
GITHUB_WORKSPACE: ${{ github.workspace }}
+ GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com
+ GIT_AUTHOR_NAME: github-actions[bot]
+ GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
+ GIT_COMMITTER_NAME: github-actions[bot]
XDG_CONFIG_HOME: /home/runner
+ - name: Detect Copilot errors
+ id: detect-copilot-errors
+ if: always()
+ continue-on-error: true
+ run: node "${RUNNER_TEMP}/gh-aw/actions/detect_copilot_errors.cjs"
- name: Configure Git credentials
env:
REPO_NAME: ${{ github.repository }}
SERVER_URL: ${{ github.server_url }}
+ GITHUB_TOKEN: ${{ github.token }}
run: |
git config --global user.email "github-actions[bot]@users.noreply.github.com"
git config --global user.name "github-actions[bot]"
git config --global am.keepcr true
# Re-authenticate git with GitHub token
SERVER_URL_STRIPPED="${SERVER_URL#https://}"
- git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
+ git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
echo "Git configured with standard GitHub Actions identity"
- name: Copy Copilot session state files to logs
if: always()
continue-on-error: true
- run: |
- # Copy Copilot session state files to logs folder for artifact collection
- # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them
- SESSION_STATE_DIR="$HOME/.copilot/session-state"
- LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs"
-
- if [ -d "$SESSION_STATE_DIR" ]; then
- echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR"
- mkdir -p "$LOGS_DIR"
- cp -v "$SESSION_STATE_DIR"/*.jsonl "$LOGS_DIR/" 2>/dev/null || true
- echo "Session state files copied successfully"
- else
- echo "No session-state directory found at $SESSION_STATE_DIR"
- fi
+ run: bash "${RUNNER_TEMP}/gh-aw/actions/copy_copilot_session_state.sh"
- name: Stop MCP Gateway
if: always()
continue-on-error: true
@@ -821,15 +759,15 @@ jobs:
MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }}
GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }}
run: |
- bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID"
+ bash "${RUNNER_TEMP}/gh-aw/actions/stop_mcp_gateway.sh" "$GATEWAY_PID"
- name: Redact secrets in logs
if: always()
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
with:
script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs');
+ const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io, getOctokit);
+ const { main } = require('${{ runner.temp }}/gh-aw/actions/redact_secrets.cjs');
await main();
env:
GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN'
@@ -837,62 +775,51 @@ jobs:
SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Upload Safe Outputs
+ - name: Append agent step summary
if: always()
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
- with:
- name: safe-output
- path: ${{ env.GH_AW_SAFE_OUTPUTS }}
- if-no-files-found: warn
+ run: bash "${RUNNER_TEMP}/gh-aw/actions/append_agent_step_summary.sh"
+ - name: Copy Safe Outputs
+ if: always()
+ env:
+ GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
+ run: |
+ mkdir -p /tmp/gh-aw
+ cp "$GH_AW_SAFE_OUTPUTS" /tmp/gh-aw/safeoutputs.jsonl 2>/dev/null || true
- name: Ingest agent output
id: collect_output
if: always()
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
env:
- GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
- GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
+ GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
+ GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,docs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com"
GITHUB_SERVER_URL: ${{ github.server_url }}
GITHUB_API_URL: ${{ github.api_url }}
with:
script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs');
+ const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io, getOctokit);
+ const { main } = require('${{ runner.temp }}/gh-aw/actions/collect_ndjson_output.cjs');
await main();
- - name: Upload sanitized agent output
- if: always() && env.GH_AW_AGENT_OUTPUT
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
- with:
- name: agent-output
- path: ${{ env.GH_AW_AGENT_OUTPUT }}
- if-no-files-found: warn
- - name: Upload engine output files
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
- with:
- name: agent_outputs
- path: |
- /tmp/gh-aw/sandbox/agent/logs/
- /tmp/gh-aw/redacted-urls.log
- if-no-files-found: ignore
- name: Parse agent logs for step summary
if: always()
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
env:
GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/
with:
script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs');
+ const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io, getOctokit);
+ const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_copilot_log.cjs');
await main();
- name: Parse MCP Gateway logs for step summary
if: always()
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ id: parse-mcp-gateway
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
with:
script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs');
+ const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io, getOctokit);
+ const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_mcp_gateway_log.cjs');
await main();
- name: Print firewall logs
if: always()
@@ -909,26 +836,236 @@ jobs:
else
echo 'AWF binary not installed, skipping firewall log summary'
fi
+ - name: Parse token usage for step summary
+ if: always()
+ continue-on-error: true
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
+ with:
+ script: |
+ const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io, getOctokit);
+ const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_token_usage.cjs');
+ await main();
+ - name: Write agent output placeholder if missing
+ if: always()
+ run: |
+ if [ ! -f /tmp/gh-aw/agent_output.json ]; then
+ echo '{"items":[]}' > /tmp/gh-aw/agent_output.json
+ fi
- name: Upload agent artifacts
if: always()
continue-on-error: true
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
- name: agent-artifacts
+ name: agent
path: |
/tmp/gh-aw/aw-prompts/prompt.txt
+ /tmp/gh-aw/sandbox/agent/logs/
+ /tmp/gh-aw/redacted-urls.log
/tmp/gh-aw/mcp-logs/
- /tmp/gh-aw/sandbox/firewall/logs/
+ /tmp/gh-aw/agent_usage.json
/tmp/gh-aw/agent-stdio.log
/tmp/gh-aw/agent/
+ /tmp/gh-aw/github_rate_limits.jsonl
+ /tmp/gh-aw/safeoutputs.jsonl
+ /tmp/gh-aw/agent_output.json
+ /tmp/gh-aw/aw-*.patch
+ /tmp/gh-aw/aw-*.bundle
+ /tmp/gh-aw/sandbox/firewall/logs/
+ /tmp/gh-aw/sandbox/firewall/audit/
if-no-files-found: ignore
- # --- Threat Detection (inline) ---
+
+ conclusion:
+ needs:
+ - activation
+ - agent
+ - detection
+ - safe_outputs
+ if: >
+ always() && (needs.agent.result != 'skipped' || needs.activation.outputs.lockdown_check_failed == 'true' ||
+ needs.activation.outputs.stale_lock_file_failed == 'true')
+ runs-on: ubuntu-slim
+ permissions:
+ contents: read
+ discussions: write
+ issues: write
+ pull-requests: write
+ concurrency:
+ group: "gh-aw-conclusion-weekly-reference-impl-sync"
+ cancel-in-progress: false
+ outputs:
+ incomplete_count: ${{ steps.report_incomplete.outputs.incomplete_count }}
+ noop_message: ${{ steps.noop.outputs.noop_message }}
+ tools_reported: ${{ steps.missing_tool.outputs.tools_reported }}
+ total_count: ${{ steps.missing_tool.outputs.total_count }}
+ steps:
+ - name: Setup Scripts
+ id: setup
+ uses: github/gh-aw-actions/setup@ba90f2186d7ad780ec640f364005fa24e797b360 # v0.68.3
+ with:
+ destination: ${{ runner.temp }}/gh-aw/actions
+ job-name: ${{ github.job }}
+ trace-id: ${{ needs.activation.outputs.setup-trace-id }}
+ - name: Download agent output artifact
+ id: download-agent-output
+ continue-on-error: true
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+ with:
+ name: agent
+ path: /tmp/gh-aw/
+ - name: Setup agent output environment variable
+ id: setup-agent-output-env
+ if: steps.download-agent-output.outcome == 'success'
+ run: |
+ mkdir -p /tmp/gh-aw/
+ find "/tmp/gh-aw/" -type f -print
+ echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
+ - name: Process no-op messages
+ id: noop
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
+ env:
+ GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
+ GH_AW_NOOP_MAX: "1"
+ GH_AW_WORKFLOW_NAME: "Weekly Reference Implementation Sync"
+ GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+ GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
+ GH_AW_NOOP_REPORT_AS_ISSUE: "false"
+ with:
+ github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ script: |
+ const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io, getOctokit);
+ const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs');
+ await main();
+ - name: Log detection run
+ id: detection_runs
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
+ env:
+ GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
+ GH_AW_WORKFLOW_NAME: "Weekly Reference Implementation Sync"
+ GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+ GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.outputs.detection_conclusion }}
+ GH_AW_DETECTION_REASON: ${{ needs.detection.outputs.detection_reason }}
+ with:
+ github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ script: |
+ const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io, getOctokit);
+ const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_detection_runs.cjs');
+ await main();
+ - name: Record missing tool
+ id: missing_tool
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
+ env:
+ GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
+ GH_AW_MISSING_TOOL_CREATE_ISSUE: "true"
+ GH_AW_WORKFLOW_NAME: "Weekly Reference Implementation Sync"
+ with:
+ github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ script: |
+ const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io, getOctokit);
+ const { main } = require('${{ runner.temp }}/gh-aw/actions/missing_tool.cjs');
+ await main();
+ - name: Record incomplete
+ id: report_incomplete
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
+ env:
+ GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
+ GH_AW_REPORT_INCOMPLETE_CREATE_ISSUE: "true"
+ GH_AW_WORKFLOW_NAME: "Weekly Reference Implementation Sync"
+ with:
+ github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ script: |
+ const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io, getOctokit);
+ const { main } = require('${{ runner.temp }}/gh-aw/actions/report_incomplete_handler.cjs');
+ await main();
+ - name: Handle agent failure
+ id: handle_agent_failure
+ if: always()
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
+ env:
+ GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
+ GH_AW_WORKFLOW_NAME: "Weekly Reference Implementation Sync"
+ GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+ GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
+ GH_AW_WORKFLOW_ID: "weekly-reference-impl-sync"
+ GH_AW_ENGINE_ID: "copilot"
+ GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }}
+ GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }}
+ GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }}
+ GH_AW_MCP_POLICY_ERROR: ${{ needs.agent.outputs.mcp_policy_error }}
+ GH_AW_AGENTIC_ENGINE_TIMEOUT: ${{ needs.agent.outputs.agentic_engine_timeout }}
+ GH_AW_MODEL_NOT_SUPPORTED_ERROR: ${{ needs.agent.outputs.model_not_supported_error }}
+ GH_AW_ASSIGNMENT_ERRORS: ${{ needs.safe_outputs.outputs.assign_to_agent_assignment_errors }}
+ GH_AW_ASSIGNMENT_ERROR_COUNT: ${{ needs.safe_outputs.outputs.assign_to_agent_assignment_error_count }}
+ GH_AW_LOCKDOWN_CHECK_FAILED: ${{ needs.activation.outputs.lockdown_check_failed }}
+ GH_AW_STALE_LOCK_FILE_FAILED: ${{ needs.activation.outputs.stale_lock_file_failed }}
+ GH_AW_GROUP_REPORTS: "false"
+ GH_AW_FAILURE_REPORT_AS_ISSUE: "true"
+ GH_AW_TIMEOUT_MINUTES: "20"
+ with:
+ github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ script: |
+ const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io, getOctokit);
+ const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_agent_failure.cjs');
+ await main();
+
+ detection:
+ needs:
+ - activation
+ - agent
+ if: >
+ always() && needs.agent.result != 'skipped' && (needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true')
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ outputs:
+ detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }}
+ detection_reason: ${{ steps.detection_conclusion.outputs.reason }}
+ detection_success: ${{ steps.detection_conclusion.outputs.success }}
+ steps:
+ - name: Setup Scripts
+ id: setup
+ uses: github/gh-aw-actions/setup@ba90f2186d7ad780ec640f364005fa24e797b360 # v0.68.3
+ with:
+ destination: ${{ runner.temp }}/gh-aw/actions
+ job-name: ${{ github.job }}
+ trace-id: ${{ needs.activation.outputs.setup-trace-id }}
+ - name: Download agent output artifact
+ id: download-agent-output
+ continue-on-error: true
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+ with:
+ name: agent
+ path: /tmp/gh-aw/
+ - name: Setup agent output environment variable
+ id: setup-agent-output-env
+ if: steps.download-agent-output.outcome == 'success'
+ run: |
+ mkdir -p /tmp/gh-aw/
+ find "/tmp/gh-aw/" -type f -print
+ echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
+ - name: Checkout repository for patch context
+ if: needs.agent.outputs.has_patch == 'true'
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ # --- Threat Detection ---
+ - name: Clean stale firewall files from agent artifact
+ run: |
+ rm -rf /tmp/gh-aw/sandbox/firewall/logs
+ rm -rf /tmp/gh-aw/sandbox/firewall/audit
+ - name: Download container images
+ run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.20 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.20 ghcr.io/github/gh-aw-firewall/squid:0.25.20
- name: Check if detection needed
id: detection_guard
if: always()
env:
- OUTPUT_TYPES: ${{ steps.collect_output.outputs.output_types }}
- HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }}
+ OUTPUT_TYPES: ${{ needs.agent.outputs.output_types }}
+ HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
run: |
if [[ -n "$OUTPUT_TYPES" || "$HAS_PATCH" == "true" ]]; then
echo "run_detection=true" >> "$GITHUB_OUTPUT"
@@ -952,194 +1089,93 @@ jobs:
for f in /tmp/gh-aw/aw-*.patch; do
[ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true
done
+ for f in /tmp/gh-aw/aw-*.bundle; do
+ [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true
+ done
echo "Prepared threat detection files:"
ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true
- name: Setup threat detection
if: always() && steps.detection_guard.outputs.run_detection == 'true'
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
env:
- WORKFLOW_NAME: "Weekly Reference Implementation Sync Agentic Workflow"
+ WORKFLOW_NAME: "Weekly Reference Implementation Sync"
WORKFLOW_DESCRIPTION: "Weekly reference implementation sync workflow. Checks for new commits in the official\nCopilot SDK (github/copilot-sdk) and assigns to Copilot to port changes."
- HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }}
+ HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
with:
script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs');
+ const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io, getOctokit);
+ const { main } = require('${{ runner.temp }}/gh-aw/actions/setup_threat_detection.cjs');
await main();
- name: Ensure threat-detection directory and log
if: always() && steps.detection_guard.outputs.run_detection == 'true'
run: |
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
+ - name: Install GitHub Copilot CLI
+ run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.21
+ env:
+ GH_HOST: github.com
+ - name: Install AWF binary
+ run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.20
- name: Execute GitHub Copilot CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
# Copilot CLI tool arguments (sorted):
- # --allow-tool shell(cat)
- # --allow-tool shell(grep)
- # --allow-tool shell(head)
- # --allow-tool shell(jq)
- # --allow-tool shell(ls)
- # --allow-tool shell(tail)
- # --allow-tool shell(wc)
timeout-minutes: 20
run: |
set -o pipefail
+ touch /tmp/gh-aw/agent-step-summary.md
+ (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log)
# shellcheck disable=SC1003
- sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org,telemetry.enterprise.githubcopilot.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.23.0 --skip-pull --enable-api-proxy \
- -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(jq)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(wc)'\'' --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_DETECTION_COPILOT:+ --model "$GH_AW_MODEL_DETECTION_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
+ sudo -E awf --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,telemetry.enterprise.githubcopilot.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --image-tag 0.25.20 --skip-pull --enable-api-proxy \
+ -- /bin/bash -c 'node ${RUNNER_TEMP}/gh-aw/actions/copilot_driver.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --add-dir "${GITHUB_WORKSPACE}" --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
env:
COPILOT_AGENT_RUNNER_TYPE: STANDALONE
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- GH_AW_MODEL_DETECTION_COPILOT: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || '' }}
+ COPILOT_MODEL: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || '' }}
+ GH_AW_PHASE: detection
GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
+ GH_AW_VERSION: v0.68.3
GITHUB_API_URL: ${{ github.api_url }}
+ GITHUB_AW: true
GITHUB_HEAD_REF: ${{ github.head_ref }}
GITHUB_REF_NAME: ${{ github.ref_name }}
GITHUB_SERVER_URL: ${{ github.server_url }}
- GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }}
+ GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md
GITHUB_WORKSPACE: ${{ github.workspace }}
+ GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com
+ GIT_AUTHOR_NAME: github-actions[bot]
+ GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
+ GIT_COMMITTER_NAME: github-actions[bot]
XDG_CONFIG_HOME: /home/runner
- - name: Parse threat detection results
- id: parse_detection_results
- if: always() && steps.detection_guard.outputs.run_detection == 'true'
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- with:
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs');
- await main();
- name: Upload threat detection log
if: always() && steps.detection_guard.outputs.run_detection == 'true'
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
- name: threat-detection.log
+ name: detection
path: /tmp/gh-aw/threat-detection/detection.log
if-no-files-found: ignore
- - name: Set detection conclusion
+ - name: Parse and conclude threat detection
id: detection_conclusion
if: always()
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
env:
RUN_DETECTION: ${{ steps.detection_guard.outputs.run_detection }}
- DETECTION_SUCCESS: ${{ steps.parse_detection_results.outputs.success }}
- run: |
- if [[ "$RUN_DETECTION" != "true" ]]; then
- echo "conclusion=skipped" >> "$GITHUB_OUTPUT"
- echo "success=true" >> "$GITHUB_OUTPUT"
- echo "Detection was not needed, marking as skipped"
- elif [[ "$DETECTION_SUCCESS" == "true" ]]; then
- echo "conclusion=success" >> "$GITHUB_OUTPUT"
- echo "success=true" >> "$GITHUB_OUTPUT"
- echo "Detection passed successfully"
- else
- echo "conclusion=failure" >> "$GITHUB_OUTPUT"
- echo "success=false" >> "$GITHUB_OUTPUT"
- echo "Detection found issues"
- fi
-
- conclusion:
- needs:
- - activation
- - agent
- - safe_outputs
- if: (always()) && (needs.agent.result != 'skipped')
- runs-on: ubuntu-slim
- permissions:
- contents: read
- discussions: write
- issues: write
- pull-requests: write
- outputs:
- noop_message: ${{ steps.noop.outputs.noop_message }}
- tools_reported: ${{ steps.missing_tool.outputs.tools_reported }}
- total_count: ${{ steps.missing_tool.outputs.total_count }}
- steps:
- - name: Setup Scripts
- uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6
- with:
- destination: /opt/gh-aw/actions
- - name: Download agent output artifact
- continue-on-error: true
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
- with:
- name: agent-output
- path: /tmp/gh-aw/safeoutputs/
- - name: Setup agent output environment variable
- run: |
- mkdir -p /tmp/gh-aw/safeoutputs/
- find "/tmp/gh-aw/safeoutputs/" -type f -print
- echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV"
- - name: Process No-Op Messages
- id: noop
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
- GH_AW_NOOP_MAX: "1"
- GH_AW_WORKFLOW_NAME: "Weekly Reference Implementation Sync Agentic Workflow"
+ GH_AW_DETECTION_CONTINUE_ON_ERROR: "true"
with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/noop.cjs');
- await main();
- - name: Record Missing Tool
- id: missing_tool
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
- GH_AW_WORKFLOW_NAME: "Weekly Reference Implementation Sync Agentic Workflow"
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/missing_tool.cjs');
- await main();
- - name: Handle Agent Failure
- id: handle_agent_failure
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
- GH_AW_WORKFLOW_NAME: "Weekly Reference Implementation Sync Agentic Workflow"
- GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
- GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
- GH_AW_WORKFLOW_ID: "weekly-reference-impl-sync"
- GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }}
- GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }}
- GH_AW_ASSIGNMENT_ERRORS: ${{ needs.safe_outputs.outputs.assign_to_agent_assignment_errors }}
- GH_AW_ASSIGNMENT_ERROR_COUNT: ${{ needs.safe_outputs.outputs.assign_to_agent_assignment_error_count }}
- GH_AW_GROUP_REPORTS: "false"
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs');
- await main();
- - name: Handle No-Op Message
- id: handle_noop_message
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
- GH_AW_WORKFLOW_NAME: "Weekly Reference Implementation Sync Agentic Workflow"
- GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
- GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
- GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }}
- GH_AW_NOOP_REPORT_AS_ISSUE: "false"
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs');
+ const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io, getOctokit);
+ const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_threat_detection_results.cjs');
await main();
safe_outputs:
- needs: agent
- if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.agent.outputs.detection_success == 'true')
+ needs:
+ - activation
+ - agent
+ - detection
+ if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.result == 'success'
runs-on: ubuntu-slim
permissions:
contents: read
@@ -1148,14 +1184,18 @@ jobs:
pull-requests: write
timeout-minutes: 15
env:
- GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/${{ github.workflow }}"
+ GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/weekly-reference-impl-sync"
+ GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.outputs.detection_conclusion }}
+ GH_AW_DETECTION_REASON: ${{ needs.detection.outputs.detection_reason }}
+ GH_AW_EFFECTIVE_TOKENS: ${{ needs.agent.outputs.effective_tokens }}
GH_AW_ENGINE_ID: "copilot"
+ GH_AW_ENGINE_MODEL: ${{ needs.agent.outputs.model }}
GH_AW_WORKFLOW_ID: "weekly-reference-impl-sync"
- GH_AW_WORKFLOW_NAME: "Weekly Reference Implementation Sync Agentic Workflow"
+ GH_AW_WORKFLOW_NAME: "Weekly Reference Implementation Sync"
outputs:
- assign_to_agent_assigned: ${{ steps.assign_to_agent.outputs.assigned }}
- assign_to_agent_assignment_error_count: ${{ steps.assign_to_agent.outputs.assignment_error_count }}
- assign_to_agent_assignment_errors: ${{ steps.assign_to_agent.outputs.assignment_errors }}
+ assign_to_agent_assigned: ${{ steps.process_safe_outputs.outputs.assign_to_agent_assigned }}
+ assign_to_agent_assignment_error_count: ${{ steps.process_safe_outputs.outputs.assign_to_agent_assignment_error_count }}
+ assign_to_agent_assignment_errors: ${{ steps.process_safe_outputs.outputs.assign_to_agent_assignment_errors }}
code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }}
code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }}
comment_id: ${{ steps.process_safe_outputs.outputs.comment_id }}
@@ -1168,72 +1208,59 @@ jobs:
process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
steps:
- name: Setup Scripts
- uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6
+ id: setup
+ uses: github/gh-aw-actions/setup@ba90f2186d7ad780ec640f364005fa24e797b360 # v0.68.3
with:
- destination: /opt/gh-aw/actions
+ destination: ${{ runner.temp }}/gh-aw/actions
+ job-name: ${{ github.job }}
+ trace-id: ${{ needs.activation.outputs.setup-trace-id }}
- name: Download agent output artifact
+ id: download-agent-output
continue-on-error: true
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
- name: agent-output
- path: /tmp/gh-aw/safeoutputs/
+ name: agent
+ path: /tmp/gh-aw/
- name: Setup agent output environment variable
+ id: setup-agent-output-env
+ if: steps.download-agent-output.outcome == 'success'
+ run: |
+ mkdir -p /tmp/gh-aw/
+ find "/tmp/gh-aw/" -type f -print
+ echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
+ - name: Configure GH_HOST for enterprise compatibility
+ id: ghes-host-config
+ shell: bash
run: |
- mkdir -p /tmp/gh-aw/safeoutputs/
- find "/tmp/gh-aw/safeoutputs/" -type f -print
- echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV"
+ # Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
+ # GitHub instance (GHES/GHEC). On github.com this is a harmless no-op.
