chore: sync actions from gh-aw@v0.74.2 (#101)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Author: github-actions[bot]

setup/js/action_conclusion_otlp.cjs

@@ -44,21 +44,37 @@
 const sendOtlpSpan = require("./send_otlp_span.cjs");
 const { getActionInput } = require("./action_input_utils.cjs");
 
+/**
+ * Build the OTLP span name from an optional job name.
+ * @param {string | undefined} jobName
+ * @returns {string}
+ */
+function buildSpanName(jobName) {
+  return jobName ? `gh-aw.${jobName}.conclusion` : "gh-aw.job.conclusion";
+}
+
+/**
+ * Parse a positive finite epoch-ms value from an env var string.
+ * Returns undefined when the string is absent, non-numeric, zero, or negative.
+ * @param {string | undefined} raw
+ * @returns {number | undefined}
+ */
+function parseJobStartMs(raw) {
+  const ms = Number(raw);
+  return Number.isFinite(ms) && ms > 0 ? ms : undefined;
+}
+
 /**
  * Send the OTLP job-conclusion span.  Non-fatal: all errors are silently
  * swallowed.
  * @returns {Promise<void>}
  */
 async function run() {
   const endpoints = process.env.GH_AW_OTLP_ENDPOINTS;
-
-  const jobName = getActionInput("JOB_NAME");
-  const spanName = jobName ? `gh-aw.${jobName}.conclusion` : "gh-aw.job.conclusion";
-
-  // Read the job-start timestamp written by action_setup_otlp so the conclusion
-  // span duration covers the actual job execution window, not just this step's overhead.
-  const jobStartMs = Number(process.env.GITHUB_AW_OTEL_JOB_START_MS);
-  const startMs = Number.isFinite(jobStartMs) && jobStartMs > 0 ? jobStartMs : undefined;
+  const spanName = buildSpanName(getActionInput("JOB_NAME"));
+  // Use the job-start timestamp set by action_setup_otlp so the conclusion span
+  // duration covers the actual job execution window, not just this step's overhead.
+  const startMs = parseJobStartMs(process.env.GITHUB_AW_OTEL_JOB_START_MS);
 
   if (endpoints) {
     console.log(`[otlp] sending conclusion span "${spanName}" to configured endpoints`);
@@ -73,7 +89,7 @@ async function run() {
   }
 }
 
-module.exports = { run };
+module.exports = { run, buildSpanName, parseJobStartMs };
 
 // When invoked directly (node action_conclusion_otlp.cjs) from clean.sh,
 // run immediately.  Non-fatal: errors are silently swallowed.

setup/js/check_membership.cjs

@@ -33,16 +33,17 @@ async function main() {
   if (eventName === "workflow_dispatch") {
     const awContext = readWorkflowDispatchAwContext(context.payload);
     const commandName = typeof awContext?.command_name === "string" ? awContext.command_name.trim() : "";
+    const triggerLabel = typeof awContext?.trigger_label === "string" ? awContext.trigger_label.trim() : "";
     const propagatedActor = typeof awContext?.actor === "string" ? awContext.actor.trim() : "";
 
-    if (commandName && actor === "github-actions[bot]") {
+    if ((commandName || triggerLabel) && actor === "github-actions[bot]") {
       if (!propagatedActor) {
-        const errorMessage = "Access denied: workflow_dispatch aw_context.actor is required for centralized slash-command dispatches.";
+        const errorMessage = "Access denied: workflow_dispatch aw_context.actor is required for centralized command dispatches.";
         core.warning(errorMessage);
         core.setOutput("is_team_member", "false");
         core.setOutput("result", "config_error");
         core.setOutput("error_message", errorMessage);
-        await writeDenialSummary(errorMessage, "Ensure centralized slash-command dispatches include aw_context.actor.");
+        await writeDenialSummary(errorMessage, "Ensure centralized command dispatches include aw_context.actor.");
         return;
       }
 

setup/js/create_agent_session.cjs

@@ -7,17 +7,36 @@ const { getBaseBranch } = require("./get_base_branch.cjs");
 const { isStagedMode } = require("./safe_output_helpers.cjs");
 const { generateStagedPreview } = require("./staged_preview.cjs");
 
