Improve agentic workflows: add Hack23 domains, enhance translation quality, enable repo-memory

[Copilot]

• Analyze current network allowlists, safe-outputs, prompts, and translation quality
• Add hack23.com, riksdagsmonitor.com, hack23.github.io to all 12 workflow network allowlists
• Add Hack23 domains to all 12 workflow safe-outputs allowed-domains
• Fix duplicate domains in safe-outputs (www.riksdagen.se, www.regeringen.se appeared twice)
• Enhance SHARED_PROMPT_PATTERNS.md with Hack23 Ecosystem Context section
• Enhance news-translate.md with political intelligence translation standards
• Enhance language-expertise SKILL.md with 15+ new quality items and translation principles
• Add Hack23 Ecosystem Integration to ai-driven-analysis-guide.md
• Recompile all 12 lock files with gh aw compile
• Fix review: remove embedded single quotes from repo-memory filenames (all 12 workflows)
• Fix review: use jsonc fence for JSON with comments in SHARED_PROMPT_PATTERNS.md
• Fix review round 2: fix nested backtick fences in SHARED_PROMPT_PATTERNS.md (use 4-backtick outer fence)
• Fix review round 2: remove invalid --cross-check flag from news-translate.md
• Fix review round 2: clarify Norwegian file suffix no vs BCP-47 nb in news-translate.md
• Fix review round 3: add apex riksdagen.se to all 12 workflow network + safe-outputs allowlists
• Fix review round 3: shard repo-memory files by date to prevent unbounded growth exceeding max-file-size
• Fix review round 4: align all 12 workflow repo-memory sections with date-sharded covered-documents/{YYYY-MM-DD}.json
• Fix review round 5: apply expires: 14d codemod + recompile lock files with gh-aw v0.66.1
• Note: AGENTS.md in agent-side protected_files is a gh-aw compiler design decision (handler config enforces it)
• Validation passed — Code Review ✅, CodeQL ✅

[github-actions]

🏷️ Automatic Labeling Summary

This PR has been automatically labeled based on the files changed and PR metadata.

Applied Labels: documentation,workflow,ci-cd,size-xl,news,agentic-workflow

Label Categories

• 🗳️ Content: news, dashboard, visualization, intelligence
• 💻 Technology: html-css, javascript, workflow, security
• 📊 Data: cia-data, riksdag-data, data-pipeline, schema
• 🌍 I18n: i18n, translation, rtl
• 🔒 ISMS: isms, iso-27001, nist-csf, cis-controls
• 🏗️ Infrastructure: ci-cd, deployment, performance, monitoring
• 🔄 Quality: testing, accessibility, documentation, refactor
• 🤖 AI: agent, skill, agentic-workflow

For more information, see .github/labeler.yml.

[github-actions]

🔍 Lighthouse Performance Audit

Category	Score	Status
Performance	85/100	🟡
Accessibility	95/100	🟢
Best Practices	90/100	🟢
SEO	95/100	🟢

📥 Download full Lighthouse report

Budget Compliance: Performance budgets enforced via budget.json

[github-actions]

🔍 Lighthouse Performance Audit

Category	Score	Status
Performance	85/100	🟡
Accessibility	95/100	🟢
Best Practices	90/100	🟢
SEO	95/100	🟢

📥 Download full Lighthouse report

Budget Compliance: Performance budgets enforced via budget.json

[github-actions]

🔍 Lighthouse Performance Audit

Category	Score	Status
Performance	85/100	🟡
Accessibility	95/100	🟢
Best Practices	90/100	🟢
SEO	95/100	🟢

📥 Download full Lighthouse report

Budget Compliance: Performance budgets enforced via budget.json

[github-actions]

🔍 Lighthouse Performance Audit

Category	Score	Status
Performance	85/100	🟡
Accessibility	95/100	🟢
Best Practices	90/100	🟢
SEO	95/100	🟢

📥 Download full Lighthouse report

Budget Compliance: Performance budgets enforced via budget.json

[Copilot]

Pull request overview

This PR updates the repo’s agentic news workflows and guidance to support Hack23 ecosystem linking, tighten egress allowlists/safe-outputs, and introduce git-backed cross-run “repo-memory” state shared across workflows.

Changes:

• Add Hack23 ecosystem context/links to analysis and shared prompt pattern docs.
• Replace broad network wildcards with explicit allowlisted domains (including Hack23 domains) and expand safe-outputs allowed-domains accordingly.
• Enable repo-memory across news workflows and recompile associated .lock.yml files; add generated agentic maintenance workflow and expand translation quality standards.

Reviewed changes

Copilot reviewed 32 out of 32 changed files in this pull request and generated 15 comments.

