From 407173da7aa70bdc38bb105284447e3322e2cb6d Mon Sep 17 00:00:00 2001 From: Dan Wahlin Date: Tue, 31 Mar 2026 14:55:37 -0700 Subject: [PATCH] fix: add protected-files: allowed for traffic CSV files MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The allowed-files and protected-files checks are orthogonal — both must pass independently. Adding protected-files: allowed permits the workflow to modify files under .github/ that are listed in allowed-files. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/traffic-updater.lock.yml | 54 +++++++++++----------- .github/workflows/traffic-updater.md | 1 + 2 files changed, 28 insertions(+), 27 deletions(-) diff --git a/.github/workflows/traffic-updater.lock.yml b/.github/workflows/traffic-updater.lock.yml index 734b094..b697e3a 100644 --- a/.github/workflows/traffic-updater.lock.yml +++ b/.github/workflows/traffic-updater.lock.yml @@ -22,7 +22,7 @@ # # Weekly collection of repo traffic data (views and unique visitors). Appends the previous week's daily numbers to CSV files. # -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"bbcb3ff070db423c2b80677fb833fdae921c4628bf9cdc2a4faedf04d31238f7","compiler_version":"v0.64.4","strict":true,"agent_id":"copilot"} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"79ca363e77357522f55d9eabb28c115e787611dcceeb96723150949970a07b07","compiler_version":"v0.64.4","strict":true,"agent_id":"copilot"} name: "Traffic Updater" "on": @@ -126,19 +126,19 @@ jobs: run: | bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh { - cat << 'GH_AW_PROMPT_489fa69f1711f74f_EOF' + cat << 'GH_AW_PROMPT_3d9464b7f988acde_EOF' - GH_AW_PROMPT_489fa69f1711f74f_EOF + GH_AW_PROMPT_3d9464b7f988acde_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md" cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md" cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md" cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md" - cat << 'GH_AW_PROMPT_489fa69f1711f74f_EOF' + cat << 'GH_AW_PROMPT_3d9464b7f988acde_EOF' Tools: create_pull_request, missing_tool, missing_data, noop - GH_AW_PROMPT_489fa69f1711f74f_EOF + GH_AW_PROMPT_3d9464b7f988acde_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_create_pull_request.md" - cat << 'GH_AW_PROMPT_489fa69f1711f74f_EOF' + cat << 'GH_AW_PROMPT_3d9464b7f988acde_EOF' The following GitHub context information is available for this workflow: @@ -168,14 +168,14 @@ jobs: {{/if}} - GH_AW_PROMPT_489fa69f1711f74f_EOF + GH_AW_PROMPT_3d9464b7f988acde_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" - cat << 'GH_AW_PROMPT_489fa69f1711f74f_EOF' + cat << 'GH_AW_PROMPT_3d9464b7f988acde_EOF' - GH_AW_PROMPT_489fa69f1711f74f_EOF - cat << 'GH_AW_PROMPT_489fa69f1711f74f_EOF' + GH_AW_PROMPT_3d9464b7f988acde_EOF + cat << 'GH_AW_PROMPT_3d9464b7f988acde_EOF' {{#runtime-import .github/workflows/traffic-updater.md}} - GH_AW_PROMPT_489fa69f1711f74f_EOF + GH_AW_PROMPT_3d9464b7f988acde_EOF } > "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -329,12 +329,12 @@ jobs: mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_b8a5772dc5d2f723_EOF' - {"create_pull_request":{"allowed_files":[".github/uvs.csv",".github/views.csv"],"base_branch":"main","fallback_as_issue":false,"labels":["automated-update","traffic-data"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS"],"protected_path_prefixes":[".github/",".agents/"],"title_prefix":"[bot] "},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"false"}} - GH_AW_SAFE_OUTPUTS_CONFIG_b8a5772dc5d2f723_EOF + cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_e8583dbb7b347f7d_EOF' + {"create_pull_request":{"allowed_files":[".github/uvs.csv",".github/views.csv"],"base_branch":"main","fallback_as_issue":false,"labels":["automated-update","traffic-data"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS"],"protected_files_policy":"allowed","protected_path_prefixes":[".github/",".agents/"],"title_prefix":"[bot] "},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"false"}} + GH_AW_SAFE_OUTPUTS_CONFIG_e8583dbb7b347f7d_EOF - name: Write Safe Outputs Tools run: | - cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_a71940aae6eb50f3_EOF' + cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_23f9e2286906001f_EOF' { "description_suffixes": { "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[bot] \". Labels [\"automated-update\" \"traffic-data\"] will be automatically added." @@ -342,8 +342,8 @@ jobs: "repo_params": {}, "dynamic_tools": [] } - GH_AW_SAFE_OUTPUTS_TOOLS_META_a71940aae6eb50f3_EOF - cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_80be3fb33b3c4ee1_EOF' + GH_AW_SAFE_OUTPUTS_TOOLS_META_23f9e2286906001f_EOF + cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_9999cbee3c2832bb_EOF' { "create_pull_request": { "defaultMax": 1, @@ -439,7 +439,7 @@ jobs: } } } - GH_AW_SAFE_OUTPUTS_VALIDATION_80be3fb33b3c4ee1_EOF + GH_AW_SAFE_OUTPUTS_VALIDATION_9999cbee3c2832bb_EOF