Documentation
¶
Index ¶
Constants ¶
const ActivatedOutput = "activated"
const ActivationJobName = "activation"
const AgentJobName = "agent"
const AgentOutputArtifactName = "agent_output.json"
const CLIExtensionPrefix = "gh aw"
CLIExtensionPrefix is the prefix used in user-facing output to refer to the CLI extension
const CheckCommandPositionStepID = "check_command_position"
const CheckMembershipStepID = "check_membership"
Step IDs for pre-activation job
const CheckSkipIfMatchStepID = "check_skip_if_match"
const CheckStopTimeStepID = "check_stop_time"
const CommandPositionOkOutput = "command_position_ok"
const DefaultActivationJobRunnerImage = "ubuntu-slim"
DefaultActivationJobRunnerImage is the default runner image for activation and pre-activation jobs See https://github.blog/changelog/2025-10-28-1-vcpu-linux-runner-now-available-in-github-actions-in-public-preview/
const DefaultAgenticWorkflowTimeout = 20 * time.Minute
DefaultAgenticWorkflowTimeout is the default timeout for agentic workflow execution
const DefaultAgenticWorkflowTimeoutMinutes = int(DefaultAgenticWorkflowTimeout / time.Minute)
DefaultAgenticWorkflowTimeoutMinutes is the default timeout for agentic workflow execution in minutes Deprecated: Use DefaultAgenticWorkflowTimeout instead
const DefaultCopilotDetectionModel = "gpt-5-mini"
DefaultCopilotDetectionModel is the default model for the Copilot engine when used in the detection job
const DefaultMCPRegistryURL = "https://api.mcp.github.com/v0"
DefaultMCPRegistryURL is the default MCP registry URL
const DefaultMCPStartupTimeout = 120 * time.Second
DefaultMCPStartupTimeout is the default timeout for MCP server startup
const DefaultMCPStartupTimeoutSeconds = int(DefaultMCPStartupTimeout / time.Second)
DefaultMCPStartupTimeoutSeconds is the default timeout for MCP server startup in seconds Deprecated: Use DefaultMCPStartupTimeout instead
const DefaultToolTimeout = 60 * time.Second
DefaultToolTimeout is the default timeout for tool/MCP server operations
const DefaultToolTimeoutSeconds = int(DefaultToolTimeout / time.Second)
DefaultToolTimeoutSeconds is the default timeout for tool/MCP server operations in seconds Deprecated: Use DefaultToolTimeout instead
const DetectionJobName = "detection"
const IsTeamMemberOutput = "is_team_member"
Output names for pre-activation job steps
const PreActivationJobName = "pre_activation"
const SafeInputsMCPServerID = "safeinputs"
SafeInputsMCPServerID is the identifier for the safe-inputs MCP server
const SafeInputsMCPVersion = "1.0.0"
SafeInputsMCPVersion is the version of the safe-inputs MCP server
const SafeOutputArtifactName = "safe_output.jsonl"
const SafeOutputsMCPServerID = "safeoutputs"
SafeOutputsMCPServerID is the identifier for the safe-outputs MCP server
const SkipCheckOkOutput = "skip_check_ok"
const StopTimeOkOutput = "stop_time_ok"
Variables ¶
var AgenticEngines = []string{"claude", "codex", "copilot"}
var AllowedExpressions = []string{ "github.event.after", "github.event.before", "github.event.check_run.id", "github.event.check_suite.id", "github.event.comment.id", "github.event.deployment.id", "github.event.deployment_status.id", "github.event.head_commit.id", "github.event.installation.id", "github.event.issue.number", "github.event.discussion.number", "github.event.pull_request.number", "github.event.milestone.number", "github.event.check_run.number", "github.event.check_suite.number", "github.event.workflow_job.run_id", "github.event.workflow_run.number", "github.event.label.id", "github.event.milestone.id", "github.event.organization.id", "github.event.page.id", "github.event.project.id", "github.event.project_card.id", "github.event.project_column.id", "github.event.release.assets[0].id", "github.event.release.id", "github.event.release.tag_name", "github.event.repository.id", "github.event.repository.default_branch", "github.event.review.id