Show a summary per file

File	Description
analysis/methodologies/ai-driven-analysis-guide.md	Adds Hack23 ecosystem integration references for analysis methodology.
.github/workflows/SHARED_PROMPT_PATTERNS.md	Adds Hack23 context + repo-memory usage patterns for workflows.
.github/workflows/news-weekly-review.md	Adds explicit allowlists/safe-outputs + repo-memory config + fuzzy schedule.
.github/workflows/news-weekly-review.lock.yml	Recompiled lock with updated domains/repo-memory/push job.
.github/workflows/news-week-ahead.md	Adds explicit allowlists/safe-outputs + repo-memory config + fuzzy schedule.
.github/workflows/news-translate.md	Adds explicit allowlists/safe-outputs + repo-memory + expanded translation standards.
.github/workflows/news-translate.lock.yml	Recompiled lock with updated domains/repo-memory/push job.
.github/workflows/news-realtime-monitor.md	Adds explicit allowlists/safe-outputs + repo-memory config.
.github/workflows/news-realtime-monitor.lock.yml	Recompiled lock with updated domains/repo-memory/push job.
.github/workflows/news-propositions.md	Adds explicit allowlists/safe-outputs + repo-memory config + fuzzy schedule.
.github/workflows/news-propositions.lock.yml	Recompiled lock with updated domains/repo-memory/push job.
.github/workflows/news-motions.md	Adds explicit allowlists/safe-outputs + repo-memory config + fuzzy schedule.
.github/workflows/news-monthly-review.md	Adds explicit allowlists/safe-outputs + repo-memory config.
.github/workflows/news-monthly-review.lock.yml	Recompiled lock with updated domains/repo-memory/push job.
.github/workflows/news-month-ahead.md	Adds explicit allowlists/safe-outputs + repo-memory config.
.github/workflows/news-month-ahead.lock.yml	Recompiled lock with updated domains/repo-memory/push job.
.github/workflows/news-interpellations.md	Adds explicit allowlists/safe-outputs + repo-memory config + fuzzy schedule.
.github/workflows/news-evening-analysis.md	Adds explicit allowlists/safe-outputs + repo-memory config.
.github/workflows/news-evening-analysis.lock.yml	Recompiled lock with updated domains/repo-memory/push job.
.github/workflows/news-committee-reports.md	Adds explicit allowlists/safe-outputs + repo-memory config + fuzzy schedule.
.github/workflows/news-committee-reports.lock.yml	Recompiled lock with updated domains/repo-memory/push job.
.github/workflows/news-article-generator.md	Adds explicit allowlists/safe-outputs + repo-memory config.
.github/workflows/news-article-generator.lock.yml	Recompiled lock with updated domains/repo-memory/push job.
.github/workflows/agentics-maintenance.yml	Adds generated maintenance workflow for expiring entities/operations.
.github/skills/language-expertise/SKILL.md	Expands translation QA checklist and principles; updates “Last Updated”.
.github/skills/gh-aw-workflow-authoring/SKILL.md	Updates scheduling guidance + adds repo-memory patterns.
.github/skills/gh-aw-mcp-configuration/SKILL.md	Updates MCP guidance to prefer repo/cache memory and skip sequential-thinking.
.github/skills/gh-aw-firewall/SKILL.md	Strengthens guidance against overly-broad wildcard allowlists.
.github/aw/actions-lock.json	Adds pinned entries for newer gh-aw setup/setup-cli actions.

[Copilot]

The example block is fenced as json but includes a // covered-documents.json comment line, which is invalid JSON and easy to copy/paste into repo-memory files. Consider either removing the comment line or switching the fence to jsonc to avoid downstream parse/validation errors.

[Copilot]

The repo-memory filename examples include embedded single quotes (e.g., last-run-'news-weekly-review'.json). This will create a different filename than the shared convention (last-run-{workflow-name}.json, e.g. last-run-news-weekly-review.json) and can break cross-workflow tooling that expects the conventional pattern.

[Copilot]

The repo-memory filename examples include embedded single quotes (e.g., last-run-'news-week-ahead'.json). This deviates from the shared last-run-{workflow-name}.json convention and may lead to inconsistent/duplicate state files. Prefer last-run-news-week-ahead.json (no embedded quotes).

Suggested change

	- Read `memory/news-generation/last-run-'news-week-ahead'.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-'news-week-ahead'.json` with date, documents analyzed, quality score
	- Read `memory/news-generation/last-run-news-week-ahead.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-week-ahead.json` with date, documents analyzed, quality score

[Copilot]

The repo-memory filename examples include embedded single quotes (e.g., last-run-'news-propositions'.json). This deviates from the shared last-run-{workflow-name}.json convention and can break scripts that rely on predictable filenames. Prefer last-run-news-propositions.json (no embedded quotes).

Suggested change

	- Read `memory/news-generation/last-run-'news-propositions'.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-'news-propositions'.json` with date, documents analyzed, quality score
	- Read `memory/news-generation/last-run-news-propositions.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-propositions.json` with date, documents analyzed, quality score

[Copilot]

The repo-memory filename examples include embedded single quotes (e.g., last-run-'news-motions'.json). This deviates from the shared last-run-{workflow-name}.json convention and may cause state to be written/read from an unexpected filename. Prefer last-run-news-motions.json (no embedded quotes).

Suggested change

	- Read `memory/news-generation/last-run-'news-motions'.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-'news-motions'.json` with date, documents analyzed, quality score
	- Read `memory/news-generation/last-run-news-motions.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-motions.json` with date, documents analyzed, quality score

[Copilot]

The repo-memory filename examples include embedded single quotes (e.g., last-run-'news-translate'.json). This deviates from the shared last-run-{workflow-name}.json convention and can make cross-workflow state harder to consume reliably. Prefer last-run-news-translate.json (no embedded quotes).