node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config @@ -482,7 +482,7 @@ jobs: - name: Setup MCP Scripts Config run: | mkdir -p ${RUNNER_TEMP}/gh-aw/mcp-scripts/logs - cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_5cba0518595f8090_EOF' + cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_4b61ed432dca77b0_EOF' { "serverName": "mcpscripts", "version": "1.0.0", @@ -503,8 +503,8 @@ jobs: } ] } - GH_AW_MCP_SCRIPTS_TOOLS_5cba0518595f8090_EOF - cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_f34d83f7b0066f59_EOF' + GH_AW_MCP_SCRIPTS_TOOLS_4b61ed432dca77b0_EOF + cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_020303d66b428399_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -518,12 +518,12 @@ jobs: console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); - GH_AW_MCP_SCRIPTS_SERVER_f34d83f7b0066f59_EOF + GH_AW_MCP_SCRIPTS_SERVER_020303d66b428399_EOF chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/fetch-traffic.sh << 'GH_AW_MCP_SCRIPTS_SH_FETCH-TRAFFIC_46e2732d619ae5e7_EOF' + cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/fetch-traffic.sh << 'GH_AW_MCP_SCRIPTS_SH_FETCH-TRAFFIC_c91856f9c1bf8371_EOF' #!/bin/bash # Auto-generated mcp-script tool: fetch-traffic # Fetch the last 14 days of traffic views for this repository from the GitHub API. Returns JSON with a views array containing timestamp, count, and uniques per day. @@ -533,7 +533,7 @@ jobs: gh api repos/$GITHUB_REPOSITORY/traffic/views - GH_AW_MCP_SCRIPTS_SH_FETCH-TRAFFIC_46e2732d619ae5e7_EOF + GH_AW_MCP_SCRIPTS_SH_FETCH-TRAFFIC_c91856f9c1bf8371_EOF chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/fetch-traffic.sh - name: Generate MCP Scripts Server Config @@ -600,7 +600,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.9' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_0d9456c93b240471_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_2bef435bc3261eae_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -655,7 +655,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_0d9456c93b240471_EOF + GH_AW_MCP_CONFIG_2bef435bc3261eae_EOF - name: Download activation artifact uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: @@ -1233,7 +1233,7 @@ jobs: GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,localhost,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_pull_request\":{\"allowed_files\":[\".github/uvs.csv\",\".github/views.csv\"],\"base_branch\":\"main\",\"fallback_as_issue\":false,\"labels\":[\"automated-update\",\"traffic-data\"],\"max\":1,\"max_patch_size\":1024,\"protected_files\":[\"package.json\",\"bun.lockb\",\"bunfig.toml\",\"deno.json\",\"deno.jsonc\",\"deno.lock\",\"global.json\",\"NuGet.Config\",\"Directory.Packages.props\",\"mix.exs\",\"mix.lock\",\"go.mod\",\"go.sum\",\"stack.yaml\",\"stack.yaml.lock\",\"pom.xml\",\"build.gradle\",\"build.gradle.kts\",\"settings.gradle\",\"settings.gradle.kts\",\"gradle.properties\",\"package-lock.json\",\"yarn.lock\",\"pnpm-lock.yaml\",\"npm-shrinkwrap.json\",\"requirements.txt\",\"Pipfile\",\"Pipfile.lock\",\"pyproject.toml\",\"setup.py\",\"setup.cfg\",\"Gemfile\",\"Gemfile.lock\",\"uv.lock\",\"CODEOWNERS\",\"AGENTS.md\"],\"protected_path_prefixes\":[\".github/\",\".agents/\"],\"title_prefix\":\"[bot] \"},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"false\"}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_pull_request\":{\"allowed_files\":[\".github/uvs.csv\",\".github/views.csv\"],\"base_branch\":\"main\",\"fallback_as_issue\":false,\"labels\":[\"automated-update\",\"traffic-data\"],\"max\":1,\"max_patch_size\":1024,\"protected_files\":[\"package.json\",\"bun.lockb\",\"bunfig.toml\",\"deno.json\",\"deno.jsonc\",\"deno.lock\",\"global.json\",\"NuGet.Config\",\"Directory.Packages.props\",\"mix.exs\",\"mix.lock\",\"go.mod\",\"go.sum\",\"stack.yaml\",\"stack.yaml.lock\",\"pom.xml\",\"build.gradle\",\"build.gradle.kts\",\"settings.gradle\",\"settings.gradle.kts\",\"gradle.properties\",\"package-lock.json\",\"yarn.lock\",\"pnpm-lock.yaml\",\"npm-shrinkwrap.json\",\"requirements.txt\",\"Pipfile\",\"Pipfile.lock\",\"pyproject.toml\",\"setup.py\",\"setup.cfg\",\"Gemfile\",\"Gemfile.lock\",\"uv.lock\",\"CODEOWNERS\",\"AGENTS.md\"],\"protected_files_policy\":\"allowed\",\"protected_path_prefixes\":[\".github/\",\".agents/\"],\"title_prefix\":\"[bot] \"},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"false\"}}" GH_AW_CI_TRIGGER_TOKEN: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN }} with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/traffic-updater.md b/.github/workflows/traffic-updater.md index 5b2e4d7..dc280c0 100644 --- a/.github/workflows/traffic-updater.md +++ b/.github/workflows/traffic-updater.md @@ -26,6 +26,7 @@ safe-outputs: title-prefix: "[bot] " base-branch: main fallback-as-issue: false + protected-files: allowed allowed-files: - ".github/uvs.csv" - ".github/views.csv"