+ GH_HOST="${GITHUB_SERVER_URL#https://}"
+ GH_HOST="${GH_HOST#http://}"
+ echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV"
- name: Process Safe Outputs
id: process_safe_outputs
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
env:
- GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
- GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
+ GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
+ GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,docs.github.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com"
GITHUB_SERVER_URL: ${{ github.server_url }}
GITHUB_API_URL: ${{ github.api_url }}
- GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":10,\"target\":\"*\"},\"close_issue\":{\"max\":10,\"required_labels\":[\"reference-impl-sync\"],\"target\":\"*\"},\"create_issue\":{\"assignees\":[\"copilot\"],\"expires\":144,\"labels\":[\"reference-impl-sync\"],\"max\":1,\"title_prefix\":\"[reference-impl-sync] \"},\"missing_data\":{},\"missing_tool\":{}}"
- GH_AW_ASSIGN_COPILOT: "true"
+ GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":10,\"target\":\"*\"},\"assign_to_agent\":{\"max\":1,\"model\":\"claude-opus-4.6\",\"name\":\"copilot\",\"target\":\"*\"},\"close_issue\":{\"max\":10,\"required_labels\":[\"reference-impl-sync\"],\"target\":\"*\"},\"create_issue\":{\"assignees\":[\"copilot-swe-agent\"],\"expires\":144,\"labels\":[\"reference-impl-sync\"],\"max\":1,\"title_prefix\":\"[reference-impl-sync] \"},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"false\"},\"report_incomplete\":{}}"
+ GH_AW_ASSIGN_TO_AGENT_TOKEN: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
with:
github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs');
+ const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io, getOctokit);
+ const { main } = require('${{ runner.temp }}/gh-aw/actions/safe_output_handler_manager.cjs');
await main();
- - name: Assign Copilot to created issues
- if: steps.process_safe_outputs.outputs.issues_to_assign_copilot != ''
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- GH_AW_ISSUES_TO_ASSIGN_COPILOT: ${{ steps.process_safe_outputs.outputs.issues_to_assign_copilot }}
- with:
- github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/assign_copilot_to_created_issues.cjs');
- await main();
- - name: Assign to agent
- id: assign_to_agent
- if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'assign_to_agent'))
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
- GH_AW_AGENT_MAX_COUNT: 1
- GH_AW_AGENT_DEFAULT: "copilot"
- GH_AW_AGENT_DEFAULT_MODEL: "claude-opus-4.6"
- GH_AW_AGENT_TARGET: "*"
- GH_AW_TEMPORARY_ID_MAP: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
- with:
- github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/assign_to_agent.cjs');
- await main();
- - name: Upload safe output items manifest
+ - name: Upload Safe Outputs Items
if: always()
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
- name: safe-output-items
- path: /tmp/safe-output-items.jsonl
- if-no-files-found: warn
+ name: safe-outputs-items
+ path: |
+ /tmp/gh-aw/safe-output-items.jsonl
+ /tmp/gh-aw/temporary-id-map.json
+ if-no-files-found: ignore
From 3e3ae55b3c2fa82da37d5efc315f55d455e918ed Mon Sep 17 00:00:00 2001
From: Ed Burns
Date: Fri, 17 Apr 2026 13:24:29 -0400
Subject: [PATCH 12/32] Add classical code generation workflow for typed event
and RPC classes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Introduces a TypeScript-based code generator (scripts/codegen/java.ts) that reads
api.schema.json and session-events.schema.json to produce:
- Typed session event classes (sealed hierarchy under AbstractSessionEvent)
- Typed RPC wrapper classes (ServerRpc, SessionRpc) for JSON-RPC methods
- Jackson-annotated records with @JsonCreator, @JsonProperty, @JsonInclude
Migrates the hand-written events package to auto-generated types, wires the
generated RPC wrappers into CopilotClient and CopilotSession, and adds
comprehensive tests including E2E coverage.
Also includes: Windows CLI path resolution fixes, shared TestUtil extraction,
lazy getRpc() initialization, race condition fix in SessionEventsE2ETest, and
a guard preventing agentic sync from modifying src/generated/java/ files.
Fix review comments: getRpc() IllegalStateException, UnknownSessionEvent wire type, anyOf heuristic, remove unused var
Agent-Logs-Url: https://github.com/github/copilot-sdk-java/sessions/9b8b782c-22ad-450f-885d-2b11d5808a0c
Co-authored-by: edburns <75821+edburns@users.noreply.github.com>
Revert "Fix review comments: getRpc() IllegalStateException, UnknownSessionEvent wire type, anyOf heuristic, remove unused var"
This reverts commit ef1de834e6c54daca56ecb326263841087995fe0.
Fix Big Risk 1. `sendExpandedToolResult()` bypasses the typed wrapper (HIGH)
scripts/codegen/java.ts
- Remove the special-case `anyOf` rule that picked `String` when exactly 2 non-null branches included a string type. Multi-branch `anyOf` now falls through to `Object`, matching the C# reference generator's behavior.
src/generated/java/com/github/copilot/sdk/generated/rpc/SessionToolsHandlePendingToolCallParams.java
- Change the `result` field type from `String` to `Object` (regenerated output reflecting the `anyOf` rule fix in `java.ts`).
src/main/java/com/github/copilot/sdk/CopilotSession.java
- Replace the `sendExpandedToolResult(requestId, toolResult)` call with a direct typed-wrapper call: `getRpc().tools.handlePendingToolCall(new SessionToolsHandlePendingToolCallParams(...))`.
- Delete the `sendExpandedToolResult()` private method and its Javadoc block, which are no longer needed now that the `result` field accepts `Object`.
Signed-off-by: Ed Burns
On branch copilot/add-classical-code-gen-workflow-ready-for-review
modified: scripts/codegen/java.ts
- Put `visible = true` on `SessionEventEvent`.
- Add `type` property. on `UnknownSessionEvent`.
modified: src/generated/java/com/github/copilot/sdk/generated/SessionEvent.java
modified: src/generated/java/com/github/copilot/sdk/generated/UnknownSessionEvent.java
- Regenerated.
modified: src/main/java/com/github/copilot/sdk/CopilotSession.java
- Use Double Check Locked to fix Big Risk #2 2. Lazy `SessionRpc` initialization is not thread-safe (HIGH)
modified: src/test/java/com/github/copilot/sdk/ForwardCompatibilityTest.java
modified: src/test/java/com/github/copilot/sdk/SessionEventDeserializationTest.java
- Refine tests based on changes.
Signed-off-by: Ed Burns
On branch copilot/add-classical-code-gen-workflow-ready-for-review
modified: pom.xml
- Add profiles for generating code and updating the schemas from which the code is generated.
modified: scripts/codegen/java.ts
- Address copilot comment:
> requiredSet is computed but never used in renderNestedType(), which makes the generator harder to maintain (and can confuse future changes around nullability/boxing). Remove it or use it to drive required-vs-optional component typing if that’s the intent.