Suggested change

	- Read `memory/news-generation/last-run-'news-translate'.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-'news-translate'.json` with date, documents analyzed, quality score
	- Read `memory/news-generation/last-run-news-translate.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-translate.json` with date, documents analyzed, quality score

[Copilot]

The repo-memory filename examples include embedded single quotes (e.g., last-run-'news-article-generator'.json). This deviates from the shared last-run-{workflow-name}.json convention and may lead to writing state under unexpected filenames. Prefer last-run-news-article-generator.json (no embedded quotes).

Suggested change

	- Read `memory/news-generation/last-run-'news-article-generator'.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-'news-article-generator'.json` with date, documents analyzed, quality score
	- Read `memory/news-generation/last-run-news-article-generator.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-article-generator.json` with date, documents analyzed, quality score

[Copilot]

This guidance says to skip @modelcontextprotocol/server-sequential-thinking, but the PR title/description indicate sequential-thinking MCP servers are being added to all workflows. Please align the PR messaging and the repo guidance (either add the server everywhere as described, or update the PR title/description to reflect that sequential-thinking is intentionally not used).

[Copilot]

This newly added workflow runs with elevated write permissions in multiple jobs but does not include the repo’s standard hardening step (step-security/harden-runner) that is present in other workflows (e.g. .github/workflows/compile-agentic-workflows.yml). Consider adding a Harden Runner step at the start of each job to keep the workflow security baseline consistent.

[Copilot]

The repo-memory filename examples include embedded single quotes (e.g., last-run-'news-committee-reports'.json). This deviates from the shared last-run-{workflow-name}.json convention and can lead to inconsistent state file naming across workflows. Prefer last-run-news-committee-reports.json (no embedded quotes).

Suggested change

	- Read `memory/news-generation/last-run-'news-committee-reports'.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-'news-committee-reports'.json` with date, documents analyzed, quality score
	- Read `memory/news-generation/last-run-news-committee-reports.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-committee-reports.json` with date, documents analyzed, quality score

[github-actions]

🔍 Lighthouse Performance Audit

Category	Score	Status
Performance	85/100	🟡
Accessibility	95/100	🟢
Best Practices	90/100	🟢
SEO	95/100	🟢

📥 Download full Lighthouse report

Budget Compliance: Performance budgets enforced via budget.json

[Copilot]

Pull request overview

Copilot reviewed 32 out of 32 changed files in this pull request and generated 13 comments.

[Copilot]

safe-outputs.allowed-domains whitelists www.riksdagen.se but not the apex riksdagen.se. Existing generated articles in this repo link to https://riksdagen.se/..., and since this PR removes the *.se wildcard from the firewall/allowlists, those links (and any fetches to the apex host) will be blocked. Add riksdagen.se to both network: and safe-outputs.allowed-domains: (then recompile lockfiles).

[Copilot]

safe-outputs.allowed-domains whitelists www.riksdagen.se but not riksdagen.se. Since this PR removes the *.se wildcard, links/fetches to https://riksdagen.se/... (currently present in generated news content) will be blocked. Add riksdagen.se to both network: and safe-outputs.allowed-domains:.

[Copilot]

safe-outputs.allowed-domains includes www.riksdagen.se but not the apex riksdagen.se. With the removal of *.se wildcards, any generated links to https://riksdagen.se/... (which the repo already contains) will now violate allowlists. Add riksdagen.se to both network: and safe-outputs.allowed-domains:.

[Copilot]

safe-outputs.allowed-domains whitelists www.riksdagen.se but not riksdagen.se. Now that the *.se wildcard is removed, links/fetches to the apex host (already used by existing generated articles) will be blocked. Add riksdagen.se to both network: and safe-outputs.allowed-domains:.

[Copilot]

The guidance to continuously append to a single memory/news-generation/covered-documents.json (and other cumulative JSON files) will grow unbounded over time and is likely to exceed the configured repo-memory.max-file-size (50 KB) or hit patch-size limits, causing pushes to start failing. Consider sharding by date (e.g., covered-documents/2026-04-04.json) and/or pruning to a rolling window when writing.

