Add support for safe-inputs front matter section (#5090)

Author: Copilot

.github/workflows/dev.lock.yml

@@ -5,19 +5,62 @@ name: Dev
 description: Test workflow for development and experimentation purposes
 timeout-minutes: 5
 strict: false
-# Using experimental Claude engine for testing
-engine: claude
+# Using Codex engine for better error messages
+engine: codex
 permissions:
   contents: read
   issues: read
   pull-requests: read
   discussions: read
+imports:
+  - shared/pr-data-safe-input.md
 tools:
   bash: ["*"]
   edit:
   github:
     toolsets: [default, repos, issues, discussions]
 safe-outputs:
   assign-to-agent:
+safe-inputs:
+  test-js-math:
+    description: "Test JavaScript math operations"
+    inputs:
+      a:
+        type: number
+        description: "First number"
+        required: true
+      b:
+        type: number
+        description: "Second number"
+        required: true
+    script: |
+      // Users can write simple code without exports
+      const sum = a + b;
+      const product = a * b;
+      return { sum, product, inputs: { a, b } };
+  test-js-string:
+    description: "Test JavaScript string operations"
+    inputs:
+      text:
+        type: string
+        description: "Input text"
+        required: true
+    script: |
+      // Simple string manipulation
+      return {
+        original: text,
+        uppercase: text.toUpperCase(),
+        length: text.length
+      };
 ---
-Assign the most recent unassigned issue to the agent.
+Use the `fetch-pr-data` tool to fetch Copilot agent PRs from this repository using `search: "head:copilot/"`. Then compute basic PR statistics:
+- Total number of Copilot PRs in the last 30 days
+- Number of merged vs closed vs open PRs
+- Average time from PR creation to merge (for merged PRs)
+- Most active day of the week for PR creation
+
+Also test the JavaScript safe-inputs tools:
+1. Call `test-js-math` with a=5 and b=3 to verify math operations work
+2. Call `test-js-string` with text="Hello World" to verify string operations work
+
+Present the statistics and test results in a clear summary.

.github/workflows/dev.md

@@ -0,0 +1,87 @@
+---
+safe-inputs:
+  fetch-pr-data:
+    description: "Fetches pull request data from GitHub using gh CLI. Returns JSON array of PRs with fields: number, title, author, headRefName, createdAt, state, url, body, labels, updatedAt, closedAt, mergedAt"
+    inputs:
+      repo:
+        type: string
+        description: "Repository in owner/repo format (defaults to current repository)"
+        required: false
+      search:
+        type: string
+        description: "Search query for filtering PRs (e.g., 'head:copilot/' for Copilot PRs)"
+        required: false
+      state:
+        type: string
+        description: "PR state filter: open, closed, merged, or all (default: all)"
+        default: "all"
+      limit:
+        type: number
+        description: "Maximum number of PRs to fetch (default: 100)"
+        default: 100
+      days:
+        type: number
+        description: "Number of days to look back (default: 30)"
+        default: 30
+    run: |
+      # Fetch PR data using gh CLI
+      REPO="${INPUT_REPO:-$GITHUB_REPOSITORY}"
+      STATE="${INPUT_STATE:-all}"
+      LIMIT="${INPUT_LIMIT:-100}"
+      DAYS="${INPUT_DAYS:-30}"
+      SEARCH="${INPUT_SEARCH:-}"
+      
+      # Calculate date N days ago (cross-platform)
+      DATE_AGO=$(date -d "${DAYS} days ago" '+%Y-%m-%d' 2>/dev/null || date -v-${DAYS}d '+%Y-%m-%d')
+      
+      # Build search query
+      QUERY="created:>=${DATE_AGO}"
+      if [ -n "$SEARCH" ]; then
+        QUERY="${SEARCH} ${QUERY}"
+      fi
+      
+      # Fetch PRs
+      gh pr list --repo "$REPO" \
+        --search "$QUERY" \
+        --state "$STATE" \
+        --json number,title,author,headRefName,createdAt,state,url,body,labels,updatedAt,closedAt,mergedAt \
+        --limit "$LIMIT"
+    env:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+---
+<!--
+## PR Data Fetch Safe Input Tool
+
+This shared workflow provides a `fetch-pr-data` safe-input tool that fetches pull request data from GitHub.
+
+### Usage
+
+Import this shared workflow to get access to the `fetch-pr-data` tool:
+
+```yaml
+imports:
+  - shared/pr-data-safe-input.md
+```
+
+The agent can then use the tool to fetch PR data:
+- `fetch-pr-data` with no arguments returns PRs from the last 30 days
+- `fetch-pr-data` with `search: "head:copilot/"` returns Copilot agent PRs
+- `fetch-pr-data` with `state: "merged"` returns only merged PRs
+
+### Parameters
+
+| Parameter | Type | Default | Description |
+|-----------|------|---------|-------------|
+| repo | string | current repo | Repository in owner/repo format |
+| search | string | - | Search query (e.g., "head:copilot/") |
+| state | string | all | PR state: open, closed, merged, all |
+| limit | number | 100 | Maximum PRs to return |
+| days | number | 30 | Days to look back |
+
+### Output
+
+Returns JSON array with PR objects containing:
+- number, title, author, headRefName
+- createdAt, updatedAt, closedAt, mergedAt
+- state, url, body, labels
+-->

.github/workflows/shared/pr-data-safe-input.md

@@ -2444,6 +2444,14 @@ roles: []
 # (optional)
 strict: true
 
+# Safe inputs configuration for defining custom lightweight MCP tools as
+# JavaScript or shell scripts. Tools are mounted in an MCP server and have access
+# to secrets specified by the user. Only one of 'script' (JavaScript) or 'run'
+# (shell) must be specified per tool.
+# (optional)
+safe-inputs:
+  {}
+
 # Runtime environment version overrides. Allows customizing runtime versions
 # (e.g., Node.js, Python) or defining new runtimes. Runtimes from imported shared
 # workflows are also merged.