…orts (#24155)

…utputs (#24182)

* Initial plan

* fix(ci-cleaner): add mandatory exit protocol to ensure safe outputs are always produced

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/e198ac68-27c1-421b-af25-e35d1913ca99

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* Initial plan

* chore: Update GitHub Actions versions - 2026-04-02

- docker/login-action v4 → v4.1.0 in release.md
- actions/upload-artifact v4 → v7 in shared/apm.md
- actions/download-artifact v4 → v8.0.1 in shared/apm.md
- github/stale-repos v9.0.6 → v9.0.7 in stale-repo-identifier.md
- super-linter/super-linter v8.5.0 → v8.6.0 in super-linter.md
- Updated actions-lock.json with new SHA pins
- Recompiled workflow lock files

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/ebf63748-376e-4936-904d-1d58547d242b

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: Peli de Halleux <pelikhan@users.noreply.github.com>

* Initial plan

* feat: add debug logging to 4 Go files (Go Logger Enhancement)

Add file-level debug loggers and meaningful log calls to 4 Go files
that previously had no logging:

- pkg/workflow/compiler_yaml_step_conversion.go: log step field count
  on ConvertStepToYAML entry/exit and step name in renderStepFromMap
- pkg/cli/trial_confirmation.go: log workflow count, repo params,
  host repo existence check result, and user confirmation outcome
- pkg/cli/helpers.go: log file path on readSourceRepoFromFile entry,
  read failures, and successfully extracted source repo value
- pkg/workflow/playwright_tools.go: log count of Playwright tools
  returned by GetPlaywrightTools

All loggers follow the 'pkg:filename' naming convention from AGENTS.md.
Logger arguments have no side effects per project guidelines.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/ab42ea9c-29b9-448e-9cbd-46b687a0c3f9

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Update DefaultFirewallVersion from v0.25.11 to v0.25.13.

Closes #24184

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Initial plan

* feat: add Copilot and Claude token usage analyzers and optimizers

Create 4 workflows forming a two-stage token optimization pipeline:

Stage 1 - Daily analyzers:
- copilot-token-usage-analyzer.md: Discovers Copilot workflow runs from
  last 24h, downloads token-usage.jsonl artifacts, creates issue with
  per-workflow statistics (tokens, cost, cache hit rate, turns)
- claude-token-usage-analyzer.md: Same for Claude, adds Anthropic-
  specific cache efficiency analysis (write rate, amortization, TTL)

Stage 2 - Optimizers (triggered by workflow_run):
- copilot-token-optimizer.md: Reads usage report, finds most expensive
  workflow, downloads artifacts, compares declared vs used tools,
  creates optimization issue with specific recommendations
- claude-token-optimizer.md: Same for Claude, adds Anthropic pricing
  nuances (output token cost, cache write break-even analysis)

Key design decisions:
- bash + gh CLI for artifact downloads (fast, reliable)
- strict: true on optimizers for safe output validation
- workflow_run trigger chains optimizer to analyzer (not a second cron)
- close-older-issues: true prevents issue accumulation
- skip-if-match caps at one open optimization issue per provider
- network: defaults for artifact downloads (blob.core.windows.net)

Closes #[issue_number]

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/5bf4555f-10f4-46a0-ac16-24b13fe7e27f

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

…#24196)

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/ce790b60-0ef3-4dcc-b31a-13a21079fc23

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

…isclosure (#24201)

…ction (#24198)

…24221)

* fix: clear stale GH_HOST and remove false fork PR detection

Two bugs interacted to cause PR checkout failures on github.com repos:

1. configure_gh_for_ghe.sh: For github.com, the script returned early
   without clearing GH_HOST. A stale value (e.g., localhost:18443 from
   a prior DIFC proxy run) persisted, causing 'gh pr checkout' to fail
   with 'none of the git remotes correspond to GH_HOST'. Now explicitly
   unsets stale GH_HOST values on the github.com path.

2. pr_helpers.cjs: detectForkPR() checked head.repo.fork to detect fork
   PRs, but this flag indicates whether the *repository itself* is a fork
   (common in OSS), not whether the PR is cross-repo. This caused false
   positives that forced the slow 'gh pr checkout' path (which depends on
   GH_HOST) instead of fast 'git fetch' (which doesn't). Removed the
   fork flag check; now only uses full_name comparison.