Suggested change

	2. Read `memory/news-generation/covered-documents.json` to avoid re-analyzing documents already covered today
	3. Read `memory/news-generation/quality-scores.json` to track improvement trends
	**When to WRITE memory (end of every run):**
	1. Update `memory/news-generation/last-run-{workflow-name}.json` with:
	- `date`, `article_type`, `documents_analyzed` (array of dok_ids), `articles_generated` (count), `quality_score`
	2. Append to `memory/news-generation/covered-documents.json`:
	- Each dok_id processed today with article_type and timestamp
	3. Update `memory/news-generation/quality-scores.json` with cumulative quality metrics
	**File naming convention:**
	- `last-run-{workflow-name}.json` — per-workflow state (e.g., `last-run-news-propositions.json`)
	- `covered-documents.json` — cross-workflow deduplication index
	- `quality-scores.json` — quality tracking across all workflows
	- `translation-status.json` — tracks which articles need translation (used by news-translate)
	**Example: Deduplication across workflows**
	```jsonc
	// covered-documents.json
	{
	"2026-04-04": {
	"H901FiU1": { "workflow": "news-committee-reports", "timestamp": "2026-04-04T06:15:00Z" },
	"H902Prop45": { "workflow": "news-propositions", "timestamp": "2026-04-04T07:30:00Z" }
	}
	2. Read `memory/news-generation/covered-documents/{YYYY-MM-DD}.json` for today (and optionally yesterday) to avoid re-analyzing documents already covered recently
	3. Read `memory/news-generation/quality-scores-summary.json` for rolling trends, and `memory/news-generation/quality-scores/{YYYY-MM-DD}.json` only when you need same-day detailed metrics
	**When to WRITE memory (end of every run):**
	1. Update `memory/news-generation/last-run-{workflow-name}.json` with:
	- `date`, `article_type`, `documents_analyzed` (array of dok_ids), `articles_generated` (count), `quality_score`
	2. Write today's processed documents to `memory/news-generation/covered-documents/{YYYY-MM-DD}.json`:
	- Each dok_id processed today with article_type and timestamp
	- Keep this sharded by date instead of appending forever to a single file; retain only a rolling window of recent shards needed for deduplication
	3. Write detailed quality metrics to `memory/news-generation/quality-scores/{YYYY-MM-DD}.json` and update `memory/news-generation/quality-scores-summary.json` with compact rolling aggregates only
	- Do not store unbounded cumulative history in a single JSON file; prune old shards based on the retention window your workflow needs
	**File naming convention:**
	- `last-run-{workflow-name}.json` — per-workflow state (e.g., `last-run-news-propositions.json`)
	- `covered-documents/{YYYY-MM-DD}.json` — cross-workflow deduplication index, sharded by date
	- `quality-scores/{YYYY-MM-DD}.json` — detailed quality tracking, sharded by date
	- `quality-scores-summary.json` — bounded rolling summary across workflows
	- `translation-status.json` — tracks which articles need translation (used by news-translate)
	**Example: Deduplication across workflows**
	```jsonc
	// covered-documents/2026-04-04.json
	{
	"H901FiU1": { "workflow": "news-committee-reports", "timestamp": "2026-04-04T06:15:00Z" },
	"H902Prop45": { "workflow": "news-propositions", "timestamp": "2026-04-04T07:30:00Z" }

[Copilot]

Only www.riksdagen.se is allowlisted (not riksdagen.se) in network.allowed and safe-outputs.allowed-domains. With *.se removed, existing https://riksdagen.se/... links will now fail allowlist validation. Add riksdagen.se to both allowlists and recompile.

[Copilot]

network.allowed / safe-outputs.allowed-domains list www.riksdagen.se but not riksdagen.se. Since the PR removes *.se, any https://riksdagen.se/... URLs (present in existing generated articles) will be blocked. Add riksdagen.se to both allowlists and recompile.

[Copilot]

The allowlists include www.riksdagen.se but not the apex riksdagen.se. With the removal of *.se, generated links to https://riksdagen.se/... (already used in repo content) will be rejected/blocked. Add riksdagen.se to both network.allowed and safe-outputs.allowed-domains and recompile.

[Copilot]

www.riksdagen.se is allowlisted but the apex riksdagen.se is not. After removing *.se, any use of https://riksdagen.se/... (seen in existing generated news pages) will fail allowlist validation. Add riksdagen.se to both network.allowed and safe-outputs.allowed-domains, then recompile.

[Copilot]

network.allowed / safe-outputs.allowed-domains allow www.riksdagen.se but not riksdagen.se. With *.se removed, any generated https://riksdagen.se/... links will be blocked (these already exist in repo news pages). Add riksdagen.se to both allowlists and recompile the lockfile.

[pethers]

@copilot apply changes based on the comments in this thread

[github-actions]

🔍 Lighthouse Performance Audit

Category	Score	Status
Performance	85/100	🟡
Accessibility	95/100	🟢
Best Practices	90/100	🟢
SEO	95/100	🟢

📥 Download full Lighthouse report

Budget Compliance: Performance budgets enforced via budget.json

[Copilot]

@copilot apply changes based on the comments in this thread

All 13 review comments addressed in 9c604eb:

1. Apex riksdagen.se (all 12 workflows): Added riksdagen.se to both network: and safe-outputs.allowed-domains: alongside the existing www.riksdagen.se and data.riksdagen.se.
2. Repo-memory unbounded growth (SHARED_PROMPT_PATTERNS.md): Sharded covered-documents.json → covered-documents/{YYYY-MM-DD}.json and quality-scores.json → quality-scores/{YYYY-MM-DD}.json + quality-scores-summary.json for compact rolling aggregates. Retains only last 7 days for deduplication.

All 12 lock files recompiled. Code Review ✅, CodeQL ✅.

[Copilot]

Pull request overview

Copilot reviewed 32 out of 32 changed files in this pull request and generated 24 comments.