-const fs = require("fs");
-const path = require("path");
-
 /**
  * Module-level state — populated by handleMessage(), read by the exported getters below.
  * Using module-level variables (rather than closure-only state) allows the handler
  * manager to read final output values after all messages have been processed.
- * @type {Array<{number: string, url: string, success: boolean, error?: string}>}
+ * @type {Array<{id: string, url: string, success: boolean, error?: string}>}
  */
 let _allResults = [];
 
+/**
+ * Create a dedicated GitHub client for create-agent-session operations.
+ *
+ * Token precedence:
+ *   1. config["github-token"] — per-handler PAT configured in the workflow frontmatter
+ *   2. GH_AW_AGENT_SESSION_TOKEN — agent token injected by the compiler as a step env var
+ *      (evaluates to: GH_AW_AGENT_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN)
+ *   3. global github — step-level token (fallback when no agent token is available)
+ *
+ * @param {Object} config - Handler configuration
+ * @returns {Promise<Object>} Authenticated GitHub client
+ */
+async function createAgentSessionGitHubClient(config) {
+  const token = config["github-token"] || process.env.GH_AW_AGENT_SESSION_TOKEN;
+  if (!token) {
+    core.debug("No dedicated agent token configured — using step-level github client for create-agent-session operations");
+    return github;
+  }
+  core.info("Using dedicated github client for create-agent-session operations");
+  return global.getOctokit(token);
+}
+
 /**
  * Handler factory for create-agent-session safe output.
  *
@@ -41,17 +60,20 @@ async function main(config = {}) {
   core.info(`Default target repo: ${defaultTargetRepo}`);
   if (allowedRepos.size > 0) core.info(`Allowed repos: ${[...allowedRepos].join(", ")}`);
 
+  // Create a dedicated Octokit instance using the agent token
+  const githubClient = await createAgentSessionGitHubClient(config);
+
   /**
    * Process a single create_agent_session message.
    * @param {Object} message - The agent output message
-   * @returns {Promise<{success: boolean, number?: string, url?: string, error?: string, skipped?: boolean}>}
+   * @returns {Promise<{success: boolean, id?: string, url?: string, error?: string, skipped?: boolean}>}
    */
   return async function handleMessage(message) {
     const taskDescription = message.body;
 
     if (!taskDescription || taskDescription.trim() === "") {
       core.warning("Agent task description is empty, skipping");
-      _allResults.push({ number: "", url: "", success: false, error: "Empty task description" });
+      _allResults.push({ id: "", url: "", success: false, error: "Empty task description" });
       return { success: false, error: "Empty task description" };
     }
 
@@ -60,7 +82,7 @@ async function main(config = {}) {
     if (!repoResult.success) {
       const errorMsg = `E004: ${repoResult.error}`;
       core.error(errorMsg);
-      _allResults.push({ number: "", url: "", success: false, error: repoResult.error });
+      _allResults.push({ id: "", url: "", success: false, error: repoResult.error });
       return { success: false, error: repoResult.error };
     }
     const { repo: effectiveRepo, repoParts } = repoResult;
@@ -87,91 +109,50 @@ async function main(config = {}) {
     }
 
     try {
-      // Write task description to a temporary file
-      const tmpDir = "/tmp/gh-aw";
-      if (!fs.existsSync(tmpDir)) {
-        fs.mkdirSync(tmpDir, { recursive: true });
-      }
-
-      const taskIndex = _allResults.length + 1;
-      const taskFile = path.join(tmpDir, `agent-task-description-${taskIndex}.md`);
-      fs.writeFileSync(taskFile, taskDescription, "utf8");
-      core.info(`Task ${taskIndex}: Task description written to ${taskFile}`);
+      core.info(`Task ${_allResults.length + 1}: Creating agent session in ${effectiveRepo} on branch ${baseBranch}`);
+
+      // Call the GitHub REST API to start a task
+      // Reference: https://docs.github.com/en/rest/agent-tasks/agent-tasks?apiVersion=2026-03-10#start-a-task
+      const response = await githubClient.request("POST /agents/repos/{owner}/{repo}/tasks", {
+        owner: repoParts.owner,
+        repo: repoParts.repo,
+        prompt: taskDescription,
+        base_ref: baseBranch,
+        headers: { "X-GitHub-Api-Version": "2026-03-10" },
+      });
 