Signed-off-by: Ed Burns
Add AI code review to update-copilot-dependency workflow
---
.gitattributes | 3 +-
.github/copilot-instructions.md | 2 +-
.../agentic-merge-reference-impl.prompt.md | 45 +-
...agent-merge-reference-impl-instructions.md | 14 +
.github/workflows/codegen-check.yml | 44 +
.../workflows/update-copilot-dependency.yml | 144 ++
.gitignore | 3 +-
README.md | 4 +-
config/checkstyle/checkstyle.xml | 4 +-
config/spotbugs/spotbugs-exclude.xml | 4 +-
docs/WORKFLOWS.md | 38 +
jbang-example.java | 4 +-
pom.xml | 121 ++
scripts/codegen/.gitignore | 1 +
scripts/codegen/java.ts | 1322 +++++++++++++++++
scripts/codegen/package-lock.json | 645 ++++++++
scripts/codegen/package.json | 14 +
.../copilot/sdk/generated/AbortEvent.java | 42 +
.../sdk/generated/AssistantIntentEvent.java | 42 +
.../generated/AssistantMessageDeltaEvent.java | 46 +
.../sdk/generated/AssistantMessageEvent.java | 104 ++
.../AssistantReasoningDeltaEvent.java | 44 +
.../generated/AssistantReasoningEvent.java | 44 +
.../AssistantStreamingDeltaEvent.java | 42 +
.../sdk/generated/AssistantTurnEndEvent.java | 42 +
.../generated/AssistantTurnStartEvent.java | 44 +
.../sdk/generated/AssistantUsageEvent.java | 125 ++
.../generated/CapabilitiesChangedEvent.java | 51 +
.../sdk/generated/CommandCompletedEvent.java | 42 +
.../sdk/generated/CommandExecuteEvent.java | 48 +
.../sdk/generated/CommandQueuedEvent.java | 44 +
.../sdk/generated/CommandsChangedEvent.java | 51 +
.../generated/ElicitationCompletedEvent.java | 69 +
.../generated/ElicitationRequestedEvent.java | 89 ++
.../generated/ExitPlanModeCompletedEvent.java | 50 +
.../generated/ExitPlanModeRequestedEvent.java | 51 +
.../generated/ExternalToolCompletedEvent.java | 42 +
.../generated/ExternalToolRequestedEvent.java | 54 +
.../copilot/sdk/generated/HookEndEvent.java | 61 +
.../copilot/sdk/generated/HookStartEvent.java | 46 +
.../sdk/generated/McpOauthCompletedEvent.java | 42 +
.../sdk/generated/McpOauthRequiredEvent.java | 59 +
.../PendingMessagesModifiedEvent.java | 39 +
.../generated/PermissionCompletedEvent.java | 81 +
.../generated/PermissionRequestedEvent.java | 46 +
.../sdk/generated/SamplingCompletedEvent.java | 42 +
.../sdk/generated/SamplingRequestedEvent.java | 46 +
.../SessionBackgroundTasksChangedEvent.java | 39 +
.../SessionCompactionCompleteEvent.java | 83 ++
.../SessionCompactionStartEvent.java | 46 +
.../generated/SessionContextChangedEvent.java | 74 +
.../SessionCustomAgentsUpdatedEvent.java | 69 +
.../sdk/generated/SessionErrorEvent.java | 52 +
.../copilot/sdk/generated/SessionEvent.java | 215 +++
.../SessionExtensionsLoadedEvent.java | 101 ++
.../sdk/generated/SessionHandoffEvent.java | 88 ++
.../sdk/generated/SessionIdleEvent.java | 42 +
.../sdk/generated/SessionInfoEvent.java | 46 +
.../SessionMcpServerStatusChangedEvent.java | 72 +
.../SessionMcpServersLoadedEvent.java | 85 ++
.../generated/SessionModeChangedEvent.java | 44 +
.../generated/SessionModelChangeEvent.java | 48 +
.../generated/SessionPlanChangedEvent.java | 64 +
.../SessionRemoteSteerableChangedEvent.java | 42 +
.../sdk/generated/SessionResumeEvent.java | 96 ++
.../sdk/generated/SessionShutdownEvent.java | 137 ++
.../generated/SessionSkillsLoadedEvent.java | 61 +
.../generated/SessionSnapshotRewindEvent.java | 44 +
.../sdk/generated/SessionStartEvent.java | 102 ++
.../generated/SessionTaskCompleteEvent.java | 44 +
.../generated/SessionTitleChangedEvent.java | 42 +
.../generated/SessionToolsUpdatedEvent.java | 41 +
.../sdk/generated/SessionTruncationEvent.java | 56 +
.../sdk/generated/SessionUsageInfoEvent.java | 54 +
.../sdk/generated/SessionWarningEvent.java | 46 +
.../SessionWorkspaceFileChangedEvent.java | 64 +
.../sdk/generated/SkillInvokedEvent.java | 55 +
.../sdk/generated/SubagentCompletedEvent.java | 54 +
.../generated/SubagentDeselectedEvent.java | 39 +
.../sdk/generated/SubagentFailedEvent.java | 56 +
.../sdk/generated/SubagentSelectedEvent.java | 47 +
.../sdk/generated/SubagentStartedEvent.java | 48 +
.../sdk/generated/SystemMessageEvent.java | 80 +
.../generated/SystemNotificationEvent.java | 44 +
.../generated/ToolExecutionCompleteEvent.java | 84 ++
.../ToolExecutionPartialResultEvent.java | 44 +
.../generated/ToolExecutionProgressEvent.java | 44 +
.../generated/ToolExecutionStartEvent.java | 52 +
.../sdk/generated/ToolUserRequestedEvent.java | 46 +
.../sdk/generated/UnknownSessionEvent.java | 31 +
.../generated/UserInputCompletedEvent.java | 46 +
.../generated/UserInputRequestedEvent.java | 51 +
.../sdk/generated/UserMessageEvent.java | 77 +
.../generated/rpc/AccountGetQuotaResult.java | 46 +
.../sdk/generated/rpc/McpConfigAddParams.java | 29 +
.../generated/rpc/McpConfigListResult.java | 28 +
.../generated/rpc/McpConfigRemoveParams.java | 27 +
.../generated/rpc/McpConfigUpdateParams.java | 29 +
.../sdk/generated/rpc/McpDiscoverParams.java | 27 +
.../sdk/generated/rpc/McpDiscoverResult.java | 66 +
.../sdk/generated/rpc/ModelsListResult.java | 118 ++
.../copilot/sdk/generated/rpc/PingParams.java | 27 +
.../copilot/sdk/generated/rpc/PingResult.java | 31 +
.../copilot/sdk/generated/rpc/RpcCaller.java | 39 +
.../copilot/sdk/generated/rpc/RpcMapper.java | 28 +
.../sdk/generated/rpc/ServerAccountApi.java | 36 +
.../sdk/generated/rpc/ServerMcpApi.java | 40 +
.../sdk/generated/rpc/ServerMcpConfigApi.java | 60 +
.../sdk/generated/rpc/ServerModelsApi.java | 36 +
.../copilot/sdk/generated/rpc/ServerRpc.java | 63 +
.../sdk/generated/rpc/ServerSessionFsApi.java | 36 +
.../sdk/generated/rpc/ServerSessionsApi.java | 38 +
.../sdk/generated/rpc/ServerToolsApi.java | 36 +
.../sdk/generated/rpc/SessionAgentApi.java | 84 ++
.../rpc/SessionAgentDeselectParams.java | 27 +
.../rpc/SessionAgentDeselectResult.java | 24 +
.../rpc/SessionAgentGetCurrentParams.java | 27 +
.../rpc/SessionAgentGetCurrentResult.java | 39 +
.../generated/rpc/SessionAgentListParams.java | 27 +
.../generated/rpc/SessionAgentListResult.java | 40 +
.../rpc/SessionAgentReloadParams.java | 27 +
.../rpc/SessionAgentReloadResult.java | 40 +
.../rpc/SessionAgentSelectParams.java | 29 +
.../rpc/SessionAgentSelectResult.java | 40 +
.../sdk/generated/rpc/SessionCommandsApi.java | 42 +
...ionCommandsHandlePendingCommandParams.java | 31 +
...ionCommandsHandlePendingCommandResult.java | 27 +
.../generated/rpc/SessionExtensionsApi.java | 76 +
.../rpc/SessionExtensionsDisableParams.java | 29 +
.../rpc/SessionExtensionsDisableResult.java | 24 +
.../rpc/SessionExtensionsEnableParams.java | 29 +
.../rpc/SessionExtensionsEnableResult.java | 24 +
.../rpc/SessionExtensionsListParams.java | 27 +
.../rpc/SessionExtensionsListResult.java | 88 ++
.../rpc/SessionExtensionsReloadParams.java | 27 +
.../rpc/SessionExtensionsReloadResult.java | 24 +
.../sdk/generated/rpc/SessionFleetApi.java | 44 +
.../rpc/SessionFleetStartParams.java | 29 +
.../rpc/SessionFleetStartResult.java | 27 +
.../rpc/SessionFsAppendFileParams.java | 33 +
.../generated/rpc/SessionFsExistsParams.java | 29 +
.../generated/rpc/SessionFsExistsResult.java | 27 +
.../generated/rpc/SessionFsMkdirParams.java | 33 +
.../rpc/SessionFsReadFileParams.java | 29 +
.../rpc/SessionFsReadFileResult.java | 27 +
.../generated/rpc/SessionFsReaddirParams.java | 29 +
.../generated/rpc/SessionFsReaddirResult.java | 28 +
.../rpc/SessionFsReaddirWithTypesParams.java | 29 +
.../rpc/SessionFsReaddirWithTypesResult.java | 58 +
.../generated/rpc/SessionFsRenameParams.java | 31 +
.../sdk/generated/rpc/SessionFsRmParams.java | 33 +
.../rpc/SessionFsSetProviderParams.java | 51 +
.../rpc/SessionFsSetProviderResult.java | 27 +
.../generated/rpc/SessionFsStatParams.java | 29 +
.../generated/rpc/SessionFsStatResult.java | 35 +
.../rpc/SessionFsWriteFileParams.java | 33 +
.../sdk/generated/rpc/SessionHistoryApi.java | 54 +
.../rpc/SessionHistoryCompactParams.java | 27 +
.../rpc/SessionHistoryCompactResult.java | 52 +
.../rpc/SessionHistoryTruncateParams.java | 29 +
.../rpc/SessionHistoryTruncateResult.java | 27 +
.../sdk/generated/rpc/SessionLogParams.java | 57 +
.../sdk/generated/rpc/SessionLogResult.java | 28 +
.../sdk/generated/rpc/SessionMcpApi.java | 76 +
.../rpc/SessionMcpDisableParams.java | 29 +
.../rpc/SessionMcpDisableResult.java | 24 +
.../generated/rpc/SessionMcpEnableParams.java | 29 +
.../generated/rpc/SessionMcpEnableResult.java | 24 +
.../generated/rpc/SessionMcpListParams.java | 27 +
.../generated/rpc/SessionMcpListResult.java | 70 +
.../generated/rpc/SessionMcpReloadParams.java | 27 +
.../generated/rpc/SessionMcpReloadResult.java | 24 +
.../sdk/generated/rpc/SessionModeApi.java | 50 +
.../generated/rpc/SessionModeGetParams.java | 27 +
.../generated/rpc/SessionModeGetResult.java | 49 +
.../generated/rpc/SessionModeSetParams.java | 51 +
.../generated/rpc/SessionModeSetResult.java | 49 +
.../sdk/generated/rpc/SessionModelApi.java | 50 +
.../rpc/SessionModelGetCurrentParams.java | 27 +
.../rpc/SessionModelGetCurrentResult.java | 27 +
.../rpc/SessionModelSwitchToParams.java | 78 +
.../rpc/SessionModelSwitchToResult.java | 27 +
.../generated/rpc/SessionPermissionsApi.java | 42 +
...sHandlePendingPermissionRequestParams.java | 30 +
...sHandlePendingPermissionRequestResult.java | 27 +
.../sdk/generated/rpc/SessionPlanApi.java | 58 +
.../rpc/SessionPlanDeleteParams.java | 27 +
.../rpc/SessionPlanDeleteResult.java | 24 +
.../generated/rpc/SessionPlanReadParams.java | 27 +
.../generated/rpc/SessionPlanReadResult.java | 31 +
.../rpc/SessionPlanUpdateParams.java | 29 +
.../rpc/SessionPlanUpdateResult.java | 24 +
.../sdk/generated/rpc/SessionPluginsApi.java | 40 +
.../rpc/SessionPluginsListParams.java | 27 +
.../rpc/SessionPluginsListResult.java | 42 +
.../copilot/sdk/generated/rpc/SessionRpc.java | 104 ++
.../sdk/generated/rpc/SessionShellApi.java | 52 +
.../generated/rpc/SessionShellExecParams.java | 33 +
.../generated/rpc/SessionShellExecResult.java | 27 +
.../generated/rpc/SessionShellKillParams.java | 53 +
.../generated/rpc/SessionShellKillResult.java | 27 +
.../sdk/generated/rpc/SessionSkillsApi.java | 76 +
.../rpc/SessionSkillsDisableParams.java | 29 +
.../rpc/SessionSkillsDisableResult.java | 24 +
.../rpc/SessionSkillsEnableParams.java | 29 +
.../rpc/SessionSkillsEnableResult.java | 24 +
.../rpc/SessionSkillsListParams.java | 27 +
.../rpc/SessionSkillsListResult.java | 46 +
.../rpc/SessionSkillsReloadParams.java | 27 +
.../rpc/SessionSkillsReloadResult.java | 24 +
.../sdk/generated/rpc/SessionToolsApi.java | 42 +
...ssionToolsHandlePendingToolCallParams.java | 33 +
...ssionToolsHandlePendingToolCallResult.java | 27 +
.../sdk/generated/rpc/SessionUiApi.java | 52 +
.../rpc/SessionUiElicitationParams.java | 46 +
.../rpc/SessionUiElicitationResult.java | 52 +
...ssionUiHandlePendingElicitationParams.java | 65 +
...ssionUiHandlePendingElicitationResult.java | 27 +
.../sdk/generated/rpc/SessionUsageApi.java | 40 +
.../rpc/SessionUsageGetMetricsParams.java | 27 +
.../rpc/SessionUsageGetMetricsResult.java | 95 ++
.../generated/rpc/SessionWorkspaceApi.java | 60 +
.../rpc/SessionWorkspaceCreateFileParams.java | 31 +
.../rpc/SessionWorkspaceCreateFileResult.java | 24 +
.../rpc/SessionWorkspaceListFilesParams.java | 27 +
.../rpc/SessionWorkspaceListFilesResult.java | 28 +
.../rpc/SessionWorkspaceReadFileParams.java | 29 +
.../rpc/SessionWorkspaceReadFileResult.java | 27 +
.../sdk/generated/rpc/SessionsForkParams.java | 29 +
.../sdk/generated/rpc/SessionsForkResult.java | 27 +
.../sdk/generated/rpc/ToolsListParams.java | 27 +
.../sdk/generated/rpc/ToolsListResult.java | 45 +
.../com/github/copilot/sdk/CopilotClient.java | 31 +-
.../github/copilot/sdk/CopilotSession.java | 270 ++--
.../github/copilot/sdk/EventErrorHandler.java | 4 +-
.../copilot/sdk/RpcHandlerDispatcher.java | 5 +-
.../github/copilot/sdk/events/AbortEvent.java | 37 -
.../sdk/events/AbstractSessionEvent.java | 179 ---
.../sdk/events/AssistantIntentEvent.java | 37 -
.../events/AssistantMessageDeltaEvent.java | 39 -
.../sdk/events/AssistantMessageEvent.java | 95 --
.../events/AssistantReasoningDeltaEvent.java | 38 -
.../sdk/events/AssistantReasoningEvent.java | 38 -
.../events/AssistantStreamingDeltaEvent.java | 37 -
.../sdk/events/AssistantTurnEndEvent.java | 37 -
.../sdk/events/AssistantTurnStartEvent.java | 38 -
.../sdk/events/AssistantUsageEvent.java | 78 -
.../sdk/events/CapabilitiesChangedEvent.java | 44 -
.../sdk/events/CommandCompletedEvent.java | 37 -
.../sdk/events/CommandExecuteEvent.java | 43 -
.../sdk/events/CommandQueuedEvent.java | 38 -
.../sdk/events/ElicitationRequestedEvent.java | 54 -
.../events/ExitPlanModeCompletedEvent.java | 37 -
.../events/ExitPlanModeRequestedEvent.java | 39 -
.../events/ExternalToolCompletedEvent.java | 40 -
.../events/ExternalToolRequestedEvent.java | 43 -
.../copilot/sdk/events/HookEndEvent.java | 43 -
.../copilot/sdk/events/HookStartEvent.java | 38 -
.../events/PendingMessagesModifiedEvent.java | 37 -
.../sdk/events/PermissionCompletedEvent.java | 45 -
.../sdk/events/PermissionRequestedEvent.java | 44 -
.../SessionCompactionCompleteEvent.java | 54 -
.../events/SessionCompactionStartEvent.java | 37 -
.../events/SessionContextChangedEvent.java | 37 -
.../copilot/sdk/events/SessionErrorEvent.java | 39 -
.../sdk/events/SessionEventParser.java | 144 --
.../sdk/events/SessionHandoffEvent.java | 47 -
.../copilot/sdk/events/SessionIdleEvent.java | 37 -
.../copilot/sdk/events/SessionInfoEvent.java | 37 -
.../sdk/events/SessionModeChangedEvent.java | 38 -
.../sdk/events/SessionModelChangeEvent.java | 38 -
.../sdk/events/SessionPlanChangedEvent.java | 37 -
.../sdk/events/SessionResumeEvent.java | 40 -
.../sdk/events/SessionShutdownEvent.java | 71 -
.../events/SessionSnapshotRewindEvent.java | 40 -
.../copilot/sdk/events/SessionStartEvent.java | 41 -
.../sdk/events/SessionTaskCompleteEvent.java | 37 -
.../sdk/events/SessionTruncationEvent.java | 44 -
.../sdk/events/SessionUsageInfoEvent.java | 39 -
.../SessionWorkspaceFileChangedEvent.java | 38 -
.../copilot/sdk/events/SkillInvokedEvent.java | 46 -
.../sdk/events/SubagentCompletedEvent.java | 38 -
.../sdk/events/SubagentDeselectedEvent.java | 37 -
.../sdk/events/SubagentFailedEvent.java | 38 -
.../sdk/events/SubagentSelectedEvent.java | 44 -
.../sdk/events/SubagentStartedEvent.java | 39 -
