fix: preserve local relative imports during gh aw update#23809
Merged
fix: preserve local relative imports during gh aw update#23809
Conversation
When `gh aw update` processes a workflow whose source uses relative `imports:` paths (and optionally `@include` directives), it previously rewrote *every* relative path to a cross-repo workflowspec (owner/repo/path@sha), even when the target file already existed in the consumer's local `.github/workflows/` tree. At runtime the runner then failed to find the file because the downloaded import lives in the gitignored `.github/aw/imports/` cache. Fix: add a `localWorkflowDir string` parameter to `processImportsWithWorkflowSpec` and `processIncludesInContent`. When non-empty, any relative import/include path whose file exists on disk under `localWorkflowDir` is left unchanged instead of being rewritten. The fix is threaded through all call sites: - override mode in `update_workflows.go` passes `filepath.Dir(wf.Path)` - merge mode passes `wf.Path` to `MergeWorkflowContent`, which derives the dir and passes it on - `hasLocalModifications` also receives the dir so that the remote↔local comparison is accurate (relative paths on both sides compare equal, eliminating false-positive "local modification" detections) Add three new unit tests that verify: - relative paths are preserved when local files exist - relative paths are still rewritten when local files are absent - `@include` directives are also preserved when local files exist Add CI integration test `integration-update` that: 1. adds `githubnext/agentics/workflows/daily-team-status` to a fresh test workspace 2. creates local copies of its shared import files 3. runs `gh aw update --force --no-compile` 4. asserts that relative import paths were not rewritten Agent-Logs-Url: https://github.com/github/gh-aw/sessions/423ed45c-12b0-487d-9758-4a395d34e28e Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- Extract isLocalFileForUpdate() helper that validates the resolved path remains within localWorkflowDir using filepath.Abs comparison to guard against path traversal in import paths (e.g. ../../etc/passwd) - Add unit test TestIsLocalFileForUpdate_PathTraversal to confirm the guard works - Replace fragile AWK pattern in ci.yml with Python-based YAML parsing for extracting relative import paths from the workflow frontmatter Agent-Logs-Url: https://github.com/github/gh-aw/sessions/423ed45c-12b0-487d-9758-4a395d34e28e Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Fix
fix: preserve local relative imports during gh aw update
Apr 1, 2026
gh aw update to preserve local imports
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes gh aw update rewriting local relative imports: paths and @include/{{#import}} directives into pinned cross-repo workflowspec references even when the referenced files exist locally, which could break runtime execution.
Changes:
- Add
localWorkflowDirplumbing through import/include processing so existing local relative paths are preserved during update. - Thread local workflow path/dir through update merge and modification-detection logic to avoid false-positive “local modifications”.
- Add unit tests and a CI integration job to verify relative paths survive
gh aw update --forcewhen local files exist.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
pkg/cli/imports.go |
Preserves relative imports/includes when the referenced file exists under the local workflow directory; adds traversal guard helper. |
pkg/cli/update_merge.go |
Passes local workflow dir/path through modification detection and merge flows to keep comparisons/rewrites symmetric. |
pkg/cli/update_workflows.go |
Supplies the local workflow directory at update call sites (up-to-date check, merge, override). |
pkg/cli/update_command_test.go |
Updates tests for new merge/modification function signatures. |
pkg/cli/imports_test.go |
Adds tests for preserving local paths, rewriting when missing, include preservation, and traversal rejection. |
.github/workflows/ci.yml |
Adds an integration job that asserts local relative imports are preserved after gh aw update --force. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+441
to
+442
| _, statErr := os.Stat(localPath) | ||
| return statErr == nil |
There was a problem hiding this comment.
isLocalFileForUpdate treats any existing path as a valid “local file”, but os.Stat will also succeed for directories. That can cause imports:/@include entries that point at a directory (or other non-regular file types) to be preserved even though they aren’t valid include targets. Consider checking the returned FileInfo and requiring a regular file (and not a directory) before returning true.