[Copilot]

The repo-memory guidance here points to memory/news-generation/covered-documents.json, but SHARED_PROMPT_PATTERNS defines the dedup index as sharded by date (covered-documents/{YYYY-MM-DD}.json) to avoid unbounded growth and exceeding repo-memory max-file-size/max-patch-size. Update the referenced path to the sharded file (and align the “today/yesterday” lookup with that convention).

[Copilot]

This end-of-run instruction appends to memory/news-generation/covered-documents.json, which contradicts the PR’s sharded repo-memory design (covered-documents/{YYYY-MM-DD}.json) and can cause the file to grow until pushes fail the 50KB size/patch limits. Write to the date shard and include a retention/prune note consistent with SHARED_PROMPT_PATTERNS.

[Copilot]

The repo-memory guidance here points to memory/news-generation/covered-documents.json, but SHARED_PROMPT_PATTERNS defines the dedup index as sharded by date (covered-documents/{YYYY-MM-DD}.json) to keep repo-memory bounded. Update the read path to the date shard (today and optionally yesterday).

Suggested change

	- Read `memory/news-generation/covered-documents.json` to check which dok_ids were already analyzed today
	- Read `memory/news-generation/last-run-news-week-ahead.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-week-ahead.json` with date, documents analyzed, quality score
	- Append processed dok_ids to `memory/news-generation/covered-documents.json`
	- Read `memory/news-generation/covered-documents/{YYYY-MM-DD}.json` for today to check which dok_ids were already analyzed
	- Optionally also read yesterday's shard `memory/news-generation/covered-documents/{YYYY-MM-DD}.json` when needed to avoid overlap across day boundaries
	- Read `memory/news-generation/last-run-news-week-ahead.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-week-ahead.json` with date, documents analyzed, quality score
	- Append processed dok_ids to today's shard: `memory/news-generation/covered-documents/{YYYY-MM-DD}.json`

[Copilot]

This end-of-run instruction appends to memory/news-generation/covered-documents.json, but the shared repo-memory spec in SHARED_PROMPT_PATTERNS uses date-sharded files (covered-documents/{YYYY-MM-DD}.json) to prevent unbounded growth and repo-memory push failures. Update the write path accordingly (and retain/prune shards).

Suggested change

	- Read `memory/news-generation/covered-documents.json` to check which dok_ids were already analyzed today
	- Read `memory/news-generation/last-run-news-week-ahead.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-week-ahead.json` with date, documents analyzed, quality score
	- Append processed dok_ids to `memory/news-generation/covered-documents.json`
	- Read today's shard `memory/news-generation/covered-documents/{YYYY-MM-DD}.json` (using the effective article date for this run) to check which dok_ids were already analyzed today
	- Read `memory/news-generation/last-run-news-week-ahead.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-week-ahead.json` with date, documents analyzed, quality score
	- Append processed dok_ids to today's shard `memory/news-generation/covered-documents/{YYYY-MM-DD}.json` instead of a shared append-only file
	- Retain/prune dated `covered-documents/` shards according to the shared repo-memory policy so repo-memory stays bounded

[Copilot]

The repo-memory read guidance references memory/news-generation/covered-documents.json, but the shared repo-memory contract in SHARED_PROMPT_PATTERNS expects date-sharded dedup files (covered-documents/{YYYY-MM-DD}.json). Align this workflow’s instructions to read the date shard(s) instead of a single ever-growing file.

Suggested change

	- Read `memory/news-generation/covered-documents.json` to check which dok_ids were already analyzed today
	- Read `memory/news-generation/last-run-news-translate.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-translate.json` with date, documents analyzed, quality score
	- Append processed dok_ids to `memory/news-generation/covered-documents.json`
	- Read the relevant date shard(s) under `memory/news-generation/covered-documents/{YYYY-MM-DD}.json` to check which dok_ids were already analyzed for the article date/run date
	- Read `memory/news-generation/last-run-news-translate.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-translate.json` with date, documents analyzed, quality score
	- Append processed dok_ids to the current run date shard at `memory/news-generation/covered-documents/{YYYY-MM-DD}.json`

[Copilot]

The end-of-run instructions append to memory/news-generation/covered-documents.json, but the repo-memory pattern in SHARED_PROMPT_PATTERNS is sharded by date (covered-documents/{YYYY-MM-DD}.json) to keep pushes within limits. Update the write target to the date shard and include retention/pruning guidance.

Suggested change

	- Read `memory/news-generation/covered-documents.json` to check which dok_ids were already analyzed today
	- Read `memory/news-generation/last-run-news-evening-analysis.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-evening-analysis.json` with date, documents analyzed, quality score
	- Append processed dok_ids to `memory/news-generation/covered-documents.json`
	- Update `memory/news-generation/translation-status.json` with new articles needing translation
	- Read `memory/news-generation/covered-documents/{YYYY-MM-DD}.json` for the effective article date (use `article_date` when provided, otherwise today's run date) to check which dok_ids were already analyzed for that day
	- Read `memory/news-generation/last-run-news-evening-analysis.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-evening-analysis.json` with date, documents analyzed, quality score
	- Append processed dok_ids to `memory/news-generation/covered-documents/{YYYY-MM-DD}.json` for the effective article date (create the shard if missing)
	- Update `memory/news-generation/translation-status.json` with new articles needing translation
	- Retention/pruning: keep covered-document memory sharded by date, avoid rewriting older shards unnecessarily, and prune/expire old daily shards according to the shared repo-memory retention policy so pushes stay within size limits

[Copilot]

Repo-memory dedup is described in SHARED_PROMPT_PATTERNS as covered-documents/{YYYY-MM-DD}.json (date-sharded). This workflow still instructs reading covered-documents.json, which will diverge from the shared convention and risks unbounded growth. Update the read path to the date shard(s).