-      // Build gh agent-task create command
-      const ghArgs = ["agent-task", "create", "--from-file", taskFile, "--base", baseBranch];
+      const task = response.data;
+      const taskId = task.id || "";
+      const taskUrl = task.html_url || task.url || "";
 
-      const contextRepo = `${context.repo.owner}/${context.repo.repo}`;
-      if (effectiveRepo !== contextRepo) {
-        ghArgs.push("--repo", effectiveRepo);
-      }
-
-      core.info(`Task ${taskIndex}: Creating agent session with command: gh ${ghArgs.join(" ")}`);
-
-      // Determine token: prefer per-handler token, fall back to step-level token
-      const ghToken = config["github-token"] || process.env.GH_AW_AGENT_SESSION_TOKEN || process.env.GITHUB_TOKEN || "";
-
-      // Execute gh agent-task create command
-      let taskOutput;
-      try {
-        taskOutput = await exec.getExecOutput("gh", ghArgs, {
-          silent: false,
-          ignoreReturnCode: false,
-          env: {
-            ...process.env,
-            GH_TOKEN: ghToken,
-          },
-        });
-      } catch (execError) {
-        const errorMessage = execError instanceof Error ? execError.message : String(execError);
-
-        // Check for authentication/permission errors
-        if (errorMessage.includes("authentication") || errorMessage.includes("permission") || errorMessage.includes("forbidden") || errorMessage.includes("401") || errorMessage.includes("403")) {
-          core.error(`Task ${taskIndex}: Failed to create agent session due to authentication/permission error.`);
-          core.error(`The default GITHUB_TOKEN may not have permission to create agent sessions.`);
-          core.error(`Configure a Personal Access Token (PAT) using the handler's github-token setting or GH_AW_AGENT_SESSION_TOKEN.`);
-          core.error(`See documentation: https://github.github.com/gh-aw/reference/safe-outputs/#agent-task-creation-create-agent-session`);
-        } else {
-          core.error(`Task ${taskIndex}: Failed to create agent session: ${errorMessage}`);
-        }
-        _allResults.push({ number: "", url: "", success: false, error: errorMessage });
-        return { success: false, error: errorMessage };
-      }
+      core.info(`✅ Successfully created agent session ${taskId}`);
+      _allResults.push({ id: taskId, url: taskUrl, success: true });
+      return { success: true, id: taskId, url: taskUrl };
+    } catch (error) {
+      const errorMessage = getErrorMessage(error);
 
-      // Parse the output to extract task number and URL.
-      // Expected output format from gh agent-task create is typically:
-      // https://github.com/owner/repo/issues/123
-      const output = taskOutput.stdout.trim();
-      core.info(`Task ${taskIndex}: Agent task created: ${output}`);
-
-      // Extract task number from URL
-      const urlMatch = output.match(/github\.com\/[^/]+\/[^/]+\/issues\/(\d+)/);
-      if (urlMatch) {
-        const taskNumber = urlMatch[1];
-        core.info(`✅ Successfully created agent session #${taskNumber}`);
-        _allResults.push({ number: taskNumber, url: output, success: true });
-        return { success: true, number: taskNumber, url: output };
+      // Check for authentication/permission errors
+      if (errorMessage.includes("authentication") || errorMessage.includes("permission") || errorMessage.includes("forbidden") || errorMessage.includes("401") || errorMessage.includes("403")) {
+        core.error(`Failed to create agent session due to authentication/permission error.`);
+        core.error(`The default GITHUB_TOKEN may not have permission to create agent sessions.`);
+        core.error(`Configure a Personal Access Token (PAT) using the handler's github-token setting or GH_AW_AGENT_SESSION_TOKEN.`);
+        core.error(`See documentation: https://github.github.com/gh-aw/reference/safe-outputs/#agent-task-creation-create-agent-session`);
       } else {
-        core.warning(`Task ${taskIndex}: Could not parse task number from output: ${output}`);
-        _allResults.push({ number: "", url: output, success: true });
-        return { success: true, number: "", url: output };
+        core.error(`Error creating agent session: ${errorMessage}`);
       }
-    } catch (error) {
-      const errorMessage = getErrorMessage(error);
-      core.error(`Error creating agent session: ${errorMessage}`);
-      _allResults.push({ number: "", url: "", success: false, error: errorMessage });
+      _allResults.push({ id: "", url: "", success: false, error: errorMessage });
       return { success: false, error: errorMessage };
     }
   };
 }
 