Suggested change
| _, statErr := os.Stat(localPath) | |
| return statErr == nil | |
| fi, statErr := os.Stat(localPath) | |
| if statErr != nil { | |
| return false | |
| } | |
| return fi.Mode().IsRegular() |
Comment on lines
+397
to
+403
| for _, rel := range []string{"shared/team-config.md", "shared/aor-index.md"} { | ||
| dir := tmpDir + "/" + rel[:strings.LastIndex(rel, "/")] | ||
| if err := os.MkdirAll(dir, 0755); err != nil { | ||
| t.Fatalf("Failed to create dir %s: %v", dir, err) | ||
| } | ||
| if err := os.WriteFile(tmpDir+"/"+rel, []byte("# Shared content"), 0644); err != nil { | ||
| t.Fatalf("Failed to create file %s: %v", rel, err) |
There was a problem hiding this comment.
These tests build paths using hard-coded "/" separators and string slicing (e.g., tmpDir+"/"+rel). This is not portable across OSes (notably Windows) and is inconsistent with the rest of the codebase’s use of filepath. Use filepath.Join, filepath.Dir, and friends when creating directories/files in tests.
| if grep -q "^imports:" "$WORKFLOW"; then | ||
| echo "✅ Workflow has an imports field" >> $GITHUB_STEP_SUMMARY | ||
| # Collect relative import paths (those without "@" — not yet cross-repo refs). | ||
| # Python is used for robust YAML-aware parsing instead of fragile AWK patterns. |
There was a problem hiding this comment.
The comment says “Python is used for robust YAML-aware parsing”, but the script is using a regex over the raw file contents (not a YAML parser). This is misleading for future maintenance; either adjust the comment or switch to an actual YAML parser (e.g., python3 -c 'import yaml' or yq) if true YAML parsing is intended.
Suggested change
| # Python is used for robust YAML-aware parsing instead of fragile AWK patterns. | |
| # Python is used here with a regex to extract imports from the YAML text (more maintainable than inline AWK), | |
| # but it does not perform full YAML-aware parsing. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
gh aw updatewas rewriting every relativeimports:path (and@includedirective) to a pinned cross-repo workflowspec (owner/repo/path@sha), even when the target file already existed locally. At runtime the runner then fails because the downloaded import lives in the gitignored.github/aw/imports/cache, not on disk.Changes
pkg/cli/imports.go— addlocalWorkflowDir stringtoprocessImportsWithWorkflowSpecandprocessIncludesInContent; when non-empty and the file exists under that directory, the relative path is left unchanged. ExtractisLocalFileForUpdate()helper withfilepath.Absboundary check to block path-traversal inputs.pkg/cli/update_merge.go— threadlocalWorkflowDir/localWorkflowPaththroughhasLocalModificationsandMergeWorkflowContentso both merge and override code paths benefit from the fix. Accurate comparison inhasLocalModificationsalso eliminates false-positive "local modification" detections caused by the old asymmetric path expansion.pkg/cli/update_workflows.go— passfilepath.Dir(wf.Path)at all three call sites (up-to-date check, merge mode, override mode).pkg/cli/imports_test.go— updated existing call sites; added tests for preservation when local file exists, rewrite when it doesn't,@includepreservation, and path-traversal rejection..github/workflows/ci.yml— addintegration-updatejob: addsgithubnext/agentics/workflows/daily-team-status, creates local copies of its shared import files, runsgh aw update --force, and asserts relative paths survive.Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
https://api.github.com/graphql/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git hABf00jLo GO111MODULE ache/go/1.25.0/x--show-toplevel git(http block)https://api.github.com/orgs/test-owner/actions/secrets/usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name go1.25.0 -c=4 -nolocalimports -importcfg(http block)https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1/usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/git b/workflows /color.go x_amd64/compile git rev-�� --show-toplevel x_amd64/compile /usr/bin/git '**/*.ts' '**/*.git GO111MODULE x_amd64/vet /usr/bin/git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v3/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha /tmp/go-build3306155985/b213/_pkg_.a l /usr/bin/git -p github.com/modelrev-parse -lang=go1.25 git rev-�� --show-toplevel -dwarf=false ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet go1.25.0 -c=4 -nolocalimports ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v5/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha g_.a til.go 64/pkg/tool/linux_amd64/compile GOINSECURE .o 64/src/internal/--get-regexp 64/pkg/tool/linu^remote\..