.../sdk/events/SystemMessageEvent.java | 40 -
.../sdk/events/SystemNotificationEvent.java | 37 -
.../events/ToolExecutionCompleteEvent.java | 60 -
.../ToolExecutionPartialResultEvent.java | 38 -
.../events/ToolExecutionProgressEvent.java | 42 -
.../sdk/events/ToolExecutionStartEvent.java | 40 -
.../sdk/events/ToolUserRequestedEvent.java | 38 -
.../sdk/events/UnknownSessionEvent.java | 74 -
.../copilot/sdk/events/UserMessageEvent.java | 62 -
.../copilot/sdk/events/package-info.java | 91 --
.../copilot/sdk/json/ResumeSessionConfig.java | 8 +-
.../copilot/sdk/json/SessionConfig.java | 8 +-
.../com/github/copilot/sdk/package-info.java | 4 +-
src/site/markdown/advanced.md | 4 +-
src/site/markdown/cookbook/error-handling.md | 8 +-
.../markdown/cookbook/managing-local-files.md | 8 +-
.../markdown/cookbook/multiple-sessions.md | 2 +-
.../markdown/cookbook/persisting-sessions.md | 6 +-
.../markdown/cookbook/pr-visualization.md | 4 +-
src/site/markdown/documentation.md | 6 +-
src/site/markdown/getting-started.md | 12 +-
src/site/markdown/index.md | 8 +-
.../copilot/sdk/ClosedSessionGuardTest.java | 2 +-
.../github/copilot/sdk/CompactionTest.java | 12 +-
.../github/copilot/sdk/ConfigCloneTest.java | 6 +-
.../github/copilot/sdk/CopilotClientTest.java | 77 +-
.../copilot/sdk/CopilotSessionTest.java | 51 +-
.../github/copilot/sdk/ErrorHandlingTest.java | 10 +-
.../copilot/sdk/ExecutorWiringTest.java | 2 +-
.../copilot/sdk/ForwardCompatibilityTest.java | 57 +-
.../github/copilot/sdk/McpAndAgentsTest.java | 2 +-
.../github/copilot/sdk/MetadataApiTest.java | 76 +-
.../github/copilot/sdk/PermissionsTest.java | 4 +-
.../github/copilot/sdk/RpcWrappersTest.java | 471 ++++++
...a => SessionEventDeserializationTest.java} | 338 +++--
.../copilot/sdk/SessionEventHandlingTest.java | 27 +-
.../copilot/sdk/SessionEventsE2ETest.java | 41 +-
.../com/github/copilot/sdk/SkillsTest.java | 2 +-
.../copilot/sdk/StreamingFidelityTest.java | 14 +-
.../java/com/github/copilot/sdk/TestUtil.java | 101 ++
.../copilot/sdk/TimeoutEdgeCaseTest.java | 2 +-
.../com/github/copilot/sdk/ToolsTest.java | 2 +-
.../copilot/sdk/ZeroTimeoutContractTest.java | 2 +-
329 files changed, 13313 insertions(+), 3485 deletions(-)
create mode 100644 .github/workflows/codegen-check.yml
create mode 100644 .github/workflows/update-copilot-dependency.yml
create mode 100644 scripts/codegen/.gitignore
create mode 100644 scripts/codegen/java.ts
create mode 100644 scripts/codegen/package-lock.json
create mode 100644 scripts/codegen/package.json
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/AbortEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/AssistantIntentEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/AssistantMessageDeltaEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/AssistantMessageEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/AssistantReasoningDeltaEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/AssistantReasoningEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/AssistantStreamingDeltaEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/AssistantTurnEndEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/AssistantTurnStartEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/AssistantUsageEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/CapabilitiesChangedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/CommandCompletedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/CommandExecuteEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/CommandQueuedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/CommandsChangedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/ElicitationCompletedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/ElicitationRequestedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/ExitPlanModeCompletedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/ExitPlanModeRequestedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/ExternalToolCompletedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/ExternalToolRequestedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/HookEndEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/HookStartEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/McpOauthCompletedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/McpOauthRequiredEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/PendingMessagesModifiedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/PermissionCompletedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/PermissionRequestedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SamplingCompletedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SamplingRequestedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionBackgroundTasksChangedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionCompactionCompleteEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionCompactionStartEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionContextChangedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionCustomAgentsUpdatedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionErrorEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionExtensionsLoadedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionHandoffEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionIdleEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionInfoEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionMcpServerStatusChangedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionMcpServersLoadedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionModeChangedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionModelChangeEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionPlanChangedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionRemoteSteerableChangedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionResumeEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionShutdownEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionSkillsLoadedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionSnapshotRewindEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionStartEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionTaskCompleteEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionTitleChangedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionToolsUpdatedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionTruncationEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionUsageInfoEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionWarningEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SessionWorkspaceFileChangedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SkillInvokedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SubagentCompletedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SubagentDeselectedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SubagentFailedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SubagentSelectedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SubagentStartedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SystemMessageEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/SystemNotificationEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/ToolExecutionCompleteEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/ToolExecutionPartialResultEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/ToolExecutionProgressEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/ToolExecutionStartEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/ToolUserRequestedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/UnknownSessionEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/UserInputCompletedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/UserInputRequestedEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/UserMessageEvent.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/AccountGetQuotaResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/McpConfigAddParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/McpConfigListResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/McpConfigRemoveParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/McpConfigUpdateParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/McpDiscoverParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/McpDiscoverResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/ModelsListResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/PingParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/PingResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/RpcCaller.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/RpcMapper.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/ServerAccountApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/ServerMcpApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/ServerMcpConfigApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/ServerModelsApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/ServerRpc.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/ServerSessionFsApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/ServerSessionsApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/ServerToolsApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionAgentApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionAgentDeselectParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionAgentDeselectResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionAgentGetCurrentParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionAgentGetCurrentResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionAgentListParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionAgentListResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionAgentReloadParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionAgentReloadResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionAgentSelectParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionAgentSelectResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionCommandsApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionCommandsHandlePendingCommandParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionCommandsHandlePendingCommandResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionExtensionsApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionExtensionsDisableParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionExtensionsDisableResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionExtensionsEnableParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionExtensionsEnableResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionExtensionsListParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionExtensionsListResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionExtensionsReloadParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionExtensionsReloadResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionFleetApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionFleetStartParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionFleetStartResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionFsAppendFileParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionFsExistsParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionFsExistsResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionFsMkdirParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionFsReadFileParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionFsReadFileResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionFsReaddirParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionFsReaddirResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionFsReaddirWithTypesParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionFsReaddirWithTypesResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionFsRenameParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionFsRmParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionFsSetProviderParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionFsSetProviderResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionFsStatParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionFsStatResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionFsWriteFileParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionHistoryApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionHistoryCompactParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionHistoryCompactResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionHistoryTruncateParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionHistoryTruncateResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionLogParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionLogResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionMcpApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionMcpDisableParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionMcpDisableResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionMcpEnableParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionMcpEnableResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionMcpListParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionMcpListResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionMcpReloadParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionMcpReloadResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionModeApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionModeGetParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionModeGetResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionModeSetParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionModeSetResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionModelApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionModelGetCurrentParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionModelGetCurrentResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionModelSwitchToParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionModelSwitchToResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionPermissionsApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionPermissionsHandlePendingPermissionRequestParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionPermissionsHandlePendingPermissionRequestResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionPlanApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionPlanDeleteParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionPlanDeleteResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionPlanReadParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionPlanReadResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionPlanUpdateParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionPlanUpdateResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionPluginsApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionPluginsListParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionPluginsListResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionRpc.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionShellApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionShellExecParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionShellExecResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionShellKillParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionShellKillResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionSkillsApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionSkillsDisableParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionSkillsDisableResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionSkillsEnableParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionSkillsEnableResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionSkillsListParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionSkillsListResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionSkillsReloadParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionSkillsReloadResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionToolsApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionToolsHandlePendingToolCallParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionToolsHandlePendingToolCallResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionUiApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionUiElicitationParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionUiElicitationResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionUiHandlePendingElicitationParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionUiHandlePendingElicitationResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionUsageApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionUsageGetMetricsParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionUsageGetMetricsResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionWorkspaceApi.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionWorkspaceCreateFileParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionWorkspaceCreateFileResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionWorkspaceListFilesParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionWorkspaceListFilesResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionWorkspaceReadFileParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionWorkspaceReadFileResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionsForkParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/SessionsForkResult.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/ToolsListParams.java
create mode 100644 src/generated/java/com/github/copilot/sdk/generated/rpc/ToolsListResult.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/AbortEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/AbstractSessionEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/AssistantIntentEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/AssistantMessageDeltaEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/AssistantMessageEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/AssistantReasoningDeltaEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/AssistantReasoningEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/AssistantStreamingDeltaEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/AssistantTurnEndEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/AssistantTurnStartEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/AssistantUsageEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/CapabilitiesChangedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/CommandCompletedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/CommandExecuteEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/CommandQueuedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/ElicitationRequestedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/ExitPlanModeCompletedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/ExitPlanModeRequestedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/ExternalToolCompletedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/ExternalToolRequestedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/HookEndEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/HookStartEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/PendingMessagesModifiedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/PermissionCompletedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/PermissionRequestedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SessionCompactionCompleteEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SessionCompactionStartEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SessionContextChangedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SessionErrorEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SessionEventParser.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SessionHandoffEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SessionIdleEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SessionInfoEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SessionModeChangedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SessionModelChangeEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SessionPlanChangedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SessionResumeEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SessionShutdownEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SessionSnapshotRewindEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SessionStartEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SessionTaskCompleteEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SessionTruncationEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SessionUsageInfoEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SessionWorkspaceFileChangedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SkillInvokedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SubagentCompletedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SubagentDeselectedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SubagentFailedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SubagentSelectedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SubagentStartedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SystemMessageEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/SystemNotificationEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/ToolExecutionCompleteEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/ToolExecutionPartialResultEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/ToolExecutionProgressEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/ToolExecutionStartEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/ToolUserRequestedEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/UnknownSessionEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/UserMessageEvent.java
delete mode 100644 src/main/java/com/github/copilot/sdk/events/package-info.java
create mode 100644 src/test/java/com/github/copilot/sdk/RpcWrappersTest.java
rename src/test/java/com/github/copilot/sdk/{SessionEventParserTest.java => SessionEventDeserializationTest.java} (90%)
create mode 100644 src/test/java/com/github/copilot/sdk/TestUtil.java
diff --git a/.gitattributes b/.gitattributes
index c1965c216..adb3de78e 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +1,2 @@
-.github/workflows/*.lock.yml linguist-generated=true merge=ours
\ No newline at end of file
+.github/workflows/*.lock.yml linguist-generated=true merge=ours
+src/generated/java/** eol=lf linguist-generated=true
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
index c1a2d8dec..08f0a5758 100644
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -77,7 +77,7 @@ mvn test -Dtest=CopilotClientTest
- `com.github.copilot.sdk` - Core classes (CopilotClient, CopilotSession, JsonRpcClient)
- `com.github.copilot.sdk.json` - DTOs, request/response types, handler interfaces (SessionConfig, MessageOptions, ToolDefinition, etc.)
-- `com.github.copilot.sdk.events` - Event types for session streaming (AssistantMessageEvent, SessionIdleEvent, ToolExecutionStartEvent, etc.)
+- `com.github.copilot.sdk.generated` - Generated event types for session streaming (SessionEvent, AssistantMessageEvent, SessionIdleEvent, ToolExecutionStartEvent, etc.)
### Test Infrastructure
diff --git a/.github/prompts/agentic-merge-reference-impl.prompt.md b/.github/prompts/agentic-merge-reference-impl.prompt.md
index 1c19b6f1c..88cc2bdfe 100644
--- a/.github/prompts/agentic-merge-reference-impl.prompt.md
+++ b/.github/prompts/agentic-merge-reference-impl.prompt.md
@@ -2,6 +2,43 @@
You are an expert Java developer tasked with porting changes from the reference implementation of the Copilot SDK (primarily the .NET implementation) to this Java SDK.
+## ❌❌❌ ABSOLUTE PROHIBITION: DO NOT TOUCH GENERATED CODE ❌❌❌
+
+> ### 🚫 THE FILES UNDER `src/generated/java/` ARE FORBIDDEN 🚫
+>
+> **NEVER, UNDER ANY CIRCUMSTANCES, MODIFY ANY FILE IN `src/generated/java/`.**
+>
+> These files are AUTO-GENERATED by `scripts/codegen/java.ts` and MUST NOT be hand-edited.
+> They are regenerated automatically when the `@github/copilot` npm package version is updated.
+>
+> ❌ DO NOT edit `src/generated/java/**/*.java`
+> ❌ DO NOT create new files in `src/generated/java/`
+> ❌ DO NOT delete files from `src/generated/java/`
+> ❌ DO NOT "fix" or "improve" generated code — it will be overwritten
+>
+> **IF ANY CHANGE YOU NEED TO MAKE REQUIRES TOUCHING `src/generated/java/`:**
+>
+> 1. **STOP IMMEDIATELY** — do not make the change
+> 2. **FAIL the agentic sync** — do not attempt to work around this restriction
+> 3. **Push an explanatory commit** with a message such as:
+> ```
+> SYNC BLOCKED: Required change needs generated code update
+>
+> The reference implementation change '' requires updates
+> to the generated RPC/event types in src/generated/java/. These files
+> cannot be hand-edited — they must be regenerated.
+>
+> ACTION REQUIRED: Re-run the update-copilot-dependency.yml workflow
+> to update the @github/copilot npm package and regenerate the Java
+> source files before this sync can be completed.
+> ```
+> 4. **Document in the PR body** which reference implementation changes were blocked and why
+> 5. **Do NOT attempt to work around this restriction** by making equivalent changes elsewhere
+>
+> The correct way to update generated code is:
+> - Trigger the `update-copilot-dependency.yml` workflow with the new `@github/copilot` version
+> - That workflow updates `package.json`, regenerates all files in `src/generated/java/`, and opens a PR
+
## ⚠️ IMPORTANT: Java SDK Design Takes Priority
**The current design and architecture of the Java SDK is the priority.** When porting changes from the reference implementation:
@@ -101,7 +138,7 @@ For each change in the reference implementation diff, determine:
| `dotnet/src/Client.cs` | `src/main/java/com/github/copilot/sdk/CopilotClient.java` |
| `dotnet/src/Session.cs` | `src/main/java/com/github/copilot/sdk/CopilotSession.java` |
| `dotnet/src/Types.cs` | `src/main/java/com/github/copilot/sdk/types/*.java` |
-| `dotnet/src/Generated/*.cs` | `src/main/java/com/github/copilot/sdk/types/*.java` |
+| `dotnet/src/Generated/*.cs` | ❌ **DO NOT TOUCH** `src/generated/java/**` — see top of this file |
| `dotnet/test/*.cs` | `src/test/java/com/github/copilot/sdk/*Test.java` |
| `docs/getting-started.md` | `README.md` and `src/site/markdown/*.md` |
| `docs/*.md` (new files) | `src/site/markdown/*.md` + update `src/site/site.xml` |
@@ -111,6 +148,10 @@ For each change in the reference implementation diff, determine:
## Step 5: Apply Changes to Java SDK
+> ### ❌❌❌ REMINDER: `src/generated/java/` IS FORBIDDEN ❌❌❌
+> Any change that requires modifying `src/generated/java/` MUST stop the sync.
+> See the **ABSOLUTE PROHIBITION** section at the top of this file for required actions.
+
When porting changes:
### ⚠️ Priority: Preserve Java SDK Design
@@ -400,6 +441,7 @@ Before finishing:
## Checklist
+- [ ] ❌ **VERIFIED: No files in `src/generated/java/` were modified** (if any were needed, sync was stopped per ABSOLUTE PROHIBITION above)
- [ ] New branch created from `main`
- [ ] Copilot CLI updated to latest version
- [ ] README.md updated with minimum CLI version requirement
@@ -430,6 +472,7 @@ Before finishing:
## Notes
+- ❌❌❌ **`src/generated/java/` IS FORBIDDEN** — NEVER modify generated files; re-run `update-copilot-dependency.yml` instead ❌❌❌
- The reference implementation SDK is at: `https://github.com/github/copilot-sdk.git`
- Primary reference implementation is in `dotnet/` folder
- This Java SDK targets Java 17+
diff --git a/.github/prompts/coding-agent-merge-reference-impl-instructions.md b/.github/prompts/coding-agent-merge-reference-impl-instructions.md
index cee6ef8a7..c93af9a1a 100644
--- a/.github/prompts/coding-agent-merge-reference-impl-instructions.md
+++ b/.github/prompts/coding-agent-merge-reference-impl-instructions.md
@@ -17,3 +17,17 @@ Add the 'reference-impl-sync' label to the existing PR by running this command i
If after analyzing the reference implementation diff there are no relevant changes to port to the Java SDK,
push an empty commit with a message explaining why no changes were needed, so the PR reflects
the analysis outcome. The repository maintainer will close the PR and issue manually.
