daxmobile
left a comment
Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit
actionlint
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:18:53: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
The maintenance worker was blocked by two issues:
- The sandbox proxy rejected connections to app.asana.com
- No Asana credentials were available in the agent environment
Add Asana MCP server via mcp-servers frontmatter key, which securely passes ASANA_ACCESS_TOKEN without leaking it to the agent container. Import duckduckgo/ddg-ai-config as an APM package so the agent gets DDG's Asana skills, formatting rules, and data protection policies. Update the prompt to use MCP tools instead of curl.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
daxmobile
left a comment
Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit
actionlint
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
The APM step failed with "repository not found" because GITHUB_TOKEN only has access to the current repo, not the private ddg-ai-config repo. Use GitHub App authentication to mint a scoped token for the ddg-ai-config repository. Requires GH_AW_APP_ID (variable) and GH_AW_APP_PRIVATE_KEY (secret) to be configured in the repo settings. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Simplify the workflow to just the Asana MCP server with ASANA_ACCESS_TOKEN. The ddg-ai-config integration can be added later once APM auth is sorted out. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
daxmobile
left a comment
Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit
actionlint
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
| @@ -125,19 +125,19 @@ jobs: | |||
| run: | | |||
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:1: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
Replace MCP server and curl-based Asana access with two inline mcp-scripts that run outside the sandbox: asana_get_section_tasks and asana_get_task. This avoids strict mode restrictions on passing secrets to the agent container. Remove all Asana write operations (move task, leave comments) from the workflow since mcp-scripts are read-only. The agent now fetches the task URL and details, implements the work, and opens a draft PR. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
daxmobile
left a comment
Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit
actionlint
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
| startHttpServer(configPath, { | ||
| port: port, | ||
| stateless: true, | ||
| logDir: "${RUNNER_TEMP}/gh-aw/mcp-scripts/logs" |
API key read but never passed to server
Medium Severity
In the generated mcp-server.cjs, the apiKey variable is read from process.env.GH_AW_MCP_SCRIPTS_API_KEY but never passed to startHttpServer(). The options object only includes port, stateless, and logDir — missing the apiKey. This means the MCP scripts HTTP server likely won't validate the Authorization header on incoming requests, even though the MCP Gateway is configured to send one. Depending on the startHttpServer implementation, this could mean the server accepts unauthenticated requests from any process on the host network.
Please tell me if this was useful or not with a 👍 or 👎.
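The omission described in the review comment above, as an added JavaScript example that is not the project's code. `createHandler` is a hypothetical stand-in for a server that enforces the Authorization header only when it is given a key; the port, log directory, key value and the `Bearer` header format are assumptions.

```javascript
const crypto = require("crypto");

// Constructed sample environment; the key is a placeholder, not a real secret.
const SAMPLE_ENV = { GH_AW_MCP_SCRIPTS_API_KEY: "constructed-example-key" };

// Options shaped like the flagged hunk: the key is read but left out of the object.
function flaggedOptions(env) {
  const apiKey = env.GH_AW_MCP_SCRIPTS_API_KEY; // read, never used
  void apiKey;
  return { port: 3000, stateless: true, logDir: "/tmp/mcp-scripts/logs" };
}

// Same options with the key passed through to the server.
function fixedOptions(env) {
  return { ...flaggedOptions(env), apiKey: env.GH_AW_MCP_SCRIPTS_API_KEY };
}

// Compare SHA-256 digests so timingSafeEqual always receives equal-length buffers.
function sameSecret(presented, expected) {
  const digest = (s) => crypto.createHash("sha256").update(String(s)).digest();
  return crypto.timingSafeEqual(digest(presented), digest(expected));
}

// Hypothetical handler factory (assumption, not the real startHttpServer).
// failClosed=false: Authorization is checked only if a key was configured.
// failClosed=true: refuse to start at all when no key was configured.
function createHandler(options, { failClosed = false } = {}) {
  if (failClosed && !options.apiKey) {
    throw new Error("apiKey is required: refusing to start without authentication");
  }
  return function handle(headers) {
    if (!options.apiKey) return 200; // no key configured: every caller is accepted
    const presented = headers.authorization || "";
    return sameSecret(presented, `Bearer ${options.apiKey}`) ? 200 : 401;
  };
}

// Status codes for three callers: no header, wrong key, correct key.
function probe(handler, key) {
  return [
    handler({}),
    handler({ authorization: "Bearer wrong" }),
    handler({ authorization: `Bearer ${key}` }),
  ];
}

const key = SAMPLE_ENV.GH_AW_MCP_SCRIPTS_API_KEY;
console.log("flagged:", probe(createHandler(flaggedOptions(SAMPLE_ENV)), key));
console.log("fixed:  ", probe(createHandler(fixedOptions(SAMPLE_ENV)), key));
```

Making the key mandatory at startup (`failClosed`) turns a forgotten option into a startup error instead of an open listener.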
daxmobile
left a comment
Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit
actionlint
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:10: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:104:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:10:7: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:7: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:9:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:18:53: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
When a PR is created or labeled with `agentic-maintenance`, this workflow extracts the Asana task from the PR body and moves it to the In Review section of the Agentic Backlog. Requires repo variables GH_AGENTIC_BACKLOG_PROJECT_ID and GH_AGENTIC_BACKLOG_IN_REVIEW_SECTION_ID to be configured. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
daxmobile
left a comment
Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit
actionlint
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
The previous Step 1 relied on persistent repo memory as the primary gate, which is unreliable in CI (memory may not persist between runs or may be stale). It also lacked an explicit stop for the common case of a healthy open PR, letting the agent fall through to Step 2. Now Step 1 checks live state first: it queries the Asana In Progress section and lists open [Android Maintenance] PRs. Only if both are empty does it proceed to pick a new task. Memory is kept as a hint to locate the task/PR faster, not as the decision mechanism. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
daxmobile
left a comment
Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit
actionlint
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
| {"create_pull_request":{"base_branch":"develop","draft":true,"github-token":"${{ secrets.GT_DAXMOBILE }}","labels":["agentic-maintenance"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS"],"protected_path_prefixes":[".github/",".agents/"],"title_prefix":"[Android Maintenance] "},"mentions":{"enabled":false},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"}} | ||
| GH_AW_SAFE_OUTPUTS_CONFIG_876e01d037e1f83a_EOF | ||
| - name: Write Safe Outputs Tools | ||
| run: | |
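Review bot: In the safe-outputs config JSON, "github-token":"${{ secrets.GT_DAXMOBILE }}" is expanded by Actions before the shell runs, so the token value itself is written into the file that the block ending at GH_AW_SAFE_OUTPUTS_CONFIG_876e01d037e1f83a_EOF produces on the runner. Consider passing the token through the step's env: and having the config carry only the variable name, and confirm the written config file is not included in any uploaded artifact. Separately, "report-as-issue":"true" is a string while "draft":true is a boolean; worth confirming the consumer expects a string there.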
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:107:6: Double quote to prevent globbing and word splitting [shellcheck]
| {"create_pull_request":{"base_branch":"develop","draft":true,"github-token":"${{ secrets.GT_DAXMOBILE }}","labels":["agentic-maintenance"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS"],"protected_path_prefixes":[".github/",".agents/"],"title_prefix":"[Android Maintenance] "},"mentions":{"enabled":false},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"}} | ||
| GH_AW_SAFE_OUTPUTS_CONFIG_876e01d037e1f83a_EOF | ||
| - name: Write Safe Outputs Tools | ||
| run: | |
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:10:7: Double quote to prevent globbing and word splitting [shellcheck]
| {"create_pull_request":{"base_branch":"develop","draft":true,"github-token":"${{ secrets.GT_DAXMOBILE }}","labels":["agentic-maintenance"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS"],"protected_path_prefixes":[".github/",".agents/"],"title_prefix":"[Android Maintenance] "},"mentions":{"enabled":false},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"}} | ||
| GH_AW_SAFE_OUTPUTS_CONFIG_876e01d037e1f83a_EOF | ||
| - name: Write Safe Outputs Tools | ||
| run: | |
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:7: Double quote to prevent globbing and word splitting [shellcheck]
| bash ${RUNNER_TEMP}/gh-aw/actions/start_safe_outputs_server.sh | ||
|
|
||
| - name: Setup MCP Scripts Config | ||
| run: | |
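Review bot: ${RUNNER_TEMP} is unquoted in the line bash ${RUNNER_TEMP}/gh-aw/actions/start_safe_outputs_server.sh, so a runner temp path containing spaces or glob characters would be split or expanded before bash receives it. Quote the whole path: bash "${RUNNER_TEMP}/gh-aw/actions/start_safe_outputs_server.sh".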
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:10: Double quote to prevent globbing and word splitting [shellcheck]
| bash ${RUNNER_TEMP}/gh-aw/actions/start_safe_outputs_server.sh | ||
|
|
||
| - name: Setup MCP Scripts Config | ||
| run: | |
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:2:7: Double quote to prevent globbing and word splitting [shellcheck]
| bash ${RUNNER_TEMP}/gh-aw/actions/start_safe_outputs_server.sh | ||
|
|
||
| - name: Setup MCP Scripts Config | ||
| run: | |
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:53:7: Double quote to prevent globbing and word splitting [shellcheck]
| bash ${RUNNER_TEMP}/gh-aw/actions/start_safe_outputs_server.sh | ||
|
|
||
| - name: Setup MCP Scripts Config | ||
| run: | |
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:68:10: Double quote to prevent globbing and word splitting [shellcheck]
| chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs | ||
|
|
||
| - name: Setup MCP Scripts Tool Files | ||
| run: | |
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:17:7: Double quote to prevent globbing and word splitting [shellcheck]
| chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs | ||
|
|
||
| - name: Setup MCP Scripts Tool Files | ||
| run: | |
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:7: Double quote to prevent globbing and word splitting [shellcheck]
| GH_AW_MCP_SCRIPTS_PORT: ${{ steps.mcp-scripts-config.outputs.mcp_scripts_port }} | ||
| GH_AW_MCP_SCRIPTS_API_KEY: ${{ steps.mcp-scripts-config.outputs.mcp_scripts_api_key }} | ||
| ASANA_ACCESS_TOKEN: ${{ secrets.ASANA_ACCESS_TOKEN }} | ||
| run: | |
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:6:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:10: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:9:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:18:53: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]
📝 [actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:6: Double quote to prevent globbing and word splitting [shellcheck]



Task/Issue URL: https://app.asana.com/1/137249556945/project/1174433894299346/task/1213883965463238?focus=true
Description
Updated the maintenance worker workflow (android-maintenance-worker.md) to unblock Asana access from the GitHub Actions sandbox:
- app.asana.com in the network config so the agent can reach the Asana API
- mcp-scripts that expose two read-only Asana tools (asana_get_section_tasks, asana_get_task) — lighter weight and no extra dependency
- ddg-ai-config APM dependency that was no longer needed
- ddg-ai-config APM package access
- agentic-maintenance
- action-agentic-maintenance-pr.yaml) that moves the Asana task to "In Review" when a PR is opened or labeled with agentic-maintenance — this overcomes the agent's lack of Asana write permissions
Steps to test this PR
Worked in https://github.com/duckduckgo/Android/actions/runs/23839305109
UI changes
Note
Medium Risk
Modifies GitHub Actions agent sandbox/networking and introduces new Asana-integrated automation using ASANA_ACCESS_TOKEN, which can affect CI behavior and external side effects if misconfigured.
Overview
Unblocks the Android agentic maintenance worker from reading Asana by allowlisting app.asana.com and wiring in a lightweight mcp-scripts HTTP server that exposes two read-only Asana tools (asana_get_section_tasks, asana_get_task) through the MCP gateway.
Maintenance PRs created by the worker are now automatically labeled agentic-maintenance, and a new action-agentic-maintenance-pr workflow reacts to that label/PR open to move the referenced Asana task to In Review using duckduckgo/native-github-asana-sync.
Updates the compiled android-maintenance-worker.lock.yml accordingly (MCP scripts startup, env/secret redaction, artifact upload) and adds microsoft/apm-action@v1.4.1 to the actions lockfile.
Written by Cursor Bugbot for commit cd99791. This will update automatically on new commits.