fix: configure duplicate code detector for Azure Foundry (#2419)

## Summary
- Add Foundry env vars (ANTHROPIC_FOUNDRY_API_KEY,
ANTHROPIC_FOUNDRY_BASE_URL) so the workflow authenticates via Azure
Foundry
- Fix Serena language config (javascript -> typescript)
Kevin Turcios 2026-02-14 18:29:04 -05:00 committed by GitHub
parent 9c5ad8fe06
commit ac9f7ad2b5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 85 additions and 31 deletions


@ -25,24 +25,33 @@
#
# Source: github/gh-aw/.github/workflows/duplicate-code-detector.md@94662b1dee8ce96c876ba9f33b3ab8be32de82a4
#
# frontmatter-hash: 2b3fb7cf44d5d2b73dceac7edec97406a0222c153feafc7f75e9534f4204bb6c
# frontmatter-hash: 51463894f91af0640dcd95138dedce7da34fd0a423856af10ff91803c7bbbb56
name: "Duplicate Code Detector"
"on":
schedule:
- cron: "26 22 * * *"
# Friendly format: daily (scattered)
pull_request:
types:
- opened
- synchronize
workflow_dispatch:
permissions: {}
concurrency:
group: "gh-aw-${{ github.workflow }}"
group: "gh-aw-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}"
cancel-in-progress: true
run-name: "Duplicate Code Detector"
env:
ANTHROPIC_FOUNDRY_API_KEY: ${{ secrets.AZURE_ANTHROPIC_API_KEY }}
ANTHROPIC_FOUNDRY_BASE_URL: ${{ secrets.AZURE_ANTHROPIC_ENDPOINT }}
jobs:
activation:
needs: pre_activation
if: >
(needs.pre_activation.outputs.activated == 'true') && ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id))
runs-on: ubuntu-slim
permissions:
contents: read
@ -72,8 +81,6 @@ jobs:
contents: read
issues: read
pull-requests: read
concurrency:
group: "gh-aw-codex-${{ github.workflow }}"
env:
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
GH_AW_ASSETS_ALLOWED_EXTS: ""
@ -135,9 +142,9 @@ jobs:
const fs = require('fs');
const awInfo = {
engine_id: "codex",
engine_id: "claude",
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CODEX || "",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
agent_version: "2.1.42",
cli_version: "v0.44.0",
@ -783,7 +790,7 @@ jobs:
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
env:
GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
GH_AW_ALLOWED_DOMAINS: "172.30.0.1,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
GITHUB_SERVER_URL: ${{ github.server_url }}
GITHUB_API_URL: ${{ github.api_url }}
with:
@ -969,8 +976,6 @@ jobs:
if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
runs-on: ubuntu-latest
permissions: {}
concurrency:
group: "gh-aw-codex-${{ github.workflow }}"
timeout-minutes: 10
outputs:
success: ${{ steps.parse_results.outputs.success }}
@ -1012,34 +1017,57 @@ jobs:
run: |
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Validate CODEX_API_KEY or OPENAI_API_KEY secret
- name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret
id: validate-secret
run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex
run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code
env:
CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }}
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
with:
node-version: '24'
package-manager-cache: false
- name: Install Codex
run: npm install -g --silent @openai/codex@0.101.0
- name: Run Codex
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.1.42
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
# - Bash(cat)
# - Bash(grep)
# - Bash(head)
# - Bash(jq)
# - Bash(ls)
# - Bash(tail)
# - Bash(wc)
# - BashOutput
# - ExitPlanMode
# - Glob
# - Grep
# - KillBash
# - LS
# - NotebookRead
# - Read
# - Task
# - TodoWrite
timeout-minutes: 20
run: |
set -o pipefail
INSTRUCTION="$(cat "$GH_AW_PROMPT")"
mkdir -p "$CODEX_HOME/logs"
codex ${GH_AW_MODEL_DETECTION_CODEX:+-c model="$GH_AW_MODEL_DETECTION_CODEX" }exec --dangerously-bypass-approvals-and-sandbox --skip-git-repo-check "$INSTRUCTION" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log
# Execute Claude Code CLI with prompt from file
claude --print --disable-slash-commands --no-chrome --allowed-tools 'Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite' --debug-file /tmp/gh-aw/threat-detection/detection.log --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_DETECTION_CLAUDE:+ --model "$GH_AW_MODEL_DETECTION_CLAUDE"} 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
env:
CODEX_API_KEY: ${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }}
CODEX_HOME: /tmp/gh-aw/mcp-config
GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/config.toml
GH_AW_MODEL_DETECTION_CODEX: ${{ vars.GH_AW_MODEL_DETECTION_CODEX || '' }}
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
BASH_DEFAULT_TIMEOUT_MS: 60000
BASH_MAX_TIMEOUT_MS: 60000
CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
DISABLE_BUG_COMMAND: 1
DISABLE_ERROR_REPORTING: 1
DISABLE_TELEMETRY: 1
GH_AW_MODEL_DETECTION_CLAUDE: ${{ vars.GH_AW_MODEL_DETECTION_CLAUDE || '' }}
GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }}
OPENAI_API_KEY: ${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }}
RUST_LOG: trace,hyper_util=info,mio=info,reqwest=info,os_info=info,codex_otel=warn,codex_core=debug,ocodex_exec=debug
GITHUB_WORKSPACE: ${{ github.workspace }}
MCP_TIMEOUT: 120000
MCP_TOOL_TIMEOUT: 60000
- name: Parse threat detection results
id: parse_results
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@ -1057,6 +1085,29 @@ jobs:
path: /tmp/gh-aw/threat-detection/detection.log
if-no-files-found: ignore
pre_activation:
if: (github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)
runs-on: ubuntu-slim
outputs:
activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
steps:
- name: Setup Scripts
uses: github/gh-aw/actions/setup@cec1ecf3b97e9a1bbffaedf490a49ce03c1071ba # v0.44.0
with:
destination: /opt/gh-aw/actions
- name: Check team membership for workflow
id: check_membership
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
env:
GH_AW_REQUIRED_ROLES: admin,maintainer,write
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
setupGlobals(core, github, context, exec, io);
const { main } = require('/opt/gh-aw/actions/check_membership.cjs');
await main();
safe_outputs:
needs:
- agent
@ -1068,7 +1119,7 @@ jobs:
issues: write
timeout-minutes: 15
env:
GH_AW_ENGINE_ID: "codex"
GH_AW_ENGINE_ID: "claude"
GH_AW_WORKFLOW_ID: "duplicate-code-detector"
GH_AW_WORKFLOW_NAME: "Duplicate Code Detector"
GH_AW_WORKFLOW_SOURCE: "github/gh-aw/.github/workflows/duplicate-code-detector.md@94662b1dee8ce96c876ba9f33b3ab8be32de82a4"
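Review bot: The Foundry API key is added to the workflow-level `env:` block (the `ANTHROPIC_FOUNDRY_API_KEY: ${{ secrets.AZURE_ANTHROPIC_API_KEY }}` line in the first hunk), which injects it into every job and step of the compiled workflow, including the threat-detection step that runs `claude` with `--permission-mode bypassPermissions` and Bash tools, and the safe_outputs job that needs no model credential at all. Move the two `ANTHROPIC_FOUNDRY_*` entries into the `env:` of the step that actually executes the agent so the secret is only present where it is used. Separately, the regenerated `GH_AW_ALLOWED_DOMAINS` list contains `anthropic.com`/`api.anthropic.com` but no Azure host, so if the agent's egress firewall enforces that list the endpoint named by `AZURE_ANTHROPIC_ENDPOINT` may be blocked — worth confirming on a real run. The threat-detection job's validation step also still checks only `CLAUDE_CODE_OAUTH_TOKEN`/`ANTHROPIC_API_KEY`, not the Foundry secrets, so it presumably fails when only the Azure secrets are configured.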


@ -10,8 +10,11 @@ permissions:
issues: read
pull-requests: read
engine: claude
env:
ANTHROPIC_FOUNDRY_API_KEY: ${{ secrets.AZURE_ANTHROPIC_API_KEY }}
ANTHROPIC_FOUNDRY_BASE_URL: ${{ secrets.AZURE_ANTHROPIC_ENDPOINT }}
tools:
serena: ["python", "javascript", "typescript"]
serena: ["python", "typescript"]
safe-outputs:
create-issue:
expires: 2d
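Review bot: The new `env:` entries carry no comment explaining why the endpoint URL is read from a secret rather than a repository variable, which matters because a secret is masked in job logs while a `vars` value is not, and a later edit could easily "simplify" it. Add above the block: `# Route Claude Code through Azure Foundry; the endpoint is kept as a secret so it is masked in logs.` Note also that this frontmatter `env` compiles to the workflow-level `env:` of the generated workflow, so the credential becomes visible to every job there rather than only the agent step.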