*\.gh-resolved$ k/gh�� plorer.md GO111MODULE ache/go/1.25.0/x64/pkg/tool/linu-lang=go1.25 GOINSECURE go-sdk/jsonrpc erignore ache/go/1.25.0/x64/pkg/tool/linu-goversion(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha xterm-color x_amd64/compile /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git g_.a GO111MODULE 64/pkg/tool/linu--show-toplevel git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel N5LmOOU/hrSn6euVq3--OT5MAiEX /usr/bin/git 6155985/b119/_pkgit aIzA/II2sfoyj04trev-parse ache/go/1.25.0/x--show-toplevel git rev-�� --show-toplevel sh n-dir/node j8QY/WMvRS8dUhglgit sh x_amd64/vet git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v6/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha y go /usr/bin/git -json GO111MODULE x_amd64/compile git rev-�� --git-dir x_amd64/compile /usr/bin/git -json GO111MODULE x_amd64/compile git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha -test.paniconexit0 -test.v=true /usr/bin/git -test.timeout=10git -test.run=^Test -test.short=true--show-toplevel git remo�� remove origin /usr/bin/git -json GO111MODULE x_amd64/compile git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile /usr/bin/git 2307-40358/test-git om/goccy/go-yamlrev-parse .cfg git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile /usr/bin/git 6155985/b097/_pkgit tXPM/MCve_MXCUoXrev-parse 0/x64/bin/node git(http block)https://api.github.com/repos/actions/github-script/git/ref/tags/v8/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha optimization)..."; \ BEFORE=$(wc -c < gh-aw.wasm); \ wasm-opt -Oz --enable-bulk-memory gh-aw.wasm -o gh-aw.opt.wasm && \ mv gh-aw.opt.wasm gh-aw.wasm; \ AFTER=$(wc -c < g -c=4 -nolocalimports -importcfg /tmp/go-build3306155985/b241/importcfg -pack /home/REDACTED/go/pkg/mod/golang.org/x/text@v0.35.0/internal/tag/tag.go env -json GO111MODULE ode_modules/.bin-lang=go1.25 GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json .go 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env json' --ignore-p-p GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/actions/setup-go/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha /tmp/shared-actions-test3526543319 rev-parse /usr/bin/git -json GO111MODULE x_amd64/compile git conf�� --get remote.origin.url /usr/bin/git -json GO111MODULE x_amd64/compile git(http block)https://api.github.com/repos/actions/setup-node/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel go r,url,status,conclusion,workflowName,createdAt,startedAt,updated-nilfunc -json flow-12345 x_amd64/compile git conf�� --get remote.origin.url /usr/bin/git -json GO111MODULE x_amd64/compile git(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha /tmp/TestCompileErrorFormatting559723611/001 config /usr/bin/git remote.origin.urgit GO111MODULE 64/bin/go git chec�� .github/workflows/test.md go /usr/bin/git -json GO111MODULE x_amd64/compile git(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha licyMinIntegrityOnlymin-integrity_only_defaults_repo473557467/001 -trimpath 3196060/b405/_pkg_.a l /tmp/go-build330rev-parse -I /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile -o /tmp/go-build3306155985/b151/_pkg_.a -trimpath 0/x64/bin/node -p crypto/internal/rev-parse -lang=go1.25 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linu-buildtags(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha 6155985/b176/importcfg -trimpath 3196060/b398/vet.cfg -I /tmp/go-build330rev-parse -I /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile -o /tmp/go-build3306155985/b177/_pkg_.a -trimpath /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile -p mime -lang=go1.25 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linuREDACTED(http block)https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts/usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE 64/pkg/tool/linu-buildmode=exe GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu-extld=gcc env -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts/usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuremote.origin.url(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts/usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env