diff --git a/.claude/skills/gh-aw-report/knowledge-base.md b/.claude/skills/gh-aw-report/knowledge-base.md index 769a15b..32c01ec 100644 --- a/.claude/skills/gh-aw-report/knowledge-base.md +++ b/.claude/skills/gh-aw-report/knowledge-base.md @@ -156,5 +156,29 @@ Workflow reruns capped at 50 (2026-04-10). OIDC for Dependabot/code scanning. Co - **Copilot cloud agent per-org control** (April 15, 2026): Can now be enabled for selected organizations via AI Controls page → "Agent" → "Copilot Cloud Agent" - **REST API version 2026-03-10**: Available with breaking changes to the REST API +--- + +## [2026-04-19] Daily Intelligence — AWF v0.25.25 / MCP Gateway v0.2.25 / Port 8080 Fix + +### gh-aw Version Bumps (2026-04-19) +- **AWF (Actions Workflow Framework)**: v0.25.24 → **v0.25.25** (routine bump, PR #27102) +- **MCP Gateway**: v0.2.24 → **v0.2.25** (routine bump, PR #27102) + +### Critical Bug Fix — MCP Gateway Port 8080 (2026-04-19) +- **Symptom**: Silent MCP tool-call failures and safe-output timeouts +- **Root cause**: PR #27058 moved MCP gateway from port 80 to port **8080** (non-privileged). AWF `--enable-host-access` only whitelists ports 80 and 443 by default, blocking gateway traffic on 8080. +- **Fix**: Added `--allow-host-ports 80,443,` to compiled AWF command, gated by minimum AWF version; respects custom `sandbox.mcp.port` config. Merged 2026-04-19 in PR #27080. +- **Resolution**: Update to gh-aw v0.25.25+ (`gh aw upgrade`). +- Source: https://github.com/github/gh-aw/commit/a77850ea08d6b59e87b5ba41e78a1b5ee60b755d + +### New copilot-opt Workflow (2026-04-19) +- gh-aw internal workflow that analyzes 14-day session history and generates 3 evidence-backed Copilot optimization issues +- Uses Haiku model + lean toolset + prompt compaction for token efficiency +- Source: https://github.com/github/gh-aw/commit/1378d27a7efc20f30e8fedd484fab57beea7db26 + +### Exported Constants (2026-04-19) +- New constants exported from pkg: `guard-policy`, `BYOK`, AWF version string +- Source: https://github.com/github/gh-aw/commit/c842421a058e688346db5491ce80e44179df6d01 + --- diff --git a/.claude/skills/gh-aw-report/references/gh-aw-architecture.md b/.claude/skills/gh-aw-report/references/gh-aw-architecture.md index 2c5ed57..a86850a 100644 --- a/.claude/skills/gh-aw-report/references/gh-aw-architecture.md +++ b/.claude/skills/gh-aw-report/references/gh-aw-architecture.md @@ -9,7 +9,7 @@ Stable architectural facts about the GitHub Agentic Workflows ecosystem. Used by - **Install**: `gh extension install github/gh-aw` - **Purpose**: Compile markdown workflow definitions into GitHub Actions `.lock.yml` files - **Key commands**: `gh aw compile`, `gh aw validate`, `gh aw upgrade`, `gh aw mcp inspect`, `gh aw mcp list` -- **AWF (Actions Workflow Framework)**: Default version **v0.25.24** (as of 2026-04-18) +- **AWF (Actions Workflow Framework)**: Default version **v0.25.25** (as of 2026-04-19; v0.25.24 [SUPERSEDED]) ### Workflow File Structure - **Source**: `.github/workflows/.md` — markdown with YAML frontmatter @@ -81,7 +81,9 @@ Stable architectural facts about the GitHub Agentic Workflows ecosystem. Used by - **`base_ref` parameter:** On Copilot PR tools for stacked PR / feature branch workflows - **Insiders mode:** Opt-in experimental features via `/insiders` URL or config header - **HTTP mode:** Enterprise deployment with per-request OAuth token forwarding -- **MCP Gateway:** Centralized access management for MCP servers (**v0.2.24** as of 2026-04-18; runs as runner user with uid/gid Docker