+
+❌❌❌ ABSOLUTE PROHIBITION ❌❌❌
+
+NEVER MODIFY ANY FILE UNDER src/generated/java/ — THESE FILES ARE AUTO-GENERATED AND FORBIDDEN.
+
+If any change requires modifying src/generated/java/:
+1. STOP IMMEDIATELY — do not make the change
+2. FAIL the sync with an explanatory commit message
+3. Instruct the maintainer to re-run update-copilot-dependency.yml to regenerate these files
+
+See the ABSOLUTE PROHIBITION section in .github/prompts/agentic-merge-reference-impl.prompt.md
+for the full required procedure and commit message template.
+
+❌❌❌ END ABSOLUTE PROHIBITION ❌❌❌
diff --git a/.github/workflows/codegen-check.yml b/.github/workflows/codegen-check.yml
new file mode 100644
index 000000000..675629c1e
--- /dev/null
+++ b/.github/workflows/codegen-check.yml
@@ -0,0 +1,44 @@
+name: "Codegen Check"
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ paths:
+ - 'scripts/codegen/**'
+ - 'src/generated/java/**'
+ - '.github/workflows/codegen-check.yml'
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ check:
+ name: "Verify generated files are up-to-date"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+ with:
+ node-version: 22
+
+ - name: Install codegen dependencies
+ working-directory: ./scripts/codegen
+ run: npm ci
+
+ - name: Run codegen
+ working-directory: ./scripts/codegen
+ run: npm run generate
+
+ - name: Check for uncommitted changes
+ run: |
+ if [ -n "$(git status --porcelain)" ]; then
+ echo "::error::Generated files are out of date. Run 'cd scripts/codegen && npm run generate' and commit the changes."
+ git diff --stat
+ git diff
+ exit 1
+ fi
+ echo "✅ Generated files are up-to-date"
diff --git a/.github/workflows/update-copilot-dependency.yml b/.github/workflows/update-copilot-dependency.yml
new file mode 100644
index 000000000..bb86bfd83
--- /dev/null
+++ b/.github/workflows/update-copilot-dependency.yml
@@ -0,0 +1,144 @@
+name: "Update @github/copilot Dependency"
+
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ description: 'Target version of @github/copilot (e.g. 1.0.24)'
+ required: true
+ type: string
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ update:
+ name: "Update @github/copilot to ${{ inputs.version }}"
+ runs-on: ubuntu-latest
+ steps:
+ - name: Validate version input
+ env:
+ VERSION: ${{ inputs.version }}
+ run: |
+ if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9._-]+)?$ ]]; then
+ echo "::error::Invalid version format '$VERSION'. Expected semver (e.g. 1.0.24)."
+ exit 1
+ fi
+
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+ with:
+ node-version: 22
+
+ - name: Update @github/copilot in scripts/codegen
+ env:
+ VERSION: ${{ inputs.version }}
+ working-directory: ./scripts/codegen
+ # npm install updates package.json and package-lock.json to the new
+ # version; npm ci (below) then does a clean, reproducible install from
+ # the updated lock file. Both steps are required: npm install alone
+ # leaves leftover packages, while npm ci alone cannot change the pinned
+ # version in the lock file.
+ run: npm install "@github/copilot@$VERSION"
+
+ - name: Install codegen dependencies
+ working-directory: ./scripts/codegen
+ run: npm ci
+
+ - name: Run codegen
+ working-directory: ./scripts/codegen
+ run: npm run generate
+
+ - uses: ./.github/actions/setup-copilot
+
+ - name: Verify generated code against schema
+ env:
+ COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
+ run: |
+ cat > /tmp/verify-codegen-prompt.txt << 'PROMPT_EOF'
+ You are running inside the copilot-sdk-java repository.
+ The code generator has just run and produced Java source files under
+ src/generated/java/com/github/copilot/sdk/generated/rpc/.
+
+ Your task is to spot-check the generated API classes against the source
+ JSON schema to verify the generator produced correct output.
+
+ **Critical constraint: Do NOT modify any files. This is a read-only
+ verification. Use only read/inspect operations.**
+
+ **Steps:**
+ 1. Read the API schema at:
+ scripts/codegen/node_modules/@github/copilot/schemas/api.schema.json
+
+ 2. Pick these 3 generated API classes to verify:
+ - src/generated/java/com/github/copilot/sdk/generated/rpc/SessionToolsApi.java
+ - src/generated/java/com/github/copilot/sdk/generated/rpc/SessionUiApi.java
+ - src/generated/java/com/github/copilot/sdk/generated/rpc/SessionPermissionsApi.java
+
+ 3. For each class, verify:
+ - Every RPC method in the schema's corresponding namespace has a
+ matching Java method in the generated class
+ - Parameter record fields match the JSON schema property names
+ - Java types are consistent with JSON schema types (String for
+ "string", Integer/int for "integer", Boolean/boolean for
+ "boolean", List for "array", Map or a generated class for
+ "object", etc.)
+ - No extra methods exist in the Java class that are not in the
+ schema
+
+ 4. Print a summary table of what was checked and the result for each
+ method.
+
+ 5. If ANY mismatch is found, print the details and exit with a
+ non-zero code.
+ If all checks pass, print "Schema verification passed" and exit 0.
+ PROMPT_EOF
+
+ copilot --yolo --prompt "$(cat /tmp/verify-codegen-prompt.txt)"
+
+ - name: Create pull request
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ VERSION: ${{ inputs.version }}
+ run: |
+ BRANCH="update-copilot-$VERSION"
+ git config user.name "github-actions[bot]"
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+ if git rev-parse --verify "origin/$BRANCH" >/dev/null 2>&1; then
+ git checkout "$BRANCH"
+ git reset --hard HEAD
+ else
+ git checkout -b "$BRANCH"
+ fi
+
+ git add -A
+
+ if git diff --cached --quiet; then
+ echo "No changes detected; skipping commit and PR creation."
+ exit 0
+ fi
+
+ git commit -m "Update @github/copilot to $VERSION
+
+ - Updated @github/copilot in scripts/codegen
+ - Re-ran Java code generator"
+ git push origin "$BRANCH" --force-with-lease
+
+ if gh pr view "$BRANCH" >/dev/null 2>&1; then
+ echo "Pull request for branch '$BRANCH' already exists; updated branch only."
+ else
+ gh pr create \
+ --title "Update @github/copilot to $VERSION" \
+ --body "Automated update of \`@github/copilot\` to version \`$VERSION\`.
+
+ ### Changes
+ - Updated \`@github/copilot\` in \`scripts/codegen/package.json\`
+ - Re-ran Java code generator (\`scripts/codegen\`)
+
+ > Created by the **Update @github/copilot Dependency** workflow." \
+ --base main \
+ --head "$BRANCH"
+ fi
diff --git a/.gitignore b/.gitignore
index f079a3d20..35ea546f0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,10 +5,11 @@ examples-test/
blog-copilotsdk/
.claude/worktrees
smoke-test
-*job-logs.txt
+*job-logs.txt*
temporary-prompts/
changebundle.txt*
.classpath
.project
.settings
+scripts/codegen/node_modules/
*~
diff --git a/README.md b/README.md
index d425fa4eb..95372e91f 100644
--- a/README.md
+++ b/README.md
@@ -67,8 +67,8 @@ implementation 'com.github:copilot-sdk-java:0.2.2-java.1'
```java
import com.github.copilot.sdk.CopilotClient;
-import com.github.copilot.sdk.events.AssistantMessageEvent;
-import com.github.copilot.sdk.events.SessionUsageInfoEvent;
+import com.github.copilot.sdk.generated.AssistantMessageEvent;
+import com.github.copilot.sdk.generated.SessionUsageInfoEvent;
import com.github.copilot.sdk.json.CopilotClientOptions;
import com.github.copilot.sdk.json.MessageOptions;
import com.github.copilot.sdk.json.PermissionHandler;
diff --git a/config/checkstyle/checkstyle.xml b/config/checkstyle/checkstyle.xml
index 33c9ac5f2..9a6f3761b 100644
--- a/config/checkstyle/checkstyle.xml
+++ b/config/checkstyle/checkstyle.xml
@@ -11,9 +11,9 @@
-
+
-
+
diff --git a/config/spotbugs/spotbugs-exclude.xml b/config/spotbugs/spotbugs-exclude.xml
index 7f3b068cb..1c7d415f6 100644
--- a/config/spotbugs/spotbugs-exclude.xml
+++ b/config/spotbugs/spotbugs-exclude.xml
@@ -2,7 +2,7 @@
-
+
diff --git a/docs/WORKFLOWS.md b/docs/WORKFLOWS.md
index 1cbb22b36..3df254890 100644
--- a/docs/WORKFLOWS.md
+++ b/docs/WORKFLOWS.md
@@ -5,6 +5,8 @@
| Workflow | Description | Triggers | Schedule |
|----------|-------------|----------|----------|
| [Build & Test](workflows/build-test.yml) | Builds, lints, and tests the Java SDK | `push` (main), `pull_request`, `merge_group`, `workflow_dispatch` | Sundays at 00:00 UTC |
+| [Codegen Check](workflows/codegen-check.yml) | Verifies that generated Java files are up-to-date with the JSON schemas | `push` (main), `pull_request`, `workflow_dispatch` | — |
+| [Update @github/copilot Dependency](workflows/update-copilot-dependency.yml) | Updates the `@github/copilot` npm package, re-runs code generation, and opens a PR | `workflow_dispatch` | — |
| [Deploy Documentation](workflows/deploy-site.yml) | Generates and deploys versioned docs to GitHub Pages | `workflow_run` (after Build & Test), `release`, `workflow_dispatch` | — |
| [Publish to Maven Central](workflows/publish-maven.yml) | Releases the SDK to Maven Central and creates a GitHub Release | `workflow_dispatch` | — |
| [Weekly Reference Implementation Sync](workflows/weekly-reference-impl-sync.yml) | Checks for new reference implementation commits and creates an issue for Copilot to merge | `workflow_dispatch` | Mondays at 10:00 UTC |
@@ -87,6 +89,42 @@ Auto-generated compiled workflow produced by `gh aw compile` from the correspond
---
+## Codegen Check
+
+**File:** [`codegen-check.yml`](workflows/codegen-check.yml)
+
+Verifies that the generated Java source files in `src/generated/java/` are up-to-date with the JSON schemas distributed in the `@github/copilot` npm package.
