refactor: use git cat-file blob instead of git show in readBlobAsBase64

[Copilot]

Implements the reviewer suggestion from #26287: since the destination blob hash (dstHash) is already available from the git diff-tree -r --raw output introduced in #26259, there's no need to compose <sha>:<filePath> for git show. Using git cat-file blob <dstHash> directly is simpler (one argument instead of two) and more robust (direct object lookup by hash, no path resolution involved).

Changes

• readBlobAsBase64: Signature changed from (sha, filePath, cwd) to (blobHash, cwd). Uses git cat-file blob <blobHash> instead of git show <sha>:<filePath>.
• Extract dstHash from modeFields[3] (already guarded by the existing modeFields.length < 5 check).
• Update all three call sites (rename, copy, add/modify) to pass dstHash instead of sha, filePath.
• Update JSDoc accordingly.

---

Changeset

• Type: patch
• Description: Use git cat-file blob <hash> instead of git show <sha>:<path> when reading destination blobs in signed commit push operations, improving robustness and simplifying blob lookup.

Warning

⚠️ Firewall blocked 3 domains

The following domains were blocked by the firewall during workflow execution:

• ab.chatgpt.com
• chatgpt.com
• invalid.example.invalid

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "chatgpt.com"
    - "invalid.example.invalid"

See Network Configuration for more information.

Generated by Changeset Generator for issue #26349 · ◷

---

---

✨ PR Review Safe Output Test - Run 24433538607

💥 [THE END] — Illustrated by Smoke Claude · ● 191.9K · ◷

[Copilot]

Pull request overview

Refactors readBlobAsBase64 in the signed-commit replay helper to read blob content directly by object hash (from git diff-tree --raw) instead of using git show <sha>:<path>.

Changes:

• Update readBlobAsBase64 to accept (blobHash, cwd) and use git cat-file blob <blobHash>.
• Extract dstHash from raw diff fields and pass it through rename/copy/add-modify paths.
• Add a new repo-level .mcp.json MCP server configuration file.

Show a summary per file

File	Description
actions/setup/js/push_signed_commits.cjs	Switch blob reading to git cat-file blob <dstHash> and update helper signature + call sites.
.mcp.json	Adds MCP server configuration pointing at gh aw mcp-server.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 2

[Copilot]

The JSDoc inline code for the git command is split across lines, so the backticked snippet ends at git cat-file blob and <blobHash> is no longer part of the code span. This renders oddly and makes the command example ambiguous; consider keeping it as a single inline code span (e.g., git cat-file blob <blobHash>) or use a fenced code block in the comment text.

Suggested change

	* Read a blob object as a base64-encoded string using `git cat-file blob
	* <blobHash>`. The raw bytes emitted by git are collected via the
	* `exec.exec` stdout listener so that binary files are not corrupted by any
	* UTF-8 decoding layer (unlike `exec.getExecOutput` which always passes
	* stdout through a `StringDecoder('utf8')`).
	* Read a blob object as a base64-encoded string using `git cat-file blob <blobHash>`.
	* The raw bytes emitted by git are collected via the `exec.exec` stdout
	* listener so that binary files are not corrupted by any UTF-8 decoding
	* layer (unlike `exec.getExecOutput` which always passes stdout through a
	* `StringDecoder('utf8')`).

[Copilot]

This PR’s title/description is focused on refactoring readBlobAsBase64, but this adds a new .mcp.json MCP server configuration file. If this file was generated incidentally (e.g., by running gh aw init), it should be removed from this PR or called out explicitly in the description so reviewers understand the intent and impact of adding a repo-level tool configuration.

[github-actions]

Agreed — the .mcp.json file looks like it was incidentally generated and should be called out or removed. Good catch!

📰 BREAKING: Report filed by Smoke Copilot · ● 756K

[pelikhan]

@copilot review all comments

[Copilot]

@copilot review all comments

Both comments addressed in 7bedfc9:

• JSDoc backtick: Moved git cat-file blob <blobHash> onto a single line so the inline code span is rendered correctly.
• .mcp.json: Removed — it was generated incidentally and is unrelated to this refactoring.

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

⚠️ Smoke Gemini failed. Gemini encountered unexpected challenges...

