Milestone Changelog Generator #418

Workflow file for this run

.github/workflows/milestone-changelog.lock.yml at 556d6b2

	# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"68a1d86961e5995ca058a39d0cba9b4bf742775330ca302fcb962afbff47536a","compiler_version":"v0.72.0","strict":true,"agent_id":"copilot"}
	# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/download-artifact","sha":"d3f86a106a0bac45b974a628896c90dbdf5c8093","version":"v4"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"actions/upload-artifact","sha":"ea165f8d65b6e75b540449e92b4886f43607fa02","version":"v4"},{"repo":"github/gh-aw-actions/setup","sha":"ff0525b685481744f490a0d362753d8001e4b39d","version":"v0.72.0"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.41"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.41"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.41"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.6","digest":"sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.6@sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c"},{"image":"ghcr.io/github/github-mcp-server:v1.0.3","digest":"sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]}
	# ___ _ _
	# / _ \ \| \| (_)
	# \| \|_\| \| __ _ ___ _ __ \| \|_ _ ___
	# \| _ \|/ _` \|/ _ \ '_ \\| __\| \|/ __\|
	# \| \| \| \| (_\| \| __/ \| \| \| \|_\| \| (__
	# \_\| \|_/\__, \|\___\|_\| \|_\|\__\|_\|\___\|
	# __/ \|
	# _ _ \|___/
	# \| \| \| \| / _\| \|
	# \| \| \| \| ___ _ __ _ __\| \|_\| \| _____ ____
	# \| \|/\\| \|/ _ \ '__\| \|/ /\| _\| \|/ _ \ \ /\ / / ___\|
	# \ /\ / (_) \| \| \| \| ( \| \| \| \| (_) \ V V /\__ \
	# \/ \/ \___/\|_\| \|_\|\_\\|_\| \|_\|\___/ \_/\_/ \|___/
	#
	# This file was automatically generated by gh-aw (v0.72.0). DO NOT EDIT.
	#
	# To update this file, edit the corresponding .md file and run:
	# gh aw compile
	# Not all edits will cause changes to this file.
	#
	# For more information: https://github.github.com/gh-aw/introduction/overview/
	#
	# Generates and maintains a changelog for a configured milestone by
	# analyzing merged pull requests.
	# Creates or updates a wiki page named "<milestone>-Change-log" with a list
	# of new features, improvements, and notable bug fixes. A companion GitHub issue collects
	# editorial feedback (e.g., exclude a change, rename an entry, merge entries).
	#
	# Frontmatter env variables:
	# - BATCH_SIZE: (main workflow)
	# - DOCS_REPO: (main workflow)
	# - MILESTONE: (main workflow)
	# - MILESTONE_START: (main workflow)
	# - PREVIOUS_MILESTONE: (main workflow)
	# - PRODUCT: (main workflow)
	# - RELEASE_NOTES_URL: (main workflow)
	# - REPO: (main workflow)
	#
	# Secrets used:
	# - COPILOT_GITHUB_TOKEN
	# - GH_AW_GITHUB_MCP_SERVER_TOKEN
	# - GH_AW_GITHUB_TOKEN
	# - GITHUB_TOKEN
	#
	# Custom actions used:
	# - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	# - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	# - actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
	# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	# - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
	# - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
	# - actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
	# - github/gh-aw-actions/setup@ff0525b685481744f490a0d362753d8001e4b39d # v0.72.0
	#
	# Container images used:
	# - ghcr.io/github/gh-aw-firewall/agent:0.25.41
	# - ghcr.io/github/gh-aw-firewall/api-proxy:0.25.41
	# - ghcr.io/github/gh-aw-firewall/squid:0.25.41
	# - ghcr.io/github/gh-aw-mcpg:v0.3.6@sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c
	# - ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959
	# - node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f

	name: "Milestone Changelog Generator"
	"on":
	schedule:
	- cron: "0 /2 * *"
	workflow_dispatch:
	inputs:
	aw_context:
	default: ""
	description: Agent caller context (used internally by Agentic Workflows).
	required: false
	type: string

	permissions: {}

	concurrency:
	group: "gh-aw-${{ github.workflow }}"

	run-name: "Milestone Changelog Generator"

	env:
	BATCH_SIZE: "20"
	DOCS_REPO: microsoft/aspire.dev
	MILESTONE: "13.4"
	MILESTONE_START: "2026-05-08"
	PREVIOUS_MILESTONE: "13.3"
	PRODUCT: Aspire
	RELEASE_NOTES_URL: https://aka.ms/aspire/update-latest
	REPO: microsoft/aspire

	jobs:
	activation:
	runs-on: ubuntu-slim
	permissions:
	actions: read
	contents: read
	outputs:
	comment_id: ""
	comment_repo: ""
	engine_id: ${{ steps.generate_aw_info.outputs.engine_id }}
	lockdown_check_failed: ${{ steps.generate_aw_info.outputs.lockdown_check_failed == 'true' }}
	model: ${{ steps.generate_aw_info.outputs.model }}
	secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
	setup-trace-id: ${{ steps.setup.outputs.trace-id }}
	stale_lock_file_failed: ${{ steps.check-lock-file.outputs.stale_lock_file_failed == 'true' }}
	steps:
	- name: Setup Scripts
	id: setup
	uses: github/gh-aw-actions/setup@ff0525b685481744f490a0d362753d8001e4b39d # v0.72.0
	with:
	destination: ${{ runner.temp }}/gh-aw/actions
	job-name: ${{ github.job }}
	env:
	GH_AW_SETUP_WORKFLOW_NAME: "Milestone Changelog Generator"
	GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/milestone-changelog.lock.yml@${{ github.ref }}
	GH_AW_INFO_VERSION: "1.0.40"
	- name: Generate agentic run info
	id: generate_aw_info
	env:
	GH_AW_INFO_ENGINE_ID: "copilot"
	GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
	GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT \|\| 'claude-sonnet-4.6' }}
	GH_AW_INFO_VERSION: "1.0.40"
	GH_AW_INFO_AGENT_VERSION: "1.0.40"
	GH_AW_INFO_CLI_VERSION: "v0.72.0"
	GH_AW_INFO_WORKFLOW_NAME: "Milestone Changelog Generator"
	GH_AW_INFO_EXPERIMENTAL: "false"
	GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
	GH_AW_INFO_STAGED: "false"
	GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]'
	GH_AW_INFO_FIREWALL_ENABLED: "true"
	GH_AW_INFO_AWF_VERSION: "v0.25.41"
	GH_AW_INFO_AWMG_VERSION: ""
	GH_AW_INFO_FIREWALL_TYPE: "squid"
	GH_AW_COMPILED_STRICT: "true"
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/generate_aw_info.cjs');
	await main(core, context);
	- name: Validate COPILOT_GITHUB_TOKEN secret
	id: validate-secret
	run: bash "${RUNNER_TEMP}/gh-aw/actions/validate_multi_secret.sh" COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default
	env:
	COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
	- name: Checkout .github and .agents folders
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false
	sparse-checkout: \|
	.github
	.agents
	.claude
	.codex
	.crush
	.gemini
	.opencode
	.pi
	sparse-checkout-cone-mode: true
	fetch-depth: 1
	- name: Save agent config folders for base branch restoration
	env:
	GH_AW_AGENT_FOLDERS: ".agents .claude .codex .crush .gemini .github .opencode .pi"
	GH_AW_AGENT_FILES: ".crush.json AGENTS.md CLAUDE.md GEMINI.md PI.md opencode.jsonc"
	# poutine:ignore untrusted_checkout_exec
	run: bash "${RUNNER_TEMP}/gh-aw/actions/save_base_github_folders.sh"
	- name: Check workflow lock file
	id: check-lock-file
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	env:
	GH_AW_WORKFLOW_FILE: "milestone-changelog.lock.yml"
	GH_AW_CONTEXT_WORKFLOW_REF: "${{ github.workflow_ref }}"
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/check_workflow_timestamp_api.cjs');
	await main();
	- name: Check compile-agentic version
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	env:
	GH_AW_COMPILED_VERSION: "v0.72.0"
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/check_version_updates.cjs');
	await main();
	- name: Create prompt with built-in context
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_SAFE_OUTPUTS: ${{ runner.temp }}/gh-aw/safeoutputs/outputs.jsonl
	GH_AW_GITHUB_ACTOR: ${{ github.actor }}
	GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
	GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
	GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
	GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
	GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
	GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
	GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
	# poutine:ignore untrusted_checkout_exec
	run: \|
	bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh"
	{
	cat << 'GH_AW_PROMPT_c3827fe844ae66d5_EOF'
	<system>
	GH_AW_PROMPT_c3827fe844ae66d5_EOF
	cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
	cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
	cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
	cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
	cat << 'GH_AW_PROMPT_c3827fe844ae66d5_EOF'
	<safe-output-tools>
	Tools: missing_tool, missing_data, noop, publish
	</safe-output-tools>
	GH_AW_PROMPT_c3827fe844ae66d5_EOF
	cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md"
	cat << 'GH_AW_PROMPT_c3827fe844ae66d5_EOF'
	<github-context>
	The following GitHub context information is available for this workflow:
	{{#if __GH_AW_GITHUB_ACTOR__ }}
	- actor: __GH_AW_GITHUB_ACTOR__
	{{/if}}
	{{#if __GH_AW_GITHUB_REPOSITORY__ }}
	- repository: __GH_AW_GITHUB_REPOSITORY__
	{{/if}}
	{{#if __GH_AW_GITHUB_WORKSPACE__ }}
	- workspace: __GH_AW_GITHUB_WORKSPACE__
	{{/if}}
	{{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }}
	- issue-number: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__
	{{/if}}
	{{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }}
	- discussion-number: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__
	{{/if}}
	{{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }}
	- pull-request-number: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__
	{{/if}}
	{{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }}
	- comment-id: __GH_AW_GITHUB_EVENT_COMMENT_ID__
	{{/if}}
	{{#if __GH_AW_GITHUB_RUN_ID__ }}
	- workflow-run-id: __GH_AW_GITHUB_RUN_ID__
	{{/if}}
	</github-context>

