Skip to content

Commit 5a58a8f

Browse files
Merge branch 'main' into simplify/remove-duplicate-getdiscussionid-71a4ced1158b8298
2 parents 3263aa8 + 435f265 commit 5a58a8f

29 files changed

Lines changed: 181 additions & 32 deletions

.github/aw/skills.md

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,25 @@ List available skills before choosing a strategy.
1818

1919
---
2020

21+
## Frontmatter `skills:` (SHA-Pinned Installs)
22+
23+
Declare external skills to install at activation time with the top-level `skills:` array. At activation, `gh aw` installs each via `gh skill install` and wires it into the engine — no manual vendoring.
24+
25+
```yaml
26+
skills:
27+
- owner/repo@<40-char-sha> # repository-wide install
28+
- owner/repo/skill/path@<40-char-sha> # path-scoped install
29+
- skill: owner/repo@<40-char-sha> # object form: per-skill auth
30+
github-token: ${{ secrets.SKILLS_TOKEN }}
31+
```
32+
33+
- Static references must be pinned to a full 40-character lowercase commit SHA; `${{ ... }}` expressions are allowed in the ref position and resolved at runtime.
34+
- Object entries set per-skill auth via `github-token` or `github-app`.
35+
36+
This is distinct from the prompt-side strategies below (hint / fusion / inline), which shape skill *content* into the prompt rather than installing skill packages.
37+
38+
---
39+
2140
## Strategy 0 — Agent Finder (Discovery First)
2241

2342
**Use when**: the relevant skill is not obvious, the repository may not contain the right skill yet, or you want to discover installable skills before loading local ones.

.github/aw/syntax-agentic.md

Lines changed: 11 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -17,18 +17,21 @@ description: Agentic workflow specific frontmatter fields for GitHub Agentic Wor
1717
- Values limited to 1024 characters
1818
- Example: `metadata: { team: "platform", priority: "high" }`
1919
- **`github-token:`** - Default GitHub token for workflow (must use `${{ secrets.* }}` syntax)
20-
- **`on.roles:`** - Repository access roles that can trigger workflow (array or "all")
21-
- Default: `[admin, maintainer, write]`
22-
- Available roles: `admin`, `maintainer`, `write`, `read`, `all`
23-
- **`bots:`** - Bot identifiers allowed to trigger workflow regardless of role permissions (array)
24-
- Example: `bots: [dependabot[bot], renovate[bot], github-actions[bot]]`
25-
- Bot must be active (installed) on repository to trigger workflow
20+
- **`on.roles:`** - Repository access roles that can trigger workflow (array or `"all"`). Default `[admin, maintainer, write]`; available roles: `admin`, `maintainer`, `write`, `read`, `all`.
21+
- **`bots:`** - Bot identifiers allowed to trigger workflow regardless of role permissions (array; e.g. `[dependabot[bot], renovate[bot], github-actions[bot]]`). The bot must be active (installed) on the repository to trigger.
2622
- **`strict:`** - Enable enhanced validation for production workflows (boolean, defaults to `true`; strongly recommended)
2723
- Prefer `strict: true`; `strict: false` is dangerous, should be extremely rare, and must be carefully security reviewed before use
2824
- **`max-turns:`** - AWF turn cap applied consistently across all agentic engines (integer or expression, e.g. `${{ inputs.max-turns }}`). The engine-level `engine.max-turns` is a deprecated alias kept for backward compatibility — prefer this top-level field. Not supported by the `gemini` engine.
2925
- **`max-runs:`** - Deprecated legacy alias for the AWF invocation cap (`apiProxy.maxRuns`, defaults to `500` when omitted). Use `max-turns` instead; run `gh aw fix` to migrate.
3026
- **`max-ai-credits:`** - Per-run AI Credits (AIC) budget enforced by the AWF firewall (integer or `K`/`M` short-form string like `100M`; default `1000`). Set a negative value to disable enforcement and token steering. See [token-optimization.md](token-optimization.md).
3127
- **`max-turn-cache-misses:`** - Maximum consecutive AWF cache misses allowed before the API proxy blocks further requests (integer, default `5`). Maps to `apiProxy.maxCacheMisses`; precedence is frontmatter → `GH_AW_DEFAULT_MAX_TURN_CACHE_MISSES` env override → built-in default.
28+
- **`models:`** - Model policy and optional pricing (object). Experimental policy fields `allowed` / `blocked` (lists of model names or patterns) restrict which models the workflow may use; they map to AWF `apiProxy.allowedModels` / `disallowedModels` and merge as unions across imports. Environment-variable overrides are supported. The separate `providers` field supplies custom pricing (see [token-optimization.md](token-optimization.md)).
29+
30+
```yaml
31+
models:
32+
allowed: ["gpt-5", "claude-*"]
33+
blocked: ["*-preview"]
34+
```
3235
- **`max-daily-ai-credits:`** - Per-user 24-hour AI Credits (AIC) guardrail: activation blocks execution once the triggering user's aggregated AI Credits for this workflow over the last 24h exceed the threshold (integer or `K`/`M` short-form string, or `-1`). Enabled by default with a system default threshold; set `-1` to disable or an explicit value to override. See [token-optimization.md](token-optimization.md).
3336
- **`user-rate-limit:`** - Rate limiting configuration to prevent users from triggering the workflow too frequently (object)
3437
- **`max-runs-per-window:`** - Maximum runs allowed per user per time window (required, integer 1-10)
@@ -45,10 +48,7 @@ description: Agentic workflow specific frontmatter fields for GitHub Agentic Wor
4548
ignored-roles: [admin, maintain]
4649
```
4750

48-
- **`check-for-updates:`** - Control whether the activation job checks if the compiled `gh-aw` version is still supported (boolean, default: `true`)
49-
- When `true` (default): blocked versions fail fast; below-recommended versions emit a warning
50-
- When `false`: skips the version check; the compiler emits a warning at compile time
51-
- Use `check-for-updates: false` only when deploying in isolated environments where version update checks are not feasible
51+
- **`check-for-updates:`** - Whether the activation job checks that the compiled `gh-aw` version is still supported (boolean, default `true`). When `true`, blocked versions fail fast and below-recommended versions warn. Set `false` only for isolated environments (compiler then warns at compile time).
5252

5353
- **`features:`** - Feature flags for experimental or optional features (object)
5454
- Each flag is a key-value pair; boolean flags (`true`/`false`) or string values are accepted
@@ -346,6 +346,7 @@ description: Agentic workflow specific frontmatter fields for GitHub Agentic Wor
346346
agent: false
347347
```
348348

349+
- **`sandbox.agent.sudo`** (boolean) controls whether AWF runs in root mode. Default is `false`: AWF runs rootless in network-isolation egress mode (`--network-isolation`), with MCP sidecars attached as bridge containers on the internal `awf-net` network. Set `sudo: true` for the legacy root mode; in strict mode explicit `sudo: true` is an error (warning otherwise).
349350
- **Strict mode**: `sandbox.agent` blocks without an explicit `id: awf` are rejected in strict mode. Any non-nil, non-disabled agent config without `id`/`type` defaults to AWF at runtime.
350351

351352
- **`tools:`** - Tool configuration for the coding agent (`github`, `agentic-workflows`, `edit`, `web-fetch`, `web-search`, `bash`, `playwright`, custom MCP server names, plus `timeout`/`startup-timeout`/`cli-proxy`). See [syntax-tools-imports.md](syntax-tools-imports.md#tool-configuration) for the full schema (GitHub `mode`/`toolsets`/integrity fields, bash allowlist decision rule, Playwright CLI mode).

.github/aw/syntax-core.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -105,6 +105,12 @@ The YAML frontmatter supports these fields:
105105
- Exceptions: `id-token: write` is allowed to enable OIDC token minting; `copilot-requests: write` is recommended when targeting the Copilot coding agent so it can authenticate with `${{ github.token }}`
106106
- **`runs-on:`** - Runner type for the main agent job (string, array, or object)
107107
- **`runs-on-slim:`** - Runner type for all framework/generated jobs (activation, safe-outputs, unlock, etc.). Defaults to `ubuntu-slim`. `safe-outputs.runs-on` takes precedence for safe-output jobs specifically.
108+
- **`runner:`** - Runner topology configuration (object). `topology: arc-dind` (only enum value) targets GitHub ARC runners with rootless Docker-in-Docker: gh-aw emits the topology in the AWF config, redirects the tool cache to a shared volume, and validates that no generated step requires root. AWF then activates split-filesystem handling, network isolation, sysroot staging, and DinD pre-staging automatically.
109+
110+
```yaml
111+
runner:
112+
topology: arc-dind
113+
```
108114
- **`timeout-minutes:`** - Agent execution step timeout in minutes (integer or GitHub Actions expression, defaults to 20 minutes; custom and safe-output jobs use the GitHub Actions platform default of 360 minutes unless explicitly set). Expressions are useful in compiled workflows that define `workflow_call` inputs, for example `timeout-minutes: ${{ inputs.timeout }}`. This setting applies to the workflow being compiled, not to plain GitHub Actions caller jobs that use job-level `uses:` (GitHub does not allow `timeout-minutes` on those caller jobs).
109115
- **`concurrency:`** - Concurrency control (string or object)
110116
- **`queue:`** - Pending run queue behavior for the concurrency group (`single` or `max`, defaults to `single`). `single` keeps one pending run and replaces older pending runs; `max` allows up to 100 pending runs in FIFO order (useful for conclusion jobs that must not be dropped).

.github/workflows/blog-auditor.lock.yml

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

.github/workflows/cloclo.lock.yml

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

.github/workflows/daily-model-inventory.lock.yml

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

.github/workflows/daily-multi-device-docs-tester.lock.yml

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

.github/workflows/docs-noob-tester.lock.yml

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

.github/workflows/slide-deck-maintainer.lock.yml

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

.github/workflows/smoke-claude.lock.yml

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)