fix(workflows): recompile agentic workflow lock files to gh-aw v0.68.1#1358
- upgrade gh-aw compiler v0.65.4 to v0.68.1, AWF v0.25.6 to v0.25.18, MCP Gateway v0.2.14 to v0.2.17
- fix sparse-checkout failure from glob patterns merged into git cone-mode checkout
- fix MCP servers blocked by policy preventing safe-output tool calls
- bump actions/github-script v8 to v9 and gh-aw-actions/setup to v0.68.1

🔧 - Generated by Copilot
Codecov Report
✅ All modified and coverable lines are covered by tests.

Coverage Diff (main vs. #1358):

| | main | #1358 | +/- |
|---|---|---|---|
| Coverage | 87.66% | 87.65% | -0.02% |
| Files | 61 | 61 | |
| Lines | 9328 | 9328 | |
| Hits | 8177 | 8176 | -1 |
| Misses | 1151 | 1152 | +1 |

Flags with carried forward coverage won't be shown.
PR Review Summary
All initial quality checks passed. This is a clean, focused infrastructure maintenance PR.
✅ Issue Alignment
The changes directly address the two root causes described in the linked issues:
- Fixes #1261 — Sparse-checkout failure in `dependency-pr-review` caused by cone-mode-incompatible `**` glob patterns being injected into `git sparse-checkout set` by the v0.65.4 compiler.
- The MCP policy blocking affecting all 5 workflows (v0.25.6 / Gateway v0.2.14 incompatibility with the updated runtime) is addressed by the compiler bump.
No scope creep. The PR does exactly what the issues require.
✅ PR Template Compliance
All required sections are present and correctly completed:
- Description is thorough, with root cause analysis and a clear version table.
- Related issues are properly linked with `Fixes #`.
- GitHub Actions workflow is checked — appropriate since all changed files are `.github/workflows/*.lock.yml` and `.github/aw/actions-lock.json`.
- Testing section accurately describes the validation approach for generated files (`gh aw compile --strict`, `gh aw status`).
- Security Considerations section includes a helpful narrative about the action SHA being a first-party trusted source.
- AI Artifact checklist items are correctly left unchecked (N/A for this change type).
✅ Coding Standards
All 5 .lock.yml files are auto-generated by gh aw compile --strict. The gh-aw-manifest headers confirm SHA-pinned action references throughout (e.g., actions/github-script@sha:373c709c..., github/gh-aw-actions/setup@sha:2fe53acc...). This satisfies the repository's dependency pinning requirements for workflow files.
✅ Code Quality & Security
- No secrets introduced or modified; the same four tokens (`COPILOT_GITHUB_TOKEN`, `GH_AW_GITHUB_MCP_SERVER_TOKEN`, `GH_AW_GITHUB_TOKEN`, `GITHUB_TOKEN`) are used across all workflows as before.
- The `actions/github-script` v8 → v9 and `github/gh-aw-actions/setup` v0.65.6 → v0.68.1 bumps are routine version updates of first-party/trusted actions.
- Consolidating four stale `github/gh-aw-actions/setup` version pins into a single v0.68.1 entry is a welcome cleanup.
💡 Minor Observation (non-blocking)
The actions/github-script@v8 entry in .github/aw/actions-lock.json remains after this change, while the PR description states that all generated workflow steps now use v9. If no lock file references v8 anymore, this entry is orphaned. Since the lock file is compiler-managed, this is expected behavior if the compiler retains historical entries — but it's worth confirming that gh aw compile intentionally keeps the v8 entry or whether a follow-up cleanup pass would remove it.
Overall: This PR is well-scoped, clearly described, and correctly addresses the identified runtime failures. The changes are entirely auto-generated output, validated by the compiler's strict mode.
Note
🔒 Integrity filter blocked 1 item
The following item was blocked because it doesn't meet the GitHub integrity level.
- #1357 (`issue_read`): has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
To allow these resources, lower min-integrity in your GitHub frontmatter:

```yaml
tools:
  github:
    min-integrity: approved # merged | approved | unapproved | none
```

- remove orphaned actions/github-script@v8 and github/gh-aw/actions/[email protected]
- add missing actions/[email protected], actions/[email protected], actions/upload-artifact@v7

🧹 - Generated by Copilot
Advisory review — this PR is from a maintainer. Findings are informational only.
PR Review Summary
This is a clean, well-scoped infrastructure maintenance PR. All 6 changed files are auto-generated lock files produced by gh aw compile --strict. The review addresses two confirmed runtime failures. No source workflow .md files are modified.
✅ Issue Alignment
The changes directly address both linked issues:
- Fixes #1261 — Sparse-checkout failure in `dependency-pr-review` caused by cone-mode-incompatible `**` glob patterns injected by the v0.65.4 compiler.
- Fixes #1357 — MCP policy blocking across all workflows due to incompatible AWF/MCP Gateway versions with the updated runtime.
No scope creep. The previous review's observation about a stale actions/github-script@v8 entry in actions-lock.json has been addressed — it is now removed.
⚠️ PR Template Compliance — Minor Finding
The Bug fix checkbox under Type of Change is unchecked. The commit title (fix(workflows): ...) and the description explicitly describe two runtime failures being fixed. Checking Bug fix alongside GitHub Actions workflow would more accurately reflect the intent of this PR and align with the conventional commit type in the title.
No other template compliance issues. Description, testing notes, security considerations, and checklist sections are all well-completed.
✅ Coding Standards
All uses: references across all 5 lock files are SHA-pinned with inline version comments (e.g., github/gh-aw-actions/setup@2fe53acc038ba01c3bbdc767d4b25df31ca5bdfc # v0.68.1), satisfying the repository's dependency pinning requirements.
Informational — pre-existing state: None of the lock files contain a top-level permissions: block. The Test-WorkflowPermissions.ps1 script currently only excludes copilot-setup-steps.yml by name, so lock files are technically in scope for that check. However, this is a pre-existing condition (the prior lock files compiled with v0.65.4 also lacked top-level permissions blocks) and is a limitation of the auto-generated format — not something this PR introduced or can address without an upstream change to the gh-aw compiler.
Informational — two SHAs for actions/github-script@v9: The gh-aw-manifest header in each lock file explicitly documents two distinct SHAs resolving to v9 (373c709c... used in setup/manifest steps, 3a2844b7... used in runtime steps). This is transparent compiler behavior — not a hidden inconsistency — and is consistent across all 5 generated files.
✅ Code Quality & Security
- No new secrets introduced. The same four tokens (`COPILOT_GITHUB_TOKEN`, `GH_AW_GITHUB_MCP_SERVER_TOKEN`, `GH_AW_GITHUB_TOKEN`, `GITHUB_TOKEN`) are used unchanged.
- `actions/github-script` v8 → v9 and `github/gh-aw-actions/setup` v0.65.6 → v0.68.1 are routine version bumps of first-party/trusted actions.
- Consolidating four stale `github/gh-aw-actions/setup` version pins into a single v0.68.1 entry is a welcome cleanup.
- The `gh-aw-manifest` headers added to each lock file improve transparency for security reviews.
Overall: Well-executed infrastructure upgrade. The only actionable suggestion is checking the Bug fix checkbox in the Type of Change section to align with the PR's conventional commit type and description.
Note
🔒 Integrity filter blocked 1 item
The following item was blocked because it doesn't meet the GitHub integrity level.
- #1357 (`issue_read`): has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
To allow these resources, lower min-integrity in your GitHub frontmatter:

```yaml
tools:
  github:
    min-integrity: approved # merged | approved | unapproved | none
```
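The SHA-pinning standard both reviews check against can be verified mechanically. The following is an added example, not code from the gh-aw project or this repository's own lint scripts; `unpinned_uses` and the sample workflow text are the example's own constructions (the one pinned SHA is the `github/gh-aw-actions/setup` commit quoted in the PR).

```python
"""Check that every `uses:` reference in a workflow is pinned to a full commit SHA.

Added example, not code from the gh-aw project: it implements the
dependency-pinning check the reviews apply to the generated lock files.
The sample workflow text is constructed here, not copied from the PR.
"""
import re

# A `uses:` line, with or without a leading list dash; the reference ends at
# whitespace or at the start of a trailing '# vX.Y.Z' comment.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Pinned form: owner/repo(/subpath)@<40 hex chars>.
PINNED_REF = re.compile(r"^[\w.-]+/[\w.-]+(?:/[\w./-]+)?@[0-9a-f]{40}$")


def unpinned_uses(workflow_text):
    """Return the `uses:` references that are not pinned to a 40-hex commit SHA.

    Local actions ('./path') and Docker references ('docker://...') are skipped;
    every other reference must match PINNED_REF (tags such as '@v9' do not).
    """
    unpinned = []
    for line in workflow_text.splitlines():
        match = USES_LINE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if not PINNED_REF.match(ref):
            unpinned.append(ref)
    return unpinned


# Constructed sample: one SHA-pinned step in the form the gh-aw compiler emits,
# two tag-pinned steps the check should flag, and one local action it skips.
SAMPLE_WORKFLOW = """\
steps:
  - uses: github/gh-aw-actions/setup@2fe53acc038ba01c3bbdc767d4b25df31ca5bdfc # v0.68.1
  - uses: actions/github-script@v9
  - uses: example-org/example-action@main
  - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for ref in unpinned_uses(SAMPLE_WORKFLOW):
        print("not SHA-pinned:", ref)
```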
Closing as this will be fixed in a new upcoming PR.
Description
Recompiled all 5 agentic workflow lock files from gh-aw v0.65.4 to v0.68.1, resolving two distinct runtime failures that caused repeated "No Safe Outputs Generated" errors across 20+ workflow runs.
Root Causes Fixed
The sparse-checkout failure in `dependency-pr-review` occurred because the v0.65.4 compiler merged `on.pull_request.paths` glob patterns (`**/requirements.txt`, `**/pyproject.toml`) into the `git sparse-checkout set` command. Git cone-mode rejects `**` glob patterns with `fatal: specify directories rather than patterns`.

The MCP policy blocking affected all workflows. Lock files compiled with AWF v0.25.6 and MCP Gateway v0.2.14 were incompatible with the updated runtime's stricter MCP server policies, causing `2 MCP servers were blocked by policy: 'github', 'safeoutputs'`. The agent completed reviews but could not submit results through safe-output tools.

Version Upgrades
All lock files updated to the same component versions:

| Component | Before | After |
|---|---|---|
| gh-aw compiler | v0.65.4 | v0.68.1 |
| AWF | v0.25.6 | v0.25.18 |
| MCP Gateway | v0.2.14 | v0.2.17 |
| `actions/github-script` | v8 | v9 |
| `github/gh-aw-actions/setup` | v0.65.6 | v0.68.1 |

The actions-lock.json consolidated 4 stale `github/gh-aw-actions/setup` version pins (v0.63.1, v0.65.4, v0.65.6, v0.67.1) into a single v0.68.1 entry.
Related Issue(s)
Fixes #1261
Fixes #1357
Type of Change
Select all that apply:
- Code & Documentation:
- Infrastructure & Configuration: GitHub Actions workflow
- AI Artifacts (template items: ran the `prompt-builder` agent and addressed all feedback; `.github/instructions/*.instructions.md`; `.github/prompts/*.prompt.md`; `.github/agents/*.agent.md`; `.github/skills/*/SKILL.md`)
- Other: scripts (`.ps1`, `.sh`, `.py`)
Sample Prompts (for AI Artifact Contributions)
Testing
- `gh aw compile --strict` passed with 0 errors (5 warnings for the new `github/gh-aw-actions/setup` action SHA, expected for version upgrades)
- `gh aw status` confirmed all 5 workflows as compiled and active
- No `.md` files were modified — only auto-generated lock files changed
Checklist
Required Checks
AI Artifact Contributions
- `/prompt-analyze` to review contribution
- `prompt-builder` review
Required Automated Checks
The following validation commands must pass before merging:
- `npm run lint:md`
- `npm run spell-check`
- `npm run lint:frontmatter`
- `npm run validate:skills`
- `npm run lint:md-links`
- `npm run lint:ps`
- `npm run plugin:generate`
- `npm run docs:test`
Security Considerations
Security review of new action: The `github/gh-aw-actions/setup@2fe53acc038ba01c3bbdc767d4b25df31ca5bdfc` (v0.68.1) is the official gh-aw setup action from GitHub, replacing the previous SHA `536ea1ba` (v0.65.6). This is a routine version bump of an existing first-party trusted action. No new secrets are introduced; the same set is used across all workflows: `COPILOT_GITHUB_TOKEN`, `GH_AW_GITHUB_MCP_SERVER_TOKEN`, `GH_AW_GITHUB_TOKEN`, `GITHUB_TOKEN`.
Additional Notes
- `gh-aw-manifest` headers listing all secrets and actions used were added to each lock file, improving transparency for security reviews.
- The `actions/github-script` upgrade from v8 to v9 was part of the gh-aw compiler's dependency updates and applies to all generated workflow steps.
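The cone-mode failure described under Root Causes can be caught before `git sparse-checkout set` ever runs by classifying the path filters first. This is an added example, not code from the gh-aw compiler; `classify_sparse_paths` and the sample list are the example's own, with the two glob filters taken from the PR description.

```python
"""Pre-check for cone-mode sparse checkout paths.

Added example, not code from the gh-aw project: it mirrors the failure mode
in the PR (git cone mode rejecting '**' glob patterns with
"fatal: specify directories rather than patterns") by classifying
`on.pull_request.paths` entries before they reach `git sparse-checkout set`.
"""
import posixpath
import re

# Glob metacharacters that turn a path into a pattern; cone mode accepts
# only plain directory paths.
_GLOB_CHARS = re.compile(r"[*?\[\]]")


def classify_sparse_paths(paths):
    """Split path-filter entries into cone-mode-safe directories and rejected patterns.

    Returns (directories, rejected). A literal file path is reduced to its
    parent directory, because cone mode takes directories rather than files;
    entries with glob metacharacters or a leading '!' (negation) are rejected
    so the caller can fail early instead of letting git abort the checkout.
    """
    directories, rejected = [], []
    for entry in paths:
        entry = entry.strip()
        if not entry or entry.startswith("!") or _GLOB_CHARS.search(entry):
            rejected.append(entry)
            continue
        if entry.endswith("/"):
            directory = entry.rstrip("/")
        else:
            directory = posixpath.dirname(entry)
        directory = directory or "."  # top-level file: the repo root is always checked out
        if directory not in directories:
            directories.append(directory)
    return directories, rejected


# Constructed sample input: the two glob filters named in the PR plus two
# literal paths for contrast.
SAMPLE_PATHS = ["**/requirements.txt", "**/pyproject.toml", "src/", "docs/index.md"]

if __name__ == "__main__":
    dirs, bad = classify_sparse_paths(SAMPLE_PATHS)
    print("cone-mode directories:", dirs)
    print("rejected patterns (would fail 'git sparse-checkout set'):", bad)
```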