chore: sync actions from gh-aw@v0.68.4 (#77)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Author: github-actions[bot]

setup/js/add_reviewer.cjs

@@ -3,8 +3,18 @@
 
 /**
  * @typedef {import('./types/handler-factory').HandlerFactoryFunction} HandlerFactoryFunction
+ * @typedef {import('./types/handler-factory').HandlerConfig} HandlerConfig
+ * @typedef {import('./types/handler-factory').ResolvedTemporaryIds} ResolvedTemporaryIds
+ * @typedef {import('./types/handler-factory').HandlerResult} HandlerResult
  */
 
+/**
+ * @typedef {{ reviewers?: Array<string|null|undefined|false>, pull_request_number?: number|string }} AddReviewerMessage
+ */
+
+/** @type {string} Safe output type handled by this module */
+const HANDLER_TYPE = "add_reviewer";
+
 const { processItems } = require("./safe_output_processor.cjs");
 const { getErrorMessage } = require("./error_helpers.cjs");
 const { getPullRequestNumber } = require("./pr_helpers.cjs");
@@ -32,9 +42,9 @@ async function main(config = {}) {
   let processedCount = 0;
 
   /**
-   * @param {Object} message - The add_reviewer message to process
-   * @param {Object} resolvedTemporaryIds - Map of temporary IDs to {repo, number}
-   * @returns {Promise<Object>} Result with success/error status
+   * @param {AddReviewerMessage} message - The add_reviewer message to process
+   * @param {ResolvedTemporaryIds} resolvedTemporaryIds - Map of temporary IDs to {repo, number}
+   * @returns {Promise<HandlerResult>} Result with success/error status
    */
   return async function handleAddReviewer(message, resolvedTemporaryIds) {
     if (processedCount >= maxCount) {

setup/js/close_expired_discussions.cjs

@@ -5,6 +5,7 @@ const { executeExpiredEntityCleanup } = require("./expired_entity_main_flow.cjs"
 const { generateExpiredEntityFooter } = require("./generate_footer.cjs");
 const { sanitizeContent } = require("./sanitize_content.cjs");
 const { getWorkflowMetadata } = require("./workflow_metadata_helpers.cjs");
+const { resolveExecutionOwnerRepo } = require("./repo_helpers.cjs");
 
 /**
  * Add comment to a GitHub Discussion using GraphQL
@@ -90,8 +91,8 @@ async function hasExpirationComment(github, discussionId) {
 }
 
 async function main() {
-  const owner = context.repo.owner;
-  const repo = context.repo.repo;
+  const { owner, repo } = resolveExecutionOwnerRepo();
+  core.info(`Operating on repository: ${owner}/${repo}`);
 
   // Get workflow metadata for footer
   const { workflowName, workflowId, runUrl } = getWorkflowMetadata(owner, repo);

setup/js/close_expired_issues.cjs

@@ -5,6 +5,7 @@ const { executeExpiredEntityCleanup } = require("./expired_entity_main_flow.cjs"
 const { generateExpiredEntityFooter } = require("./generate_footer.cjs");
 const { sanitizeContent } = require("./sanitize_content.cjs");
 const { getWorkflowMetadata } = require("./workflow_metadata_helpers.cjs");
+const { resolveExecutionOwnerRepo } = require("./repo_helpers.cjs");
 
 /**
  * Add comment to a GitHub Issue using REST API
@@ -47,8 +48,8 @@ async function closeIssue(github, owner, repo, issueNumber) {
 }
 
 async function main() {
-  const owner = context.repo.owner;
-  const repo = context.repo.repo;
+  const { owner, repo } = resolveExecutionOwnerRepo();
+  core.info(`Operating on repository: ${owner}/${repo}`);
 
   // Get workflow metadata for footer
   const { workflowName, workflowId, runUrl } = getWorkflowMetadata(owner, repo);

setup/js/close_expired_pull_requests.cjs

@@ -5,6 +5,7 @@ const { executeExpiredEntityCleanup } = require("./expired_entity_main_flow.cjs"
 const { generateExpiredEntityFooter } = require("./generate_footer.cjs");
 const { sanitizeContent } = require("./sanitize_content.cjs");
 const { getWorkflowMetadata } = require("./workflow_metadata_helpers.cjs");
+const { resolveExecutionOwnerRepo } = require("./repo_helpers.cjs");
 
 /**
  * Add comment to a GitHub Pull Request using REST API
@@ -46,8 +47,8 @@ async function closePullRequest(github, owner, repo, prNumber) {
 }
 
 async function main() {
-  const owner = context.repo.owner;
-  const repo = context.repo.repo;
+  const { owner, repo } = resolveExecutionOwnerRepo();
+  core.info(`Operating on repository: ${owner}/${repo}`);
 