[github-actions]

Agent Container Tool Check

Tool	Status	Version
bash	✅	5.2.21
sh	✅	available
git	✅	2.53.0
jq	✅	1.7
yq	✅	4.52.5
curl	✅	8.5.0
gh	✅	2.89.0
node	✅	20.20.2
python3	✅	3.12.3
go	✅	1.24.13
java	✅	10.0.201
dotnet	✅	10.0.201

Result: 12/12 tools available ✅

Overall Status: PASS

🔧 Tool validation by Agent Container Smoke Test · ● 157.3K · ◷

[github-actions]

Smoke test (Codex) for run 24433538575: FAIL

Merged PRs:

• Add shared/reporting.md import to non-compliant reporting workflows #26342 Add shared/reporting.md import to non-compliant reporting workflows
• fix: use .mcp.json instead of .vscode/mcp.json for Copilot CLI compatibility #26340 fix: use .mcp.json instead of .vscode/mcp.json for Copilot CLI compatibility

Results: GitHub MCP ✅, Serena activate ✅, Serena find_symbol ❌, Playwright ✅, web-fetch ❌, file write/read ✅, build ✅

Warning

⚠️ Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

• ab.chatgpt.com
• chatgpt.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "chatgpt.com"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex · ◷

[github-actions]

🤖 Smoke Test Results — Run §24433538576\n\n| Test | Status |\n|------|--------|\n| GitHub MCP | ✅ |\n| MCP Scripts GH CLI | ✅ |\n| Serena MCP | ✅ |\n| Playwright | ✅ |\n| Web Fetch | ✅ |\n| File Writing | ✅ |\n| Bash Tool | ✅ |\n| Discussion Interaction | ✅ |\n| Build gh-aw | ✅ |\n| Upload artifact | ✅ |\n| Create Discussion | ✅ |\n| Workflow Dispatch | ✅ |\n| PR Review | ✅ |\n\nOverall: ✅ PASS\n\nPR by @Copilot · Assignees: @pelikhan, @Copilot

📰 BREAKING: Report filed by Smoke Copilot · ● 756K · ◷

[github-actions]

Clean refactor — the simplified readBlobAsBase64(blobHash, cwd) signature is more focused and direct. Using git cat-file blob over git show sha:path removes path-resolution indirection and aligns with how the blob hash is already available from git diff-tree --raw.

📰 BREAKING: Report filed by Smoke Copilot · ● 756K

[github-actions]

Nice simplification! By accepting blobHash directly instead of (sha, filePath), this function now does exactly one thing: reads a blob by its object hash. This is more robust since it avoids any path resolution ambiguity.

[github-actions]

Good extraction of dstHash from modeFields[3] — it's already available from the git diff-tree --raw output and reusing it avoids the need to compose sha:filePath strings at the call sites.

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

Commit pushed: 4a596b6

Generated by Changeset Generator

[github-actions]

Smoke Test: Claude — Run §24433538607

Overall: PARTIAL (1 failed, 2 skipped)

Test	Status
#1 GitHub MCP (merged PRs)	✅
#2 mcpscripts-gh CLI	✅
#3 Serena MCP (find_symbol)	❌ EOF
#4 Make build	✅
#5 Playwright (github.com)	✅
#6 Tavily search	✅
#7 File writing	✅
#8 Bash tool	✅
#9 Discussion comment	✅
#10 Agentic Workflows MCP	✅
#11 Slack safe output	✅
#12 Code scanning alert	✅
#13 Update PR body	✅
#14 PR review comments	✅
#15 Submit PR review	✅
#16 Resolve review thread	⚠️
#17 Add reviewer	✅
#18 Push to PR branch	✅
#19 Close PR	⚠️

💥 [THE END] — Illustrated by Smoke Claude · ● 191.9K · ◷

[github-actions]

💥 Automated smoke test review - all systems nominal!

💥 [THE END] — Illustrated by Smoke Claude · ● 191.9K

[github-actions]

✅ Clean refactor: using blobHash directly instead of sha + filePath is more precise and avoids potential path-quoting issues. The function signature change is clear and well-documented.

[github-actions]

Good addition of dstHash from modeFields[3]. This aligns with the git diff-tree --raw output format and makes the blob hash available for the refactored readBlobAsBase64 call below.