Suggested change

	- Read `memory/news-generation/covered-documents.json` to check which dok_ids were already analyzed today
	- Read `memory/news-generation/last-run-news-committee-reports.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-committee-reports.json` with date, documents analyzed, quality score
	- Append processed dok_ids to `memory/news-generation/covered-documents.json`
	- Read `memory/news-generation/covered-documents/{YYYY-MM-DD}.json` for the effective article date of this run to check which dok_ids were already analyzed that day
	- Read `memory/news-generation/last-run-news-committee-reports.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-committee-reports.json` with date, documents analyzed, quality score
	- Append processed dok_ids to `memory/news-generation/covered-documents/{YYYY-MM-DD}.json` for the effective article date of this run

[Copilot]

The end-of-run guidance appends to memory/news-generation/covered-documents.json, but the shared repo-memory design uses date shards (covered-documents/{YYYY-MM-DD}.json) to stay within repo-memory max-file-size/max-patch-size. Update this instruction to write to the date shard and prune old shards.

Suggested change

	- Read `memory/news-generation/covered-documents.json` to check which dok_ids were already analyzed today
	- Read `memory/news-generation/last-run-news-committee-reports.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-committee-reports.json` with date, documents analyzed, quality score
	- Append processed dok_ids to `memory/news-generation/covered-documents.json`
	- Read `memory/news-generation/covered-documents/{YYYY-MM-DD}.json` for the run/article date to check which dok_ids were already analyzed that day
	- Read `memory/news-generation/last-run-news-committee-reports.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-committee-reports.json` with date, documents analyzed, quality score
	- Update `memory/news-generation/covered-documents/{YYYY-MM-DD}.json` for the run/article date with processed dok_ids
	- Prune old `memory/news-generation/covered-documents/*.json` date shards according to the shared repo-memory retention policy to keep file sizes and patch sizes bounded

[Copilot]

Repo-memory dedup is defined in SHARED_PROMPT_PATTERNS as date-sharded (covered-documents/{YYYY-MM-DD}.json). This workflow still tells the agent to read covered-documents.json, which conflicts with the shared contract and can lead to unbounded growth. Update the read path to the date shard(s).

Suggested change

	- Read `memory/news-generation/covered-documents.json` to check which dok_ids were already analyzed today
	- Read `memory/news-generation/last-run-news-article-generator.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-article-generator.json` with date, documents analyzed, quality score
	- Append processed dok_ids to `memory/news-generation/covered-documents.json`
	- Read `memory/news-generation/covered-documents/{YYYY-MM-DD}.json` for the current run date to check which dok_ids were already analyzed today
	- Read `memory/news-generation/last-run-news-article-generator.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-article-generator.json` with date, documents analyzed, quality score
	- Append processed dok_ids to `memory/news-generation/covered-documents/{YYYY-MM-DD}.json` for the current run date

[Copilot]

This workflow instruction appends to memory/news-generation/covered-documents.json, but SHARED_PROMPT_PATTERNS specifies date-sharded dedup files (covered-documents/{YYYY-MM-DD}.json) to keep repo-memory within the 50KB file/patch limits. Update the write instruction to target the date shard and prune old shards per retention.

Suggested change

	- Read `memory/news-generation/covered-documents.json` to check which dok_ids were already analyzed today
	- Read `memory/news-generation/last-run-news-article-generator.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-article-generator.json` with date, documents analyzed, quality score
	- Append processed dok_ids to `memory/news-generation/covered-documents.json`
	- Read today's shard `memory/news-generation/covered-documents/{YYYY-MM-DD}.json` to check which dok_ids were already analyzed today
	- Read `memory/news-generation/last-run-news-article-generator.json` for previous run metadata
	- Skip documents already covered by another workflow to avoid duplicate analysis
	**At run END — write context:**
	- Update `memory/news-generation/last-run-news-article-generator.json` with date, documents analyzed, quality score
	- Append processed dok_ids to today's shard `memory/news-generation/covered-documents/{YYYY-MM-DD}.json`
	- Prune old `memory/news-generation/covered-documents/` date shards according to repo-memory retention policy

[pethers]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

All 24 covered-documents.json references across 12 workflows updated to date-sharded covered-documents/{YYYY-MM-DD}.json in b9781ce, matching the SHARED_PROMPT_PATTERNS.md contract:

• READ: covered-documents/{YYYY-MM-DD}.json for today (and optionally yesterday) for deduplication
• WRITE: covered-documents/{YYYY-MM-DD}.json sharded by date; retain last 7 days

The remaining comments about agentics-maintenance.yml (auto-generated by gh aw compile, cannot add harden-runner manually) and sequential-thinking SKILL.md (intentionally excluded — Claude Opus 4.6 has native CoT) were already addressed in earlier rounds.