   // Get workflow metadata for footer
   const { workflowName, workflowId, runUrl } = getWorkflowMetadata(owner, repo);

setup/js/convert_gateway_config_claude.cjs

@@ -0,0 +1,120 @@
+// @ts-check
+"use strict";
+
+// Ensures global.core is available when running outside github-script context
+require("./shim.cjs");
+
+/**
+ * convert_gateway_config_claude.cjs
+ *
+ * Converts the MCP gateway's standard HTTP-based configuration to the JSON
+ * format expected by Claude. Reads the gateway output JSON, filters out
+ * CLI-mounted servers, sets type:"http", rewrites URLs to use the correct
+ * domain, and writes the result to ${RUNNER_TEMP}/gh-aw/mcp-config/mcp-servers.json.
+ *
+ * Required environment variables:
+ * - MCP_GATEWAY_OUTPUT: Path to gateway output configuration file
+ * - MCP_GATEWAY_DOMAIN: Domain for MCP server URLs (e.g., host.docker.internal)
+ * - MCP_GATEWAY_PORT: Port for MCP gateway (e.g., 80)
+ * - RUNNER_TEMP: GitHub Actions runner temp directory
+ *
+ * Optional:
+ * - GH_AW_MCP_CLI_SERVERS: JSON array of server names to exclude from agent config
+ */
+
+const fs = require("fs");
+const path = require("path");
+
+const OUTPUT_PATH = path.join(process.env.RUNNER_TEMP || "/tmp", "gh-aw/mcp-config/mcp-servers.json");
+
+/**
+ * Rewrite a gateway URL to use the configured domain and port.
+ * Replaces http://<anything>/mcp/ with http://<domain>:<port>/mcp/.
+ *
+ * @param {string} url - Original URL from gateway output
+ * @param {string} urlPrefix - Target URL prefix (e.g., http://host.docker.internal:80)
+ * @returns {string} Rewritten URL
+ */
+function rewriteUrl(url, urlPrefix) {
+  return url.replace(/^http:\/\/[^/]+\/mcp\//, `${urlPrefix}/mcp/`);
+}
+
+function main() {
+  const gatewayOutput = process.env.MCP_GATEWAY_OUTPUT;
+  const domain = process.env.MCP_GATEWAY_DOMAIN;
+  const port = process.env.MCP_GATEWAY_PORT;
+
+  if (!gatewayOutput) {
+    core.error("ERROR: MCP_GATEWAY_OUTPUT environment variable is required");
+    process.exit(1);
+  }
+  if (!fs.existsSync(gatewayOutput)) {
+    core.error(`ERROR: Gateway output file not found: ${gatewayOutput}`);
+    process.exit(1);
+  }
+  if (!domain) {
+    core.error("ERROR: MCP_GATEWAY_DOMAIN environment variable is required");
+    process.exit(1);
+  }
+  if (!port) {
+    core.error("ERROR: MCP_GATEWAY_PORT environment variable is required");
+    process.exit(1);
+  }
+
+  core.info("Converting gateway configuration to Claude format...");
+  core.info(`Input: ${gatewayOutput}`);
+  core.info(`Target domain: ${domain}:${port}`);
+
+  const urlPrefix = `http://${domain}:${port}`;
+
+  /** @type {Set<string>} */
+  const cliServers = new Set(JSON.parse(process.env.GH_AW_MCP_CLI_SERVERS || "[]"));
+  if (cliServers.size > 0) {
+    core.info(`CLI-mounted servers to filter: ${[...cliServers].join(", ")}`);
+  }
+
+  /** @type {Record<string, unknown>} */
+  const config = JSON.parse(fs.readFileSync(gatewayOutput, "utf8"));
+  const rawServers = config.mcpServers;
+  const servers =
+    /** @type {Record<string, Record<string, unknown>>} */
+    rawServers && typeof rawServers === "object" && !Array.isArray(rawServers) ? rawServers : {};
+
+  /** @type {Record<string, Record<string, unknown>>} */
+  const result = {};
+  for (const [name, value] of Object.entries(servers)) {
+    if (cliServers.has(name)) continue;
+    const entry = { ...value };
+    // Claude uses "type": "http" for HTTP-based MCP servers
+    entry.type = "http";
+    // Fix the URL to use the correct domain
+    if (typeof entry.url === "string") {
+      entry.url = rewriteUrl(entry.url, urlPrefix);
+    }
+    result[name] = entry;
+  }
+
+  const output = JSON.stringify({ mcpServers: result }, null, 2);
+
+  const serverCount = Object.keys(result).length;
+  const totalCount = Object.keys(servers).length;
+  const filteredCount = totalCount - serverCount;
+  core.info(`Servers: ${serverCount} included, ${filteredCount} filtered (CLI-mounted)`);
+
+  // Ensure output directory exists
+  fs.mkdirSync(path.dirname(OUTPUT_PATH), { recursive: true });
+
+  // Write with owner-only permissions (0o600) to protect the gateway bearer token.
+  // An attacker who reads mcp-servers.json could bypass --allowed-tools by issuing
+  // raw JSON-RPC calls directly to the gateway.
+  fs.writeFileSync(OUTPUT_PATH, output, { mode: 0o600 });
+
+  core.info(`Claude configuration written to ${OUTPUT_PATH}`);
+  core.info("");
+  core.info("Converted configuration:");
+  core.info(output);
+}
+
+main();
+
+module.exports = { rewriteUrl };

