awesome-copilot/.github/workflows/validate-agentic-workflows-pr.yml
Simon Kurtz 919fdb3f8e fix: pin GitHub Actions to immutable SHA hashes to prevent supply chain attacks (#1088)
* chore: publish from staged

* fix: pin GitHub Actions to immutable SHA hashes to prevent supply chain attacks

Co-authored-by: simonkurtz-MSFT <84809797+simonkurtz-MSFT@users.noreply.github.com>

* chore: publish from staged

* Clean plugins

* Clean plugins

* Clean plugins

* Fix gem-team plugin

* Reset README.plugins.md

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
2026-03-23 10:37:40 +11:00


name: Validate Agentic Workflow Contributions

on:
  pull_request:
    branches: [staged]
    types: [opened, synchronize, reopened]
    paths:
      - "workflows/**"

permissions:
  contents: read
  pull-requests: write

jobs:
  check-forbidden-files:
    name: Block forbidden files
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          fetch-depth: 0

      - name: Check for forbidden files
        id: check
        run: |
          # Check for YAML/lock files in workflows/ and any .github/ modifications
          # Allow .github/aw/actions-lock.json which is needed for workflow compilation
          forbidden=$(git diff --name-only --diff-filter=ACM origin/${{ github.base_ref }}...HEAD -- \
            'workflows/**/*.yml' \
            'workflows/**/*.yaml' \
            'workflows/**/*.lock.yml' \
            '.github/*' \
            '.github/**' \
            | grep -v '^\.github/aw/actions-lock\.json$' \
            | grep -v '^\.github/workflows/validate-agentic-workflows-pr\.yml$' \
            || true)

          if [ -n "$forbidden" ]; then
            echo "❌ Forbidden files detected:"
            echo "$forbidden"
            echo "files<<EOF" >> "$GITHUB_OUTPUT"
            echo "$forbidden" >> "$GITHUB_OUTPUT"
            echo "EOF" >> "$GITHUB_OUTPUT"
            exit 1
          else
            echo "✅ No forbidden files found"
          fi

      - name: Comment on PR
        if: failure()
        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
        with:
          header: workflow-forbidden-files
          message: |
            ## 🚫 Forbidden files in `workflows/`

            Only `.md` markdown files are accepted in the `workflows/` directory. The following are **not allowed**:

            - Compiled workflow files (`.yml`, `.yaml`, `.lock.yml`) — could contain untrusted Actions code
            - `.github/` modifications — workflow contributions must not modify repository configuration

            **Files that must be removed:**

            ```
            ${{ steps.check.outputs.files }}
            ```

            Contributors provide the workflow **source** (`.md`) only. Compilation happens downstream via `gh aw compile`.

            Please remove these files and push again.

  compile-workflows:
    name: Compile and validate
    needs: check-forbidden-files
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

      - name: Install gh-aw CLI
        uses: github/gh-aw/actions/setup-cli@f7437f4f94c2bc86e7e6eca0f374e303e98bd66c # v0.61.1

      - name: Compile workflow files
        id: compile
        run: |
          exit_code=0
          found=0

          # Find all .md files directly in workflows/
          for workflow_file in workflows/*.md; do
            [ -f "$workflow_file" ] || continue
            found=$((found + 1))
            echo "::group::Compiling $workflow_file"
            if gh aw compile --validate "$workflow_file"; then
              echo "✅ $workflow_file compiled successfully"
            else
              echo "❌ $workflow_file failed to compile"
              exit_code=1
            fi
            echo "::endgroup::"
          done

          if [ "$found" -eq 0 ]; then
            echo "No workflow .md files found to validate."
          else
            echo "Validated $found workflow file(s)."
          fi

          echo "status=$( [ $exit_code -eq 0 ] && echo success || echo failure )" >> "$GITHUB_OUTPUT"
          exit $exit_code

      - name: Comment on PR if compilation failed
        if: failure()
        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
        with:
          header: workflow-validation
          message: |
            ## ❌ Agentic Workflow compilation failed

            One or more workflow files in `workflows/` failed to compile with `gh aw compile --validate`.

            Please fix the errors and push again. You can test locally with:

            ```bash
            gh extension install github/gh-aw
            gh aw compile --validate <your-workflow-file>.md
            ```

            See the [Agentic Workflows documentation](https://github.github.com/gh-aw) for help.
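The commit above pins every `uses:` reference to a full commit SHA so that a moved tag or branch on the action's repository cannot change what the workflow runs. As an added example (not part of awesome-copilot or the gh-aw project), here is a small bash check that lists any `uses:` reference not pinned to a 40-hex SHA; the sample workflow text it scans is constructed for this example and modelled on the file above.

```bash
#!/usr/bin/env bash
# Added example, not part of the awesome-copilot repository: flag `uses:`
# references in a GitHub Actions workflow that are not pinned to a full
# 40-hex commit SHA. A tag or branch ref (@v4, @main) can be re-pointed by
# whoever controls the action's repository; a commit SHA cannot.

# Constructed sample input modelled on the workflow above: two SHA-pinned
# steps, two mutable refs, and one local action that needs no pin.
SAMPLE_WORKFLOW=$(cat <<'EOF'
    steps:
      - name: Checkout code
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
      - uses: actions/setup-node@v4
      - uses: "some-org/some-action@main"
      - uses: ./.github/actions/local-helper
EOF
)

# Prints each unpinned `uses:` reference (one per line) and returns 1 if any
# were found, 0 otherwise. Local (./path) and docker:// references are skipped
# because they are not resolved through a mutable git ref.
find_unpinned_uses() {
  workflow_text=$1
  unpinned=$(printf '%s\n' "$workflow_text" \
    | sed -n -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*"?([^"#[:space:]]+).*/\1/p' \
    | grep -v -E '^(\./|docker://)' \
    | grep -v -E '@[0-9a-f]{40}$' \
    || true)
  printf '%s\n' "$unpinned" | sed '/^$/d'
  [ -z "$unpinned" ]
}

# Stand-alone demo: lists the two mutable refs in the sample and reports them.
if find_unpinned_uses "$SAMPLE_WORKFLOW"; then
  echo "all actions are SHA-pinned"
else
  echo "unpinned actions found (listed above)"
fi
```

Run it over a real file with `find_unpinned_uses "$(cat .github/workflows/some-workflow.yml)"`; a non-zero exit is what a CI gate would act on.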