mapping since v0.2.x) +- **MCP Gateway:** Centralized access management for MCP servers (**v0.2.25** as of 2026-04-19; v0.2.24 [SUPERSEDED]) + - Runs as runner user with uid/gid Docker mapping since v0.2.x (fixes "Redact secrets in logs" warnings) + - **Port changed** from 80 → **8080** (non-privileged) in a prior PR; AWF `--allow-host-ports` added to whitelist port 8080 ## Claude Code (Anthropic) diff --git a/outputs/gh-aw-reports/2026-04-19.md b/outputs/gh-aw-reports/2026-04-19.md new file mode 100644 index 0000000..42abde5 --- /dev/null +++ b/outputs/gh-aw-reports/2026-04-19.md @@ -0,0 +1,119 @@ +# gh-aw Intelligence Report — 2026-04-19 + +**Period:** 2026-04-18 → 2026-04-19 +**Sources:** GitHub API (gh-aw, github-mcp-server, agentics, zircote/github-agentic-workflows) +**Web search:** Blocked by network firewall — GitHub API data only + +--- + +## 1. gh-aw CLI Updates + +### AWF v0.25.25 + MCP Gateway v0.2.25 (2026-04-19) + +Routine version bump merged today (PR #27102): +- **AWF (Actions Workflow Framework):** v0.25.24 → **v0.25.25** +- **MCP Gateway:** v0.2.24 → **v0.2.25** + +Source: https://github.com/github/gh-aw/commit/ca1d545a9b9f1a4623f30cfa1aae322fbf12db77 + +--- + +## 2. Critical Bug Fix — MCP Gateway Port 8080 + +**Severity: High** — Silent production failures + +A previous gh-aw change (PR #27058) moved the MCP gateway from **port 80 to port 8080** (non-privileged). However, AWF's `--enable-host-access` flag only whitelists ports 80 and 443 by default. This caused the agent inside AWF to be unable to reach the MCP gateway, resulting in: + +- **Silent MCP tool-call failures** (agent receives no tools) +- **Safe-output timeouts** (safe-outputs communicate via MCP gateway) + +**Fix (merged 2026-04-19):** Added `--allow-host-ports 80,443,` to the compiled AWF command, gated by minimum AWF version. Also respects custom `sandbox.mcp.port` configuration. + +Source: https://github.com/github/gh-aw/commit/a77850ea08d6b59e87b5ba41e78a1b5ee60b755d + +**Impact:** Any gh-aw version between the port change and v0.25.25 would silently fail MCP calls. Updating to the latest gh-aw (`gh aw upgrade`) resolves this. + +--- + +## 3. New Workflow — copilot-opt + +A new gh-aw internal workflow `copilot-opt` has been added (commit 1378d27) that: +- Analyzes 14-day session history +- Generates 3 evidence-backed Copilot optimization issue recommendations +- Uses lean toolset + Haiku model + pre-aggregation for token efficiency + +Token optimizer was also improved with cli-proxy path, lean toolset, and prompt compaction. + +Source: https://github.com/github/gh-aw/commit/1378d27a7efc20f30e8fedd484fab57beea7db26 + +--- + +## 4. Exported Constants — guard-policy, BYOK, AWF Version + +New constants exported from `pkg/constants`: +- `guard-policy` — AWF network guard policy identifiers +- `BYOK` (Bring Your Own Key) — token configuration constants +- AWF version string constants + +Source: https://github.com/github/gh-aw/commit/c842421a058e688346db5491ce80e44179df6d01 + +--- + +## 5. API Rename — ResolveLatestActionPin + +`GetCachedActionPin` renamed to `ResolveLatestActionPin` in `pkg/actionpins`. This is an internal API change; no impact on workflow authors. + +Source: https://github.com/github/gh-aw/commit/7533280119bfffdd4f020ca893dcc818935e4600 + +--- + +## 6. GitHub MCP Server — v1.0.0 Still Current + +No new releases since v1.0.0 (2026-04-16). The stable 1.0 release with: +- `set_issue_fields` tool (issues_granular toolset) +- MCP Apps migrated from insiders to `remote_mcp_ui_apps` feature