
Remove dedicated fixers, bump to v0.58.1#687

Merged
strawgate merged 4 commits into main from fix-fixer-workflows
Mar 14, 2026

Conversation

strawgate (Collaborator) commented Mar 14, 2026

Summary

This PR shifts continuous-improvement automation to a detector-first chaining model and removes now-redundant standalone fixer workflows.

  • Adds Code Complexity Detector and replaces prior code-simplifier references/artifacts with code-complexity-detector.
  • Removes standalone fixer/simplifier workflow packs that are superseded by detector → gh-aw-create-pr-from-issue chaining:
    • bug-exterminator
    • code-duplication-fixer
    • newbie-contributor-fixer
    • test-improver
    • text-beautifier
    • code-simplifier
  • Regenerates compiled lock workflows and updates pinned setup/action references for the current gh-aw build.

Behavior and config updates

  • trigger-bug-hunter.yml, trigger-code-duplication-detector.yml, trigger-newbie-contributor-patrol.yml, and trigger-test-coverage-detector.yml now run with write permissions and include a create_pr_from_issue follow-up job when created_issue_number is present.
  • Adds trigger-code-complexity-detector.yml with scheduled and manual triggers plus the same in-run create-PR chaining pattern.
  • Updates recommended/default workflow sets in setup docs/scripts (README.md, gh-agent-workflows/README.md, scripts/quick-setup.sh) to prefer detector + chain patterns over dedicated fixer workflows.

Documentation updates

  • Adds new code-complexity workflow documentation and examples, including chained usage.
  • Reworks detector/fixer chaining guidance to center on chaining detectors directly to gh-aw-create-pr-from-issue.
  • Expands docs/upgrading.md with explicit migration guidance from removed fixer/simplifier workflows to detector chaining.
  • Removes obsolete fixer-specific docs/examples that no longer apply.

The body of this PR is automatically managed by the Trigger Update PR Body workflow.

github-actions bot added the label big_boom (Large/high-risk PR blast radius; strong human review required) Mar 14, 2026
github-actions bot mentioned this pull request Mar 14, 2026
- Fix remaining Code Simplifier/Bug Exterminator/Test Improver references
  in blog posts (welcome, quality crew, day in factory, silence)
- Add severity-threshold and title-prefix to code-complexity-detector README
- Fix safe outputs description (expires vs auto-closes)
- Fix broken link in scheduled-fix README
- Soften "each detector" claim in chaining docs
- Use curl -fsSL for agentics-maintenance install

Made-with: Cursor

Resolve conflicts with #659 (assign-to-Copilot chaining option).
Keep our fixer-removal changes; incorporate the new "assign to Copilot"
section and Copilot row in the chaining comparison table.

Made-with: Cursor

coderabbitai bot commented Mar 14, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e85cd751-4e14-4fde-9785-50f51fa9e03b

📥 Commits

Reviewing files that changed from the base of the PR and between f1a96bb and 26e648b.

📒 Files selected for processing (80)
  • .github/aw/actions-lock.json
  • .github/workflows/agent-deep-dive.lock.yml
  • .github/workflows/agent-efficiency.lock.yml
  • .github/workflows/agentics-maintenance.yml
  • .github/workflows/gh-aw-agent-suggestions.lock.yml
  • .github/workflows/gh-aw-autonomy-atomicity-analyzer.lock.yml
  • .github/workflows/gh-aw-branch-actions-detective.lock.yml
  • .github/workflows/gh-aw-breaking-change-detect.lock.yml
  • .github/workflows/gh-aw-breaking-change-detector.lock.yml
  • .github/workflows/gh-aw-bug-hunter.lock.yml
  • .github/workflows/gh-aw-code-complexity-detector.lock.yml
  • .github/workflows/gh-aw-code-duplication-detector.lock.yml
  • .github/workflows/gh-aw-code-quality-audit.lock.yml
  • .github/workflows/gh-aw-create-pr-from-issue.lock.yml
  • .github/workflows/gh-aw-deep-research.lock.yml
  • .github/workflows/gh-aw-dependency-review.lock.yml
  • .github/workflows/gh-aw-docs-drift.lock.yml
  • .github/workflows/gh-aw-docs-patrol.lock.yml
  • .github/workflows/gh-aw-duplicate-issue-detector.lock.yml
  • .github/workflows/gh-aw-estc-actions-resource-not-accessible-detector.lock.yml
  • .github/workflows/gh-aw-estc-docs-patrol-external.lock.yml
  • .github/workflows/gh-aw-estc-docs-pr-review.lock.yml
  • .github/workflows/gh-aw-estc-downstream-health.lock.yml
  • .github/workflows/gh-aw-estc-newbie-contributor-patrol-external.lock.yml
  • .github/workflows/gh-aw-estc-pr-buildkite-detective.lock.yml
  • .github/workflows/gh-aw-flaky-test-investigator.lock.yml
  • .github/workflows/gh-aw-framework-best-practices.lock.yml
  • .github/workflows/gh-aw-information-architecture.lock.yml
  • .github/workflows/gh-aw-internal-gemini-cli-web-search.lock.yml
  • .github/workflows/gh-aw-internal-gemini-cli.lock.yml
  • .github/workflows/gh-aw-issue-fixer.lock.yml
  • .github/workflows/gh-aw-issue-triage.lock.yml
  • .github/workflows/gh-aw-mention-in-issue-by-id.lock.yml
  • .github/workflows/gh-aw-mention-in-issue-no-sandbox.lock.yml
  • .github/workflows/gh-aw-mention-in-issue.lock.yml
  • .github/workflows/gh-aw-mention-in-pr-by-id.invalid.yml
  • .github/workflows/gh-aw-mention-in-pr-by-id.lock.yml
  • .github/workflows/gh-aw-mention-in-pr-no-sandbox.invalid.yml
  • .github/workflows/gh-aw-mention-in-pr-no-sandbox.lock.yml
  • .github/workflows/gh-aw-mention-in-pr.invalid.yml
  • .github/workflows/gh-aw-mention-in-pr.lock.yml
  • .github/workflows/gh-aw-newbie-contributor-patrol.lock.yml
  • .github/workflows/gh-aw-performance-profiler.lock.yml
  • .github/workflows/gh-aw-plan.lock.yml
  • .github/workflows/gh-aw-pr-actions-detective.lock.yml
  • .github/workflows/gh-aw-pr-actions-fixer.lock.yml
  • .github/workflows/gh-aw-pr-ci-detective.lock.yml
  • .github/workflows/gh-aw-pr-labeler.lock.yml
  • .github/workflows/gh-aw-pr-review-addresser.lock.yml
  • .github/workflows/gh-aw-pr-review.lock.yml
  • .github/workflows/gh-aw-product-manager-impersonator.lock.yml
  • .github/workflows/gh-aw-project-summary.lock.yml
  • .github/workflows/gh-aw-refactor-opportunist.lock.yml
  • .github/workflows/gh-aw-release-update.lock.yml
  • .github/workflows/gh-aw-scheduled-audit.lock.yml
  • .github/workflows/gh-aw-scheduled-fix.lock.yml
  • .github/workflows/gh-aw-small-problem-fixer.lock.yml
  • .github/workflows/gh-aw-stale-issues-investigator.lock.yml
  • .github/workflows/gh-aw-stale-issues-remediator.lock.yml
  • .github/workflows/gh-aw-stale-issues.lock.yml
  • .github/workflows/gh-aw-test-coverage-detector.lock.yml
  • .github/workflows/gh-aw-text-auditor.lock.yml
  • .github/workflows/gh-aw-update-pr-body.lock.yml
  • .github/workflows/gh-aw-ux-design-patrol.lock.yml
  • .github/workflows/internal-downstream-health.lock.yml
  • .github/workflows/upgrade-check.lock.yml
  • .github/workflows/workflow-patrol.lock.yml
  • Makefile
  • docs/blog/posts/a-day-in-the-factory.md
  • docs/blog/posts/meet-the-quality-crew.md
  • docs/blog/posts/silence-is-better-than-noise.md
  • docs/blog/posts/welcome-to-the-factory.md
  • docs/index.md
  • docs/upgrading.md
  • docs/workflows/detector-fixer-chaining.md
  • docs/workflows/gh-agent-workflows.md
  • docs/workflows/gh-agent-workflows/text-quality.md
  • gh-agent-workflows/code-complexity-detector/README.md
  • gh-agent-workflows/scheduled-fix/README.md
  • mkdocs.yml

📝 Walkthrough

The PR introduces a computed per-run artifact prefix (artifact_prefix) propagated from activation to downstream jobs and used to dynamically name artifacts across many workflows. It standardizes safe-outputs handling (replacing some uploads with copy steps and new safe-outputs tooling/configs), adds phase/version environment signals (GH_AW_PHASE, GH_AW_VERSION, GITHUB_AW), updates many action and image pins (notably AWF 0.23.0 → 0.24.1 and setup action v0.57.0 → v0.58.1), adds cross-repo setup guidance, and removes or renames several workflow docs/workflows.

coderabbitai bot left a comment

Actionable comments posted: 6

Note

Due to the large number of review comments, Critical severity comments were prioritized as inline comments.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)
.github/workflows/gh-aw-framework-best-practices.lock.yml (1)

149-159: ⚠️ Potential issue | 🟠 Major

Use a real repo source before emitting the cross-repo token hint.

Line 155 references steps.resolve-host-repo.outputs.target_repo, but activation has no resolve-host-repo step. With the current failure() guard, this hint can fire after unrelated activation failures and send maintainers toward the wrong remediation. Gate it on steps.validate-secret.outcome == 'failure' and compare against an actually resolved caller/host repo.

Based on learnings, .github/workflows/*.lock.yml files are generated by gh aw compile, so this fix should be made in the corresponding source .md workflow.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-framework-best-practices.lock.yml around lines 149-159, the cross-repo hint currently checks failure() and references steps.resolve-host-repo.outputs.target_repo which may not exist; change the conditional to explicitly gate the "Cross-repo setup guidance" job on the validate-secret step failing (e.g., if: steps.validate-secret.outcome == 'failure') and then only compare against a resolved caller/host repo output that is actually defined (ensure steps.resolve-host-repo exists in the source workflow or use the correct step id that produces a target_repo output); update the source .md workflow that generates this .lock.yml (not the compiled file) so the compiled action includes the corrected if condition and valid step reference.
.github/workflows/agent-deep-dive.lock.yml (1)

649-700: ⚠️ Potential issue | 🟡 Minor

Remove the create_discussion branch from this tool schema.

This workflow only exposes create_issue, missing_tool, missing_data, and noop, and the reporting prompt later requires filing an issue. Telling the model to use create_discussion creates an impossible path that can turn a real finding into a missing_tool/noop instead of the expected issue.

Based on learnings, .github/workflows/*.lock.yml files are generated by gh aw compile, so this should be fixed in the source .md and recompiled.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/agent-deep-dive.lock.yml around lines 649-700, the tool schema currently includes a branch for "create_discussion" which must be removed so the workflow only exposes "create_issue", "missing_tool", "missing_data", and "noop"; remove the "create_discussion" entry from the tools array/schema (where "name": "create_discussion" appears) and ensure any descriptions or prompts that reference "create_discussion" are updated to require "create_issue" instead, then update the original source markdown that generates this lockfile (the .md that defines the tools) and recompile the lockfile with gh aw compile so the generated .github/workflows/*.lock.yml no longer contains the create_discussion branch.
.github/workflows/agent-efficiency.lock.yml (1)

1056-1075: ⚠️ Potential issue | 🟠 Major

Redact the new artifact files before uploading them.

safeoutputs.jsonl and agent_output.json are created after Line 1038's Redact secrets in logs step, then uploaded in Lines 1125-1126. Any secret that reaches those files now bypasses the job's only explicit scrub pass. Move the copy/ingest steps before redaction, or run a second redaction pass immediately before upload-artifact.

Also applies to: 1114-1126

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/agent-efficiency.lock.yml around lines 1056-1075, the uploaded artifacts (safeoutputs.jsonl and agent_output.json) are created after the "Redact secrets in logs" step, so either move the "Copy Safe Outputs" and "Ingest agent output" steps to run before the "Redact secrets in logs" step or add a second redaction pass immediately before the existing upload-artifact steps (the steps that upload safeoutputs.jsonl/agent_output.json); update the "Copy Safe Outputs" and "Ingest agent output" steps (and the collect_output action invocation) to ensure they operate on the redacted files or invoke the same redaction logic used by "Redact secrets in logs" so no secrets reach the upload-artifact steps.
.github/workflows/gh-aw-estc-pr-buildkite-detective.lock.yml (1)

1357-1371: ⚠️ Potential issue | 🟠 Major

The GH_AW_FAILURE_REPORT_AS_ISSUE flag should not appear only in the .lock.yml file.

The flag is present in .github/workflows/gh-aw-estc-pr-buildkite-detective.lock.yml but absent from the source .github/workflows/gh-aw-estc-pr-buildkite-detective.md file. Since .lock.yml files are compiled outputs of .md sources via gh aw compile, this configuration must be defined in the .md source file for reproducibility and maintainability.

Additionally, the source .md declares permissions: {actions: read, contents: read, issues: read, pull-requests: read} (all read-only), which lacks issues: write. If the flag triggers issue creation in the external handle_agent_failure.cjs script, the workflow will fail with insufficient permissions. Update the .md source file to include both the flag definition and the required issues: write permission.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-estc-pr-buildkite-detective.lock.yml around lines 1357-1371, add the GH_AW_FAILURE_REPORT_AS_ISSUE environment variable to the source workflow file (gh-aw-estc-pr-buildkite-detective.md) so it is compiled into the .lock.yml (match the name GH_AW_FAILURE_REPORT_AS_ISSUE used in the handle_agent_failure step), and update the workflow permissions block in that same .md file to include issues: write (in addition to the existing read permissions) so the external handle_agent_failure.cjs can create issues when the flag is enabled.
🟠 Major comments (16)
.github/workflows/gh-aw-create-pr-from-issue.lock.yml-1346-1352 (1)

1346-1352: ⚠️ Potential issue | 🟠 Major

Use the prefixed artifact name in the conclusion job.

Line 1351 still downloads agent, but the agent job now uploads ${{ needs.activation.outputs.artifact_prefix }}agent. When the prefix is non-empty, agent_output.json never reaches the conclusion job, so noop/failure handling loses the agent state. The same stale literal appears in the other updated workflows in this PR.

Suggested fix
-          name: agent
+          name: ${{ needs.activation.outputs.artifact_prefix }}agent
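Review bot: the `+` line only resolves to the uploaded name if the conclusion job lists `activation` in its `needs:` and `activation` declares `artifact_prefix` under `outputs:`; without both, `${{ needs.activation.outputs.artifact_prefix }}` expands to an empty string and the step is back to requesting the literal `agent`. Because this hunk targets a compiled `.lock.yml`, land the one-line change in the shared source fragment and recompile every workflow in this PR together, otherwise the next `gh aw compile` regenerates the stale literal in each of the conclusion jobs listed below.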
Based on learnings, `.github/workflows/*.lock.yml` files are generated by `gh aw compile`, so fix the source workflow/fragment and recompile.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-create-pr-from-issue.lock.yml around lines 1346-1352, the conclusion job currently downloads a literal artifact name "agent" (job id download-agent-output) but the activation job uploads "${{ needs.activation.outputs.artifact_prefix }}agent", so when a prefix is set the artifact is never found; update the artifact name in the download step to use the same prefixed variable (e.g. set the download step's name field to use ${{ needs.activation.outputs.artifact_prefix }}agent) in the source workflow/fragment that generates these .lock.yml files and then re-run gh aw compile to regenerate the .github/workflows/*.lock.yml outputs so all workflows (including the other updated workflows in this PR) use the prefixed artifact name consistently.
.github/workflows/gh-aw-code-complexity-detector.lock.yml-1503-1515 (1)

1503-1515: ⚠️ Potential issue | 🟠 Major

Download the prefixed agent artifact here too.

Line 1344 uploads ${{ needs.activation.outputs.artifact_prefix }}agent, and Line 1644 already downloads that prefixed name in safe_outputs, but this job still requests plain agent on Line 1508. When artifact_prefix is non-empty, GH_AW_AGENT_OUTPUT never gets populated here, so noop/failure handling loses the persisted agent output.

Based on learnings, persist outcomes through safe outputs because uncaptured local state is lost after the run, and these .lock.yml files are generated from the corresponding .md sources.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-code-complexity-detector.lock.yml around lines 1503-1515, the download step with id download-agent-output is fetching the hardcoded artifact name "agent" which mismatches the uploaded artifact name that uses needs.activation.outputs.artifact_prefix; update the download action to request the prefixed artifact name (concatenate needs.activation.outputs.artifact_prefix with "agent") so the artifact is found whenever a prefix is present, and ensure the subsequent Setup agent output environment variable step still writes GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json into $GITHUB_ENV (and preserves the same /tmp/gh-aw/ path) so the job's safe_outputs flow receives the persisted agent output.
.github/workflows/gh-aw-estc-pr-buildkite-detective.lock.yml-1316-1328 (1)

1316-1328: ⚠️ Potential issue | 🟠 Major

Download the prefixed agent artifact in conclusion.

The agent artifact is now uploaded as ${{ needs.activation.outputs.artifact_prefix }}agent, but this step still downloads agent. That breaks the handoff of agent_output.json into the conclusion phase, so noop/failure handling runs without the agent output it expects.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-estc-pr-buildkite-detective.lock.yml around lines 1316-1328, the Download agent output artifact step (id: download-agent-output) currently requests the static artifact name "agent" but the uploader uses the dynamic prefix from needs.activation.outputs.artifact_prefix; change the artifact name in that step to "${{ needs.activation.outputs.artifact_prefix }}agent" so the correct prefixed artifact is downloaded, keeping the rest of the step (path /tmp/gh-aw/ and the follow-up step that sets GH_AW_AGENT_OUTPUT) unchanged.
.github/workflows/gh-aw-bug-hunter.lock.yml-1382-1394 (1)

1382-1394: ⚠️ Potential issue | 🟠 Major

Download the prefixed agent artifact in conclusion.

Earlier in this workflow the agent job uploads ${{ needs.activation.outputs.artifact_prefix }}agent, and safe_outputs already downloads that name. Keeping conclusion on agent means agent_output.json never lands under /tmp/gh-aw, so noop/missing-tool/failure handling loses the agent output for this run.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-bug-hunter.lock.yml around lines 1382-1394, the workflow currently downloads the hardcoded artifact name "agent" in the "download-agent-output" step, causing the prefixed upload (from needs.activation.outputs.artifact_prefix) to be missed; update the download step's artifact name to use the uploaded prefix (i.e. "${{ needs.activation.outputs.artifact_prefix }}agent") so the file lands in /tmp/gh-aw/ and GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json is correctly set; keep the step id "download-agent-output" and the subsequent env export to ensure downstream checks (noop/missing-tool/failure handling) read the prefixed agent_output.json.
.github/workflows/gh-aw-information-architecture.lock.yml-1380-1392 (1)

1380-1392: ⚠️ Potential issue | 🟠 Major

Download the prefixed agent artifact in conclusion.

The agent artifact is now uploaded as ${{ needs.activation.outputs.artifact_prefix }}agent, but this step still requests agent. That leaves GH_AW_AGENT_OUTPUT unset here, so noop/failure processing no longer sees the agent output for the current run.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-information-architecture.lock.yml around lines 1380-1392, the download step (id: download-agent-output) currently requests the literal artifact name "agent" but the artifact is uploaded as "${{ needs.activation.outputs.artifact_prefix }}agent", so GH_AW_AGENT_OUTPUT never gets set; update the download-agent-output step to use the prefixed artifact name from needs.activation.outputs.artifact_prefix (so it downloads "${{ needs.activation.outputs.artifact_prefix }}agent") and keep the subsequent Setup agent output environment variable step that writes GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json to GITHUB_ENV unchanged so the environment variable is reliably populated.
.github/workflows/gh-aw-breaking-change-detector.lock.yml-1387-1399 (1)

1387-1399: ⚠️ Potential issue | 🟠 Major

Conclusion still downloads the pre-prefix artifact name.

Line 1392 requests agent, but Line 1228 uploads ${{ needs.activation.outputs.artifact_prefix }}agent, and Line 1528 already consumes the prefixed name in safe_outputs. Because this step is continue-on-error: true, the miss stays silent and GH_AW_AGENT_OUTPUT never gets set on Line 1399, so noop, missing_tool, and failure handling lose the agent output. I see the same stale literal in the other prefixed conclusion jobs in this review set, so this looks like a shared source/template miss. Please fix it in the source workflow/fragment and recompile. Based on learnings, files under .github/workflows with the .lock.yml extension are auto-generated by running gh aw compile from corresponding .md source files.

Suggested fix
-          name: agent
+          name: ${{ needs.activation.outputs.artifact_prefix }}agent
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-breaking-change-detector.lock.yml around lines 1387-1399, the conclusion job is downloading the hardcoded artifact name "agent" (step id download-agent-output) instead of the prefixed name used when uploading (${{ needs.activation.outputs.artifact_prefix }}agent), so replace the literal artifact name with the same prefixed expression and ensure the conditional that sets GH_AW_AGENT_OUTPUT uses the successful download step (download-agent-output) as before; update the template/source fragment that generates this workflow (the file that sets artifact_prefix and safe_outputs) and re-run the generator (gh aw compile) so the compiled .lock.yml emits the prefixed artifact name and GH_AW_AGENT_OUTPUT is correctly set when the download succeeds.
.github/workflows/gh-aw-dependency-review.lock.yml-150-155 (1)

150-155: ⚠️ Potential issue | 🟠 Major

Don't gate this hint on an undefined step output.

activation never defines resolve-host-repo, so this if: has no real cross-repo signal and can emit the caller-secret guidance for unrelated activation failures. Restore the missing resolver or switch this check to a context that actually exists.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-dependency-review.lock.yml around lines 150-155, the "Cross-repo setup guidance" step is gated on an undefined step output (resolve-host-repo), so the hint can appear for unrelated failures; either add/restore the missing resolver step named resolve-host-repo that emits outputs.target_repo before this step, or change the step's if condition to use an existing context/step (for example an existing step output or github.repository comparison) that actually indicates a cross-repo invocation; update the "Cross-repo setup guidance" step's if to reference the restored resolve-host-repo outputs.target_repo or a valid existing context so the guidance only runs for true cross-repo cases.
.github/workflows/gh-aw-code-quality-audit.lock.yml-153-158 (1)

153-158: ⚠️ Potential issue | 🟠 Major

Don't gate this hint on an undefined step output.

activation never defines resolve-host-repo, so this if: has no real cross-repo signal and can emit the caller-secret guidance for unrelated activation failures. Restore the missing resolver or switch this check to a context that actually exists.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-code-quality-audit.lock.yml around lines 153-158, the conditional that gates the "Cross-repo setup guidance" uses a non-existent step output steps.resolve-host-repo.outputs.target_repo, so the hint can appear for unrelated failures; either restore the resolver step that produces resolve-host-repo.outputs.target_repo (e.g., re-add the resolve-host-repo step that sets target_repo) or change the if: expression to a valid context such as comparing github.repository to the caller repository (for example use github.repository != github.event.repository or another existing step/output) so the hint only runs for true cross-repo invocations.
.github/workflows/gh-aw-internal-gemini-cli.lock.yml-1367-1376 (1)

1367-1376: ⚠️ Potential issue | 🟠 Major

Mirror the prefixed artifact name in conclusion.

Line 1205 uploads ${{ needs.activation.outputs.artifact_prefix }}agent, but Line 1369 still requests agent. That mismatch means conclusion no longer tracks the artifact produced earlier in the workflow, and a miss here leaves GH_AW_AGENT_OUTPUT unset at Line 1376.

Suggested fix
-          name: agent
+          name: ${{ needs.activation.outputs.artifact_prefix }}agent
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-internal-gemini-cli.lock.yml around lines 1367-1376, the workflow downloads and sets GH_AW_AGENT_OUTPUT using the hard-coded artifact name "agent", but the upload used the prefixed name from needs.activation.outputs.artifact_prefix; update the download-and-env step (where steps.download-agent-output is referenced and GH_AW_AGENT_OUTPUT is set) to request the same prefixed artifact by replacing the artifact name "agent" with "${{ needs.activation.outputs.artifact_prefix }}agent" so the downloaded file path and the GH_AW_AGENT_OUTPUT value point to the actual uploaded artifact.
.github/workflows/gh-aw-code-quality-audit.lock.yml-1407-1416 (1)

1407-1416: ⚠️ Potential issue | 🟠 Major

Mirror the prefixed artifact name in conclusion.

Line 1245 uploads ${{ needs.activation.outputs.artifact_prefix }}agent, but Line 1409 still requests agent. That mismatch means this job no longer follows the new artifact naming contract, and a miss here leaves GH_AW_AGENT_OUTPUT unset at Line 1416.

Suggested fix
-          name: agent
+          name: ${{ needs.activation.outputs.artifact_prefix }}agent
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-code-quality-audit.lock.yml around lines 1407-1416, the download step and GH_AW_AGENT_OUTPUT should use the same prefixed artifact name as the upload; update the download-artifact `name` value from the literal "agent" to use the activation output prefix (i.e. "${{ needs.activation.outputs.artifact_prefix }}agent") and ensure the path and subsequent GH_AW_AGENT_OUTPUT value reference the matching file (e.g. /tmp/gh-aw/${{ needs.activation.outputs.artifact_prefix }}agent_output.json) so the find and echo lines point to the correct prefixed artifact file.
.github/workflows/gh-aw-dependency-review.lock.yml-1434-1443 (1)

1434-1443: ⚠️ Potential issue | 🟠 Major

Mirror the prefixed artifact name in conclusion.

Line 1271 uploads ${{ needs.activation.outputs.artifact_prefix }}agent, but Line 1436 still requests agent. That mismatch means this step no longer follows the upload contract, and a miss here leaves GH_AW_AGENT_OUTPUT unset at Line 1443.

Suggested fix
-          name: agent
+          name: ${{ needs.activation.outputs.artifact_prefix }}agent
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-dependency-review.lock.yml around lines 1434-1443, the download step and the subsequent "Setup agent output environment variable" assume the artifact name is literally "agent", but the upload used "${{ needs.activation.outputs.artifact_prefix }}agent"; update the download step's artifact name (used by actions/download-artifact and referenced by steps.download-agent-output) to mirror the upload by using "${{ needs.activation.outputs.artifact_prefix }}agent", and ensure the GH_AW_AGENT_OUTPUT environment variable (written to $GITHUB_ENV in the "Setup agent output environment variable" step) still points to /tmp/gh-aw/agent_output.json so the rest of the workflow reads the correct file when the prefixed artifact is downloaded.
.github/workflows/gh-aw-internal-gemini-cli.lock.yml-159-164 (1)

159-164: ⚠️ Potential issue | 🟠 Major

This failure hint points at the wrong thing.

activation never defines resolve-host-repo, so this branch has no real cross-repo signal, and the message tells callers to set COPILOT_GITHUB_TOKEN even though Line 154 validates GEMINI_API_KEY.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-internal-gemini-cli.lock.yml around lines 159-164, the failure hint references a nonexistent step id resolve-host-repo and tells callers to set COPILOT_GITHUB_TOKEN even though activation never defines that step and the workflow validates GEMINI_API_KEY at Line 154; update this branch to either use the correct cross-repo signal step id (or add a resolve-host-repo step) or change the error text to reference GEMINI_API_KEY and the actual condition used by activation so the hint matches real validation logic (adjust the condition, step id, or message in the Cross-repo setup guidance block accordingly).
.github/workflows/gh-aw-deep-research.lock.yml-1345-1348 (1)

1345-1348: ⚠️ Potential issue | 🟠 Major

Use the prefixed agent artifact in conclusion.

Line 1347 still requests agent, but the agent job uploads ${{ needs.activation.outputs.artifact_prefix }}agent. That leaves GH_AW_AGENT_OUTPUT unset for the noop and failure handlers.

Based on learnings, outcomes must be persisted through safe outputs in GitHub Actions runs because local state is lost, and .lock.yml files here are generated by gh aw compile, so fix this in the source .md or shared fragment.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-deep-research.lock.yml around lines 1345-1348, the workflow downloads the artifact named "agent" but the activation job uploads it as "${{ needs.activation.outputs.artifact_prefix }}agent", which leaves GH_AW_AGENT_OUTPUT unset for noop/failure handlers; update the download-artifact step to use the prefixed artifact name matching the upload (i.e., replace the static "agent" name with the same expression used by the uploader: ${{ needs.activation.outputs.artifact_prefix }}agent) so the artifact path and GH_AW_AGENT_OUTPUT are correctly set for all handlers and persisted via the safe outputs mechanism.
.github/workflows/gh-aw-estc-docs-pr-review.lock.yml-1479-1482 (1)

1479-1482: ⚠️ Potential issue | 🟠 Major

Use the prefixed agent artifact in conclusion.

Line 1481 still requests agent, but the agent job now uploads ${{ needs.activation.outputs.artifact_prefix }}agent. If this misses, the later noop and failure handlers never receive agent_output.json.

Based on learnings, outcomes must be persisted through safe outputs in GitHub Actions runs because local state is lost, and .lock.yml files here are generated by gh aw compile, so fix this in the source .md or shared fragment.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-estc-docs-pr-review.lock.yml around lines 1479 -
1482, The workflow step currently downloads the unprefixed artifact name "agent"
but the activation job uploads a prefixed artifact using
needs.activation.outputs.artifact_prefix, so change the download artifact name
to use the same prefix (i.e. name: ${{ needs.activation.outputs.artifact_prefix
}}agent) and ensure subsequent steps that expect agent_output.json still read
from /tmp/gh-aw/; also update the source template/markdown or shared fragment
that generates this lockfile so the prefixed artifact name is used everywhere
(preserving the artifact_prefix reference) so noop and failure handlers receive
the correct artifact.
.github/workflows/gh-aw-duplicate-issue-detector.lock.yml-1266-1269 (1)

1266-1269: ⚠️ Potential issue | 🟠 Major

Use the prefixed agent artifact in conclusion.

Line 1268 still requests agent, but the agent job now uploads ${{ needs.activation.outputs.artifact_prefix }}agent. If this misses, the "no duplicate found" noop path and failure handling lose agent_output.json.

Based on learnings, outcomes must be persisted through safe outputs in GitHub Actions runs because local state is lost, and .lock.yml files here are generated by gh aw compile, so fix this in the source .md or shared fragment.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-duplicate-issue-detector.lock.yml around lines 1266
- 1269, Update the artifact download step that currently uses name: agent to use
the prefixed artifact name from the activation output (e.g. name: ${{
needs.activation.outputs.artifact_prefix }}agent) so the "conclusion" path
receives the correct artifact (agent_output.json); locate the
actions/download-artifact usage block and change the name value accordingly in
the source fragment or markdown that generates this .lock.yml so all branches
(noop and failure) persist the prefixed agent artifact via outputs.
.github/workflows/gh-aw-deep-research.lock.yml-162-167 (1)

162-167: ⚠️ Potential issue | 🟠 Major

Fix the Gemini cross-repo remediation path.

Line 163 references steps.resolve-host-repo.outputs.target_repo, but this job has no resolve-host-repo step. Lines 165-166 tell callers to configure COPILOT_GITHUB_TOKEN even though this workflow validates GEMINI_API_KEY, so cross-repo secret failures will point users to the wrong fix.

This .lock.yml is auto-generated by gh aw compile from its source .md file; fix in the source file or shared fragment instead.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-deep-research.lock.yml around lines 162 - 167, The
failure message block incorrectly references a non-existent step name
resolve-host-repo and directs callers to set COPILOT_GITHUB_TOKEN even though
this workflow validates GEMINI_API_KEY; update the source fragment or .md that
generates this lock file so the cross-repo remediation uses the correct outputs
and secret name: remove or replace references to
steps.resolve-host-repo.outputs.target_repo, and change the error guidance to
mention GEMINI_API_KEY (and the correct secret configuration steps for
workflow_call cross-repo), ensuring the generated .lock.yml contains the
corrected step name/condition and error messages.
🟡 Minor comments (4)
.github/workflows/agent-efficiency.lock.yml-1275-1287 (1)

1275-1287: ⚠️ Potential issue | 🟡 Minor

Guard GH_AW_AGENT_OUTPUT in both consumers.

A successful artifact download here only proves the agent artifact exists. It does not guarantee agent_output.json exists inside it, so exporting the path unconditionally can turn a missing output into a secondary handler failure.

Suggested guard for both blocks
-          echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_ENV"
+          if [ -f /tmp/gh-aw/agent_output.json ]; then
+            echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_ENV"
+          fi

Also applies to: 1383-1395

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/agent-efficiency.lock.yml around lines 1275 - 1287, The
workflow currently sets GH_AW_AGENT_OUTPUT unconditionally after the
download-agent-output step, which only proves the artifact exists, not that
agent_output.json exists inside it; update the download-agent-output block (step
id download-agent-output) to check that /tmp/gh-aw/agent_output.json actually
exists before echoing GH_AW_AGENT_OUTPUT to $GITHUB_ENV, and update any consumer
steps that rely on GH_AW_AGENT_OUTPUT to first guard on the environment variable
being set and that the file exists (e.g., replace bare references to
GH_AW_AGENT_OUTPUT with a conditional if: env.GH_AW_AGENT_OUTPUT != '' &&
<file-exists-check> or an equivalent run-time check) so consumers only proceed
when the file is present.
.github/workflows/gh-aw-create-pr-from-issue.lock.yml-160-165 (1)

160-165: ⚠️ Potential issue | 🟡 Minor

Fix dangling step reference in the source workflow.

Line 161 references steps.resolve-host-repo.outputs.target_repo, but the "Cross-repo setup guidance" step lacks the required id: resolve-host-repo. This causes the condition to fail at runtime when checking repository context. Locate the source .md file or compilation template that generates this step, add the missing id, and recompile with gh aw compile.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-create-pr-from-issue.lock.yml around lines 160 -
165, The "Cross-repo setup guidance" step references
steps.resolve-host-repo.outputs.target_repo but the step generating that output
is missing the id; locate the source template or .md that emits the step which
should produce outputs.target_repo (the step referenced as resolve-host-repo),
add the missing id: resolve-host-repo to that step so the outputs are
addressable, then recompile the workflow with gh aw compile to regenerate the
YAML; ensure the id name exactly matches the referenced symbol
steps.resolve-host-repo so the if condition works at runtime.
.github/workflows/gh-aw-code-complexity-detector.lock.yml-164-169 (1)

164-169: ⚠️ Potential issue | 🟡 Minor

Use a defined step output in the cross-repo hint.

Line 165 checks steps.resolve-host-repo.outputs.target_repo, but this job never defines a step with id: resolve-host-repo. The new guidance step therefore cannot reliably distinguish cross-repo failures from local ones. Restore the missing resolver step or switch this condition to context that already exists in the workflow.

Based on learnings, files under .github/workflows/*.lock.yml are generated by gh aw compile, so this should be fixed in the source .md workflow or shared fragment.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-code-complexity-detector.lock.yml around lines 164 -
169, The conditional uses steps.resolve-host-repo.outputs.target_repo but no
step with id "resolve-host-repo" exists, so update the workflow source to either
add/restore a step with id: resolve-host-repo that sets outputs.target_repo (the
resolver that detects the calling repo) or change the if condition to rely on an
existing context/output (for example compare github.repository with
github.event.repository.full_name or another defined step output) so the
Cross-repo setup guidance step can reliably detect cross-repo calls; adjust the
source .md workflow/fragment used by gh aw compile accordingly.
.github/workflows/gh-aw-estc-docs-patrol-external.lock.yml-153-158 (1)

153-158: ⚠️ Potential issue | 🟡 Minor

resolve-host-repo step is referenced but never defined.

Line 154 references steps.resolve-host-repo.outputs.target_repo, but no step with that id exists in this job. The cross-repo guidance conditional will fail. Restore the missing step in the source workflow or replace the guard with an available output/context.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-estc-docs-patrol-external.lock.yml around lines 153
- 158, The conditional references a non-existent step id
steps.resolve-host-repo.outputs.target_repo (resolve-host-repo) so the job will
fail; either restore the missing step that sets outputs.target_repo (e.g., add
back the resolve-host-repo step that determines target_repo) or change the
conditional to use an existing output/context (for example github.repository,
github.event.repository.full_name, or the actual step id that resolves the host
repo) so the if: expression points to a valid output; update the job to ensure
the step id and output name exactly match the conditional (resolve-host-repo and
outputs.target_repo) if you choose to restore it.
🧹 Nitpick comments (1)
.github/workflows/gh-aw-code-complexity-detector.md (1)

143-146: File path handling could break with spaces.

The xargs wc -l command may fail on paths containing spaces or special characters.

🛡️ More robust alternatives

Option 1: Use null-delimited input:

printf '%s\0' $FILES | xargs -0 wc -l | sort -nr | head -200 | awk 'NR>1 {print $2}'

Option 2: Avoid xargs entirely:

echo "$FILES" | tr ' ' '\n' | while IFS= read -r f; do wc -l "$f" 2>/dev/null; done | sort -nr | head -200 | awk '{print $2}'
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-code-complexity-detector.md around lines 143 - 146,
Replace the fragile pipeline "printf '%s\n' "$FILES" | xargs wc -l | sort -nr |
head -200 | awk '{print $2}'" with a null-delimited safe variant: produce
null-separated filenames from the $FILES variable and use xargs -0 when invoking
wc -l (and adjust the awk expression to ignore the total line), or alternatively
iterate over each filename with a while IFS= read -r loop and call wc -l "$f" to
avoid xargs entirely; update the pipeline accordingly wherever the original
command appears so paths with spaces or special characters are handled safely.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/gh-aw-agent-suggestions.lock.yml:
- Around line 1375-1381: The download step "download-agent-output" uses a
hardcoded artifact name "agent" but the upload used the prefixed name from
needs.activation.outputs.artifact_prefix (the upload at the "conclusion" job
used `${{ needs.activation.outputs.artifact_prefix }}agent`), causing mismatched
artifact names; update the download step's with.name to use the same prefix
expression (combine needs.activation.outputs.artifact_prefix with "agent") so
the actions/download-artifact call requests the identical artifact name produced
by the upload.

In @.github/workflows/gh-aw-docs-drift.lock.yml:
- Around line 1403-1406: The download step uses a hardcoded artifact name
"agent" but the upload uses the prefixed name `${{
needs.activation.outputs.artifact_prefix }}agent`, so update the source .md that
generates this workflow to use the same prefixed name when downloading (i.e.,
reference `${{ needs.activation.outputs.artifact_prefix }}agent` in the
download-artifact `name` field instead of `agent`) so the generated .lock.yml
contains the matching artifact name; regenerate the workflow after making the
change.
- Around line 159-164: The condition uses
steps.resolve-host-repo.outputs.target_repo but there is no step with id
"resolve-host-repo"; either add or rename a step to expose outputs.target_repo
(e.g., create a step with id: resolve-host-repo that sets output "target_repo")
or change the if condition to reference an existing step/output (for example
replace steps.resolve-host-repo.outputs.target_repo with the correct output name
from the step that resolves the host repo or compare directly to
github.repository). Update the workflow so the if: expression points to a valid
step id/output (resolve-host-repo or the actual existing step id) to ensure the
cross-repo guidance runs correctly.

In @.github/workflows/gh-aw-estc-docs-patrol-external.lock.yml:
- Around line 1397-1402: The download step with id download-agent-output uses
name: agent but the upload used ${{ needs.activation.outputs.artifact_prefix
}}agent, so when a prefix exists the download silently fails; update the
download step to use the same computed name (set name: ${{
needs.activation.outputs.artifact_prefix }}agent) so it matches the upload, and
remove or set continue-on-error to false to ensure failures surface instead of
allowing downstream steps to run without the artifact.

In @.github/workflows/gh-aw-estc-newbie-contributor-patrol-external.lock.yml:
- Around line 1337-1343: The download step with id download-agent-output is
using a hardcoded name "agent" which mismatches the upload name that includes
the prefix from needs.activation.outputs.artifact_prefix, causing silent misses;
update the step to use the prefixed artifact name "${{
needs.activation.outputs.artifact_prefix }}agent" for the with.name field (keep
path /tmp/gh/), and retain or reconsider continue-on-error behavior so failures
aren't silently ignored if you want processing to stop on missing artifacts.

In @.github/workflows/gh-aw-framework-best-practices.lock.yml:
- Around line 1445-1457: The download step "download-agent-output" is requesting
the hardcoded artifact name "agent" while the upload uses the dynamic name "${{
needs.activation.outputs.artifact_prefix }}agent", so update the download step
to request the same dynamic artifact name (use
needs.activation.outputs.artifact_prefix concatenated with "agent") and keep the
subsequent GH_AW_AGENT_OUTPUT export logic (ensure the if condition still checks
the download step outcome and sets
GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json when the artifact is present) so
handlers below receive the correct agent_output.json; the referenced step id is
download-agent-output and the output variable to mirror is
needs.activation.outputs.artifact_prefix.

---

Outside diff comments:
In @.github/workflows/agent-deep-dive.lock.yml:
- Around line 649-700: The tool schema currently includes a branch for
"create_discussion" which must be removed so the workflow only exposes
"create_issue", "missing_tool", "missing_data", and "noop"; remove the
"create_discussion" entry from the tools array/schema (where "name":
"create_discussion" appears) and ensure any descriptions or prompts that
reference "create_discussion" are updated to require "create_issue" instead,
then update the original source markdown that generates this lockfile (the .md
that defines the tools) and recompile the lockfile with gh aw compile so the
generated .github/workflows/*.lock.yml no longer contains the create_discussion
branch.

In @.github/workflows/agent-efficiency.lock.yml:
- Around line 1056-1075: The uploaded artifacts (safeoutputs.jsonl and
agent_output.json) are created after the "Redact secrets in logs" step, so
either move the "Copy Safe Outputs" and "Ingest agent output" steps to run
before the "Redact secrets in logs" step or add a second redaction pass
immediately before the existing upload-artifact steps (the steps that upload
safeoutputs.jsonl/agent_output.json); update the "Copy Safe Outputs" and "Ingest
agent output" steps (and the collect_output action invocation) to ensure they
operate on the redacted files or invoke the same redaction logic used by "Redact
secrets in logs" so no secrets reach the upload-artifact steps.

In @.github/workflows/gh-aw-estc-pr-buildkite-detective.lock.yml:
- Around line 1357-1371: Add the GH_AW_FAILURE_REPORT_AS_ISSUE environment
variable to the source workflow file (gh-aw-estc-pr-buildkite-detective.md) so
it is compiled into the .lock.yml (match the name GH_AW_FAILURE_REPORT_AS_ISSUE
used in the handle_agent_failure step), and update the workflow permissions
block in that same .md file to include issues: write (in addition to the
existing read permissions) so the external handle_agent_failure.cjs can create
issues when the flag is enabled.

In @.github/workflows/gh-aw-framework-best-practices.lock.yml:
- Around line 149-159: The cross-repo hint currently checks failure() and
references steps.resolve-host-repo.outputs.target_repo which may not exist;
change the conditional to explicitly gate the "Cross-repo setup guidance" job on
the validate-secret step failing (e.g., if: steps.validate-secret.outcome ==
'failure') and then only compare against a resolved caller/host repo output that
is actually defined (ensure steps.resolve-host-repo exists in the source
workflow or use the correct step id that produces a target_repo output); update
the source .md workflow that generates this .lock.yml (not the compiled file) so
the compiled action includes the corrected if condition and valid step
reference.

---

Major comments:
In @.github/workflows/gh-aw-breaking-change-detector.lock.yml:
- Around line 1387-1399: The conclusion job is downloading the hardcoded
artifact name "agent" (step id download-agent-output) instead of the prefixed
name used when uploading (${ { needs.activation.outputs.artifact_prefix }
}agent), so replace the literal artifact name with the same prefixed expression
and ensure the conditional that sets GH_AW_AGENT_OUTPUT uses the successful
download step (download-agent-output) as before; update the template/source
fragment that generates this workflow (the file that sets artifact_prefix and
safe_outputs) and re-run the generator (gh aw compile) so the compiled .lock.yml
emits the prefixed artifact name and GH_AW_AGENT_OUTPUT is correctly set when
the download succeeds.

In @.github/workflows/gh-aw-bug-hunter.lock.yml:
- Around line 1382-1394: The workflow currently downloads the hardcoded artifact
name "agent" in the "download-agent-output" step causing the prefixed upload
(from needs.activation.outputs.artifact_prefix) to be missed; update the
download step's artifact name to use the uploaded prefix (i.e. "${{
needs.activation.outputs.artifact_prefix }}agent") so the file lands in
/tmp/gh-aw/ and GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json is correctly
set; keep the step id "download-agent-output" and the subsequent env export to
ensure downstream checks (noop/missing-tool/failure handling) read the prefixed
agent_output.json.

In @.github/workflows/gh-aw-code-complexity-detector.lock.yml:
- Around line 1503-1515: The download step with id download-agent-output is
fetching the hardcoded artifact name "agent" which mismatches the uploaded
artifact name that uses needs.activation.outputs.artifact_prefix; update the
download action to request the prefixed artifact name (concatenate
needs.activation.outputs.artifact_prefix with "agent") so the artifact is found
whenever a prefix is present, and ensure the subsequent Setup agent output
environment variable step still writes
GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json into $GITHUB_ENV (and preserves
the same /tmp/gh-aw/ path) so the job's safe_outputs flow receives the persisted
agent output.

In @.github/workflows/gh-aw-code-quality-audit.lock.yml:
- Around line 153-158: The conditional that gates the "Cross-repo setup
guidance" uses a non-existent step output
steps.resolve-host-repo.outputs.target_repo, so the hint can appear for
unrelated failures; either restore the resolver step that produces
resolve-host-repo.outputs.target_repo (e.g., re-add the resolve-host-repo step
that sets target_repo) or change the if: expression to a valid context such as
comparing github.repository to the caller repository (for example use
github.repository != github.event.repository or another existing step/output) so
the hint only runs for true cross-repo invocations.
- Around line 1407-1416: The download step and GH_AW_AGENT_OUTPUT should use the
same prefixed artifact name as the upload; update the download-artifact `name`
value from the literal "agent" to use the activation output prefix (i.e. "${{
needs.activation.outputs.artifact_prefix }}agent") and ensure the path and
subsequent GH_AW_AGENT_OUTPUT value reference the matching file (e.g.
/tmp/gh-aw/${{ needs.activation.outputs.artifact_prefix }}agent_output.json) so
the find and echo lines point to the correct prefixed artifact file.

In @.github/workflows/gh-aw-create-pr-from-issue.lock.yml:
- Around line 1346-1352: The conclusion job currently downloads a literal
artifact name "agent" (job id download-agent-output) but the activation job
uploads "${{ needs.activation.outputs.artifact_prefix }}agent", so when a prefix
is set the artifact is never found; update the artifact name in the download
step to use the same prefixed variable (e.g. set the download step's name field
to use ${{ needs.activation.outputs.artifact_prefix }}agent) in the source
workflow/fragment that generates these .lock.yml files and then re-run gh aw
compile to regenerate the .github/workflows/*.lock.yml outputs so all workflows
(including the other updated workflows in this PR) use the prefixed artifact
name consistently.

In @.github/workflows/gh-aw-deep-research.lock.yml:
- Around line 1345-1348: The workflow downloads the artifact named "agent" but
the activation job uploads it as "${{ needs.activation.outputs.artifact_prefix
}}agent", which leaves GH_AW_AGENT_OUTPUT unset for noop/failure handlers;
update the download-artifact step to use the prefixed artifact name matching the
upload (i.e., replace the static "agent" name with the same expression used by
the uploader: ${ { needs.activation.outputs.artifact_prefix } }agent) so the
artifact path and GH_AW_AGENT_OUTPUT are correctly set for all handlers and
persisted via the safe outputs mechanism.
- Around line 162-167: The failure message block incorrectly references a
non-existent step name resolve-host-repo and directs callers to set
COPILOT_GITHUB_TOKEN even though this workflow validates GEMINI_API_KEY; update
the source fragment or .md that generates this lock file so the cross-repo
remediation uses the correct outputs and secret name: remove or replace
references to steps.resolve-host-repo.outputs.target_repo, and change the error
guidance to mention GEMINI_API_KEY (and the correct secret configuration steps
for workflow_call cross-repo), ensuring the generated .lock.yml contains the
corrected step name/condition and error messages.

In @.github/workflows/gh-aw-dependency-review.lock.yml:
- Around line 150-155: The "Cross-repo setup guidance" step is gated on an
undefined step output (resolve-host-repo), so the hint can appear for unrelated
failures; either add/restore the missing resolver step named resolve-host-repo
that emits outputs.target_repo before this step, or change the step's if
condition to use an existing context/step (for example an existing step output
or github.repository comparison) that actually indicates a cross-repo
invocation; update the "Cross-repo setup guidance" step's if to reference the
restored resolve-host-repo outputs.target_repo or a valid existing context so
the guidance only runs for true cross-repo cases.
- Around line 1434-1443: The download step and the subsequent "Setup agent
output environment variable" assume the artifact name is literally "agent", but
the upload used "${{ needs.activation.outputs.artifact_prefix }}agent"; update
the download step's artifact name (used by actions/download-artifact and
referenced by steps.download-agent-output) to mirror the upload by using "${{
needs.activation.outputs.artifact_prefix }}agent", and ensure the
GH_AW_AGENT_OUTPUT environment variable (written to $GITHUB_ENV in the "Setup
agent output environment variable" step) still points to
/tmp/gh-aw/agent_output.json so the rest of the workflow reads the correct file
when the prefixed artifact is downloaded.

In @.github/workflows/gh-aw-duplicate-issue-detector.lock.yml:
- Around line 1266-1269: Update the artifact download step that currently uses
name: agent to use the prefixed artifact name from the activation output (e.g.
name: ${{ needs.activation.outputs.artifact_prefix }}agent) so the "conclusion"
path receives the correct artifact (agent_output.json); locate the
actions/download-artifact usage block and change the name value accordingly in
the source fragment or markdown that generates this .lock.yml so all branches
(noop and failure) persist the prefixed agent artifact via outputs.

In @.github/workflows/gh-aw-estc-docs-pr-review.lock.yml:
- Around line 1479-1482: The workflow step currently downloads the unprefixed
artifact name "agent" but the activation job uploads a prefixed artifact using
needs.activation.outputs.artifact_prefix, so change the download artifact name
to use the same prefix (i.e. name: ${{ needs.activation.outputs.artifact_prefix
}}agent) and ensure subsequent steps that expect agent_output.json still read
from /tmp/gh-aw/; also update the source template/markdown or shared fragment
that generates this lockfile so the prefixed artifact name is used everywhere
(preserving the artifact_prefix reference) so noop and failure handlers receive
the correct artifact.

In @.github/workflows/gh-aw-estc-pr-buildkite-detective.lock.yml:
- Around line 1316-1328: The Download agent output artifact step (id:
download-agent-output) currently requests the static artifact name "agent" but
the uploader uses the dynamic prefix from
needs.activation.outputs.artifact_prefix; change the artifact name in that step
to "${{ needs.activation.outputs.artifact_prefix }}agent" so the correct
prefixed artifact is downloaded, keeping the rest of the step (path /tmp/gh-aw/
and the follow-up step that sets GH_AW_AGENT_OUTPUT) unchanged.

In @.github/workflows/gh-aw-information-architecture.lock.yml:
- Around line 1380-1392: The download step (id: download-agent-output) currently
requests the literal artifact name "agent" but the artifact is uploaded as "${{
needs.activation.outputs.artifact_prefix }}agent", so GH_AW_AGENT_OUTPUT never
gets set; update the download-agent-output step to use the prefixed artifact
name from needs.activation.outputs.artifact_prefix (so it downloads "${{
needs.activation.outputs.artifact_prefix }}agent") and keep the subsequent Setup
agent output environment variable step that writes
GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json to GITHUB_ENV unchanged so the
environment variable is reliably populated.

In @.github/workflows/gh-aw-internal-gemini-cli.lock.yml:
- Around line 1367-1376: The workflow downloads and sets GH_AW_AGENT_OUTPUT
using the hard-coded artifact name "agent", but the upload used the prefixed
name from needs.activation.outputs.artifact_prefix; update the download-and-env
step (where steps.download-agent-output is referenced and GH_AW_AGENT_OUTPUT is
set) to request the same prefixed artifact by replacing the artifact name
"agent" with "${{ needs.activation.outputs.artifact_prefix }}agent" so the
downloaded file path and the GH_AW_AGENT_OUTPUT value point to the actual
uploaded artifact.
- Around line 159-164: The failure hint references a nonexistent step id
resolve-host-repo and tells callers to set COPILOT_GITHUB_TOKEN even though
activation never defines that step and the workflow validates GEMINI_API_KEY at
Line 154; update this branch to either use the correct cross-repo signal step id
(or add a resolve-host-repo step) or change the error text to reference
GEMINI_API_KEY and the actual condition used by activation so the hint matches
real validation logic (adjust the condition, step id, or message in the
Cross-repo setup guidance block accordingly).

---

Minor comments:
In @.github/workflows/agent-efficiency.lock.yml:
- Around line 1275-1287: The workflow currently sets GH_AW_AGENT_OUTPUT
unconditionally after the download-agent-output step, which only proves the
artifact exists, not that agent_output.json exists inside it; update the
download-agent-output block (step id download-agent-output) to check that
/tmp/gh-aw/agent_output.json actually exists before echoing GH_AW_AGENT_OUTPUT
to $GITHUB_ENV, and update any consumer steps that rely on GH_AW_AGENT_OUTPUT to
first guard on the environment variable being set and that the file exists
(e.g., replace bare references to GH_AW_AGENT_OUTPUT with a conditional if:
env.GH_AW_AGENT_OUTPUT != '' && <file-exists-check> or an equivalent run-time
check) so consumers only proceed when the file is present.

In @.github/workflows/gh-aw-code-complexity-detector.lock.yml:
- Around line 164-169: The conditional uses
steps.resolve-host-repo.outputs.target_repo but no step with id
"resolve-host-repo" exists, so update the workflow source to either add/restore
a step with id: resolve-host-repo that sets outputs.target_repo (the resolver
that detects the calling repo) or change the if condition to rely on an existing
context/output (for example compare github.repository with
github.event.repository.full_name or another defined step output) so the
Cross-repo setup guidance step can reliably detect cross-repo calls; adjust the
source .md workflow/fragment used by gh aw compile accordingly.

In @.github/workflows/gh-aw-create-pr-from-issue.lock.yml:
- Around line 160-165: The "Cross-repo setup guidance" step references
steps.resolve-host-repo.outputs.target_repo but the step generating that output
is missing the id; locate the source template or .md that emits the step which
should produce outputs.target_repo (the step referenced as resolve-host-repo),
add the missing id: resolve-host-repo to that step so the outputs are
addressable, then recompile the workflow with gh aw compile to regenerate the
YAML; ensure the id name exactly matches the referenced symbol
steps.resolve-host-repo so the if condition works at runtime.

In @.github/workflows/gh-aw-estc-docs-patrol-external.lock.yml:
- Around line 153-158: The conditional references a non-existent step id
steps.resolve-host-repo.outputs.target_repo (resolve-host-repo) so the job will
fail; either restore the missing step that sets outputs.target_repo (e.g., add
back the resolve-host-repo step that determines target_repo) or change the
conditional to use an existing output/context (for example github.repository,
github.event.repository.full_name, or the actual step id that resolves the host
repo) so the if: expression points to a valid output; update the job to ensure
the step id and output name exactly match the conditional (resolve-host-repo and
outputs.target_repo) if you choose to restore it.

---

Nitpick comments:
In @.github/workflows/gh-aw-code-complexity-detector.md:
- Around line 143-146: Replace the fragile pipeline "printf '%s\n' "$FILES" |
xargs wc -l | sort -nr | head -200 | awk '{print $2}'" with a null-delimited
safe variant: produce null-separated filenames from the $FILES variable and use
xargs -0 when invoking wc -l (and adjust the awk expression to ignore the total
line), or alternatively iterate over each filename with a while IFS= read -r
loop and call wc -l "$f" to avoid xargs entirely; update the pipeline
accordingly wherever the original command appears so paths with spaces or
special characters are handled safely.

Comment on lines 1375 to +1381
- name: Download agent output artifact
id: download-agent-output
continue-on-error: true
uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: agent-output
path: /tmp/gh-aw/safeoutputs/
name: agent
path: /tmp/gh-aw/
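Review bot: the `uses:` bump to `actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1` is pinned by SHA, which is the right shape, but the runner trusts only the SHA and not the `# v8.0.1` comment, so confirm that this commit is the one the upstream v8.0.1 tag points at. In the same step the artifact name changes from `agent-output` to `agent` and the destination from `/tmp/gh-aw/safeoutputs/` to `/tmp/gh-aw/` while `continue-on-error: true` is kept; with that flag a name that no longer matches the upload step does not fail the job, so either show the matching upload step in the diff or drop `continue-on-error` here so a mismatch surfaces.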

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Scripts executed (repository: elastic/ai-github-actions):

# First, let's locate the workflow file
find . -name "gh-aw-agent-suggestions.lock.yml" -type f

# Get the total lines in the file to understand its size
wc -l .github/workflows/gh-aw-agent-suggestions.lock.yml

# Check line 1216 to see the upload artifact
sed -n '1210,1225p' .github/workflows/gh-aw-agent-suggestions.lock.yml

# Check lines 1375-1381 to verify the download snippet
sed -n '1370,1385p' .github/workflows/gh-aw-agent-suggestions.lock.yml

# Search for all references to artifact_prefix to understand the pattern
rg "artifact_prefix" .github/workflows/gh-aw-agent-suggestions.lock.yml -B 2 -A 2

# Check what the activation outputs section defines for artifact_prefix
rg -A 10 "outputs:" .github/workflows/gh-aw-agent-suggestions.lock.yml | head -50

# Verify the conclusion job structure and its dependencies
sed -n '1330,1350p' .github/workflows/gh-aw-agent-suggestions.lock.yml

# Check job definitions to confirm conclusion depends on activation
rg "^\s*conclusion:" -A 5 .github/workflows/gh-aw-agent-suggestions.lock.yml


Download artifact name must use the same prefix as the upload.

The conclusion job uploads the agent artifact with a prefixed name (${{ needs.activation.outputs.artifact_prefix }}agent at line 1216) but downloads it with a hardcoded unprefixed name (agent at line 1380). When the prefix is non-empty, the download silently fails due to continue-on-error: true, skipping any downstream processing that depends on the agent output.

Fix
-          name: agent
+          name: ${{ needs.activation.outputs.artifact_prefix }}agent
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Download agent output artifact
id: download-agent-output
continue-on-error: true
uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: agent-output
path: /tmp/gh-aw/safeoutputs/
name: agent
path: /tmp/gh-aw/
- name: Download agent output artifact
id: download-agent-output
continue-on-error: true
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: ${{ needs.activation.outputs.artifact_prefix }}agent
path: /tmp/gh-aw/
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-agent-suggestions.lock.yml around lines 1375 - 1381,
The download step "download-agent-output" uses a hardcoded artifact name "agent"
but the upload used the prefixed name from
needs.activation.outputs.artifact_prefix (the upload at the "conclusion" job
used `${{ needs.activation.outputs.artifact_prefix }}agent`), causing mismatched
artifact names; update the download step's with.name to use the same prefix
expression (combine needs.activation.outputs.artifact_prefix with "agent") so
the actions/download-artifact call requests the identical artifact name produced
by the upload.

Comment on lines +159 to +164
- name: Cross-repo setup guidance
if: failure() && steps.resolve-host-repo.outputs.target_repo != github.repository
run: |
echo "::error::COPILOT_GITHUB_TOKEN must be configured in the CALLER repository's secrets."
echo "::error::For cross-repo workflow_call, secrets must be set in the repository that triggers the workflow."
echo "::error::See: https://github.github.com/gh-aw/patterns/central-repo-ops/#cross-repo-setup"
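Review bot: the `if:` on the `Cross-repo setup guidance` step compares `steps.resolve-host-repo.outputs.target_repo` with `github.repository`, but no step with `id: resolve-host-repo` appears in this hunk; confirm that such a step exists earlier in the same job, because with the step absent the left side of the comparison is empty and the condition no longer distinguishes a cross-repo `workflow_call` from a same-repo run, so the guidance fires independently of the case it is meant for. The three `::error::` lines are constant strings with no `${{ }}` interpolation inside `run:`, which is the safe way to emit annotations and should stay that way if the message is later made dynamic.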

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Scripts executed (repository: elastic/ai-github-actions):

# Check if resolve-host-repo step exists in the workflow or related fragments
rg -n 'id:\s*resolve-host-repo' .github/workflows/

# Read the workflow file to see all step IDs defined
cat -n .github/workflows/gh-aw-docs-drift.lock.yml | grep -E '(^\s*-\s+name:|id:)' | head -50

# Also check if there are any reusable workflows or imported workflows
find .github -type f -name "*.yml" -o -name "*.yaml" | head -20

# Read the specific section mentioned in the review
sed -n '150,175p' .github/workflows/gh-aw-docs-drift.lock.yml

# Check all jobs and their steps to find where resolve-host-repo should be
grep -n '^\s*jobs:\|^\s*-\s*name:\|^\s*id:' .github/workflows/gh-aw-docs-drift.lock.yml | grep -A 5 -B 5 'Cross-repo'

# Look for any reference to resolve-host-repo anywhere in the file
rg -n 'resolve-host-repo' .github/workflows/gh-aw-docs-drift.lock.yml

# Check if resolve-host-repo is defined in any imported/called workflow
rg -l 'resolve-host-repo' .github/

# Search for any pattern that might be creating outputs.target_repo
rg -n 'target_repo' .github/workflows/gh-aw-docs-drift.lock.yml

# Check one of the workflows that contains resolve-host-repo to see how it's actually used
rg -A 3 -B 3 'id:\s*resolve-host-repo' .github/workflows/gh-aw-mention-in-issue-by-id.lock.yml | head -20

# Try a simpler search without regex for resolve-host-repo in other workflows
rg 'resolve-host-repo' .github/workflows/gh-aw-mention-in-issue-by-id.lock.yml

# Check what the actual step definition looks like in gh-aw-docs-drift.lock.yml around line 159-162
sed -n '159,162p' .github/workflows/gh-aw-docs-drift.lock.yml | cat -A

# Check if there's a job that might call another workflow that defines resolve-host-repo
grep -n 'uses:.*workflow' .github/workflows/gh-aw-docs-drift.lock.yml

# Search the entire gh-aw-docs-drift.lock.yml for all job and step definitions
grep -n '^\s*jobs:\|^\s*name:\|^\s*id:' .github/workflows/gh-aw-docs-drift.lock.yml | head -30

# Check what job this step belongs to and see if it's the activation job or another job
sed -n '108,165p' .github/workflows/gh-aw-docs-drift.lock.yml | grep -E '^\s*(jobs:|[a-z_-]+:)' | head -10

# Check the pre_activation job to see if resolve-host-repo is defined there
grep -n 'pre_activation:' -A 100 .github/workflows/gh-aw-docs-drift.lock.yml | grep -E '(name:|id:)' | head -20

# Search for the exact job structure - find all top-level job definitions
grep -n '^\s\s[a-z_-]*:$' .github/workflows/gh-aw-docs-drift.lock.yml | head -20

# Get the pre_activation job definition to check for resolve-host-repo step
sed -n '1481,1504p' .github/workflows/gh-aw-docs-drift.lock.yml


Remove or fix the resolve-host-repo step reference.

This step references steps.resolve-host-repo.outputs.target_repo, but no step with id: resolve-host-repo exists in this workflow. The condition will fail to evaluate properly, and this guidance will never run on cross-repo failures. Either define the missing step or revise the condition to use an available output.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-docs-drift.lock.yml around lines 159 - 164, The
condition uses steps.resolve-host-repo.outputs.target_repo but there is no step
with id "resolve-host-repo"; either add or rename a step to expose
outputs.target_repo (e.g., create a step with id: resolve-host-repo that sets
output "target_repo") or change the if condition to reference an existing
step/output (for example replace steps.resolve-host-repo.outputs.target_repo
with the correct output name from the step that resolves the host repo or
compare directly to github.repository). Update the workflow so the if:
expression points to a valid step id/output (resolve-host-repo or the actual
existing step id) to ensure the cross-repo guidance runs correctly.

Comment on lines +1403 to +1406
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: agent-output
path: /tmp/gh-aw/safeoutputs/
name: agent
path: /tmp/gh-aw/

⚠️ Potential issue | 🔴 Critical

Artifact name mismatch: missing prefix in conclusion job.

The agent job uploads the artifact with ${{ needs.activation.outputs.artifact_prefix }}agent (line 1241), but this download step uses hardcoded agent. The download will fail to find the artifact.

Since this is a .lock.yml auto-generated file, the fix should be applied to the source .md file and recompiled.

Expected fix (in generated output)
       - name: Download agent output artifact
         id: download-agent-output
         continue-on-error: true
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
-          name: agent
+          name: ${{ needs.activation.outputs.artifact_prefix }}agent
           path: /tmp/gh-aw/
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-docs-drift.lock.yml around lines 1403 - 1406, The
download step uses a hardcoded artifact name "agent" but the upload uses the
prefixed name `${{ needs.activation.outputs.artifact_prefix }}agent`, so update
the source .md that generates this workflow to use the same prefixed name when
downloading (i.e., reference `${{ needs.activation.outputs.artifact_prefix
}}agent` in the download-artifact `name` field instead of `agent`) so the
generated .lock.yml contains the matching artifact name; regenerate the workflow
after making the change.

Comment on lines 1397 to +1402
id: download-agent-output
continue-on-error: true
uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: agent-output
path: /tmp/gh-aw/safeoutputs/
name: agent
path: /tmp/gh-aw/

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Scripts executed (repository: elastic/ai-github-actions):

# First, let's get the file size and context around the relevant lines
wc -l .github/workflows/gh-aw-estc-docs-patrol-external.lock.yml

# Read around lines 1237 (upload artifact)
sed -n '1230,1245p' .github/workflows/gh-aw-estc-docs-patrol-external.lock.yml

# Read around lines 1397-1402 (download artifact)
sed -n '1390,1410p' .github/workflows/gh-aw-estc-docs-patrol-external.lock.yml


Download artifact name does not match upload artifact name when prefix is applied.

Line 1401 downloads agent, but line 1237 uploads ${{ needs.activation.outputs.artifact_prefix }}agent. When the prefix is non-empty, the download silently fails (due to continue-on-error: true on line 1398), causing downstream steps to run without the agent result.

Fix
-          name: agent
+          name: ${{ needs.activation.outputs.artifact_prefix }}agent
📝 Committable suggestion


Suggested change
id: download-agent-output
continue-on-error: true
uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: agent-output
path: /tmp/gh-aw/safeoutputs/
name: agent
path: /tmp/gh-aw/
id: download-agent-output
continue-on-error: true
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: ${{ needs.activation.outputs.artifact_prefix }}agent
path: /tmp/gh-aw/
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-estc-docs-patrol-external.lock.yml around lines 1397
- 1402, The download step with id download-agent-output uses name: agent but the
upload used ${{ needs.activation.outputs.artifact_prefix }}agent, so when a
prefix exists the download silently fails; update the download step to use the
same computed name (set name: ${{ needs.activation.outputs.artifact_prefix
}}agent) so it matches the upload, and remove or set continue-on-error to false
to ensure failures surface instead of allowing downstream steps to run without
the artifact.

Comment on lines 1337 to +1343
- name: Download agent output artifact
id: download-agent-output
continue-on-error: true
uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: agent-output
path: /tmp/gh-aw/safeoutputs/
name: agent
path: /tmp/gh-aw/

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Scripts executed (repository: elastic/ai-github-actions):

wc -l .github/workflows/gh-aw-estc-newbie-contributor-patrol-external.lock.yml

# Check the download-artifact section (lines 1337-1343)
sed -n '1337,1343p' .github/workflows/gh-aw-estc-newbie-contributor-patrol-external.lock.yml

# Check the upload-artifact section around line 1178
sed -n '1170,1185p' .github/workflows/gh-aw-estc-newbie-contributor-patrol-external.lock.yml

# Search for all artifact uploads with "agent" in the name to understand the pattern
rg -n 'name:.*agent' .github/workflows/gh-aw-estc-newbie-contributor-patrol-external.lock.yml


Download action uses an unprefixed artifact name, causing silent misses when the prefix is non-empty.

Line 1342 downloads agent, but line 1178 uploads ${{ needs.activation.outputs.artifact_prefix }}agent. When the prefix is non-empty, the download silently fails and skips processing the agent result due to continue-on-error: true on line 1339. Note that another download-artifact step at line 1478 correctly uses the prefixed name.

Fix
-          name: agent
+          name: ${{ needs.activation.outputs.artifact_prefix }}agent
📝 Committable suggestion


Suggested change
- name: Download agent output artifact
id: download-agent-output
continue-on-error: true
uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: agent-output
path: /tmp/gh-aw/safeoutputs/
name: agent
path: /tmp/gh-aw/
- name: Download agent output artifact
id: download-agent-output
continue-on-error: true
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: ${{ needs.activation.outputs.artifact_prefix }}agent
path: /tmp/gh-aw/
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-estc-newbie-contributor-patrol-external.lock.yml
around lines 1337 - 1343, The download step with id download-agent-output is
using a hardcoded name "agent" which mismatches the upload name that includes
the prefix from needs.activation.outputs.artifact_prefix, causing silent misses;
update the step to use the prefixed artifact name "${{
needs.activation.outputs.artifact_prefix }}agent" for the with.name field (keep
path /tmp/gh/), and retain or reconsider continue-on-error behavior so failures
aren't silently ignored if you want processing to stop on missing artifacts.

Comment on lines 1445 to +1457
- name: Download agent output artifact
id: download-agent-output
continue-on-error: true
uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: agent-output
path: /tmp/gh-aw/safeoutputs/
name: agent
path: /tmp/gh-aw/
- name: Setup agent output environment variable
if: steps.download-agent-output.outcome == 'success'
run: |
mkdir -p /tmp/gh-aw/safeoutputs/
find "/tmp/gh-aw/safeoutputs/" -type f -print
echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV"
mkdir -p /tmp/gh-aw/
find "/tmp/gh-aw/" -type f -print
echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_ENV"
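Review bot: the `Setup agent output environment variable` step now runs `find "/tmp/gh-aw/" -type f -print` over the whole `/tmp/gh-aw/` tree instead of only `/tmp/gh-aw/safeoutputs/`, so the job log will list every file earlier steps placed under that directory, not just the downloaded artifact; scope the listing to the artifact's own directory. The download step keeps `continue-on-error: true`, which makes `if: steps.download-agent-output.outcome == 'success'` the only thing standing between a renamed or missing artifact and the handlers below running without `agent_output.json`; keep that gate, and make sure the new `GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json` path matches what the upload side writes.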

⚠️ Potential issue | 🔴 Critical

Conclusion still downloads the pre-prefix agent artifact.

Line 1450 asks for agent, but Line 1286 now uploads ${{ needs.activation.outputs.artifact_prefix }}agent. Once the prefix is non-empty, download-agent-output misses the artifact, GH_AW_AGENT_OUTPUT is never set, and the noop/missing_tool/failure handlers below lose agent_output.json.

Suggested fix
-          name: agent
+          name: ${{ needs.activation.outputs.artifact_prefix }}agent
Based on learnings, `.github/workflows/*.lock.yml` files are generated by `gh aw compile`, so this fix should be made in the corresponding source `.md` workflow.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-framework-best-practices.lock.yml around lines 1445
- 1457, The download step "download-agent-output" is requesting the hardcoded
artifact name "agent" while the upload uses the dynamic name "${{
needs.activation.outputs.artifact_prefix }}agent", so update the download step
to request the same dynamic artifact name (use
needs.activation.outputs.artifact_prefix concatenated with "agent") and keep the
subsequent GH_AW_AGENT_OUTPUT export logic (ensure the if condition still checks
the download step outcome and sets
GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json when the artifact is present) so
handlers below receive the correct agent_output.json; the referenced step id is
download-agent-output and the output variable to mirror is
needs.activation.outputs.artifact_prefix.

Contributor

@github-actions github-actions bot left a comment


Requesting changes: the detector table in docs/workflows/gh-agent-workflows.md now includes five broken relative links (lines 74, 76, 77, 78, 81). The referenced targets do not exist, so docs navigation will 404 for users.

Please update those links to existing pages:

  • gh-agent-workflows/bug-hunter.md → gh-agent-workflows/bugs.md
  • gh-agent-workflows/code-duplication-detector.md → gh-agent-workflows/code-duplication.md
  • gh-agent-workflows/docs-patrol.md → gh-agent-workflows/docs-patrol-overview.md
  • gh-agent-workflows/newbie-contributor-patrol.md → gh-agent-workflows/newbie-contributor.md
  • gh-agent-workflows/text-auditor.md → gh-agent-workflows/text-quality.md

What is this? | From workflow: Trigger PR Review


@strawgate strawgate changed the title Update workflows Remove dedicated fixers, bump to v0.58.1 Mar 14, 2026
@strawgate strawgate merged commit 71e4f2d into main Mar 14, 2026
12 of 16 checks passed
@strawgate strawgate deleted the fix-fixer-workflows branch March 14, 2026 05:10

Labels

big_boom Large/high-risk PR blast radius; strong human review required
