From 1b7a70a049c0992ccfbfd95d866d4bafd2735890 Mon Sep 17 00:00:00 2001 From: Aaron Powell Date: Tue, 5 May 2026 11:53:18 +1000 Subject: [PATCH] Run contributor checks from AGT scripts (#1617) * Run contributor checks from AGT scripts Fetch the pinned AGT contributor check scripts directly and execute them with Python so the workflow no longer depends on missing console entrypoints from the published package. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Log contributor check JSON outputs Dump the raw AGT JSON outputs and stderr logs in the contributor check workflow to make future debugging easier. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/contributor-check.yml | 60 +++++++++++++++++++++++-- 1 file changed, 56 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/contributor-check.yml b/.github/workflows/contributor-check.yml
index 3caab939..8e5f4948 100644
--- a/.github/workflows/contributor-check.yml
+++ b/.github/workflows/contributor-check.yml
@@ -29,8 +29,15 @@ jobs: with: python-version: "3.12" - - name: Install AGT CLI - run: pip install --quiet 'agent-governance-toolkit==3.3.0' + - name: Fetch AGT check scripts + env: + AGT_REF: v3.3.0 + run: | + mkdir -p /tmp/agt + curl -fsSL "https://raw.githubusercontent.com/microsoft/agent-governance-toolkit/${AGT_REF}/scripts/contributor_check.py" \ -o /tmp/agt/contributor_check.py + curl -fsSL "https://raw.githubusercontent.com/microsoft/agent-governance-toolkit/${AGT_REF}/scripts/credential_audit.py" \ -o /tmp/agt/credential_audit.py - name: Determine author id: author
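Review bot: The two `curl` lines fetch code that the next steps execute with `GITHUB_TOKEN` in its environment, yet `AGT_REF: v3.3.0` pins it only to a git tag, which can be moved or re-created, so this is weaker than the immutable PyPI version pin it replaces and carries no integrity check at all. Pin `AGT_REF` to the full 40-character commit SHA that `v3.3.0` resolves to, and verify each download before running it, e.g. `echo "<expected-sha256>  /tmp/agt/contributor_check.py" | sha256sum -c -` after each `curl`. The removed `pip install` also dropped the package's dependencies; if either script imports anything outside the standard library, the `python3` invocations in the following hunk will fail at import time, which is worth confirming against the scripts at that ref.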
@@ -50,21 +57,66 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | set +e - agt-contributor-check \ + python3 /tmp/agt/contributor_check.py \ --username "${{ steps.author.outputs.username }}" \ + --repo "${{ github.repository }}" \ --json > /tmp/profile.json 2>/tmp/profile.log + status=$? set -e + if [ "$status" -ne 0 ] && [ ! -s /tmp/profile.json ]; then + echo "::warning::Profile check failed" + if [ -s /tmp/profile.log ]; then + sed -n '1,120p' /tmp/profile.log + fi + fi - name: Run credential audit env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | set +e - agt-credential-audit \ + python3 /tmp/agt/credential_audit.py \ --username "${{ steps.author.outputs.username }}" \ --repo "${{ github.repository }}" \ --json > /tmp/cred.json 2>/tmp/cred.log + status=$? set -e + if [ "$status" -ne 0 ] && [ ! -s /tmp/cred.json ]; then + echo "::warning::Credential audit failed" + if [ -s /tmp/cred.log ]; then + sed -n '1,120p' /tmp/cred.log + fi + fi + + - name: Dump check outputs + if: always() + run: | + dump_json() { + label="$1" + file="$2" + log_file="$3" + + echo "::group::${label} JSON" + if [ -s "$file" ]; then + if jq . "$file"; then + : + else + cat "$file" + fi + else + echo "" + fi + echo "::endgroup::" + + if [ -s "$log_file" ]; then + echo "::group::${label} stderr" + sed -n '1,120p' "$log_file" + echo "::endgroup::" + fi + } + + dump_json "Profile check" /tmp/profile.json /tmp/profile.log + dump_json "Credential audit" /tmp/cred.json /tmp/cred.log - name: Resolve check risks id: results
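Review bot: `--username "${{ steps.author.outputs.username }}"` and `--repo "${{ github.repository }}"` are expanded by the Actions runner into the script text before the shell runs it, so whatever the author step emits is spliced into the command line as code rather than data; the step that produces `username` is outside this hunk, and if it ever reflects a user-controlled value (a commit author name, for instance) rather than a GitHub login this becomes a script injection. Pass the value through the step's `env:` instead — `AUTHOR_USERNAME: ${{ steps.author.outputs.username }}` next to `GITHUB_TOKEN`, then `--username "$AUTHOR_USERNAME"` in both `python3` invocations. Separately, the new "Dump check outputs" step prints `/tmp/cred.json` verbatim into the job log under `if: always()`; on a public repository that log is world-readable, so if the credential audit's JSON carries matched secret values or their locations, redact those fields or upload the file as a short-retention artifact rather than echoing it.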