", "github.event.review_comment.id", "github.event.sender.id", "github.event.workflow_run.id", "github.event.workflow_run.conclusion", "github.event.workflow_run.html_url", "github.event.workflow_run.head_sha", "github.event.workflow_run.run_number", "github.event.workflow_run.event", "github.event.workflow_run.status", "github.event.issue.state", "github.event.issue.title", "github.event.pull_request.state", "github.event.pull_request.title", "github.event.discussion.title", "github.event.discussion.category.name", "github.event.release.name", "github.event.workflow_job.id", "github.event.deployment.environment", "github.event.pull_request.head.sha", "github.event.pull_request.base.sha", "github.actor", "github.job", "github.owner", "github.repository", "github.run_id", "github.run_number", "github.server_url", "github.workflow", "github.workspace", } // needs., steps. already allowed
AllowedExpressions contains the GitHub Actions expressions that can be used in workflow markdown content see https://docs.github.com/en/actions/reference/workflows-and-actions/contexts#github-context
var DefaultAllowedDomains = []string{"localhost", "localhost:*", "127.0.0.1", "127.0.0.1:*"}
DefaultAllowedDomains defines the default localhost domains with port variations that are always allowed for Playwright browser automation
var DefaultBashTools = []string{
"echo",
"ls",
"pwd",
"cat",
"head",
"tail",
"grep",
"wc",
"sort",
"uniq",
"date",
"yq",
}
DefaultBashTools defines basic bash commands that should be available by default when bash is enabled
var DefaultGitHubTools = DefaultGitHubToolsLocal
DefaultGitHubTools is deprecated. Use DefaultGitHubToolsLocal or DefaultGitHubToolsRemote instead. Kept for backward compatibility and defaults to local mode tools.
var DefaultGitHubToolsLocal = DefaultReadOnlyGitHubTools
DefaultGitHubToolsLocal defines the default read-only GitHub MCP tools for local (Docker) mode. Currently identical to DefaultReadOnlyGitHubTools. Kept separate for backward compatibility and to allow future divergence if local mode requires different defaults.
var DefaultGitHubToolsRemote = DefaultReadOnlyGitHubTools
DefaultGitHubToolsRemote defines the default read-only GitHub MCP tools for remote (hosted) mode. Currently identical to DefaultReadOnlyGitHubTools. Kept separate for backward compatibility and to allow future divergence if remote mode requires different defaults.
var DefaultReadOnlyGitHubTools = []string{
"download_workflow_run_artifact",
"get_job_logs",
"get_workflow_run",
"get_workflow_run_logs",
"get_workflow_run_usage",
"list_workflow_jobs",
"list_workflow_run_artifacts",
"list_workflow_runs",
"list_workflows",
"get_code_scanning_alert",
"list_code_scanning_alerts",
"get_me",
"get_dependabot_alert",
"list_dependabot_alerts",
"get_discussion",
"get_discussion_comments",
"list_discussion_categories",
"list_discussions",
"issue_read",
"list_issues",
"search_issues",
"get_notification_details",
"list_notifications",
"search_orgs",
"get_label",
"list_label",
"get_pull_request",
"get_pull_request_comments",
"get_pull_request_diff",
"get_pull_request_files",
"get_pull_request_reviews",
"get_pull_request_status",
"list_pull_requests",
"pull_request_read",
"search_pull_requests",
"get_commit",
"get_file_contents",
"get_tag",
"list_branches",
"list_commits",
"list_tags",
"search_code",
"search_repositories",
"get_secret_scanning_alert",
"list_secret_scanning_alerts",
"search_users",
"get_latest_release",
"get_pull_request_review_comments",
"get_release_by_tag",
"list_issue_types",
"list_releases",
"list_starred_repositories",
}
DefaultReadOnlyGitHubTools defines the default read-only GitHub MCP tools. This list is shared by both local (Docker) and remote (hosted) modes. Currently, both modes use identical tool lists, but this may diverge in the future if different modes require different default tool sets.