	GH_AW_PROMPT_c3827fe844ae66d5_EOF
	cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
	cat << 'GH_AW_PROMPT_c3827fe844ae66d5_EOF'
	</system>
	{{#runtime-import .github/workflows/milestone-changelog.md}}
	GH_AW_PROMPT_c3827fe844ae66d5_EOF
	} > "$GH_AW_PROMPT"
	- name: Interpolate variables and render templates
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_ENGINE_ID: "copilot"
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/interpolate_prompt.cjs');
	await main();
	- name: Substitute placeholders
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_GITHUB_ACTOR: ${{ github.actor }}
	GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
	GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
	GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
	GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
	GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
	GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
	GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
	GH_AW_MCP_CLI_SERVERS_LIST: '- `safeoutputs` — run `safeoutputs --help` to see available tools'
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);

	const substitutePlaceholders = require('${{ runner.temp }}/gh-aw/actions/substitute_placeholders.cjs');

	// Call the substitution function
	return await substitutePlaceholders({
	file: process.env.GH_AW_PROMPT,
	substitutions: {
	GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR,
	GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID,
	GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER,
	GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER,
	GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER,
	GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY,
	GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID,
	GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE,
	GH_AW_MCP_CLI_SERVERS_LIST: process.env.GH_AW_MCP_CLI_SERVERS_LIST
	}
	});
	- name: Validate prompt placeholders
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	# poutine:ignore untrusted_checkout_exec
	run: bash "${RUNNER_TEMP}/gh-aw/actions/validate_prompt_placeholders.sh"
	- name: Print prompt
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	# poutine:ignore untrusted_checkout_exec
	run: bash "${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh"
	- name: Upload activation artifact
	if: success()
	uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
	with:
	name: activation
	include-hidden-files: true
	path: \|
	/tmp/gh-aw/aw_info.json
	/tmp/gh-aw/aw-prompts/prompt.txt
	/tmp/gh-aw/aw-prompts/prompt-template.txt
	/tmp/gh-aw/aw-prompts/prompt-import-tree.json
	/tmp/gh-aw/github_rate_limits.jsonl
	/tmp/gh-aw/base
	/tmp/gh-aw/.github/agents
	if-no-files-found: ignore
	retention-days: 1

	agent:
	needs:
	- activation
	- fetch-data
	if: github.repository_owner == 'microsoft' && needs.fetch-data.outputs.has-work == 'true'
	runs-on: ubuntu-latest
	permissions:
	contents: read
	issues: read
	pull-requests: read
	concurrency:
	group: "gh-aw-copilot-${{ github.workflow }}"
	env:
	DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
	GH_AW_ASSETS_ALLOWED_EXTS: ""
	GH_AW_ASSETS_BRANCH: ""
	GH_AW_ASSETS_MAX_SIZE_KB: 0
	GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
	GH_AW_WORKFLOW_ID_SANITIZED: milestonechangelog
	outputs:
	agentic_engine_timeout: ${{ steps.detect-copilot-errors.outputs.agentic_engine_timeout \|\| 'false' }}
	checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success \|\| 'true' }}
	effective_tokens: ${{ steps.parse-mcp-gateway.outputs.effective_tokens }}
	has_patch: ${{ steps.collect_output.outputs.has_patch }}
	inference_access_error: ${{ steps.detect-copilot-errors.outputs.inference_access_error \|\| 'false' }}
	mcp_policy_error: ${{ steps.detect-copilot-errors.outputs.mcp_policy_error \|\| 'false' }}
	model: ${{ needs.activation.outputs.model }}
	model_not_supported_error: ${{ steps.detect-copilot-errors.outputs.model_not_supported_error \|\| 'false' }}
	output: ${{ steps.collect_output.outputs.output }}
	output_types: ${{ steps.collect_output.outputs.output_types }}
	setup-trace-id: ${{ steps.setup.outputs.trace-id }}
	steps:
	- name: Setup Scripts
	id: setup
	uses: github/gh-aw-actions/setup@ff0525b685481744f490a0d362753d8001e4b39d # v0.72.0
	with:
	destination: ${{ runner.temp }}/gh-aw/actions
	job-name: ${{ github.job }}
	trace-id: ${{ needs.activation.outputs.setup-trace-id }}
	env:
	GH_AW_SETUP_WORKFLOW_NAME: "Milestone Changelog Generator"
	GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/milestone-changelog.lock.yml@${{ github.ref }}
	GH_AW_INFO_VERSION: "1.0.40"
	- name: Set runtime paths
	id: set-runtime-paths
	run: \|
	{
	echo "GH_AW_SAFE_OUTPUTS=${RUNNER_TEMP}/gh-aw/safeoutputs/outputs.jsonl"
	echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${RUNNER_TEMP}/gh-aw/safeoutputs/config.json"
	echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${RUNNER_TEMP}/gh-aw/safeoutputs/tools.json"
	} >> "$GITHUB_OUTPUT"
	- name: Checkout repository
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false
	- name: Create gh-aw temp directory
	run: bash "${RUNNER_TEMP}/gh-aw/actions/create_gh_aw_tmp_dir.sh"
	- name: Configure gh CLI for GitHub Enterprise
	run: bash "${RUNNER_TEMP}/gh-aw/actions/configure_gh_for_ghe.sh"
	env:
	GH_TOKEN: ${{ github.token }}
	- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
	with:
	name: changelog-data
	path: /tmp/gh-aw/

	- name: Configure Git credentials
	env:
	REPO_NAME: ${{ github.repository }}
	SERVER_URL: ${{ github.server_url }}
	GITHUB_TOKEN: ${{ github.token }}
	run: \|
	git config --global user.email "github-actions[bot]@users.noreply.github.com"
	git config --global user.name "github-actions[bot]"
	git config --global am.keepcr true
	# Re-authenticate git with GitHub token
	SERVER_URL_STRIPPED="${SERVER_URL#https://}"
	git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
	echo "Git configured with standard GitHub Actions identity"
	- name: Checkout PR branch
	id: checkout-pr
	if: \|
	github.event.pull_request \|\| github.event.issue.pull_request
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	env:
	GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN \|\| secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN \|\| secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
	await main();
	- name: Install GitHub Copilot CLI
	run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.40
	env:
	GH_HOST: github.com
	- name: Install AWF binary
	run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.41
	- name: Parse integrity filter lists
	id: parse-guard-vars
	env:
	GH_AW_BLOCKED_USERS_VAR: ${{ vars.GH_AW_GITHUB_BLOCKED_USERS \|\| '' }}
	GH_AW_TRUSTED_USERS_VAR: ${{ vars.GH_AW_GITHUB_TRUSTED_USERS \|\| '' }}
	GH_AW_APPROVAL_LABELS_VAR: ${{ vars.GH_AW_GITHUB_APPROVAL_LABELS \|\| '' }}
	run: bash "${RUNNER_TEMP}/gh-aw/actions/parse_guard_list.sh"
	- name: Download activation artifact
	uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	with:
	name: activation
	path: /tmp/gh-aw
	- name: Restore agent config folders from base branch
	if: steps.checkout-pr.outcome == 'success'
	env:
	GH_AW_AGENT_FOLDERS: ".agents .claude .codex .crush .gemini .github .opencode .pi"
	GH_AW_AGENT_FILES: ".crush.json AGENTS.md CLAUDE.md GEMINI.md PI.md opencode.jsonc"
	run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_base_github_folders.sh"
	- name: Restore inline sub-agents from activation artifact
	env:
	GH_AW_SUB_AGENT_DIR: ".github/agents"
	GH_AW_SUB_AGENT_EXT: ".agent.md"
	run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh"
	- name: Download container images
	run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.41 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.41 ghcr.io/github/gh-aw-firewall/squid:0.25.41 ghcr.io/github/gh-aw-mcpg:v0.3.6@sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f
	- name: Generate Safe Outputs Config
	run: \|
	mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs"
	mkdir -p /tmp/gh-aw/safeoutputs
	mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
	cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_755f2c48793d69e7_EOF'
	{"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"publish":{"description":"Publish the wiki page, push state to the memory branch, and ensure the feedback issue exists","output":"Wiki page published and memory branch updated!"},"report_incomplete":{}}
	GH_AW_SAFE_OUTPUTS_CONFIG_755f2c48793d69e7_EOF
	- name: Generate Safe Outputs Tools
	env:
	GH_AW_TOOLS_META_JSON: \|
	{
	"description_suffixes": {},
	"repo_params": {},
	"dynamic_tools": [
	{
	"description": "Publish the wiki page, push state to the memory branch, and ensure the feedback issue exists",
	"inputSchema": {
	"additionalProperties": false,
	"properties": {},
	"type": "object"
	},
	"name": "publish"
	}
	]
	}
	GH_AW_VALIDATION_JSON: \|
	{
	"missing_data": {
	"defaultMax": 20,
	"fields": {
	"alternatives": {
	"type": "string",
	"sanitize": true,
	"maxLength": 256
	},
	"context": {
	"type": "string",
	"sanitize": true,
	"maxLength": 256
	},
	"data_type": {
	"type": "string",
	"sanitize": true,
	"maxLength": 128
	},
	"reason": {
	"type": "string",
	"sanitize": true,
	"maxLength": 256
	}
	}
	},
	"missing_tool": {
	"defaultMax": 20,
	"fields": {
	"alternatives": {
	"type": "string",
	"sanitize": true,
	"maxLength": 512
	},
	"reason": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 256
	},
	"tool": {
	"type": "string",
	"sanitize": true,
	"maxLength": 128
	}
	}
	},
	"noop": {
	"defaultMax": 1,
	"fields": {
	"message": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 65000
	}
	}
	},
	"report_incomplete": {
	"defaultMax": 5,
	"fields": {
	"details": {
	"type": "string",
	"sanitize": true,
	"maxLength": 65000
	},
	"reason": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 1024
	}
	}
	}
	}
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/generate_safe_outputs_tools.cjs');
	await main();
	- name: Generate Safe Outputs MCP Server Config
	id: safe-outputs-config
	run: \|
	# Generate a secure random API key (360 bits of entropy, 40+ chars)
	# Mask immediately to prevent timing vulnerabilities
	API_KEY=$(openssl rand -base64 45 \| tr -d '/+=')
	echo "::add-mask::${API_KEY}"

