Merge branch 'main' into copilot/fix-copilot-access-azure-apis

Author: Mossaka

.github/workflows/ci.yml

@@ -557,6 +557,32 @@ jobs:
           path: gh-aw
           retention-days: 14
 
+      - name: Report binary download instructions
+        run: |
+          RUN_ID="${{ github.run_id }}"
+          REPO="${{ github.repository }}"
+          echo "## 📦 gh-aw Binary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "The \`gh-aw\` Linux (amd64) binary has been uploaded as an artifact." >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Download with GitHub CLI" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
+          echo "gh run download ${RUN_ID} --repo ${REPO} --name gh-aw-linux-amd64" >> $GITHUB_STEP_SUMMARY
+          echo "chmod +x gh-aw" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Download with curl" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
+          echo "# Requires a GitHub token with actions:read scope" >> $GITHUB_STEP_SUMMARY
+          echo "ARTIFACT_ID=\$(curl -fsSL -H \"Authorization: Bearer \$GH_TOKEN\" \\" >> $GITHUB_STEP_SUMMARY
+          echo "  \"https://api.github.com/repos/${REPO}/actions/runs/${RUN_ID}/artifacts\" \\" >> $GITHUB_STEP_SUMMARY
+          echo "  | jq -r '.artifacts[] | select(.name==\"gh-aw-linux-amd64\") | .id')" >> $GITHUB_STEP_SUMMARY
+          echo "curl -fsSL -H \"Authorization: Bearer \$GH_TOKEN\" \\" >> $GITHUB_STEP_SUMMARY
+          echo "  -L \"https://api.github.com/repos/${REPO}/actions/artifacts/\$ARTIFACT_ID/zip\" \\" >> $GITHUB_STEP_SUMMARY
+          echo "  -o gh-aw-linux-amd64.zip" >> $GITHUB_STEP_SUMMARY
+          echo "unzip gh-aw-linux-amd64.zip && chmod +x gh-aw" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+
       - name: Rebuild lock files
         run: make recompile
         env:

docs/src/content/docs/setup/cli.md

@@ -79,9 +79,11 @@ Commands that support `--create-pull-request` (such as `gh aw add`, `gh aw add-w
 
 `gh aw audit` and `gh aw add-wizard` also auto-detect the GHES host from the git remote, so running them inside a GHES repository works without setting `GH_HOST` manually.
 
-#### Configuring `gh` CLI in workflow steps on GHES
+#### Configuring `gh` CLI on GHES
 
-When agentic workflows run on GitHub Enterprise Server and use custom `steps:` that invoke `gh` CLI commands, source the bundled helper script to configure `gh` for the enterprise host:
+The compiled agent job automatically runs `configure_gh_for_ghe.sh` before the agent starts executing. The script detects the GitHub host from the `GITHUB_SERVER_URL` environment variable (set by GitHub Actions on GHES) and configures `gh` to authenticate against it. No configuration is required for the agent to use `gh` CLI commands on your GHES instance.
+
+For custom `steps:` that run outside the agent sandbox (for example, pre-agent data gathering or post-agent reporting), source the helper script manually:
 
 ```yaml wrap
 steps:
@@ -96,7 +98,7 @@ steps:
       gh pr list --state open --limit 200 --json number,title
 ```
 
-The script automatically detects the GitHub host from the `GITHUB_SERVER_URL` environment variable (set by GitHub Actions on GHES) and configures `gh` to authenticate against it. No manual configuration is needed for standard GHES deployments. The script is installed to `/opt/gh-aw/actions/configure_gh_for_ghe.sh` by the setup action.
+The script is installed to `/opt/gh-aw/actions/configure_gh_for_ghe.sh` by the setup action.
 
 > [!NOTE]
 > Custom steps run outside the agent firewall sandbox and have access to standard GitHub Actions environment variables including `GITHUB_SERVER_URL`, `GITHUB_TOKEN`, and `GH_TOKEN`.