var IgnoredFrontmatterFields = []string{}
IgnoredFrontmatterFields are fields that should be silently ignored during frontmatter validation NOTE: This is now empty as description and applyTo are properly validated by the schema
var PriorityJobFields = []string{"name", "runs-on", "needs", "if", "permissions", "environment", "concurrency", "outputs", "env", "steps"}
PriorityJobFields defines the conventional field order for GitHub Actions workflow jobs Fields appear in this order first, followed by remaining fields alphabetically
var PriorityStepFields = []string{"name", "id", "if", "run", "uses", "script", "env", "with"}
PriorityStepFields defines the conventional field order for GitHub Actions workflow steps Fields appear in this order first, followed by remaining fields alphabetically
var PriorityWorkflowFields = []string{"on", "permissions", "if", "network", "imports", "safe-outputs", "steps"}
PriorityWorkflowFields defines the conventional field order for top-level GitHub Actions workflow frontmatter Fields appear in this order first, followed by remaining fields alphabetically
var SafeWorkflowEvents = []string{"workflow_dispatch", "schedule"}
SafeWorkflowEvents defines events that are considered safe and don't require permission checks workflow_run is intentionally excluded because it has HIGH security risks: - Privilege escalation (inherits permissions from triggering workflow) - Branch protection bypass (can execute on protected branches via unprotected branches) - Secret exposure (secrets available even when triggered by untrusted code)
Functions ¶
func GetWorkflowDir ¶ added in v0.14.3
func GetWorkflowDir() string
Types ¶
type LineLength ¶ added in v0.30.0
type LineLength int
LineLength represents a line length in characters for expression formatting
const ExpressionBreakThreshold LineLength = 100
ExpressionBreakThreshold is the threshold for breaking long lines at logical points
const MaxExpressionLineLength LineLength = 120
MaxExpressionLineLength is the maximum length for a single line expression before breaking into multiline
type Version ¶ added in v0.30.0
type Version string
Version represents a software version string
const DefaultBunVersion Version = "1.1"
DefaultBunVersion is the default version of Bun for runtime setup
const DefaultClaudeCodeVersion Version = "2.0.57"
DefaultClaudeCodeVersion is the default version of the Claude Code CLI
const DefaultCodexVersion Version = "0.64.0"
DefaultCodexVersion is the default version of the OpenAI Codex CLI
const DefaultCopilotVersion Version = "0.0.365"
DefaultCopilotVersion is the default version of the GitHub Copilot CLI WARNING: UPGRADING COPILOT CLI REQUIRES A FULL INTEGRATION TEST RUN TO ENSURE COMPATIBILITY
const DefaultDenoVersion Version = "2.x"
DefaultDenoVersion is the default version of Deno for runtime setup
const DefaultDotNetVersion Version = "8.0"
DefaultDotNetVersion is the default version of .NET for runtime setup
const DefaultElixirVersion Version = "1.17"
DefaultElixirVersion is the default version of Elixir for runtime setup
const DefaultFirewallVersion Version = "v0.6.0"
DefaultFirewallVersion is the default version of the gh-aw-firewall (AWF) binary
const DefaultGitHubMCPServerVersion Version = "v0.24.0"
DefaultGitHubMCPServerVersion is the default version of the GitHub MCP server Docker image
const DefaultHaskellVersion Version = "9.10"
DefaultHaskellVersion is the default version of GHC for runtime setup
const DefaultJavaVersion Version = "21"
DefaultJavaVersion is the default version of Java for runtime setup
const DefaultNodeVersion Version = "24"
DefaultNodeVersion is the default version of Node.js for runtime setup
const DefaultPlaywrightBrowserVersion Version = "v1.57.0"
DefaultPlaywrightBrowserVersion is the default version of the Playwright browser Docker image
const DefaultPlaywrightMCPVersion Version = "0.0.49"
DefaultPlaywrightMCPVersion is the default version of the @playwright/mcp package
const DefaultPythonVersion Version = "3.12"
DefaultPythonVersion is the default version of Python for runtime setup
const DefaultRubyVersion Version = "3.3"
DefaultRubyVersion is the default version of Ruby for runtime setup
Source Files