	PORT=3001

	# Set outputs for next steps
	{
	echo "safe_outputs_api_key=${API_KEY}"
	echo "safe_outputs_port=${PORT}"
	} >> "$GITHUB_OUTPUT"

	echo "Safe Outputs MCP server will run on port ${PORT}"

	- name: Start Safe Outputs MCP HTTP Server
	id: safe-outputs-start
	env:
	DEBUG: '*'
	GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
	GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}
	GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}
	GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ runner.temp }}/gh-aw/safeoutputs/tools.json
	GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ runner.temp }}/gh-aw/safeoutputs/config.json
	GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
	run: \|
	# Environment variables are set above to prevent template injection
	export DEBUG
	export GH_AW_SAFE_OUTPUTS
	export GH_AW_SAFE_OUTPUTS_PORT
	export GH_AW_SAFE_OUTPUTS_API_KEY
	export GH_AW_SAFE_OUTPUTS_TOOLS_PATH
	export GH_AW_SAFE_OUTPUTS_CONFIG_PATH
	export GH_AW_MCP_LOG_DIR

	bash "${RUNNER_TEMP}/gh-aw/actions/start_safe_outputs_server.sh"

	- name: Start MCP Gateway
	id: start-mcp-gateway
	env:
	GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
	GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
	GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
	GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN \|\| secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	run: \|
	set -eo pipefail
	mkdir -p "${RUNNER_TEMP}/gh-aw/mcp-config"

	# Export gateway environment variables for MCP config and gateway script
	export MCP_GATEWAY_PORT="8080"
	export MCP_GATEWAY_DOMAIN="host.docker.internal"
	export MCP_GATEWAY_HOST_DOMAIN="localhost"
	MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 \| tr -d '/+=')
	echo "::add-mask::${MCP_GATEWAY_API_KEY}"
	export MCP_GATEWAY_API_KEY
	export MCP_GATEWAY_PAYLOAD_DIR="/tmp/gh-aw/mcp-payloads"
	mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}"
	export MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD="524288"
	export DEBUG="*"

	export GH_AW_ENGINE="copilot"
	MCP_GATEWAY_UID=$(id -u 2>/dev/null \|\| echo '0')
	MCP_GATEWAY_GID=$(id -g 2>/dev/null \|\| echo '0')
	DOCKER_SOCK_GID=$(stat -c '%g' /var/run/docker.sock 2>/dev/null \|\| echo '0')
	export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.6'