 /**
- * Returns the session_number output: the number of the first successfully created session.
+ * Returns the session_number output: the ID of the first successfully created session.
  * @returns {string}
  */
 function getCreateAgentSessionNumber() {
-  const first = _allResults.find(r => r.success && r.number);
-  return first ? first.number : "";
+  const first = _allResults.find(r => r.success && r.id);
+  return first ? first.id : "";
 }
 
 /**
@@ -200,8 +181,8 @@ async function writeCreateAgentSessionSummary() {
     summaryContent += `✅ Successfully created ${successResults.length} agent session(s):\n\n`;
     summaryContent += successResults
       .map((r, i) => {
-        if (r.url && r.number) {
-          return `- [#${r.number}](${r.url})`;
+        if (r.url && r.id) {
+          return `- [${r.id}](${r.url})`;
         } else if (r.url) {
           return `- [Session ${i + 1}](${r.url})`;
         }

setup/js/create_pull_request.cjs

@@ -1265,13 +1265,33 @@ async function main(config = {}) {
       // This preserves merge commit topology and per-commit metadata (messages, authorship)
       // unlike git format-patch which flattens history and drops merge resolution content.
       core.info(`Applying changes from bundle: ${bundleFilePath}`);
-      const bundleBranchRef = originalAgentBranch || branchName;
+      let bundleBranchRef = `refs/heads/${originalAgentBranch || branchName}`;
       try {
         await ensureFullHistoryForBundle(exec);
 
         // Fetch from bundle: creates a local branch pointing to the bundle's tip commit.
-        // The bundle contains refs/heads/<bundleBranchRef> which was the agent's working branch.
-        await exec.exec("git", ["fetch", bundleFilePath, `refs/heads/${bundleBranchRef}:refs/heads/${branchName}`]);
+        // bundleBranchRef is the source ref inside the bundle (typically refs/heads/<agent-branch>).
+        try {
+          await exec.exec("git", ["fetch", bundleFilePath, `${bundleBranchRef}:refs/heads/${branchName}`]);
+        } catch (initialFetchError) {
+          // Fallback: resolve the source ref directly from the bundle contents.
+          // Some agents may emit a JSONL branch name that differs from the ref embedded in the bundle.
+          const initialFetchErrorMessage = initialFetchError instanceof Error ? initialFetchError.message : String(initialFetchError);
+          core.warning(`Bundle fetch with ${bundleBranchRef} failed: ${initialFetchErrorMessage}; resolving branch ref from bundle heads`);
+          const { stdout: bundleHeadsOutput } = await exec.getExecOutput("git", ["bundle", "list-heads", bundleFilePath]);
+          const branchRefs = bundleHeadsOutput
+            .split("\n")
+            .map(line => line.trim().split(/\s+/)[1] || "")
+            .filter(ref => /^refs\/heads\/[A-Za-z0-9._][A-Za-z0-9._/-]*$/.test(ref));
+
+          if (branchRefs.length === 1) {
+            bundleBranchRef = branchRefs[0];
+            core.info(`Resolved bundle source ref from list-heads: ${bundleBranchRef}`);
+            await exec.exec("git", ["fetch", bundleFilePath, `${bundleBranchRef}:refs/heads/${branchName}`]);
+          } else {
+            throw new Error(`Failed to resolve bundle branch ref from list-heads: expected exactly 1 refs/heads entry, found ${branchRefs.length}`, { cause: initialFetchError });
+          }
+        }
         core.info(`Created local branch ${branchName} from bundle`);
         await exec.exec("git", ["checkout", branchName]);
         core.info(`Checked out branch ${branchName} from bundle`);
@@ -1334,7 +1354,7 @@ To create a pull request with the changes:
 gh run download ${runId} -n agent -D /tmp/agent-${runId}
 
 # Fetch the bundle into a local branch
-git fetch /tmp/agent-${runId}/${artifactFileName} refs/heads/${bundleBranchRef}:refs/heads/${branchName}
+git fetch /tmp/agent-${runId}/${artifactFileName} ${bundleBranchRef}:refs/heads/${branchName}
 git checkout ${branchName}
 
 # Push the branch to origin