[github-actions]

🔍 Lighthouse Performance Audit

Category	Score	Status
Performance	85/100	🟡
Accessibility	95/100	🟢
Best Practices	90/100	🟢
SEO	95/100	🟢

📥 Download full Lighthouse report

Budget Compliance: Performance budgets enforced via budget.json

[Copilot]

Pull request overview

Copilot reviewed 32 out of 32 changed files in this pull request and generated 12 comments.

[Copilot]

In the generated safe-outputs config JSON, create_pull_request.protected_files does not include AGENTS.md, but later in the workflow GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG does list AGENTS.md as protected. This inconsistency can allow the agent-side safe-outputs tool to think edits to AGENTS.md are permitted (or cause late-stage failures when the handler rejects them). Align these configs by adding AGENTS.md to the protected_files list in the generated config (and re-compile lock files if needed).

Suggested change

{"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","analysis-data"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS"],"protected_path_prefixes":[".github/",".agents/"]},"dispatch_workflow":{"aw_context_workflows":["news-translate"],"max":1,"workflow_files":{"news-translate":".lock.yml"},"workflows":["news-translate"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]}}

{"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","analysis-data"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS","AGENTS.md"],"protected_path_prefixes":[".github/",".agents/"]},"dispatch_workflow":{"aw_context_workflows":["news-translate"],"max":1,"workflow_files":{"news-translate":".lock.yml"},"workflows":["news-translate"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]}}

[Copilot]

In the generated safe-outputs config JSON, create_pull_request.protected_files does not include AGENTS.md, but GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG later treats it as protected. This mismatch can lead to agent-side tools permitting (or attempting) edits that will be rejected during safe-outputs handling. Add AGENTS.md to the protected_files list in the generated config and recompile.

Suggested change

{"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","analysis-data"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS"],"protected_path_prefixes":[".github/",".agents/"]},"dispatch_workflow":{"aw_context_workflows":["news-translate"],"max":1,"workflow_files":{"news-translate":".lock.yml"},"workflows":["news-translate"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]}}

{"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","analysis-data"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS","AGENTS.md"],"protected_path_prefixes":[".github/",".agents/"]},"dispatch_workflow":{"aw_context_workflows":["news-translate"],"max":1,"workflow_files":{"news-translate":".lock.yml"},"workflows":["news-translate"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]}}

[Copilot]

The generated safe-outputs config JSON omits AGENTS.md from create_pull_request.protected_files, while the handler config later includes it. This inconsistency can cause agent-side safe outputs to allow edits that will be rejected at replay time (or create confusing failures). Ensure AGENTS.md is included in the protected_files list in the generated config and recompile.

Suggested change

{"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","translation"],"max":1,"max_patch_size":2048,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS"],"protected_path_prefixes":[".github/",".agents/"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]}}

{"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","translation"],"max":1,"max_patch_size":2048,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS","AGENTS.md"],"protected_path_prefixes":[".github/",".agents/"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]}}

[Copilot]

The safe-outputs config JSON written for the agent run does not list AGENTS.md in create_pull_request.protected_files, but the later GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG does. This mismatch can allow agent-side attempts to modify AGENTS.md that then fail during safe-outputs handling. Align the protected_files lists (add AGENTS.md to the generated config) and recompile.

Suggested change

{"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","analysis-data"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS"],"protected_path_prefixes":[".github/",".agents/"]},"dispatch_workflow":{"aw_context_workflows":["news-translate"],"max":1,"workflow_files":{"news-translate":".lock.yml"},"workflows":["news-translate"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]}}

{"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","analysis-data"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS","AGENTS.md"],"protected_path_prefixes":[".github/",".agents/"]},"dispatch_workflow":{"aw_context_workflows":["news-translate"],"max":1,"workflow_files":{"news-translate":".lock.yml"},"workflows":["news-translate"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]}}

[Copilot]

The generated safe-outputs config JSON omits AGENTS.md from create_pull_request.protected_files, while the later handler configuration includes it. This inconsistency can lead to agent-side edits that are rejected during safe-outputs replay/handling. Add AGENTS.md to the protected_files list in the generated config and recompile.

Suggested change

{"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","analysis-data"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS"],"protected_path_prefixes":[".github/",".agents/"]},"dispatch_workflow":{"aw_context_workflows":["news-translate"],"max":1,"workflow_files":{"news-translate":".lock.yml"},"workflows":["news-translate"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]}}

{"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","analysis-data"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS","AGENTS.md"],"protected_path_prefixes":[".github/",".agents/"]},"dispatch_workflow":{"aw_context_workflows":["news-translate"],"max":1,"workflow_files":{"news-translate":".lock.yml"},"workflows":["news-translate"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]}}

[Copilot]

The agent-run safe-outputs config JSON does not list AGENTS.md under create_pull_request.protected_files, while the later handler config does. This mismatch can result in edits being permitted/attempted during the run but rejected during safe-outputs handling. Add AGENTS.md to the protected_files list in the generated config and recompile.