	mkdir -p /home/runner/.copilot
	GH_AW_NODE=$(which node 2>/dev/null \|\| command -v node 2>/dev/null \|\| echo node)
	cat << GH_AW_MCP_CONFIG_e863f97f403870c9_EOF \| "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
	{
	"mcpServers": {
	"github": {
	"type": "stdio",
	"container": "ghcr.io/github/github-mcp-server:v1.0.3",
	"env": {
	"GITHUB_HOST": "\${GITHUB_SERVER_URL}",
	"GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
	"GITHUB_READ_ONLY": "1",
	"GITHUB_TOOLSETS": "repos,issues,pull_requests,search"
	},
	"guard-policies": {
	"allow-only": {
	"approval-labels": ${{ steps.parse-guard-vars.outputs.approval_labels }},
	"blocked-users": ${{ steps.parse-guard-vars.outputs.blocked_users }},
	"min-integrity": "unapproved",
	"repos": "all",
	"trusted-users": ${{ steps.parse-guard-vars.outputs.trusted_users }}
	}
	}
	},
	"safeoutputs": {
	"type": "http",
	"url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT",
	"headers": {
	"Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}"
	},
	"guard-policies": {
	"write-sink": {
	"accept": [
	"*"
	]
	}
	}
	}
	},
	"gateway": {
	"port": $MCP_GATEWAY_PORT,
	"domain": "${MCP_GATEWAY_DOMAIN}",
	"apiKey": "${MCP_GATEWAY_API_KEY}",
	"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
	}
	}
	GH_AW_MCP_CONFIG_e863f97f403870c9_EOF
	- name: Mount MCP servers as CLIs
	id: mount-mcp-clis
	continue-on-error: true
	env:
	MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }}
	MCP_GATEWAY_DOMAIN: ${{ steps.start-mcp-gateway.outputs.gateway-domain }}
	MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }}
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/mount_mcp_as_cli.cjs');
	await main();
	- name: Clean credentials
	continue-on-error: true
	run: bash "${RUNNER_TEMP}/gh-aw/actions/clean_git_credentials.sh"
	- name: Audit pre-agent workspace
	id: pre_agent_audit
	continue-on-error: true
	run: bash "${RUNNER_TEMP}/gh-aw/actions/audit_pre_agent_workspace.sh"
	- name: Execute GitHub Copilot CLI
	id: agentic_execution
	# Copilot CLI tool arguments (sorted):
	# --allow-tool github
	# --allow-tool safeoutputs
	# --allow-tool shell(cat)
	# --allow-tool shell(cd)
	# --allow-tool shell(cp)
	# --allow-tool shell(date)
	# --allow-tool shell(echo)
	# --allow-tool shell(gh:*)
	# --allow-tool shell(grep)
	# --allow-tool shell(head)
	# --allow-tool shell(jq)
	# --allow-tool shell(ls)
	# --allow-tool shell(mkdir)
	# --allow-tool shell(mv)
	# --allow-tool shell(pwd)
	# --allow-tool shell(python3)
	# --allow-tool shell(rm)
	# --allow-tool shell(safeoutputs:*)
	# --allow-tool shell(sort)
	# --allow-tool shell(tail)
	# --allow-tool shell(uniq)
	# --allow-tool shell(wc)
	# --allow-tool shell(xargs)
	# --allow-tool shell(xxd)
	# --allow-tool shell(yq)
	# --allow-tool write
	timeout-minutes: 30
	run: \|
	set -o pipefail
	touch /tmp/gh-aw/agent-step-summary.md
	GH_AW_NODE_BIN=$(command -v node 2>/dev/null \|\| true)
	export GH_AW_NODE_BIN
	(umask 177 && touch /tmp/gh-aw/agent-stdio.log)
	printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.25.41/awf-config.schema.json","network":{"allowDomains":["api.business.githubcopilot.com","api.enterprise.githubcopilot.com","api.github.com","api.githubcopilot.com","api.individual.githubcopilot.com","api.snapcraft.io","archive.ubuntu.com","azure.archive.ubuntu.com","crl.geotrust.com","crl.globalsign.com","crl.identrust.com","crl.sectigo.com","crl.thawte.com","crl.usertrust.com","crl.verisign.com","crl3.digicert.com","crl4.digicert.com","crls.ssl.com","github.com","host.docker.internal","json-schema.org","json.schemastore.org","keyserver.ubuntu.com","ocsp.digicert.com","ocsp.geotrust.com","ocsp.globalsign.com","ocsp.identrust.com","ocsp.sectigo.com","ocsp.ssl.com","ocsp.thawte.com","ocsp.usertrust.com","ocsp.verisign.com","packagecloud.io","packages.cloud.google.com","packages.microsoft.com","ppa.launchpad.net","raw.githubusercontent.com","registry.npmjs.org","s.symcb.com","s.symcd.com","security.ubuntu.com","telemetry.enterprise.githubcopilot.com","ts-crl.ws.symantec.com","ts-ocsp.ws.symantec.com","www.googleapis.com"]},"apiProxy":{"enabled":true,"models":{"auto":["large"],"deep-research":["copilot/deep-research","google/deep-research"],"gemini-flash":["copilot/gemini-flash","google/gemini-flash"],"gemini-pro":["copilot/gemini-pro","google/gemini-pro"],"gpt-4.1":["copilot/gpt-4.1","openai/gpt-4.1"],"gpt-5":["copilot/gpt-5","openai/gpt-5"],"gpt-5-codex":["copilot/gpt-5codex","openai/gpt-5codex"],"gpt-5-mini":["copilot/gpt-5mini","openai/gpt-5mini"],"gpt-5-nano":["copilot/gpt-5nano","openai/gpt-5nano"],"gpt-5-pro":["copilot/gpt-5pro","openai/gpt-5pro"],"haiku":["copilot/haiku","anthropic/haiku"],"large":["sonnet","gpt-5-pro","gpt-5","gemini-pro"],"mini":["haiku","gpt-5-mini","gpt-5-nano","gemini-flash"],"opus":["copilot/opus","anthropic/opus"],"reasoning":["copilot/o1","copilot/o3","copilot/o4","openai/o1","openai/o3","openai/o4"],"small":["mini"],"sonnet":["copilot/sonnet","anthropic/sonnet"]}},"container":{"imageTag":"0.25.41"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" && cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json
	# shellcheck disable=SC1003
	sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
	-- /bin/bash -c 'export PATH="${RUNNER_TEMP}/gh-aw/mcp-cli/bin:$PATH" && export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 4 -type d -name bin 2>/dev/null \| tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" \|\| true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] \|\| [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null \|\| echo node)"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(cd)'\'' --allow-tool '\''shell(cp)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(gh:)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(jq)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(mkdir)'\'' --allow-tool '\''shell(mv)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(python3)'\'' --allow-tool '\''shell(rm)'\'' --allow-tool '\''shell(safeoutputs:)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(xargs)'\'' --allow-tool '\''shell(xxd)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 \| tee -a /tmp/gh-aw/agent-stdio.log
	env:
	COPILOT_AGENT_RUNNER_TYPE: STANDALONE
	COPILOT_API_KEY: dummy-byok-key-for-offline-mode
	COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
	COPILOT_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT \|\| 'claude-sonnet-4.6' }}
	GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json
	GH_AW_PHASE: agent
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
	GH_AW_VERSION: v0.72.0
	GITHUB_API_URL: ${{ github.api_url }}
	GITHUB_AW: true
	GITHUB_COPILOT_INTEGRATION_ID: agentic-workflows
	GITHUB_HEAD_REF: ${{ github.head_ref }}
	GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN \|\| secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	GITHUB_REF_NAME: ${{ github.ref_name }}
	GITHUB_SERVER_URL: ${{ github.server_url }}
	GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md
	GITHUB_WORKSPACE: ${{ github.workspace }}
	GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com
	GIT_AUTHOR_NAME: github-actions[bot]
	GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
	GIT_COMMITTER_NAME: github-actions[bot]
	XDG_CONFIG_HOME: /home/runner
	- name: Detect Copilot errors
	id: detect-copilot-errors
	if: always()
	continue-on-error: true
	run: node "${RUNNER_TEMP}/gh-aw/actions/detect_copilot_errors.cjs"
	- name: Configure Git credentials
	env:
	REPO_NAME: ${{ github.repository }}
	SERVER_URL: ${{ github.server_url }}
	GITHUB_TOKEN: ${{ github.token }}
	run: \|
	git config --global user.email "github-actions[bot]@users.noreply.github.com"
	git config --global user.name "github-actions[bot]"
	git config --global am.keepcr true
	# Re-authenticate git with GitHub token
	SERVER_URL_STRIPPED="${SERVER_URL#https://}"
	git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
	echo "Git configured with standard GitHub Actions identity"
	- name: Copy Copilot session state files to logs
	if: always()
	continue-on-error: true
	run: bash "${RUNNER_TEMP}/gh-aw/actions/copy_copilot_session_state.sh"
	- name: Stop MCP Gateway
	if: always()
	continue-on-error: true
	env:
	MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }}
	MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }}
	GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }}
	run: \|
	bash "${RUNNER_TEMP}/gh-aw/actions/stop_mcp_gateway.sh" "$GATEWAY_PID"
	- name: Redact secrets in logs
	if: always()
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/redact_secrets.cjs');
	await main();
	env:
	GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN'
	SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
	SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
	SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
	SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	- name: Append agent step summary
	if: always()
	run: bash "${RUNNER_TEMP}/gh-aw/actions/append_agent_step_summary.sh"
	- name: Copy Safe Outputs
	if: always()
	env:
	GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
	run: \|
	mkdir -p /tmp/gh-aw
	cp "$GH_AW_SAFE_OUTPUTS" /tmp/gh-aw/safeoutputs.jsonl 2>/dev/null \|\| true
	- name: Ingest agent output
	id: collect_output
	if: always()
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	env:
	GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
	GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com"
	GITHUB_SERVER_URL: ${{ github.server_url }}
	GITHUB_API_URL: ${{ github.api_url }}
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/collect_ndjson_output.cjs');
	await main();
	- name: Parse agent logs for step summary
	if: always()
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	env:
	GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_copilot_log.cjs');
	await main();
	- name: Parse MCP Gateway logs for step summary
	if: always()
	id: parse-mcp-gateway
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_mcp_gateway_log.cjs');
	await main();
	- name: Print firewall logs
	if: always()
	continue-on-error: true
	env:
	AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
	run: \|
	# Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts
	# AWF runs with sudo, creating files owned by root
	sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null \|\| true
	# Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
	if command -v awf &> /dev/null; then
	awf logs summary \| tee -a "$GITHUB_STEP_SUMMARY"
	else
	echo 'AWF binary not installed, skipping firewall log summary'
	fi
	- name: Parse token usage for step summary
	if: always()
	continue-on-error: true
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_token_usage.cjs');
	await main();
	- name: Print AWF reflect summary
	if: always()
	continue-on-error: true
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/awf_reflect_summary.cjs');
	await main();
	- name: Write agent output placeholder if missing
	if: always()
	run: \|
	if [ ! -f /tmp/gh-aw/agent_output.json ]; then
	echo '{"items":[]}' > /tmp/gh-aw/agent_output.json
	fi
	- name: Upload agent artifacts
	if: always()
	continue-on-error: true
	uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
	with:
	name: agent
	path: \|
	/tmp/gh-aw/aw-prompts/prompt.txt
	/tmp/gh-aw/sandbox/agent/logs/
	/tmp/gh-aw/redacted-urls.log
	/tmp/gh-aw/mcp-logs/
	/tmp/gh-aw/proxy-logs/
	!/tmp/gh-aw/proxy-logs/proxy-tls/
	/tmp/gh-aw/agent_usage.json
	/tmp/gh-aw/agent-stdio.log
	/tmp/gh-aw/pre-agent-audit.txt
	/tmp/gh-aw/agent/
	/tmp/gh-aw/github_rate_limits.jsonl
	/tmp/gh-aw/safeoutputs.jsonl
	/tmp/gh-aw/agent_output.json
	/tmp/gh-aw/aw-*.patch
	/tmp/gh-aw/aw-*.bundle
	/tmp/gh-aw/awf-config.json
	/tmp/gh-aw/sandbox/firewall/logs/
	/tmp/gh-aw/sandbox/firewall/audit/
	/tmp/gh-aw/sandbox/firewall/awf-reflect.json
	if-no-files-found: ignore

	conclusion:
	needs:
	- activation
	- agent
	- detection
	- fetch-data
	- publish
	- safe_outputs
	if: >
	always() && (needs.agent.result != 'skipped' \|\| needs.activation.outputs.lockdown_check_failed == 'true' \|\|
	needs.activation.outputs.stale_lock_file_failed == 'true')
	runs-on: ubuntu-slim
	permissions: {}
	concurrency:
	group: "gh-aw-conclusion-milestone-changelog"
	cancel-in-progress: false
	outputs:
	incomplete_count: ${{ steps.report_incomplete.outputs.incomplete_count }}
	noop_message: ${{ steps.noop.outputs.noop_message }}
	tools_reported: ${{ steps.missing_tool.outputs.tools_reported }}
	total_count: ${{ steps.missing_tool.outputs.total_count }}
	steps:
	- name: Setup Scripts
	id: setup
	uses: github/gh-aw-actions/setup@ff0525b685481744f490a0d362753d8001e4b39d # v0.72.0
	with:
	destination: ${{ runner.temp }}/gh-aw/actions
	job-name: ${{ github.job }}
	trace-id: ${{ needs.activation.outputs.setup-trace-id }}
	env:
	GH_AW_SETUP_WORKFLOW_NAME: "Milestone Changelog Generator"
	GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/milestone-changelog.lock.yml@${{ github.ref }}
	GH_AW_INFO_VERSION: "1.0.40"
	- name: Download agent output artifact
	id: download-agent-output
	continue-on-error: true
	uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	with:
	name: agent
	path: /tmp/gh-aw/
	- name: Setup agent output environment variable
	id: setup-agent-output-env
	if: steps.download-agent-output.outcome == 'success'
	run: \|
	mkdir -p /tmp/gh-aw/
	find "/tmp/gh-aw/" -type f -print
	echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
	- name: Process no-op messages
	id: noop
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	env:
	GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
	GH_AW_NOOP_MAX: "1"
	GH_AW_WORKFLOW_NAME: "Milestone Changelog Generator"
	GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
	GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
	GH_AW_NOOP_REPORT_AS_ISSUE: "true"
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs');
	await main();
	- name: Log detection run
	id: detection_runs
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	env:
	GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
	GH_AW_WORKFLOW_NAME: "Milestone Changelog Generator"
	GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
	GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.outputs.detection_conclusion }}
	GH_AW_DETECTION_REASON: ${{ needs.detection.outputs.detection_reason }}
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_detection_runs.cjs');
	await main();
	- name: Record missing tool
	id: missing_tool
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	env:
	GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
	GH_AW_MISSING_TOOL_CREATE_ISSUE: "true"
	GH_AW_WORKFLOW_NAME: "Milestone Changelog Generator"
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/missing_tool.cjs');
	await main();
	- name: Record incomplete
	id: report_incomplete
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	env:
	GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
	GH_AW_REPORT_INCOMPLETE_CREATE_ISSUE: "true"
	GH_AW_WORKFLOW_NAME: "Milestone Changelog Generator"
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/report_incomplete_handler.cjs');
	await main();
	- name: Handle agent failure
	id: handle_agent_failure
	if: always()
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	env:
	GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
	GH_AW_WORKFLOW_NAME: "Milestone Changelog Generator"
	GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
	GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
	GH_AW_WORKFLOW_ID: "milestone-changelog"
	GH_AW_ACTION_FAILURE_ISSUE_EXPIRES_HOURS: "168"
	GH_AW_ENGINE_ID: "copilot"
	GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }}
	GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }}
	GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }}
	GH_AW_MCP_POLICY_ERROR: ${{ needs.agent.outputs.mcp_policy_error }}
	GH_AW_AGENTIC_ENGINE_TIMEOUT: ${{ needs.agent.outputs.agentic_engine_timeout }}
	GH_AW_MODEL_NOT_SUPPORTED_ERROR: ${{ needs.agent.outputs.model_not_supported_error }}
	GH_AW_ENGINE_API_HOSTS: "api.enterprise.githubcopilot.com,api.githubcopilot.com,api.business.githubcopilot.com,api.individual.githubcopilot.com"
	GH_AW_LOCKDOWN_CHECK_FAILED: ${{ needs.activation.outputs.lockdown_check_failed }}
	GH_AW_STALE_LOCK_FILE_FAILED: ${{ needs.activation.outputs.stale_lock_file_failed }}
	GH_AW_GROUP_REPORTS: "false"
	GH_AW_FAILURE_REPORT_AS_ISSUE: "true"
	GH_AW_MISSING_TOOL_REPORT_AS_FAILURE: "true"
	GH_AW_MISSING_DATA_REPORT_AS_FAILURE: "true"
	GH_AW_TIMEOUT_MINUTES: "30"
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_agent_failure.cjs');
	await main();

	detection:
	needs:
	- activation
	- agent
	if: >
	always() && needs.agent.result != 'skipped' && (needs.agent.outputs.output_types != '' \|\| needs.agent.outputs.has_patch == 'true')
	runs-on: ubuntu-latest
	permissions:
	contents: read
	outputs:
	detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }}
	detection_reason: ${{ steps.detection_conclusion.outputs.reason }}
	detection_success: ${{ steps.detection_conclusion.outputs.success }}
	steps:
	- name: Setup Scripts
	id: setup
	uses: github/gh-aw-actions/setup@ff0525b685481744f490a0d362753d8001e4b39d # v0.72.0
	with:
	destination: ${{ runner.temp }}/gh-aw/actions
	job-name: ${{ github.job }}
	trace-id: ${{ needs.activation.outputs.setup-trace-id }}
	env:
	GH_AW_SETUP_WORKFLOW_NAME: "Milestone Changelog Generator"
	GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/milestone-changelog.lock.yml@${{ github.ref }}
	GH_AW_INFO_VERSION: "1.0.40"
	- name: Download agent output artifact
	id: download-agent-output
	continue-on-error: true
	uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	with:
	name: agent
	path: /tmp/gh-aw/
	- name: Setup agent output environment variable
	id: setup-agent-output-env
	if: steps.download-agent-output.outcome == 'success'
	run: \|
	mkdir -p /tmp/gh-aw/
	find "/tmp/gh-aw/" -type f -print
	echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
	- name: Checkout repository for patch context
	if: needs.agent.outputs.has_patch == 'true'
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false
	# --- Threat Detection ---
	- name: Clean stale firewall files from agent artifact
	run: \|
	rm -rf /tmp/gh-aw/sandbox/firewall/logs
	rm -rf /tmp/gh-aw/sandbox/firewall/audit
	- name: Download container images
	run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.41 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.41 ghcr.io/github/gh-aw-firewall/squid:0.25.41
	- name: Check if detection needed
	id: detection_guard
	if: always()
	env:
	OUTPUT_TYPES: ${{ needs.agent.outputs.output_types }}
	HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
	run: \|
	if [[ -n "$OUTPUT_TYPES" \|\| "$HAS_PATCH" == "true" ]]; then
	echo "run_detection=true" >> "$GITHUB_OUTPUT"
	echo "Detection will run: output_types=$OUTPUT_TYPES, has_patch=$HAS_PATCH"
	else
	echo "run_detection=false" >> "$GITHUB_OUTPUT"
	echo "Detection skipped: no agent outputs or patches to analyze"
	fi
	- name: Clear MCP Config for detection
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	run: \|
	rm -f "${RUNNER_TEMP}/gh-aw/mcp-config/mcp-servers.json"
	rm -f /home/runner/.copilot/mcp-config.json
	rm -f "$GITHUB_WORKSPACE/.gemini/settings.json"
	- name: Prepare threat detection files
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	run: \|
	mkdir -p /tmp/gh-aw/threat-detection/aw-prompts
	cp /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt 2>/dev/null \|\| true
	cp /tmp/gh-aw/agent_output.json /tmp/gh-aw/threat-detection/agent_output.json 2>/dev/null \|\| true
	for f in /tmp/gh-aw/aw-*.patch; do
	[ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null \|\| true
	done
	for f in /tmp/gh-aw/aw-*.bundle; do
	[ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null \|\| true
	done
	echo "Prepared threat detection files:"
	ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null \|\| true
	- name: Setup threat detection
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	env:
	WORKFLOW_NAME: "Milestone Changelog Generator"
	WORKFLOW_DESCRIPTION: "Generates and maintains a changelog for a configured milestone by\nanalyzing merged pull requests.\nCreates or updates a wiki page named \"<milestone>-Change-log\" with a list\nof new features, improvements, and notable bug fixes. A companion GitHub issue collects\neditorial feedback (e.g., exclude a change, rename an entry, merge entries)."
	HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
	with:
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/setup_threat_detection.cjs');
	await main();
	- name: Ensure threat-detection directory and log
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	run: \|
	mkdir -p /tmp/gh-aw/threat-detection
	touch /tmp/gh-aw/threat-detection/detection.log
	- name: Setup Node.js
	uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
	with:
	node-version: '24'
	package-manager-cache: false
	- name: Install GitHub Copilot CLI
	run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.40
	env:
	GH_HOST: github.com
	- name: Install AWF binary
	run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.41
	- name: Execute GitHub Copilot CLI
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	continue-on-error: true
	id: detection_agentic_execution
	# Copilot CLI tool arguments (sorted):
	timeout-minutes: 20
	run: \|
	set -o pipefail
	touch /tmp/gh-aw/agent-step-summary.md
	GH_AW_NODE_BIN=$(command -v node 2>/dev/null \|\| true)
	export GH_AW_NODE_BIN
	(umask 177 && touch /tmp/gh-aw/threat-detection/detection.log)
	printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.25.41/awf-config.schema.json","network":{"allowDomains":["api.business.githubcopilot.com","api.enterprise.githubcopilot.com","api.github.com","api.githubcopilot.com","api.individual.githubcopilot.com","github.com","host.docker.internal","telemetry.enterprise.githubcopilot.com"]},"apiProxy":{"enabled":true},"container":{"imageTag":"0.25.41"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" && cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json
	# shellcheck disable=SC1003
	sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
	-- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 4 -type d -name bin 2>/dev/null \| tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" \|\| true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] \|\| [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null \|\| echo node)"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 \| tee -a /tmp/gh-aw/threat-detection/detection.log
	env:
	COPILOT_AGENT_RUNNER_TYPE: STANDALONE
	COPILOT_API_KEY: dummy-byok-key-for-offline-mode
	COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
	COPILOT_MODEL: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT \|\| 'claude-sonnet-4.6' }}
	GH_AW_PHASE: detection
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_VERSION: v0.72.0
	GITHUB_API_URL: ${{ github.api_url }}
	GITHUB_AW: true
	GITHUB_COPILOT_INTEGRATION_ID: agentic-workflows
	GITHUB_HEAD_REF: ${{ github.head_ref }}
	GITHUB_REF_NAME: ${{ github.ref_name }}
	GITHUB_SERVER_URL: ${{ github.server_url }}
	GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md
	GITHUB_WORKSPACE: ${{ github.workspace }}
	GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com
	GIT_AUTHOR_NAME: github-actions[bot]
	GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
	GIT_COMMITTER_NAME: github-actions[bot]
	XDG_CONFIG_HOME: /home/runner
	- name: Upload threat detection log
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
	with:
	name: detection
	path: /tmp/gh-aw/threat-detection/detection.log
	if-no-files-found: ignore
	- name: Parse and conclude threat detection
	id: detection_conclusion
	if: always()
	continue-on-error: true
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	env:
	RUN_DETECTION: ${{ steps.detection_guard.outputs.run_detection }}
	GH_AW_DETECTION_CONTINUE_ON_ERROR: "true"
	with:
	script: \|
	try {
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_threat_detection_results.cjs');
	await main();
	} catch (loadErr) {
	const continueOnError = process.env.GH_AW_DETECTION_CONTINUE_ON_ERROR !== 'false';
	const msg = 'ERR_SYSTEM: \u274C Unexpected error loading threat detection module: ' + (loadErr && loadErr.message ? loadErr.message : String(loadErr));
	core.error(msg);
	core.setOutput('reason', 'parse_error');
	if (continueOnError) {
	core.warning('\u26A0\uFE0F ' + msg);
	core.setOutput('conclusion', 'warning');
	core.setOutput('success', 'false');
	} else {
	core.setOutput('conclusion', 'failure');
	core.setOutput('success', 'false');
	core.setFailed(msg);
	}
	}

	fetch-data:
	needs: activation
	runs-on: ubuntu-latest
	permissions:
	contents: read
	issues: read
	pull-requests: read

	env:
	GH_TOKEN: ${{ github.token }}
	outputs:
	has-work: ${{ steps.fetch.outputs.has_work }}
	steps:
	- name: Configure GH_HOST for enterprise compatibility
	id: ghes-host-config
	shell: bash
	run: \|
	# Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
	# GitHub instance (GHES/GHEC). On github.com this is a harmless no-op.
	GH_HOST="${GITHUB_SERVER_URL#https://}"
	GH_HOST="${GH_HOST#http://}"
	echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV"
	- id: fetch
	run: \|
	set -euo pipefail
	REPO="${{ github.repository }}"
	MILESTONE="${{ env.MILESTONE }}"
	BATCH_SIZE="${{ env.BATCH_SIZE }}"
	DATA_DIR="/tmp/gh-aw/pr-data"
	mkdir -p "$DATA_DIR"

	# 0. Clone the memory branch to read existing state (prs/, changes/,
	# feedback-issue.json). The full content is copied to
	# $DATA_DIR/memory/$MILESTONE/ so the agent can read it directly.
	# This branch contains only changelog state files, so the clone
	# is lightweight even without sparse-checkout.
	MEMORY_REF="memory/milestone-changelog"
	MEMORY_DIR="$DATA_DIR/memory/$MILESTONE"
	PROCESSED_NUMBERS="[]"
	PROCESSED_DOCS_NUMBERS="[]"
	FEEDBACK_FROM_MEMORY=""
	MEMORY_TMP=$(mktemp -d)
	CLONE_ERR=$(mktemp)
	if git clone --depth 1 --branch "$MEMORY_REF" \
	"https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git" \
	"$MEMORY_TMP/repo" 2>"$CLONE_ERR"; then
	SRC_DIR="$MEMORY_TMP/repo/${MILESTONE}"
	if [ -d "$SRC_DIR" ]; then
	mkdir -p "$MEMORY_DIR"
	cp -r "$SRC_DIR/." "$MEMORY_DIR/"
	echo "Copied memory branch content to $MEMORY_DIR (read)"

	# Seed the write directory with the same content so it starts
	# as a complete copy. The agent only needs to add/modify files;
	# the publish job pushes the write directory as the new state.
	WRITE_DIR="/tmp/gh-aw/agent/memory/$MILESTONE"
	mkdir -p "$WRITE_DIR"
	cp -r "$SRC_DIR/." "$WRITE_DIR/"
	echo "Seeded write directory $WRITE_DIR"
	fi

	PRS_DIR="$MEMORY_DIR/prs"
	# Since tracker files only exist for processed PRs, extract all numbers.
	# Filenames follow the pattern TIMESTAMP-NUMBER.json, so we parse the
	# PR number from the filename instead of reading every JSON file (which
	# can fail when the glob expands to hundreds of arguments).
	if [ -d "$PRS_DIR" ]; then
	PRS_LISTING=$(ls "$PRS_DIR" 2>/dev/null \
	\| sed -n 's/.-$[0-9]$\.json$/\1/p' \
	\| jq -Rs '[split("\n") \| .[] \| select(. != "") \| tonumber]')
	if echo "$PRS_LISTING" \| jq -e 'type == "array" and length > 0' >/dev/null 2>&1; then
	PROCESSED_NUMBERS="$PRS_LISTING"
	fi
	echo "Extracted $(echo "$PROCESSED_NUMBERS" \| jq length) processed PR numbers from filenames"
	fi

	DOCS_PRS_DIR="$MEMORY_DIR/prs-docs"
	if [ -d "$DOCS_PRS_DIR" ]; then
	DOCS_PRS_LISTING=$(ls "$DOCS_PRS_DIR" 2>/dev/null \
	\| sed -n 's/.-$[0-9]$\.json$/\1/p' \
	\| jq -Rs '[split("\n") \| .[] \| select(. != "") \| tonumber]')
	if echo "$DOCS_PRS_LISTING" \| jq -e 'type == "array" and length > 0' >/dev/null 2>&1; then
	PROCESSED_DOCS_NUMBERS="$DOCS_PRS_LISTING"
	fi
	echo "Extracted $(echo "$PROCESSED_DOCS_NUMBERS" \| jq length) processed docs PR numbers from filenames"
	fi

	# Also grab the feedback issue number from memory
	FEEDBACK_FILE="$MEMORY_DIR/feedback-issue.json"
	if [ -f "$FEEDBACK_FILE" ]; then
	FEEDBACK_FROM_MEMORY=$(jq -r '.number' "$FEEDBACK_FILE")
	fi
	else
	# Log the error unless it's just a missing branch
	if ! grep -qi 'not found\\|could not find' "$CLONE_ERR"; then
	echo "::warning::Memory branch clone failed: $(cat "$CLONE_ERR")"
	fi
	fi
	rm -f "$CLONE_ERR"

	# 1. Fetch ALL merged PRs in milestone, sorted by merge date ascending
	gh pr list --repo "$REPO" --state merged --limit 5000 \
	--search "milestone:$MILESTONE" \
	--json number,title,body,author,mergedBy,mergedAt,labels,additions,deletions,changedFiles \
	\| jq 'sort_by(.mergedAt)' \
	> "$DATA_DIR/all-milestone-prs.json"

	TOTAL=$(jq length "$DATA_DIR/all-milestone-prs.json")
	echo "Total merged PRs in milestone: $TOTAL"

	# 2. Determine the batch of unprocessed PRs

	# Filter all-milestone-prs to only unprocessed, take oldest BATCH_SIZE.
	# Build a lookup object from processed numbers for O(1) membership checks.
	jq --argjson processed "$PROCESSED_NUMBERS" \
	--argjson batch_size "$BATCH_SIZE" \
	'($processed \| map({(tostring): true}) \| add // {}) as $set \| [.[] \| select($set[.number \| tostring] \| not)] \| .[0:$batch_size]' \
	"$DATA_DIR/all-milestone-prs.json" \
	> "$DATA_DIR/batch-prs.json"

	BATCH_COUNT=$(jq length "$DATA_DIR/batch-prs.json")
	PROCESSED_COUNT=$(echo "$PROCESSED_NUMBERS" \| jq length)
	echo "Already processed: $PROCESSED_COUNT"
	echo "Batch PRs (oldest $BATCH_SIZE unprocessed): $BATCH_COUNT"

	rm -rf "$MEMORY_TMP"

	# 2a. Enrich batch PRs with comments, files, and authorAssociation.
	# The per-PR author_association from the REST API is unreliable
	# with GITHUB_TOKEN: org members show as CONTRIBUTOR because the
	# token lacks org-level read scope. Instead, we check each author
	# via the per-user collaborator/permission endpoint (only needs
	# metadata-read scope). Authors with write/maintain/admin are
	# MEMBER; others are CONTRIBUTOR.
	if [ "$BATCH_COUNT" -gt 0 ]; then
	echo "Enriching batch PRs with authorAssociation, comments, and files..."
	: > "$DATA_DIR/enrichment.jsonl"
	for NUM in $(jq -r '.[].number' "$DATA_DIR/batch-prs.json"); do
	VIEW=$(gh pr view "$NUM" --repo "$REPO" --json files,comments 2>/dev/null) \
	\|\| VIEW='{"files":[],"comments":[]}'
	# Determine authorAssociation via per-user permission endpoint.
	# This endpoint only requires metadata-read scope, unlike the
	# bulk collaborators list which requires push/admin access.
	AUTHOR=$(jq -r --argjson n "$NUM" '.[] \| select(.number == $n) \| .author.login' "$DATA_DIR/batch-prs.json")
	if [ -z "$AUTHOR" ] \|\| [ "$AUTHOR" = "null" ]; then
	ASSOC="UNKNOWN"
	else
	PERM=$(gh api "repos/$REPO/collaborators/$AUTHOR/permission" --jq '.permission' 2>/dev/null) \|\| PERM=""
	case "$PERM" in
	write\|maintain\|admin) ASSOC="MEMBER" ;;
	*) ASSOC="CONTRIBUTOR" ;;
	esac
	fi
	echo "$VIEW" \| jq --arg n "$NUM" --arg a "$ASSOC" '{($n): {
	authorAssociation: $a,
	comments: [(.comments // [])[] \| {author: .author.login, body: .body, createdAt: .createdAt}],
	files: [(.files // [])[] \| {path: .path, additions: .additions, deletions: .deletions, changeType: .changeType}]
	}}' >> "$DATA_DIR/enrichment.jsonl"
	done
	# Merge enrichment lookup into batch-prs.json
	jq -s 'add // {}' "$DATA_DIR/enrichment.jsonl" \
	\| jq --slurpfile prs "$DATA_DIR/batch-prs.json" '. as $lookup \| $prs[0] \| map(
	($lookup[(.number \| tostring)] // {}) as $e \|
	. + {authorAssociation: ($e.authorAssociation // "UNKNOWN"), comments: ($e.comments // []), files: ($e.files // [])}
	)' > "$DATA_DIR/batch-prs-tmp.json" \
	&& mv "$DATA_DIR/batch-prs-tmp.json" "$DATA_DIR/batch-prs.json"
	rm -f "$DATA_DIR/enrichment.jsonl"
	echo "Enriched $BATCH_COUNT batch PRs with authorAssociation, comments, and files"
	fi

	# 2b. Fetch docs PRs from DOCS_REPO merged after milestone start date.
	# Cap the date range to the most recently merged PR in the current
	# batch so that docs PRs are only evaluated once their corresponding
	# product PRs have been processed. When the batch is smaller than
	# BATCH_SIZE, all product PRs are caught up and no cap is needed.
	DOCS_REPO="${{ env.DOCS_REPO }}"
	MILESTONE_START="${{ env.MILESTONE_START }}"
	DOCS_MERGED_RANGE="merged:>=${MILESTONE_START}"
	if [ "$BATCH_COUNT" -ge "$BATCH_SIZE" ]; then
	BATCH_CUTOFF=$(jq -r '.[-1].mergedAt' "$DATA_DIR/batch-prs.json")
	DOCS_MERGED_RANGE="merged:${MILESTONE_START}..${BATCH_CUTOFF}"
	echo "Capping docs PRs to merged on or before $BATCH_CUTOFF (batch is full)"
	fi
	gh pr list --repo "$DOCS_REPO" --state merged --limit 5000 \
	--search "$DOCS_MERGED_RANGE" \
	--json number,title,body,author,mergedBy,mergedAt,labels,additions,deletions,changedFiles,files \
	\| jq 'sort_by(.mergedAt)' \
	> "$DATA_DIR/all-docs-prs.json"

	DOCS_TOTAL=$(jq length "$DATA_DIR/all-docs-prs.json")
	echo "Total docs PRs merged since $MILESTONE_START: $DOCS_TOTAL"

	jq --argjson processed "$PROCESSED_DOCS_NUMBERS" \
	--argjson batch_size "$BATCH_SIZE" \
	'($processed \| map({(tostring): true}) \| add // {}) as $set \| [.[] \| select($set[.number \| tostring] \| not)] \| .[0:$batch_size]' \
	"$DATA_DIR/all-docs-prs.json" \
	> "$DATA_DIR/batch-docs-prs.json"

	DOCS_BATCH_COUNT=$(jq length "$DATA_DIR/batch-docs-prs.json")
	DOCS_PROCESSED_COUNT=$(echo "$PROCESSED_DOCS_NUMBERS" \| jq length)
	echo "Docs PRs already processed: $DOCS_PROCESSED_COUNT"
	echo "Docs PRs batch (oldest $BATCH_SIZE unprocessed): $DOCS_BATCH_COUNT"

	# 3. Check if there is work to do (unprocessed PRs, unprocessed docs PRs, or updated feedback)
	HAS_WORK="false"
	if [ "$BATCH_COUNT" -gt 0 ]; then
	echo "Has $BATCH_COUNT unprocessed PRs"
	HAS_WORK="true"
	fi
	if [ "$DOCS_BATCH_COUNT" -gt 0 ]; then
	echo "Has $DOCS_BATCH_COUNT unprocessed docs PRs"
	HAS_WORK="true"
	fi

	# 4. Find the feedback issue number (check memory branch first, fallback to search)
	FEEDBACK_TITLE="[${MILESTONE}] Changelog feedback"
	FEEDBACK_NUM="${FEEDBACK_FROM_MEMORY:-}"
	if [ -n "$FEEDBACK_NUM" ]; then
	echo "Feedback issue from memory branch: #$FEEDBACK_NUM"
	fi

	if [ -z "$FEEDBACK_NUM" ]; then
	FEEDBACK_NUM=$(gh issue list --repo "$REPO" --state open --limit 5 \
	--search "in:title \"$FEEDBACK_TITLE\"" \
	--json number,title \
	--jq '.[] \| select(.title == "'"$FEEDBACK_TITLE"'") \| .number' \
	2>/dev/null \|\| true)
	fi

	if [ -n "$FEEDBACK_NUM" ]; then
	FEEDBACK_UPDATED_AT=$(gh api "repos/$REPO/issues/$FEEDBACK_NUM" --jq '.updated_at' 2>/dev/null \|\| true)
	jq -n --argjson num "$FEEDBACK_NUM" --arg updatedAt "${FEEDBACK_UPDATED_AT:-}" \
	'{number: $num, updatedAt: $updatedAt}' > "$DATA_DIR/feedback-issue.json"
	echo "Feedback issue: #$FEEDBACK_NUM (updated: $FEEDBACK_UPDATED_AT)"

	# If no unprocessed PRs, check if feedback has new comments since
	# the last run by comparing the current updatedAt against the value
	# stored on the memory branch. This avoids re-triggering indefinitely
	# once feedback is newer than the latest PR merge.
	if [ "$HAS_WORK" = "false" ] && [ -n "$FEEDBACK_UPDATED_AT" ]; then
	SAVED_UPDATED_AT=""
	if [ -f "$MEMORY_DIR/feedback-issue.json" ]; then
	SAVED_UPDATED_AT=$(jq -r '.updatedAt // empty' "$MEMORY_DIR/feedback-issue.json")
	fi
	if [ -z "$SAVED_UPDATED_AT" ] \|\| [[ "$FEEDBACK_UPDATED_AT" > "$SAVED_UPDATED_AT" ]]; then
	echo "Feedback updated since last run (saved: ${SAVED_UPDATED_AT:-none}, current: $FEEDBACK_UPDATED_AT)"
	HAS_WORK="true"
	fi
	fi
	else
	echo "No feedback issue found"
	fi

	# 5. Fetch existing changelog body from wiki page (avoids storing it in the memory branch)
	PAGE_NAME="${MILESTONE}-Change-log"
	WIKI_TMP=$(mktemp -d)
	if git clone --depth 1 "https://x-access-token:${GH_TOKEN}@github.com/${REPO}.wiki.git" "$WIKI_TMP/wiki" 2>/dev/null; then
	if [ -f "$WIKI_TMP/wiki/${PAGE_NAME}.md" ]; then
	cp "$WIKI_TMP/wiki/${PAGE_NAME}.md" "$DATA_DIR/existing-body.md"
	BODY_SIZE=$(wc -c < "$DATA_DIR/existing-body.md")
	echo "Fetched existing wiki page: ${BODY_SIZE} bytes"
	else
	echo "No existing wiki page found"
	fi
	else
	echo "Could not clone wiki repo (may not exist yet)"
	fi
	rm -rf "$WIKI_TMP"

	echo "has_work=$HAS_WORK" >> "$GITHUB_OUTPUT"
	- if: steps.fetch.outputs.has_work == 'true'
	uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
	with:
	name: changelog-data
	path: /tmp/gh-aw/

	publish:
	needs:
	- agent
	- detection
	if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'publish')
	runs-on: ubuntu-latest
	permissions:
	contents: write
	issues: write
	steps:
	- name: Download agent output artifact
	continue-on-error: true
	uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	with:
	name: agent
	path: ${{ runner.temp }}/gh-aw/safe-jobs/
	- name: Configure Safe Outputs Job Environment Variables
	id: setup-safe-job-env
	run: \|
	find "${RUNNER_TEMP}/gh-aw/safe-jobs/" -type f -print
	echo "GH_AW_AGENT_OUTPUT=${RUNNER_TEMP}/gh-aw/safe-jobs/agent_output.json" >> "$GITHUB_OUTPUT"
	echo "GH_TOKEN=${{ github.token }}" >> "$GITHUB_OUTPUT"
	- name: Publish changelog and update memory branch
	run: \|
	set -euo pipefail

	OUTPUT_FILE="$GH_AW_AGENT_OUTPUT"
	if [ -z "$OUTPUT_FILE" ]; then
	echo "::error::No GH_AW_AGENT_OUTPUT environment variable found"
	exit 1
	fi

	ARTIFACT_DIR=$(dirname "$OUTPUT_FILE")
	BODY_FILE="$ARTIFACT_DIR/agent/new-body.md"
	if [ ! -f "$BODY_FILE" ]; then
	echo "::error::Changelog body not found at $BODY_FILE"
	exit 1
	fi
	BODY_SIZE=$(wc -c < "$BODY_FILE")
	if [ "$BODY_SIZE" -eq 0 ]; then
	echo "::error::Changelog body file is empty"
	exit 1
	fi
	echo "Changelog body: $BODY_SIZE bytes"

	REPO="${{ github.repository }}"
	MILESTONE="${{ env.MILESTONE }}"
	PAGE_NAME="${MILESTONE}-Change-log"
	FEEDBACK_TITLE="[${MILESTONE}] Changelog feedback"
	MEMORY_BRANCH="memory/milestone-changelog"

	# ── 1. Publish wiki page ──
	if ! git clone --depth 1 \
	"https://x-access-token:${GH_TOKEN}@github.com/${REPO}.wiki.git" \
	wiki-repo 2>/dev/null; then
	# Wiki doesn't exist yet — initialize an empty repo
	git init wiki-repo
	git -C wiki-repo remote add origin \
	"https://x-access-token:${GH_TOKEN}@github.com/${REPO}.wiki.git"
	fi
	cp "$BODY_FILE" "wiki-repo/${PAGE_NAME}.md"
	git -C wiki-repo config user.name "github-actions[bot]"
	git -C wiki-repo config user.email "github-actions[bot]@users.noreply.github.com"
	git -C wiki-repo add "${PAGE_NAME}.md"

	if git -C wiki-repo diff --cached --quiet; then
	echo "No changes to wiki page"
	else
	git -C wiki-repo commit -m "Update ${PAGE_NAME}"
	git -C wiki-repo push
	echo "Wiki page ${PAGE_NAME} updated"
	fi

	# ── 2. Push state to memory branch ──
	MEMORY_DIR="$ARTIFACT_DIR/agent/memory/$MILESTONE"
	if [ -d "$MEMORY_DIR" ]; then
	if ! git clone --depth 1 --branch "$MEMORY_BRANCH" \
	"https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git" \
	memory-repo 2>/dev/null; then
	echo "Memory branch does not exist yet, creating orphan branch"
	git init memory-repo
	git -C memory-repo checkout --orphan "$MEMORY_BRANCH"
	git -C memory-repo remote add origin \
	"https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git"
	fi
	git -C memory-repo config user.name "github-actions[bot]"
	git -C memory-repo config user.email "github-actions[bot]@users.noreply.github.com"

	# Copy agent memory files into the memory repo
	mkdir -p "memory-repo/$MILESTONE"
	cp -r "$MEMORY_DIR/." "memory-repo/$MILESTONE/"

	git -C memory-repo add -A
	if git -C memory-repo diff --cached --quiet; then
	echo "No changes to memory branch"
	else
	RUN_ID="${GITHUB_RUN_ID:-unknown}"
	git -C memory-repo commit -m "Update repo memory from workflow run $RUN_ID"
	git -C memory-repo push origin "HEAD:$MEMORY_BRANCH"
	echo "Memory branch updated"
	fi
	else
	echo "No memory directory in agent artifact, skipping memory update"
	fi

	# ── 3. Ensure companion feedback issue exists ──
	EXISTING=$(gh issue list --repo "$REPO" --state open --limit 5 \
	--search "in:title \"$FEEDBACK_TITLE\"" \
	--json number,title \
	--jq ".[] \| select(.title == \"$FEEDBACK_TITLE\") \| .number" \
	2>/dev/null \|\| true)

	if [ -z "$EXISTING" ]; then
	WIKI_URL="https://github.com/${REPO}/wiki/${PAGE_NAME}"
	ISSUE_BODY=$(printf 'Post comments on this issue to provide editorial feedback for the [%s wiki page](%s).\n\nExamples: "Exclude PR #1234", "Rename: X → Y", "Merge PRs #1234 and #5678".' "$PAGE_NAME" "$WIKI_URL")
	gh issue create --repo "$REPO" \
	--title "$FEEDBACK_TITLE" \
	--label "changelog" \
	--body "$ISSUE_BODY"
	echo "Created feedback issue: $FEEDBACK_TITLE"
	fi
	env:
	GH_AW_AGENT_OUTPUT: ${{ steps.setup-safe-job-env.outputs.GH_AW_AGENT_OUTPUT }}
	GH_TOKEN: ${{ steps.setup-safe-job-env.outputs.GH_TOKEN }}

	safe_outputs:
	needs:
	- activation
	- agent
	- detection
	if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.result == 'success'
	runs-on: ubuntu-slim
	permissions: {}
	timeout-minutes: 15
	env:
	GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/milestone-changelog"
	GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.outputs.detection_conclusion }}
	GH_AW_DETECTION_REASON: ${{ needs.detection.outputs.detection_reason }}
	GH_AW_EFFECTIVE_TOKENS: ${{ needs.agent.outputs.effective_tokens }}
	GH_AW_ENGINE_ID: "copilot"
	GH_AW_ENGINE_MODEL: ${{ needs.agent.outputs.model }}
	GH_AW_ENGINE_VERSION: "1.0.40"
	GH_AW_WORKFLOW_ID: "milestone-changelog"
	GH_AW_WORKFLOW_NAME: "Milestone Changelog Generator"
	outputs:
	code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }}
	code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }}
	create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }}
	create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }}
	process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }}
	process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
	steps:
	- name: Setup Scripts
	id: setup
	uses: github/gh-aw-actions/setup@ff0525b685481744f490a0d362753d8001e4b39d # v0.72.0
	with:
	destination: ${{ runner.temp }}/gh-aw/actions
	job-name: ${{ github.job }}
	trace-id: ${{ needs.activation.outputs.setup-trace-id }}
	env:
	GH_AW_SETUP_WORKFLOW_NAME: "Milestone Changelog Generator"
	GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/milestone-changelog.lock.yml@${{ github.ref }}
	GH_AW_INFO_VERSION: "1.0.40"
	- name: Download agent output artifact
	id: download-agent-output
	continue-on-error: true
	uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	with:
	name: agent
	path: /tmp/gh-aw/
	- name: Setup agent output environment variable
	id: setup-agent-output-env
	if: steps.download-agent-output.outcome == 'success'
	run: \|
	mkdir -p /tmp/gh-aw/
	find "/tmp/gh-aw/" -type f -print
	echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
	- name: Configure GH_HOST for enterprise compatibility
	id: ghes-host-config
	shell: bash
	run: \|
	# Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
	# GitHub instance (GHES/GHEC). On github.com this is a harmless no-op.
	GH_HOST="${GITHUB_SERVER_URL#https://}"
	GH_HOST="${GH_HOST#http://}"
	echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV"
	- name: Process Safe Outputs
	id: process_safe_outputs
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	env:
	GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
	GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com"
	GITHUB_SERVER_URL: ${{ github.server_url }}
	GITHUB_API_URL: ${{ github.api_url }}
	GH_AW_SAFE_OUTPUT_JOBS: "{\"publish\":\"\"}"
	GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"report_incomplete\":{}}"
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io, getOctokit);
	const { main } = require('${{ runner.temp }}/gh-aw/actions/safe_output_handler_manager.cjs');
	await main();
	- name: Upload Safe Outputs Items
	if: always()
	uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
	with:
	name: safe-outputs-items
	path: \|
	/tmp/gh-aw/safe-output-items.jsonl
	/tmp/gh-aw/temporary-id-map.json
	if-no-files-found: ignore

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Milestone Changelog Generator #418

Workflow file

Milestone Changelog Generator #418

Uh oh!

Workflow file for this run