chore: sync actions from gh-aw@v0.75.1#113
Merged
Pull request overview
Automated sync from github/gh-aw@v0.75.1, bringing in updated safe-outputs capabilities and additional observability/guardrails for agentic workflows.
Changes:
- Add `create_check_run` as a new safe-outputs tool/handler and wire it into the handler manager reviewability list.
- Expand protected-files handling to support a `request_review` policy (new templates + PR request-changes review flow) and refine base-branch resolution behavior for side-repo workflows.
- Improve runtime/ops visibility: token usage attribution in OTLP spans, richer Pi provider request/response logging, AWF reflect capture/summary enhancements, and failure-cascade rollup/labeling.
Show a summary per file
| File | Description |
|---|---|
| setup/md/threat_warning_request_changes_review.md | New template for request-changes review content when threat detection warns. |
| setup/md/manifest_protection_request_review.md | New PR-body caution template for protected-file modifications. |
| setup/md/manifest_protection_request_changes_review.md | New request-changes review template for protected-file modifications. |
| setup/js/send_otlp_span.cjs | Add runtime token-usage extraction and use it as OTLP usage fallback. |
| setup/js/safe_outputs_tools.json | Add create_check_run tool schema and minor string normalization. |
| setup/js/safe_outputs_handlers.cjs | Switch base-branch resolution hinting to local default-branch metadata. |
| setup/js/safe_output_handler_manager.cjs | Register create_check_run handler and mark it as threat-warning reviewable. |
| setup/js/push_signed_commits.cjs | Add allowGitPushFallback option to disable direct-push fallback paths. |
| setup/js/pi_provider.cjs | Add provider request/response/error logging and reflect failure diagnostics. |
| setup/js/model_multipliers.json | Update registry description and remove deprecated model registry block. |
| setup/js/messages_core.cjs | Add renderFilesList() helper for safer markdown rendering of file lists. |
| setup/js/mcp_server_core.cjs | Reject @/path-style local file reference notation in MCP tool args. |
| setup/js/manifest_file_helpers.cjs | Add request_review result mode to protected-files policy evaluation. |
| setup/js/handle_agent_failure.cjs | Add failure-cascade detection with rollup issue + labeling workflow. |
| setup/js/get_base_branch.cjs | Prefer deriving default branch via refs/remotes/origin/HEAD when requested. |
| setup/js/generate_safe_outputs_tools.cjs | Add safe-outputs exemption annotation for schema generator. |
| setup/js/generate_git_patch.cjs | Improve merge-base fallback when remote default branch ref is unavailable. |
| setup/js/create_pull_request.cjs | Default protected-files policy to request_review and post a request-changes review when triggered. |
| setup/js/create_check_run.cjs | New safe-outputs handler to create GitHub Check Runs from agent results. |
| setup/js/check_workflow_recompile_needed.cjs | Expand workflow recompile flow to optionally create/update a maintenance PR and push via signed-commit helper. |
| setup/js/check_membership.cjs | Refactor bot allowlist authorization into a helper and run it before role checks. |
| setup/js/awf_reflect.cjs | Increase /reflect timeout and return structured success/failure details. |
| setup/js/awf_reflect_summary.cjs | Expand step summary with runtime models + config model aliases when present. |
| setup/js/action_input_utils.cjs | Clarify precedence rules for underscore vs hyphen input env vars in docs. |
Copilot's findings
- Files reviewed: 24/24 changed files
- Comments generated: 4
Comment on lines +145 to +152
| if (remoteHead) { | ||
| await fetchRemoteBranch(RECOMPILE_PR_BRANCH); | ||
| filesToCommit = await filterFilesNeedingUpdate(`refs/remotes/origin/${RECOMPILE_PR_BRANCH}`, changedFiles, workspaceDir); | ||
| baseRef = remoteHead; | ||
| } | ||
|
|
||
| core.info(`Preparing maintenance branch ${RECOMPILE_PR_BRANCH}`); | ||
| await exec.exec("git", ["checkout", "-B", RECOMPILE_PR_BRANCH]); |
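Review bot: The `git checkout -B` call on the last line takes no start point, so the maintenance branch is force-reset to whatever HEAD is currently checked out, even in the `if (remoteHead)` case where the remote branch was just fetched. `baseRef = remoteHead` is assigned but not used anywhere in these lines; if the later push relies on it as the parent commit, say so in a comment here, otherwise pass the fetched ref as the start point so that an existing remote branch is not silently overwritten. It is also worth confirming that an empty `filesToCommit` after `filterFilesNeedingUpdate` is handled before the checkout.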
Comment on lines 193 to +243
| @@ -204,7 +205,7 @@ function checkForTopLevelDotFolders(patchContent, excludes) { | |||
| * | |||
| * @param {string} patchContent - The git patch content | |||
| * @param {HandlerConfig} config | |||
| * @returns {{ action: 'allow' } | { action: 'deny', source: 'allowlist'|'protected', files: string[] } | { action: 'fallback', files: string[] }} | |||
| * @returns {{ action: 'allow' } | { action: 'deny', source: 'allowlist'|'protected', files: string[] } | { action: 'fallback', files: string[] } | { action: 'request_review', files: string[] }} | |||
| */ | |||
| function checkFileProtection(patchContent, config) { | |||
| // Step 1: allowlist check (if configured) | |||
| @@ -233,7 +234,13 @@ function checkFileProtection(patchContent, config) { | |||
| return { action: "allow" }; | |||
| } | |||
|
|
|||
| return config.protected_files_policy === "fallback-to-issue" ? { action: "fallback", files: allFound } : { action: "deny", source: "protected", files: allFound }; | |||
| if (config.protected_files_policy === "fallback-to-issue") { | |||
| return { action: "fallback", files: allFound }; | |||
| } | |||
| if (config.protected_files_policy === "request_review") { | |||
| return { action: "request_review", files: allFound }; | |||
| } | |||
| return { action: "deny", source: "protected", files: allFound }; | |||
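Review bot: The new policy value `request_review` is spelled with an underscore while the existing `fallback-to-issue` value in the same comparison chain uses hyphens. A config that says `request-review` matches neither branch and falls through to the final `deny`, which fails closed but gives the workflow author no hint as to why. Suggest validating `config.protected_files_policy` against the known values and warning on an unrecognized one, or accepting both spellings.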
| if (manifestProtectionRequestReview && manifestProtectionRequestReview.length > 0) { | ||
| const protectedFilesNoticeTemplatePath = getPromptPath("manifest_protection_request_review.md"); | ||
| const protectedFilesNotice = renderTemplateFromFile(protectedFilesNoticeTemplatePath, { | ||
| files: renderFilesList(manifestProtectionRequestReview.join(", ")), |
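Review bot: In the `files:` argument the array is flattened with `manifestProtectionRequestReview.join(", ")` before it reaches `renderFilesList`, so the helper receives a single string and cannot tell a separator from a comma inside a file path. If `renderFilesList` can take the array, pass it directly and let the helper escape each entry on its own; otherwise document the comma-separated contract at this call site.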
Comment on lines +34 to +75
| const configuredName = config.name || ""; | ||
| const maxCount = config.max != null ? Number(config.max) : 1; | ||
| const githubClient = await createAuthenticatedGitHubClient(config); | ||
| const isStaged = isStagedMode(config); | ||
|
|
||
| // Optional config-level output defaults (sanitized at startup so we pay the cost once) | ||
| const configOutputTitle = config.output_title ? sanitizeContent(String(config.output_title), MAX_TITLE_LENGTH) : ""; | ||
| const configOutputSummary = config.output_summary ? sanitizeContent(String(config.output_summary), MAX_CONTENT_LENGTH) : ""; | ||
|
|
||
| // Resolve the check run name: config > workflow name env var > fallback. | ||
| // Auto-deduplicate: if the resolved name equals the workflow name, GitHub's UI | ||
| // may collapse the programmatic check run into the workflow's own check suite | ||
| // entry, hiding it in compact/mobile views. Appending "(Result)" ensures a | ||
| // distinct name so the check run remains visible on all GitHub UI surfaces. | ||
| const workflowName = process.env.GITHUB_WORKFLOW || ""; | ||
| let defaultName = configuredName || workflowName || "Agent Check"; | ||
| if (defaultName === workflowName && workflowName) { | ||
| defaultName = `${defaultName} (Result)`; | ||
| } | ||
|
|
||
| core.info(`Create check run configuration: name="${defaultName}", max=${maxCount}`); | ||
| if (configOutputTitle) core.info(`Config output.title fallback set (${configOutputTitle.length} chars)`); | ||
| if (configOutputSummary) core.info(`Config output.summary fallback set (${configOutputSummary.length} chars)`); | ||
|
|
||
| // Track how many check runs we've created for max limit enforcement | ||
| let processedCount = 0; | ||
|
|
||
| /** | ||
| * Message handler function that processes a single create_check_run message | ||
| * @param {Object} message - The create_check_run message to process | ||
| * @param {Object} _resolvedTemporaryIds - Map of temporary IDs (unused for check runs) | ||
| * @returns {Promise<Object>} Result with success/error status | ||
| */ | ||
| return async function handleCreateCheckRun(message, _resolvedTemporaryIds) { | ||
| // Check if we've hit the max limit | ||
| if (processedCount >= maxCount) { | ||
| core.warning(`Skipping create_check_run: max count of ${maxCount} reached`); | ||
| return { | ||
| success: false, | ||
| error: `Max count of ${maxCount} reached`, | ||
| }; | ||
| } |
Automated sync of actions from gh-aw at v0.75.1.