Suggested change

{"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","analysis-data"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS"],"protected_path_prefixes":[".github/",".agents/"]},"dispatch_workflow":{"aw_context_workflows":["news-translate"],"max":1,"workflow_files":{"news-translate":".lock.yml"},"workflows":["news-translate"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]}}

{"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","analysis-data"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS","AGENTS.md"],"protected_path_prefixes":[".github/",".agents/"]},"dispatch_workflow":{"aw_context_workflows":["news-translate"],"max":1,"workflow_files":{"news-translate":".lock.yml"},"workflows":["news-translate"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]}}

[Copilot]

The generated safe-outputs config JSON omits AGENTS.md from create_pull_request.protected_files, but the handler config later includes it. This inconsistency can cause agent-side safe outputs to behave differently than the handler, leading to late failures. Align by adding AGENTS.md to the protected_files list in the generated config and recompile.

Suggested change

{"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","analysis-data"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS"],"protected_path_prefixes":[".github/",".agents/"]},"dispatch_workflow":{"aw_context_workflows":["news-translate"],"max":1,"workflow_files":{"news-translate":".lock.yml"},"workflows":["news-translate"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]}}

{"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","analysis-data"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS","AGENTS.md"],"protected_path_prefixes":[".github/",".agents/"]},"dispatch_workflow":{"aw_context_workflows":["news-translate"],"max":1,"workflow_files":{"news-translate":".lock.yml"},"workflows":["news-translate"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]}}

[Copilot]

The safe-outputs config JSON written for the agent run omits AGENTS.md from create_pull_request.protected_files, while the later handler config includes it. This mismatch can allow agent-side edits that will be rejected during safe-outputs replay/handling. Add AGENTS.md to the protected_files list in the generated config and recompile.

Suggested change

{"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","analysis-data"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS"],"protected_path_prefixes":[".github/",".agents/"]},"dispatch_workflow":{"aw_context_workflows":["news-translate"],"max":1,"workflow_files":{"news-translate":".lock.yml"},"workflows":["news-translate"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]}}

{"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","analysis-data"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS","AGENTS.md"],"protected_path_prefixes":[".github/",".agents/"]},"dispatch_workflow":{"aw_context_workflows":["news-translate"],"max":1,"workflow_files":{"news-translate":".lock.yml"},"workflows":["news-translate"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]}}

[Copilot]

The generated safe-outputs config JSON omits AGENTS.md from create_pull_request.protected_files, but the later handler configuration includes it. This inconsistency can lead to agent-side changes being accepted during the run and rejected later. Align by adding AGENTS.md to the protected_files list in the generated config and recompile.

Suggested change

{"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","analysis-data"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS"],"protected_path_prefixes":[".github/",".agents/"]},"dispatch_workflow":{"aw_context_workflows":["news-translate"],"max":1,"workflow_files":{"news-translate":".lock.yml"},"workflows":["news-translate"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]}}

{"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","analysis-data"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS","AGENTS.md"],"protected_path_prefixes":[".github/",".agents/"]},"dispatch_workflow":{"aw_context_workflows":["news-translate"],"max":1,"workflow_files":{"news-translate":".lock.yml"},"workflows":["news-translate"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]}}

[Copilot]

The agent-side safe-outputs config JSON omits AGENTS.md from create_pull_request.protected_files, but GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG later includes it. This mismatch can cause late-stage safe-outputs handling failures or allow unexpected edits. Add AGENTS.md to the protected_files list in the generated config and recompile.

Suggested change

{"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","analysis-data"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS"],"protected_path_prefixes":[".github/",".agents/"]},"dispatch_workflow":{"aw_context_workflows":["news-translate"],"max":1,"workflow_files":{"news-translate":".lock.yml"},"workflows":["news-translate"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]}}

{"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","analysis-data"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS","AGENTS.md"],"protected_path_prefixes":[".github/",".agents/"]},"dispatch_workflow":{"aw_context_workflows":["news-translate"],"max":1,"workflow_files":{"news-translate":".lock.yml"},"workflows":["news-translate"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]}}

[pethers]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

Applied in f2c7ad0:

1. expires: 14d codemod — Applied gh aw compile --fix across all 12 workflows, converting expires: 14 (integer) to expires: 14d (explicit day string per gh-aw schema). Recompiled all 12 lock files.

2. AGENTS.md in protected_files — This is a gh aw compiler design decision that cannot be overridden from workflow source files. The agent-side config (line ~418 in lock files) intentionally omits AGENTS.md, while the handler config GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG (line ~1362) — which is the actual enforcement point — correctly includes it. Even if the agent attempts to edit AGENTS.md, the handler will reject the change. The protected-files key in create-pull-request: frontmatter only accepts policy values (blocked/allowed/fallback-to-issue), not file lists. I tested with both array and string formats — the compiler rejects them.

[github-actions]

🔍 Lighthouse Performance Audit

Category	Score	Status
Performance	85/100	🟡
Accessibility	95/100	🟢
Best Practices	90/100	🟢
SEO	95/100	🟢

📥 Download full Lighthouse report

Budget Compliance: Performance budgets enforced via budget.json