g_.a GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile(http block)https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts/usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile(http block)https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts/usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE 64/pkg/tool/linu-lang=go1.25 GOINSECURE 1M/nyLBqnnsx0sfOrev-parse GOMODCACHE 64/pkg/tool/linu-dwarf=false env g_.a GO111MODULE 64/pkg/tool/linu-nolocalimports GOINSECURE GOMOD FFiles,SFiles,Sw--show-toplevel 64/pkg/tool/linu/tmp/go-build3973196060/b454/_testmain.go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts/usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a t.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile(http block)https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts/usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE 64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/asm env -json @v1.19.2/token/token.go 64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/asm(http block)https://api.github.com/repos/github/gh-aw/actions/workflows/usr/bin/gh gh workflow list --json name,state,path go1.25.0 -c=4 -nolocalimports -importcfg /tmp/go-build3306155985/b245/importcfg -pack /home/REDACTED/go/pkg/mod/golang.org/x/text@v0.35.0/message/catalog/catalog.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE go env on' --ignore-pat-s GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE 64/pkg/tool/linuremote.origin.url env ty-test.md GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel go /usr/bin/git .version=465986agit GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/pkg/styles/theme.go /usr/bin/git 85985689/001 GO111MODULE 64/pkg/tool/linu--verify git(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a @v1.1.3/cpu/arm64/arm64.go x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha -json son/json.go 64/bin/go GOINSECURE GOMOD GOMODCACHE go ode_�� -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json sonrpc2/conn.go odules/npm/node_-lang=go1.25 GOINSECURE GOMOD GOMODCACHE go ode_�� -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE node GOINSECURE GOMOD GOMODCACHE s not exist yet"-buildtags ode_�� -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD wasm.s go ode_�� -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -json act.go _modules/.bin/no-lang=go1.25 GOINSECURE GOMOD GOMODCACHE go ode_�� -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999/usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 8A/RFr094xa-M6ehmK-ZS-f/-nXLG8d-CyxHzcGHNa9W env g_.a rotocol/go-sdk@v1.4.1/internal/mcpgodebug/mcpgodebug.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile(http block)https://api.github.com/repos/nonexistent/repo/actions/runs/12345/usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 3119901302/.github/workflows GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE id GOMODCACHE 64/pkg/tool/linux_amd64/compile(http block)https://api.github.com/repos/owner/repo/actions/workflows/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo -nolocalimports -importcfg /tmp/go-build3306155985/b235/importcfg -pack /home/REDACTED/go/pkg/mod/github.com/santhosh-tekuri/jsonschema/v6@v6.0.2/kind/kind.go env -json GO111MODULE ode_modules/.bin-lang=go1.25 GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo -nolocalimports -importcfg /tmp/go-build3306155985/b136/importcfg -pack /home/REDACTED/go/pkg/mod/github.com/modelcontextprotocol/go-sdk@v1.4.1/auth/auth.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/owner/repo/contents/file.md/tmp/go-build3973196060/b396/cli.test /tmp/go-build3973196060/b396/cli.test -test.testlogfile=/tmp/go-build3973196060/b396/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -nolocalimports -importcfg /tmp/go-build3306155985/b197/importcfg -pack env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/test-owner/test-repo/actions/secrets/usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -goversion go1.25.0 -c=4 -nolocalimports -importcfg /tmp/go-build3306155985/b207/importcfg -pack env -json GO111MODULE odules/npm/node_-lang=go1.25 GOINSECURE GOMOD GOMODCACHE go(http block)If you need me to access, download, or install something from one of these locations, you can either: