chore: sync actions from gh-aw@v0.65.1 (#57)

github-actions[bot] · web-flow · commit d478fe1c5f5e · 2026-03-31T08:00:34.000-07:00
Co-authored-by: github-actions[bot] &lt;41898282+github-actions[bot]@users.noreply.github.com&gt;
diff --git a/setup-cli/install.sh b/setup-cli/install.sh
@@ -3,11 +3,13 @@
 # Script to download and install gh-aw binary for the current OS and architecture
 # Supports: Linux, macOS (Darwin), FreeBSD, Windows (Git Bash/MSYS/Cygwin)
 # Usage: ./install-gh-aw.sh [version] [options]
-# If no version is specified, it will use "latest" (GitHub automatically resolves to the latest release)
+# If no version is specified, it will use "stable" (resolved from .github/aw/releases.json)
+# Version aliases (e.g. "stable", "latest") are resolved via .github/aw/releases.json before download.
 # Note: Checksum validation is currently skipped by default (will be enabled in future releases)
 # 
 # Examples:
-#   ./install-gh-aw.sh                           # Install latest version
+#   ./install-gh-aw.sh                           # Install stable version
+#   ./install-gh-aw.sh latest                    # Install latest version
 #   ./install-gh-aw.sh v1.0.0                    # Install specific version
 #   ./install-gh-aw.sh --skip-checksum           # Skip checksum validation
 #
@@ -224,17 +226,49 @@ fetch_release_data() {
     return 1
 }
 
-# Get version (use provided version or default to "latest")
+# Get version (use provided version or default to "stable")
 # VERSION is already set from argument parsing
 REPO="github/gh-aw"
 
 if [ -z "$VERSION" ]; then
-    print_info "No version specified, using 'latest'..."
-    VERSION="latest"
+    print_info "No version specified, using 'stable'..."
+    VERSION="stable"
 else
     print_info "Using specified version: $VERSION"
 fi
 
+# Resolve version aliases from releases.json
+RELEASES_JSON_URL="https://raw.githubusercontent.com/$REPO/main/.github/aw/releases.json"
+print_info "Resolving version alias '$VERSION' from $RELEASES_JSON_URL..."
+
+releases_json=""
+releases_json=$(curl -s -f "$RELEASES_JSON_URL" 2>/dev/null) || true
+
+if [ -n "$releases_json" ]; then
+    resolved_version=""
+    if [ "$HAS_JQ" = true ]; then
+        resolved_version=$(echo "$releases_json" | jq -r ".aliases[\"$VERSION\"] // empty" 2>/dev/null) || {
+            print_info "jq failed to parse releases.json; alias resolution skipped"
+        }
+    else
+        # Fallback: extract alias value using grep/sed
+        # Escape regex special characters in VERSION to avoid unintended matches
+        version_escaped=$(printf '%s' "$VERSION" | sed 's/[.[\*^$]/\\&/g')
+        resolved_version=$(echo "$releases_json" | grep -o "\"${version_escaped}\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" | sed 's/.*:[[:space:]]*"\([^"]*\)"/\1/' | head -1) || true
+    fi
+
+    if [ -n "$resolved_version" ] && [ "$resolved_version" != "$VERSION" ]; then
+        print_info "Resolved alias '$VERSION' -> '$resolved_version'"
+        VERSION="$resolved_version"
+    elif [ -n "$resolved_version" ]; then
+        print_warning "Version '$VERSION' is an alias for itself in releases.json (no change); this may indicate a misconfiguration"
+    else
+        print_info "No alias found for '$VERSION', using it as-is"
+    fi
+else
+    print_warning "Could not fetch releases.json; proceeding with version '$VERSION' as-is"
+fi
+
 # Try gh extension install if requested (and gh is available)
 if [ "$TRY_GH_INSTALL" = true ] && command -v gh &> /dev/null; then
     print_info "Attempting to install gh-aw using 'gh extension install'..."
diff --git a/setup/js/add_reaction.cjs b/setup/js/add_reaction.cjs
@@ -36,98 +36,114 @@ async function main() {
   }
 
   // Determine the API endpoint based on the event type
-  let reactionEndpoint;
   const eventName = context.eventName;
   const owner = context.repo.owner;
   const repo = context.repo.repo;
 
-  try {
-    switch (eventName) {
-      case "issues": {
-        const issueNumber = context.payload?.issue?.number;
-        if (!issueNumber) {
-          core.setFailed(`${ERR_NOT_FOUND}: Issue number not found in event payload`);
-          return;
-        }
-        reactionEndpoint = `/repos/${owner}/${repo}/issues/${issueNumber}/reactions`;
-        break;
+  /** @type {string | undefined} */
+  let reactionEndpoint;
+
+  switch (eventName) {
+    case "issues": {
+      const issueNumber = context.payload?.issue?.number;
+      if (!issueNumber) {
+        core.setFailed(`${ERR_NOT_FOUND}: Issue number not found in event payload`);
+        return;
       }
+      reactionEndpoint = `/repos/${owner}/${repo}/issues/${issueNumber}/reactions`;
+      break;
+    }
 
-      case "issue_comment": {
-        const commentId = context.payload?.comment?.id;
-        if (!commentId) {
-          core.setFailed(`${ERR_VALIDATION}: Comment ID not found in event payload`);
-          return;
-        }
-        reactionEndpoint = `/repos/${owner}/${repo}/issues/comments/${commentId}/reactions`;
-        break;
+    case "issue_comment": {
+      const commentId = context.payload?.comment?.id;
+      if (!commentId) {
+        core.setFailed(`${ERR_VALIDATION}: Comment ID not found in event payload`);
+        return;
       }
+      reactionEndpoint = `/repos/${owner}/${repo}/issues/comments/${commentId}/reactions`;
+      break;
+    }
 
-      case "pull_request": {
-        const prNumber = context.payload?.pull_request?.number;
-        if (!prNumber) {
-          core.setFailed(`${ERR_NOT_FOUND}: Pull request number not found in event payload`);
-          return;
-        }
-        // PRs are "issues" for the reactions endpoint
-        reactionEndpoint = `/repos/${owner}/${repo}/issues/${prNumber}/reactions`;
-        break;
+    case "pull_request": {
+      const prNumber = context.payload?.pull_request?.number;
+      if (!prNumber) {
+        core.setFailed(`${ERR_NOT_FOUND}: Pull request number not found in event payload`);
+        return;
       }
+      // PRs are "issues" for the reactions endpoint
+      reactionEndpoint = `/repos/${owner}/${repo}/issues/${prNumber}/reactions`;
+      break;
+    }
 
-      case "pull_request_review_comment": {
-        const reviewCommentId = context.payload?.comment?.id;
-        if (!reviewCommentId) {
-          core.setFailed(`${ERR_VALIDATION}: Review comment ID not found in event payload`);
-          return;
-        }
-        reactionEndpoint = `/repos/${owner}/${repo}/pulls/comments/${reviewCommentId}/reactions`;
-        break;
+    case "pull_request_review_comment": {
+      const reviewCommentId = context.payload?.comment?.id;
+      if (!reviewCommentId) {
+        core.setFailed(`${ERR_VALIDATION}: Review comment ID not found in event payload`);
+        return;
       }
+      reactionEndpoint = `/repos/${owner}/${repo}/pulls/comments/${reviewCommentId}/reactions`;
+      break;
+    }
 
-      case "discussion": {
-        const discussionNumber = context.payload?.discussion?.number;
-        if (!discussionNumber) {
-          core.setFailed(`${ERR_NOT_FOUND}: Discussion number not found in event payload`);
-          return;
-        }
-        // Discussions use GraphQL API - get the node ID
+    case "discussion": {
+      const discussionNumber = context.payload?.discussion?.number;
+      if (!discussionNumber) {
+        core.setFailed(`${ERR_NOT_FOUND}: Discussion number not found in event payload`);
+        return;
+      }
+      // Discussions use GraphQL API - get the node ID
+      try {
         const discussionNodeId = await getDiscussionNodeId(owner, repo, discussionNumber);
         await addDiscussionReaction(discussionNodeId, reaction);
-        return; // Early return for discussion events
+      } catch (error) {
+        handleReactionError(error);
       }
+      return;
+    }
 
-      case "discussion_comment": {
-        const commentNodeId = context.payload?.comment?.node_id;
-        if (!commentNodeId) {
-          core.setFailed(`${ERR_NOT_FOUND}: Discussion comment node ID not found in event payload`);
-          return;
-        }
+    case "discussion_comment": {
+      const commentNodeId = context.payload?.comment?.node_id;
+      if (!commentNodeId) {
+        core.setFailed(`${ERR_NOT_FOUND}: Discussion comment node ID not found in event payload`);
+        return;
+      }
+      try {
         await addDiscussionReaction(commentNodeId, reaction);
-        return; // Early return for discussion comment events
+      } catch (error) {
+        handleReactionError(error);
       }
-
-      default:
-        core.setFailed(`${ERR_VALIDATION}: Unsupported event type: ${eventName}`);
-        return;
+      return;
     }
 
-    // Add reaction using REST API (for non-discussion events)
-    core.info(`Adding reaction to: ${reactionEndpoint}`);
-    await addReaction(/** @type {string} */ reactionEndpoint, reaction);
-  } catch (error) {
-    const errorMessage = getErrorMessage(error);
-
-    // Check if the error is due to a locked issue/PR/discussion
-    if (isLockedError(error)) {
-      // Silently ignore locked resource errors - just log for debugging
-      core.info(`Cannot add reaction: resource is locked (this is expected and not an error)`);
+    default:
+      core.setFailed(`${ERR_VALIDATION}: Unsupported event type: ${eventName}`);
       return;
-    }
+  }
 
-    // For other errors, fail as before
-    core.error(`Failed to add reaction: ${errorMessage}`);
-    core.setFailed(`${ERR_API}: Failed to add reaction: ${errorMessage}`);
+  // Add reaction using REST API (for non-discussion events)
+  // reactionEndpoint is always defined here - all other cases return early
+  if (!reactionEndpoint) return;
+  core.info(`Adding reaction to: ${reactionEndpoint}`);
+  try {
+    await addReaction(reactionEndpoint, reaction);
+  } catch (error) {
+    handleReactionError(error);
+  }
+}
+
+/**
+ * Handle errors from reaction API calls consistently
+ * @param {unknown} error - The error to handle
+ */
+function handleReactionError(error) {
+  if (isLockedError(error)) {
+    // Silently ignore locked resource errors - just log for debugging
+    core.info(`Cannot add reaction: resource is locked (this is expected and not an error)`);
+    return;
   }
+  const errorMessage = getErrorMessage(error);
+  core.error(`Failed to add reaction: ${errorMessage}`);
+  core.setFailed(`${ERR_API}: Failed to add reaction: ${errorMessage}`);
 }
 
 /**
diff --git a/setup/js/handle_agent_failure.cjs b/setup/js/handle_agent_failure.cjs
@@ -700,6 +700,10 @@ function buildEngineFailureContext() {
   const agentOutputFile = process.env.GH_AW_AGENT_OUTPUT;
   const stdioLogPath = agentOutputFile ? path.join(path.dirname(agentOutputFile), "agent-stdio.log") : "/tmp/gh-aw/agent-stdio.log";
 
+  // Include engine ID in failure messages when available (e.g. "copilot", "claude", "codex")
+  const engineId = process.env.GH_AW_ENGINE_ID || "";
+  const engineLabel = engineId ? ` \`${engineId}\`` : " AI";
+
   try {
     if (!fs.existsSync(stdioLogPath)) {
       core.info(`agent-stdio.log not found at ${stdioLogPath}, skipping engine failure context`);
@@ -753,7 +757,7 @@ function buildEngineFailureContext() {
     if (errorMessages.size > 0) {
       core.info(`Found ${errorMessages.size} engine error message(s) in agent-stdio.log`);
 
-      let context = "\n**⚠️ Engine Failure**: The AI engine terminated before producing output.\n\n**Error details:**\n";
+      let context = `\n**⚠️ Engine Failure**: The${engineLabel} engine terminated before producing output.\n\n**Error details:**\n`;
       for (const message of errorMessages) {
         context += `- ${message}\n`;
       }
@@ -772,7 +776,7 @@ function buildEngineFailureContext() {
     const tailLines = nonEmptyLines.slice(-TAIL_LINES);
     core.info(`No specific error patterns found; including last ${tailLines.length} line(s) of agent-stdio.log as fallback`);
 
-    let context = "\n**⚠️ Engine Failure**: The AI engine terminated unexpectedly.\n\n**Last agent output:**\n```\n";
+    let context = `\n**⚠️ Engine Failure**: The${engineLabel} engine terminated unexpectedly.\n\n**Last agent output:**\n\`\`\`\n`;
     context += tailLines.join("\n");
     context += "\n```\n\n";
     return context;
diff --git a/setup/js/sanitize_content_core.cjs b/setup/js/sanitize_content_core.cjs
@@ -931,8 +931,10 @@ function hardenUnicodeText(text) {
 
   // Step 3: Strip invisible zero-width characters that can hide content
   // These include: zero-width space, zero-width non-joiner, zero-width joiner,
+  // left-to-right mark (U+200E), right-to-left mark (U+200F),
+  // soft hyphen (U+00AD), combining grapheme joiner (U+034F),
   // word joiner, and byte order mark
-  result = result.replace(/[\u200B\u200C\u200D\u2060\uFEFF]/g, "");
+  result = result.replace(/[\u00AD\u034F\u200B\u200C\u200D\u200E\u200F\u2060\uFEFF]/g, "");
 
   // Step 4: Remove bidirectional text override controls
   // These can be used to reverse text direction and create visual spoofs
diff --git a/setup/md/manifest_protection_create_pr_fallback.md b/setup/md/manifest_protection_create_pr_fallback.md
@@ -8,13 +8,13 @@
 > This was originally intended as a pull request, but the patch modifies protected files. These files may affect project dependencies, CI/CD pipelines, or agent behaviour. **Please review the changes carefully** before creating the pull request.
 >
 > **[Click here to create the pull request once you have reviewed the changes]({create_pr_url})**
-
-<details>
-<summary>Protected files</summary>
-
-{files}
-
-</details>
+>
+> <details>
+> <summary>Protected files</summary>
+>
+> {files}
+>
+> </details>
 
 To route changes like this to a review issue instead of blocking, configure `protected-files: fallback-to-issue` in your workflow configuration.
 
diff --git a/setup/md/manifest_protection_push_failed_fallback.md b/setup/md/manifest_protection_push_failed_fallback.md
@@ -6,15 +6,15 @@
 > **Protected Files — Push Permission Denied**
 >
 > This was originally intended as a pull request, but the patch modifies protected files. A human must create the pull request manually.
-
-<details>
-<summary>Protected files</summary>
-
-{files}
-
-The push was rejected because GitHub Actions does not have `workflows` permission to push these changes, and is never allowed to make such changes, or other authorization being used does not have this permission.
-
-</details>
+>
+> <details>
+> <summary>Protected files</summary>
+>
+> {files}
+>
+> The push was rejected because GitHub Actions does not have `workflows` permission to push these changes, and is never allowed to make such changes, or other authorization being used does not have this permission.
+>
+> </details>
 
 <details>
 <summary><b>Create the pull request manually</b></summary>
diff --git a/setup/md/manifest_protection_push_to_pr_fallback.md b/setup/md/manifest_protection_push_to_pr_fallback.md
@@ -6,13 +6,13 @@
 > **Target Pull Request:** [#{pull_number}]({pr_url})
 >
 > **Please review the changes carefully** before pushing them to the pull request branch. These files may affect project dependencies, CI/CD pipelines, or agent behaviour.
-
-<details>
-<summary>Protected files</summary>
-
-{files}
-
-</details>
+>
+> <details>
+> <summary>Protected files</summary>
+>
+> {files}
+>
+> </details>
 
 ---
 