+
+Steps:
+1. Installs the codegen dependencies from `scripts/codegen/`
+2. Runs the Java code generator (`npm run generate`)
+3. Fails with a diff if any generated file differs from what is committed
+
+Run this locally with:
+```bash
+cd scripts/codegen && npm ci && npm run generate
+```
+
+If changes appear, commit the updated generated files.
+
+---
+
+## Update @github/copilot Dependency
+
+**File:** [`update-copilot-dependency.yml`](workflows/update-copilot-dependency.yml)
+
+Manual workflow triggered when a new version of the `@github/copilot` npm package is published. Accepts a `version` input (e.g. `1.0.25`).
+
+Steps:
+1. Updates `@github/copilot` in `scripts/codegen/package.json`
+2. Re-runs the Java code generator
+3. Commits the updated `package.json`, `package-lock.json`, and all regenerated Java files
+4. Opens (or updates) a pull request for review
+
+The resulting PR will be automatically validated by the **Codegen Check** workflow.
+
+---
+
## Copilot Setup Steps
**File:** [`copilot-setup-steps.yml`](workflows/copilot-setup-steps.yml)
diff --git a/jbang-example.java b/jbang-example.java
index dd1f80762..dd3f1de78 100644
--- a/jbang-example.java
+++ b/jbang-example.java
@@ -1,8 +1,8 @@
!
//DEPS com.github:copilot-sdk-java:0.2.2-java.1
import com.github.copilot.sdk.CopilotClient;
-import com.github.copilot.sdk.events.AssistantMessageEvent;
-import com.github.copilot.sdk.events.SessionUsageInfoEvent;
+import com.github.copilot.sdk.generated.AssistantMessageEvent;
+import com.github.copilot.sdk.generated.SessionUsageInfoEvent;
import com.github.copilot.sdk.json.MessageOptions;
import com.github.copilot.sdk.json.PermissionHandler;
import com.github.copilot.sdk.json.SessionConfig;
diff --git a/pom.xml b/pom.xml
index b61c36166..562b77ed5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -255,12 +255,35 @@
+
+
+ org.codehaus.mojo
+ build-helper-maven-plugin
+ 3.6.1
+
+
+ add-generated-source
+ generate-sources
+
+ add-source
+
+
+
+ ${project.basedir}/src/generated/java
+
+
+
+
+ com.diffplug.spotlessspotless-maven-plugin2.44.5
+
+ src/generated/java/**/*.java
+ 4.33
@@ -627,5 +650,103 @@
+
+
+ update-schemas-from-npm-artifact
+
+
+
+ org.codehaus.mojo
+ exec-maven-plugin
+ 3.6.2
+
+
+ update-copilot-schema-version
+ generate-sources
+
+ exec
+
+
+ npm
+ ${project.basedir}/scripts/codegen
+
+ install
+ @github/copilot@${copilot.schema.version}
+
+
+
+
+
+
+ org.apache.maven.plugins
+ maven-enforcer-plugin
+ 3.5.0
+
+
+ require-schema-version
+ validate
+
+ enforce
+
+
+
+
+ copilot.schema.version
+ You must specify -Dcopilot.schema.version=VERSION (e.g. 1.0.25)
+
+
+
+
+
+
+
+
+
+
+
+ codegen
+
+
+
+ org.codehaus.mojo
+ exec-maven-plugin
+ 3.6.2
+
+
+ codegen-npm-install
+ generate-sources
+
+ exec
+
+
+ npm
+ ${project.basedir}/scripts/codegen
+
+ ci
+
+
+
+
+ codegen-generate
+ generate-sources
+
+ exec
+
+
+ npm
+ ${project.basedir}/scripts/codegen
+
+ run
+ generate
+
+
+
+
+
+
+
+
diff --git a/scripts/codegen/.gitignore b/scripts/codegen/.gitignore
new file mode 100644
index 000000000..c2658d7d1
--- /dev/null
+++ b/scripts/codegen/.gitignore
@@ -0,0 +1 @@
+node_modules/
diff --git a/scripts/codegen/java.ts b/scripts/codegen/java.ts
new file mode 100644
index 000000000..84b9e8bf1
--- /dev/null
+++ b/scripts/codegen/java.ts
@@ -0,0 +1,1322 @@
+/*---------------------------------------------------------------------------------------------
+ * Copyright (c) Microsoft Corporation. All rights reserved.
+ *--------------------------------------------------------------------------------------------*/
+
+/**
+ * Java code generator for session-events and RPC types.
+ * Generates Java source files under src/generated/java/ from JSON Schema files.
+ */
+
+import fs from "fs/promises";
+import path from "path";
+import { fileURLToPath } from "url";
+import type { JSONSchema7 } from "json-schema";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+/** Root of the copilot-sdk-java repo */
+const REPO_ROOT = path.resolve(__dirname, "../..");
+
+/** Event types to exclude from generation (internal/legacy types) */
+const EXCLUDED_EVENT_TYPES = new Set(["session.import_legacy"]);
+
+const AUTO_GENERATED_HEADER = `// AUTO-GENERATED FILE - DO NOT EDIT`;
+const GENERATED_FROM_SESSION_EVENTS = `// Generated from: session-events.schema.json`;
+const GENERATED_FROM_API = `// Generated from: api.schema.json`;
+const GENERATED_ANNOTATION = `@javax.annotation.processing.Generated("copilot-sdk-codegen")`;
+const COPYRIGHT = `/*---------------------------------------------------------------------------------------------\n * Copyright (c) Microsoft Corporation. All rights reserved.\n *--------------------------------------------------------------------------------------------*/`;
+
+// ── Naming utilities ─────────────────────────────────────────────────────────
+
+function toPascalCase(name: string): string {
+ return name.split(/[-_.]/).map((p) => p.charAt(0).toUpperCase() + p.slice(1)).join("");
+}
+
+function toJavaClassName(typeName: string): string {
+ return typeName.split(/[._]/).map((p) => p.charAt(0).toUpperCase() + p.slice(1)).join("");
+}
+
+function toCamelCase(name: string): string {
+ const pascal = toPascalCase(name);
+ return pascal.charAt(0).toLowerCase() + pascal.slice(1);
+}
+
+function toEnumConstant(value: string): string {
+ return value.toUpperCase().replace(/[-. ]/g, "_");
+}
+
+// ── Schema path resolution ───────────────────────────────────────────────────
+
+async function getSessionEventsSchemaPath(): Promise {
+ const candidates = [
+ path.join(REPO_ROOT, "scripts/codegen/node_modules/@github/copilot/schemas/session-events.schema.json"),
+ path.join(REPO_ROOT, "nodejs/node_modules/@github/copilot/schemas/session-events.schema.json"),
+ ];
+ for (const p of candidates) {
+ try {
+ await fs.access(p);
+ return p;
+ } catch {
+ // try next
+ }
+ }
+ throw new Error("session-events.schema.json not found. Run 'npm ci' in scripts/codegen first.");
+}
+
+async function getApiSchemaPath(): Promise {
+ const candidates = [
+ path.join(REPO_ROOT, "scripts/codegen/node_modules/@github/copilot/schemas/api.schema.json"),
+ path.join(REPO_ROOT, "nodejs/node_modules/@github/copilot/schemas/api.schema.json"),
+ ];
+ for (const p of candidates) {
+ try {
+ await fs.access(p);
+ return p;
+ } catch {
+ // try next
+ }
+ }
+ throw new Error("api.schema.json not found. Run 'npm ci' in scripts/codegen first.");
+}
+
+// ── File writing ─────────────────────────────────────────────────────────────
+
+async function writeGeneratedFile(relativePath: string, content: string): Promise {
+ const fullPath = path.join(REPO_ROOT, relativePath);
+ await fs.mkdir(path.dirname(fullPath), { recursive: true });
+ await fs.writeFile(fullPath, content, "utf-8");
+ console.log(` ✓ ${relativePath}`);
+ return fullPath;
+}
+
+// ── Java type mapping ─────────────────────────────────────────────────────────
+
+interface JavaTypeResult {
+ javaType: string;
+ imports: Set;
+}
+
+function schemaTypeToJava(
+ schema: JSONSchema7,
+ required: boolean,
+ context: string,
+ propName: string,
+ nestedTypes: Map
+): JavaTypeResult {
+ const imports = new Set();
+
+ if (schema.anyOf) {
+ const hasNull = schema.anyOf.some((s) => typeof s === "object" && (s as JSONSchema7).type === "null");
+ const nonNull = schema.anyOf.filter((s) => typeof s === "object" && (s as JSONSchema7).type !== "null");
+ if (nonNull.length === 1) {
+ const result = schemaTypeToJava(nonNull[0] as JSONSchema7, required && !hasNull, context, propName, nestedTypes);
+ return result;
+ }
+ // Multi-branch anyOf: fall through to Object, matching the C# generator's
+ // behavior. Java has no union types, so Object is the correct erasure for
+ // anyOf[string, object] and similar multi-variant schemas.
+ console.warn(`[codegen] ${context}.${propName}: anyOf with ${nonNull.length} non-null branches — falling back to Object`);
+ return { javaType: "Object", imports };
+ }
+
+ if (schema.type === "string") {
+ if (schema.format === "uuid") {
+ imports.add("java.util.UUID");
+ return { javaType: "UUID", imports };
+ }
+ if (schema.format === "date-time") {
+ imports.add("java.time.OffsetDateTime");
+ return { javaType: "OffsetDateTime", imports };
+ }
+ if (schema.enum && Array.isArray(schema.enum)) {
+ const enumName = `${context}${toPascalCase(propName)}`;
+ nestedTypes.set(enumName, {
+ kind: "enum",
+ name: enumName,
+ values: schema.enum as string[],
+ description: schema.description,
+ });
+ return { javaType: enumName, imports };
+ }
+ return { javaType: "String", imports };
+ }
+
+ if (Array.isArray(schema.type)) {
+ const nonNullTypes = schema.type.filter((t) => t !== "null");
+ if (nonNullTypes.length === 1) {
+ const baseSchema = { ...schema, type: nonNullTypes[0] };
+ return schemaTypeToJava(baseSchema as JSONSchema7, required, context, propName, nestedTypes);
+ }
+ }
+
+ if (schema.type === "integer") {
+ // JSON Schema "integer" maps to Long (boxed — always used for records).
+ // Use primitive long for required fields in mutable-bean contexts if needed.
+ return { javaType: required ? "long" : "Long", imports };
+ }
+
+ if (schema.type === "number") {
+ return { javaType: required ? "double" : "Double", imports };
+ }
+
+ if (schema.type === "boolean") {
+ return { javaType: required ? "boolean" : "Boolean", imports };
+ }
+
+ if (schema.type === "array") {
+ const items = schema.items as JSONSchema7 | undefined;
+ if (items) {
+ const itemResult = schemaTypeToJava(items, true, context, propName + "Item", nestedTypes);
+ imports.add("java.util.List");
+ for (const imp of itemResult.imports) imports.add(imp);
+ return { javaType: `List<${itemResult.javaType}>`, imports };
+ }
+ imports.add("java.util.List");
+ console.warn(`[codegen] ${context}.${propName}: array without typed items — falling back to List