Fixes #24208
Closes #24217
Closes #24218

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test: update push_to_pr_branch test for corrected fork detection

The test 'should detect fork PR via fork flag and fail early' assumed
that head.repo.fork=true with same full_name meant a cross-repo fork PR.
After fixing detectForkPR() to only use full_name comparison (#24208),
same-repo PRs in forked repositories are correctly treated as non-fork,
allowing push to proceed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test: update checkout_pr_branch tests for corrected fork detection

The mock detectForkPR() in checkout_pr_branch.test.cjs replicated the
old fork-flag-based logic, making tests inconsistent with production.
Updated the mock to match the corrected full_name-only comparison and
updated assertions to verify that same-repo PRs in forked repositories
use the fast git fetch path.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test: fix check_workflow_timestamp_api tests for updated error messages

Tests asserted 'integrity check failed' but the error message was
changed to 'is outdated or unverifiable' in #24198. Updated all 6
assertions to match the current production error format.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…#24220)

* Initial plan

* fix: unset stale GH_HOST when github_host is github.com

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/30a6422b-97fb-4c86-bb2a-187e682fd2d2

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* fix: omit stale GH_HOST value from log and clear rather than set in GITHUB_ENV

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/f7fa60de-4903-4101-bfa5-3211d8b0c0e0

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: Peli de Halleux <pelikhan@users.noreply.github.com>

…token` fields (#24215)

* Initial plan

* feat: support expression-based github-token from auth job outputs

Relax the JSON schema validation for `github-token` fields to also
allow `${{ needs.JOB.outputs.OUTPUT }}` expressions in addition to
the existing `${{ secrets.NAME }}` pattern.

This enables secure short-lived credential flows (e.g. Octo STS or
actions/create-github-app-token) without requiring a custom
safe-outputs.jobs wrapper.

Updated files:
- pkg/parser/schemas/main_workflow_schema.json: extend github_token
  pattern to accept needs.*.outputs.* expressions
- specs/security-architecture-spec.md: update OI-10, PM-13, PM-15
  to mention job output expressions as valid token formats
- pkg/workflow/github_token_validation_test.go: add integration test
  cases for ${{ needs.auth.outputs.token }}

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/9fb17f81-0912-417c-914b-268bc1098fb3

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* fix: restrict needs.*.outputs.* pattern to identifier-only names (no hyphens in dot notation)

Job IDs and output names with hyphens cannot be reliably accessed via
dot notation in GitHub Actions expressions (they require bracket syntax
like `needs['job-id'].outputs.name`). Restrict the github_token pattern
to `[A-Za-z_][A-Za-z0-9_]*` for both job IDs and output names to avoid
accepting expressions that would fail at runtime.

Remove the hyphenated job ID integration test case that would have
validated an expression that fails at Actions evaluation time.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/b92b7d32-d754-414f-8528-cb10edf68454

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: Peli de Halleux <pelikhan@users.noreply.github.com>

… instead of GITHUB_WORKFLOW_REF (#24200)

* Initial plan

* fix: use github.workflow_ref context to fix remote workflow_call integrity check

For cross-repo workflow_call invocations, GITHUB_WORKFLOW_REF env var points to
the top-level caller's workflow, not the reusable (callee) workflow. This caused
check_workflow_timestamp_api.cjs to look for lock files in the wrong repository.

The fix injects GH_AW_CONTEXT_WORKFLOW_REF from ${{ github.workflow_ref }} which
correctly identifies the current reusable workflow even in cross-repo scenarios.

Closes #23935

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/536ff9ae-a2dc-4523-923d-77dc878c16ca

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* test: add same-repo scenario tests for GH_AW_CONTEXT_WORKFLOW_REF coverage

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/7e532aa5-50a0-41e2-9fa9-00407921a08e

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* fix: align CJS error messages with main branch to fix CI test failures

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/f49e39ad-fc0f-44fc-a75c-4c451342b736

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* merge: merge main and recompile all lock files

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/97c9cdb2-7e8e-4562-a922-8158e8054ccf

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* fix: rename 'Check workflow file timestamps' step to 'Check workflow lock file'

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/aebf385c-f9e8-40e7-a40b-bb37f5e548fd

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: Peli de Halleux <pelikhan@users.noreply.github.com>

- Remove redundant shouldCreateComment variable (always true in all switch cases)
- Inline isDiscussionEvent boolean (used only once)
- Simplify comment body construction using array spread + join pattern
- Add test for default 'eyes' reaction when GH_AW_REACTION env var is unset

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…ip (#24229)

* wrap agent failure tip in details/summary for progressive disclosure

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/6c82709f-69d4-407f-8586-9c45523d041c

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* wrap details/summary section in TIP alert for progressive disclosure

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/76485015-9be8-4b4e-ac60-ec46ff1fa2b3

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* Initial plan

* chore: update Playwright Browser to v1.59.1 and MCP Gateway to v0.2.12"

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/96fc5e1d-87d8-4007-acfc-e56b65599824

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* fix: update wasm golden files for MCP Gateway v0.2.12

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/1dbfbc0e-c07c-4dac-8dae-3df56203bf08

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: Peli de Halleux <pelikhan@users.noreply.github.com>