setup/js/convert_gateway_config_codex.cjs

@@ -0,0 +1,114 @@
+// @ts-check
+"use strict";
+
+// Ensures global.core is available when running outside github-script context
+require("./shim.cjs");
+
+/**
+ * convert_gateway_config_codex.cjs
+ *
+ * Converts the MCP gateway's standard HTTP-based configuration to the TOML
+ * format expected by Codex. Reads the gateway output JSON, filters out
+ * CLI-mounted servers, resolves host.docker.internal to 172.30.0.1 for Rust
+ * DNS compatibility, and writes the result to ${RUNNER_TEMP}/gh-aw/mcp-config/config.toml.
+ *
+ * Required environment variables:
+ * - MCP_GATEWAY_OUTPUT: Path to gateway output configuration file
+ * - MCP_GATEWAY_DOMAIN: Domain for MCP server URLs (e.g., host.docker.internal)
+ * - MCP_GATEWAY_PORT: Port for MCP gateway (e.g., 80)
+ * - RUNNER_TEMP: GitHub Actions runner temp directory
+ *
+ * Optional:
+ * - GH_AW_MCP_CLI_SERVERS: JSON array of server names to exclude from agent config
+ */
+
+const fs = require("fs");
+const path = require("path");
+
+const OUTPUT_PATH = path.join(process.env.RUNNER_TEMP || "/tmp", "gh-aw/mcp-config/config.toml");
+
+function main() {
+  const gatewayOutput = process.env.MCP_GATEWAY_OUTPUT;
+  const domain = process.env.MCP_GATEWAY_DOMAIN;
+  const port = process.env.MCP_GATEWAY_PORT;
+
+  if (!gatewayOutput) {
+    core.error("ERROR: MCP_GATEWAY_OUTPUT environment variable is required");
+    process.exit(1);
+  }
+  if (!fs.existsSync(gatewayOutput)) {
+    core.error(`ERROR: Gateway output file not found: ${gatewayOutput}`);
+    process.exit(1);
+  }
+  if (!domain) {
+    core.error("ERROR: MCP_GATEWAY_DOMAIN environment variable is required");
+    process.exit(1);
+  }
+  if (!port) {
+    core.error("ERROR: MCP_GATEWAY_PORT environment variable is required");
+    process.exit(1);
+  }
+
+  core.info("Converting gateway configuration to Codex TOML format...");
+  core.info(`Input: ${gatewayOutput}`);
+  core.info(`Target domain: ${domain}:${port}`);
+
+  // For host.docker.internal, resolve to the gateway IP to avoid DNS resolution
+  // issues in Rust
+  let resolvedDomain = domain;
+  if (domain === "host.docker.internal") {
+    // AWF network gateway IP is always 172.30.0.1
+    resolvedDomain = "172.30.0.1";
+    core.info(`Resolving host.docker.internal to gateway IP: ${resolvedDomain}`);
+  }
+
+  const urlPrefix = `http://${resolvedDomain}:${port}`;
+
+  /** @type {Set<string>} */
+  const cliServers = new Set(JSON.parse(process.env.GH_AW_MCP_CLI_SERVERS || "[]"));
+  if (cliServers.size > 0) {
+    core.info(`CLI-mounted servers to filter: ${[...cliServers].join(", ")}`);
+  }
+
+  /** @type {Record<string, unknown>} */
+  const config = JSON.parse(fs.readFileSync(gatewayOutput, "utf8"));
+  const rawServers = config.mcpServers;
+  const servers =
+    /** @type {Record<string, Record<string, unknown>>} */
+    rawServers && typeof rawServers === "object" && !Array.isArray(rawServers) ? rawServers : {};
+
+  // Build the TOML output
+  let toml = '[history]\npersistence = "none"\n\n';
+
+  for (const [name, value] of Object.entries(servers)) {
+    if (cliServers.has(name)) continue;
+    const url = `${urlPrefix}/mcp/${name}`;
+    const headers = /** @type {Record<string, string>} */ value.headers || {};
+    const authKey = headers.Authorization || "";
+    toml += `[mcp_servers.${name}]\n`;
+    toml += `url = "${url}"\n`;
+    toml += `http_headers = { Authorization = "${authKey}" }\n`;
+    toml += "\n";
+  }
+
+  const includedCount = Object.keys(servers).length - [...Object.keys(servers)].filter(k => cliServers.has(k)).length;
+  const filteredCount = Object.keys(servers).length - includedCount;
+  core.info(`Servers: ${includedCount} included, ${filteredCount} filtered (CLI-mounted)`);
+
+  // Ensure output directory exists
+  fs.mkdirSync(path.dirname(OUTPUT_PATH), { recursive: true });
+
+  // Write with owner-only permissions (0o600) to protect the gateway bearer token.
+  // An attacker who reads config.toml could issue raw JSON-RPC calls directly
+  // to the gateway.
+  fs.writeFileSync(OUTPUT_PATH, toml, { mode: 0o600 });
+
+  core.info(`Codex configuration written to ${OUTPUT_PATH}`);
+  core.info("");
+  core.info("Converted configuration:");
+  core.info(toml);
+}
+
+main();
+
+module.exports = {};