pkg/cli/codemod_github_app.go

@@ -37,6 +37,7 @@ func hasDeprecatedAppField(frontmatter map[string]any) bool {
 			if githubAny, hasGitHub := toolsMap["github"]; hasGitHub {
 				if githubMap, ok := githubAny.(map[string]any); ok {
 					if _, hasApp := githubMap["app"]; hasApp {
+						githubAppCodemodLog.Print("Deprecated 'app' field found in tools.github")
 						return true
 					}
 				}
@@ -48,6 +49,7 @@ func hasDeprecatedAppField(frontmatter map[string]any) bool {
 	if soAny, hasSO := frontmatter["safe-outputs"]; hasSO {
 		if soMap, ok := soAny.(map[string]any); ok {
 			if _, hasApp := soMap["app"]; hasApp {
+				githubAppCodemodLog.Print("Deprecated 'app' field found in safe-outputs")
 				return true
 			}
 		}
@@ -57,13 +59,15 @@ func hasDeprecatedAppField(frontmatter map[string]any) bool {
 	if checkoutAny, hasCheckout := frontmatter["checkout"]; hasCheckout {
 		if checkoutMap, ok := checkoutAny.(map[string]any); ok {
 			if _, hasApp := checkoutMap["app"]; hasApp {
+				githubAppCodemodLog.Print("Deprecated 'app' field found in checkout")
 				return true
 			}
 		}
 		if checkoutArr, ok := checkoutAny.([]any); ok {
 			for _, item := range checkoutArr {
 				if itemMap, ok := item.(map[string]any); ok {
 					if _, hasApp := itemMap["app"]; hasApp {
+						githubAppCodemodLog.Print("Deprecated 'app' field found in checkout array item")
 						return true
 					}
 				}

pkg/workflow/compiler_yaml_ai_execution.go

@@ -9,6 +9,7 @@ import (
 func (c *Compiler) generateEngineExecutionSteps(yaml *strings.Builder, data *WorkflowData, engine CodingAgentEngine, logFile string) {
 
 	steps := engine.GetExecutionSteps(data, logFile)
+	compilerYamlLog.Printf("Generating engine execution steps: engine=%s, steps=%d", engine.GetID(), len(steps))
 
 	for _, step := range steps {
 		for _, line := range step {

pkg/workflow/github_tool_to_toolset.go

@@ -22,6 +22,7 @@ func init() {
 	if err := json.Unmarshal(githubToolToToolsetJSON, &GitHubToolToToolsetMap); err != nil {
 		panic("failed to load GitHub tool to toolset mapping: " + err.Error())
 	}
+	githubToolToToolsetLog.Printf("Loaded GitHub tool-to-toolset mapping: %d entries", len(GitHubToolToToolsetMap))
 }
 
 // GitHubToolToToolsetMap is the last declaration in this file; ValidateGitHubToolsAgainstToolsets

pkg/workflow/lock_schema.go

@@ -87,6 +87,8 @@ func formatSupportedVersions() string {
 // GenerateLockMetadata creates a LockMetadata struct for embedding in lock files
 // For release builds, the compiler version is included in the metadata
 func GenerateLockMetadata(frontmatterHash string, stopTime string, strict bool) *LockMetadata {
+	lockSchemaLog.Printf("Generating lock metadata: schema=%s, strict=%t, hasStopTime=%t", LockSchemaV2, strict, stopTime != "")
+
 	metadata := &LockMetadata{
 		SchemaVersion:   LockSchemaV2,
 		FrontmatterHash: frontmatterHash,
@@ -97,6 +99,7 @@ func GenerateLockMetadata(frontmatterHash string, stopTime string, strict bool)
 	// Include compiler version only for release builds
 	if IsRelease() {
 		metadata.CompilerVersion = GetVersion()
+		lockSchemaLog.Printf("Including compiler version in lock metadata: %s", metadata.CompilerVersion)
 	}
 
 	return metadata

pkg/workflow/safe_outputs_config_helpers.go

@@ -199,6 +199,9 @@ func generateHideCommentConfig(max *string, defaultMax int, allowedReasons []str
 // - "allowed_repos" uses underscore to match JavaScript handler expectations (see repo_helpers.cjs)
 // This inconsistency is intentional to maintain compatibility with existing handler code.
 func generateTargetConfigWithRepos(targetConfig SafeOutputTargetConfig, max *string, defaultMax int, additionalFields map[string]any) map[string]any {
+	safeOutputsConfigGenLog.Printf("Generating target config: target=%s, targetRepo=%s, allowedReposCount=%d, additionalFieldsCount=%d",
+		targetConfig.Target, targetConfig.TargetRepoSlug, len(targetConfig.AllowedRepos), len(additionalFields))
+
 	config := generateMaxConfig(max, defaultMax)
 
 	// Add target if specified