Fix agentic workflow lock file hash mismatch#107
Conversation
…t hash
- Downloaded and installed gh-aw v0.43.5 binary
- Compiled news-article-generator.md to update lock file
- Hash updated: abd33c7303ff... -> ca7bc476d1e4...
- Added compile-agentic-workflows.yml for future automation
Co-authored-by: pethers <[email protected]>
- Created AGENTIC_WORKFLOWS.md with complete compilation guide
- Documented manual and automatic compilation methods
- Added troubleshooting section
- Included hash verification details
- Security and best practices sections
Co-authored-by: pethers <[email protected]>
Pull request overview
Fixes agentic workflow activation failures caused by a stale lock-file hash, and adds automation + documentation to keep workflow markdown sources and compiled lock files in sync.
Changes:
- Recompiled `news-article-generator.lock.yml` to update the stored `frontmatter-hash`.
- Added a GitHub Actions workflow to auto-compile `.github/workflows/*.md` into `.lock.yml` and push updates.
- Added documentation describing compilation, hash verification, and troubleshooting.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| docs/AGENTIC_WORKFLOWS.md | Documents how agentic workflow sources compile to lock files and how hash verification works. |
| .github/workflows/news-article-generator.lock.yml | Updates the frontmatter-hash to match the current markdown frontmatter. |
| .github/workflows/compile-agentic-workflows.yml | Adds CI automation to compile .md workflows into .lock.yml and commit results. |
| # Set output to indicate manual action needed | ||
| echo "needs_manual_compile=true" >> $GITHUB_OUTPUT | ||
| exit 1 |
The compile step exits with status 1 when gh-aw isn't available, which will stop the job and prevent the later 'Create issue for manual compilation' step from running. Make the compile step continue-on-error: true (or restructure so the job continues), and gate the issue creation with if: always() && steps.compile.outputs.needs_manual_compile == 'true' so the issue can be created reliably.
| exit 1 | |
| break |
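Review bot: the suggested edit that swaps `exit 1` for `break` does not do what the comment above recommends. `break` is only meaningful inside a `for`/`while`/`until` loop; outside one, bash prints a warning, returns status 0 and continues with the next command, so the step would carry on (towards the `git push` that follows) with `needs_manual_compile=true` already written and nothing compiled. Keep the explicit `exit 1`, add `continue-on-error: true` to the compile step, and gate the follow-up with `if: always() && steps.compile.outputs.needs_manual_compile == 'true'` as the comment describes. While here, quote the output file in the preceding line: `echo "needs_manual_compile=true" >> "$GITHUB_OUTPUT"`.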
| git push | ||
| - name: Create issue for manual compilation | ||
| if: steps.compile.outputs.needs_manual_compile == 'true' |
The compile step exits with status 1 when gh-aw isn't available, which will stop the job and prevent the later 'Create issue for manual compilation' step from running. Make the compile step continue-on-error: true (or restructure so the job continues), and gate the issue creation with if: always() && steps.compile.outputs.needs_manual_compile == 'true' so the issue can be created reliably.
| if: steps.compile.outputs.needs_manual_compile == 'true' | |
| if: always() && steps.compile.outputs.needs_manual_compile == 'true' |
| # Try to install the GitHub CLI extension | ||
| # Note: This may require authentication | ||
| if gh auth status 2>/dev/null; then | ||
| gh extension install github/gh-aw || echo "Failed to install gh-aw extension" | ||
| else | ||
| echo "⚠️ GitHub CLI not authenticated" | ||
| echo "Skipping gh-aw installation" | ||
| fi |
The install logic skips installing the gh-aw extension unless gh auth status succeeds, which can cause the next step to fail even though GH_TOKEN is provided. Consider installing the extension unconditionally (and/or explicitly authenticating gh using the token), or download/use the gh-aw binary directly so compilation doesn't depend on extension state.
| # Try to install the GitHub CLI extension | |
| # Note: This may require authentication | |
| if gh auth status 2>/dev/null; then | |
| gh extension install github/gh-aw || echo "Failed to install gh-aw extension" | |
| else | |
| echo "⚠️ GitHub CLI not authenticated" | |
| echo "Skipping gh-aw installation" | |
| fi | |
| # Ensure GitHub CLI is available | |
| if ! command -v gh >/dev/null 2>&1; then | |
| echo "❌ GitHub CLI (gh) is not installed on this runner." | |
| exit 1 | |
| fi | |
| # Authenticate gh using the provided GH_TOKEN, if possible | |
| if [ -n "${GH_TOKEN:-}" ]; then | |
| echo "$GH_TOKEN" | gh auth login --with-token >/dev/null 2>&1 || { | |
| echo "⚠️ Failed to authenticate gh with GH_TOKEN; continuing anyway." | |
| } | |
| else | |
| echo "⚠️ GH_TOKEN is not set; attempting to install gh-aw without authentication." | |
| fi | |
| # Install the GitHub CLI extension unconditionally | |
| gh extension install github/gh-aw >/dev/null 2>&1 || { | |
| echo "⚠️ Failed to install gh-aw extension. gh aw may not be available." | |
| } |
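Review bot: both the original `gh extension install github/gh-aw` and the suggested replacement install whatever release of the extension is current at run time, while the commits on this PR compiled the lock file with gh-aw v0.43.5. With `contents: write` and a `git push` in the same workflow, an unpinned install means a new upstream release can change the generated `.lock.yml` that CI commits to the branch without anyone reviewing the tool change; pin the extension (`gh extension install github/gh-aw --pin v0.43.5`) or download the release binary at that fixed version and verify its checksum, and bump it deliberately. Two smaller points in the suggested block: `gh` already picks up a `GH_TOKEN` environment variable, so the `gh auth login --with-token` step is redundant, and the `>/dev/null 2>&1` on the install and login lines hides the actual error in the job log, leaving only the generic warning to debug from.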
| permissions: | ||
| contents: write | ||
| pull-requests: write |
This workflow calls github.rest.issues.create(...) but the job permissions do not include issues: write, so issue creation will fail on repositories with restricted default permissions. Add issues: write to permissions: (and consider dropping pull-requests: write unless you actually update PRs) to align with the API calls being made.
| pull-requests: write | |
| pull-requests: write | |
| issues: write |
| - name: Create issue for manual compilation | ||
| if: steps.compile.outputs.needs_manual_compile == 'true' | ||
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | ||
| with: | ||
| script: | | ||
| const issue = await github.rest.issues.create({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, |
This workflow calls github.rest.issues.create(...) but the job permissions do not include issues: write, so issue creation will fail on repositories with restricted default permissions. Add issues: write to permissions: (and consider dropping pull-requests: write unless you actually update PRs) to align with the API calls being made.
| ## Hash Verification | ||
|
|
||
| Lock files include a SHA256 hash of the markdown frontmatter: |
The doc states this is a 'SHA256 hash of the markdown frontmatter', but the PR description notes gh-aw uses a proprietary hash computation (not a raw frontmatter SHA256). Update the wording to avoid misleading readers (e.g., describe it as a gh-aw-computed frontmatter hash used for sync verification).
| Lock files include a SHA256 hash of the markdown frontmatter: | |
| Lock files include a `gh-aw`-computed hash of the markdown frontmatter: |
| - name: Setup Node.js | ||
| uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 | ||
| with: | ||
| node-version: '24' |
Node.js is set up but the workflow doesn't appear to run any Node-based tooling afterward. Removing this step would reduce job time and surface area unless gh-aw compilation truly depends on Node in your environment.
| - name: Setup Node.js | |
| uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 | |
| with: | |
| node-version: '24' |
Problem
The News Article Generator workflow failed activation due to stale lock file. GitHub Agentic Workflows compile markdown sources to YAML, with hash verification to ensure sync.
Changes
Core Fix
gh-aw v0.43.5 tool
Automation
`compile-agentic-workflows.yml` to auto-compile on markdown changes
`.github/workflows/*.md`
Documentation
`docs/AGENTIC_WORKFLOWS.md` covering:
Technical Notes
The gh-aw tool uses proprietary hash computation (not raw frontmatter SHA256). Binary available at github.com/github/gh-aw/releases. Lock file structure preserved (1133 lines), only hash line modified.