flag +- granular toolsets: `issues_granular`, `pull_request_granular` +- `resolve_review_thread` tool (v0.33.0) +- `list_commits`: `path`, `since`, `until` parameters (v0.33.0) + +--- + +## 7. githubnext/agentics + +Minor formatting fixes (2026-04-17, don Syme). No new workflows or patterns. + +--- + +## 8. Community + +No significant community findings today (web search blocked by network firewall). + +--- + +## Gap Analysis + +### GAP-1 (missing, priority 1): production-gotchas.md — MCP gateway port 8080 + +**File:** `skills/aw-author/references/production-gotchas.md` +**Section:** MCP Server Constraints +**Issue:** The critical MCP gateway port change (80 → 8080) and AWF firewall blocking issue is not documented. This is a high-impact production failure causing silent MCP tool-call failures and safe-output timeouts. +**Action:** Add new gotcha entry — implemented in this PR. + +### GAP-2 (outdated, priority 2): gh-aw-architecture.md — AWF/MCP Gateway versions + +**File:** `.claude/skills/gh-aw-report/references/gh-aw-architecture.md` +**Section:** MCP Gateway version +**Issue:** Architecture file still references v0.1.9 (open issue #39). Now bumped to v0.2.25. AWF should be noted as v0.25.25. +**Action:** Update version references — implemented in this PR. + +*Note: Gaps #39–#43 from 2026-04-18 remain open for Copilot implementation.* + +--- + +## Summary + +- **Queries run:** 5 GitHub API (gh-aw, github-mcp-server, agentics, zircote, releases) +- **Web searches:** 0 (network firewall blocked all outbound requests) +- **Key findings:** AWF/Gateway bumped to v0.25.25/v0.2.25; critical MCP port 8080 bug fixed; new copilot-opt workflow +- **Gaps identified:** 2 new (port 8080 gotcha, architecture version) +- **Files changed:** production-gotchas.md, gh-aw-architecture.md, knowledge-base.md (×2) diff --git a/skills/aw-author/references/production-gotchas.md b/skills/aw-author/references/production-gotchas.md index abf3795..15fbf0a 100644 --- a/skills/aw-author/references/production-gotchas.md +++ b/skills/aw-author/references/production-gotchas.md @@ -305,7 +305,29 @@ entrypointArgs: - "apk add --no-cache curl >/dev/null 2>&1 && exec my-server" ``` -### `gh aw mcp inspect/list` Limitation +### MCP Gateway Port 8080 — AWF Firewall Blocks Traffic + +A gh-aw change moved the MCP gateway from port **80** to port **8080** (non-privileged). AWF's `--enable-host-access` only whitelists ports 80 and 443 by default. This leaves port 8080 blocked, causing silent failures. + +**Symptom:** MCP tools are completely unavailable to the agent AND safe-output calls silently time out — the agent appears to run but no tools work and writes never happen. Check `agent-artifacts/mcp-logs/` for connection refused errors on port 8080. + +**Affected versions:** gh-aw versions between the gateway port change (around AWF v0.25.20) and **v0.25.25** (which includes the `--allow-host-ports` fix). + +**Fix:** Update gh-aw to the latest version: + +```bash +gh aw upgrade +``` + +This compiles `--allow-host-ports 80,443,8080` into the AWF command, allowing the agent to reach the MCP gateway. + +**Custom port:** If you use a custom `sandbox.mcp.port` configuration, the fix respects that value. + +**Root cause commit:** https://github.com/github/gh-aw/commit/a77850ea08d6b59e87b5ba41e78a1b5ee60b755d + +--- + + The `gh aw mcp inspect` and `gh aw mcp list` commands do **NOT** follow `imports:` directives. They only see MCP servers declared in the direct frontmatter of the workflow file being inspected.