
--authorizer-type AWS_IAM rejected by agentcore add gateway but selectable in interactive TUI #721


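# Runs the Strands agent when someone with write access comments "/strands ..."
# on an issue or pull request, or when the workflow is dispatched manually.
#
# NOTE(review): actions/github-script and actions/checkout are referenced by
# mutable major-version tags. Pinning each `uses:` to a full commit SHA is the
# usual supply-chain hardening for a job that holds write scopes and cloud
# credentials.
name: Strands Command Handler

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  workflow_dispatch:
    inputs:
      issue_id:
        description: 'Issue ID to process (can be issue or PR number)'
        required: true
        type: string
      command:
        description: 'Strands command to execute'
        required: false
        type: string
        default: ''
      session_id:
        description: 'Optional session ID to use'
        required: false
        type: string
        default: ''

# Every step in the job, including the agent and its shell tool, runs with
# these scopes. id-token: write lets the job request an OIDC token
# (presumably to assume AWS_ROLE_ARN; confirm against the strands-action).
permissions:
  id-token: write
  contents: write
  pull-requests: write
  issues: write

jobs:
  strands-agent:
    # Pre-filter only: any commenter can satisfy this condition. The actual
    # access gate is the "Check authorization" step below.
    if: startsWith(github.event.comment.body, '/strands') || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    steps:
      # Fails the job unless the commenter's repository permission is write
      # or admin. Must stay the first step so nothing runs for other users.
      - name: Check authorization
        uses: actions/github-script@v8
        with:
          script: |
            // Skip auth check for workflow_dispatch (manual runs); GitHub only
            // allows users with write access to dispatch a workflow.
            if (context.eventName === 'workflow_dispatch') {
              console.log('✅ Manual workflow dispatch - authorized');
              return;
            }
            // Check collaborator permissions for comment triggers
            try {
              const permissionResponse = await github.rest.repos.getCollaboratorPermissionLevel({
                owner: context.repo.owner,
                repo: context.repo.repo,
                username: context.payload.comment.user.login,
              });
              const permission = permissionResponse.data.permission;
              const hasWriteAccess = ['write', 'admin'].includes(permission);
              if (!hasWriteAccess) {
                console.log(`❌ User ${context.payload.comment.user.login} does not have write access (permission: ${permission})`);
                throw new Error('Insufficient permissions');
              }
              console.log(`✅ User ${context.payload.comment.user.login} has write access`);
            } catch (error) {
              // Fail closed: an API error is treated the same as a denial.
              console.log(`❌ Authorization failed: ${error.message}`);
              throw error;
            }

      # NOTE(review): no `ref` is given, so the event's default ref is checked
      # out. For pull_request_review_comment that is the PR merge ref, which
      # means the local script and local action used by later steps would come
      # from the PR's tree. Confirm that is intended.
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Add strands-running label
        uses: actions/github-script@v8
        env:
          # Passed through the environment rather than expanded into the
          # script text, so the value is always data and never JavaScript.
          ISSUE_NUMBER: ${{ inputs.issue_id || github.event.issue.number || github.event.pull_request.number }}
        with:
          script: |
            const rawIssueNumber = (process.env.ISSUE_NUMBER || '').trim();
            if (!/^[1-9]\d*$/.test(rawIssueNumber)) {
              throw new Error('Issue number must be a positive integer');
            }
            const issueNumber = Number(rawIssueNumber);
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: issueNumber,
              labels: ['strands-running']
            });

      - name: Process inputs and build prompts
        id: process-inputs
        uses: actions/github-script@v8
        env:
          # workflow_dispatch inputs are free-form strings; hand them over as
          # environment variables instead of splicing them into quoted
          # JavaScript literals, where a quote character would end the string.
          DISPATCH_ISSUE_ID: ${{ inputs.issue_id }}
          DISPATCH_COMMAND: ${{ inputs.command }}
          DISPATCH_SESSION_ID: ${{ inputs.session_id }}
        with:
          script: |
            const processInputs = require('./.github/scripts/javascript/process-inputs.cjs');
            // Empty strings on comment-triggered runs, as before.
            const inputs = {
              issue_id: process.env.DISPATCH_ISSUE_ID || '',
              command: process.env.DISPATCH_COMMAND || '',
              session_id: process.env.DISPATCH_SESSION_ID || ''
            };
            await processInputs(context, github, core, inputs);

      # NOTE(review): the agent is given a shell tool, the job token and an
      # AWS role. The authorization step vets only the person who wrote the
      # "/strands" comment; if the prompt built above also includes issue or
      # PR text written by others, that text is untrusted input to the model.
      # Verify how process-inputs.cjs assembles the prompt and how the action
      # consumes it.
      - name: Run Strands Agent
        uses: ./.github/actions/strands-action
        with:
          prompt: ${{ steps.process-inputs.outputs.prompt }}
          system_prompt: ${{ steps.process-inputs.outputs.system_prompt }}
          provider: 'bedrock'
          model: 'us.anthropic.claude-sonnet-4-5-20250929-v1:0'
          tools: 'strands_tools:shell,retrieve'
          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
          aws_region: 'us-west-2'
          pat_token: ${{ secrets.GITHUB_TOKEN }}
        env:
          SESSION_ID: ${{ steps.process-inputs.outputs.session_id }}
          S3_SESSION_BUCKET: ${{ secrets.AGENT_SESSIONS_BUCKET }}
          BRANCH_NAME: ${{ steps.process-inputs.outputs.branch_name }}

      # Runs even when earlier steps fail so the label never sticks; errors
      # here are logged and swallowed on purpose (best-effort cleanup).
      - name: Remove strands-running label
        if: always()
        uses: actions/github-script@v8
        env:
          # Same value as in the add-label step, again passed as data.
          ISSUE_NUMBER: ${{ inputs.issue_id || github.event.issue.number || github.event.pull_request.number }}
        with:
          script: |
            try {
              const rawIssueNumber = (process.env.ISSUE_NUMBER || '').trim();
              if (!/^[1-9]\d*$/.test(rawIssueNumber)) {
                throw new Error('Issue number must be a positive integer');
              }
              const issueNumber = Number(rawIssueNumber);
              await github.rest.issues.removeLabel({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: issueNumber,
                name: 'strands-running'
              });
            } catch (error) {
              console.log('Label removal failed (may not exist):', error.message);
            }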