Conversation
… add emergency exit rule
- Remove github toolsets and edit tool from shared/secret-audit.md frontmatter
- Add Emergency Exit Rule to prevent near-empty response retry loops
- Condense technique examples from 8-bullet to 1-line-with-examples per item (~3KB savings)
- Recompile secret-digger-copilot.lock.yml with gh-aw v0.66.1
- Post-process all lock files

Note: max-turns:4 not added - copilot engine does not support max-turns

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/5a262b3d-b3ef-4910-9c45-598c3d00ef31
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
✅ Coverage Check Passed
Overall Coverage
📁 Per-file Coverage Changes (2 files)
Coverage comparison generated by
Pull request overview
This PR optimizes the secret-digger-copilot agentic workflow prompt/config to reduce unused tool exposure and shrink the investigation instructions, while adding an explicit “emergency exit” path to avoid near-empty outputs that can trigger costly retry loops.
Changes:
- Remove unused tool declarations from the shared secret-audit prompt component and condense “technique” sections.
- Add an “Emergency Exit Rule” instructing the agent to call `noop` with a summary instead of emitting minimal output.
- Recompile and update `secret-digger-copilot.lock.yml` to newer `gh-aw` outputs (v0.47.0 → v0.66.1), including updated activation/agent plumbing and artifact handling.
| File | Description |
|---|---|
| .github/workflows/shared/secret-audit.md | Trims declared tools, condenses technique lists, and adds an emergency noop rule to prevent empty-output retry loops. |
| .github/workflows/secret-digger-copilot.lock.yml | Regenerated workflow lockfile reflecting new prompt content and updated gh-aw compilation/runtime steps. |
Copilot's findings
Comments suppressed due to low confidence (5)
`.github/workflows/secret-digger-copilot.lock.yml:294`
`github/gh-aw-actions/setup` is referenced by a mutable tag (`@v0.66.1`). For supply-chain safety and reproducibility, pin this action to a commit SHA (most other workflows do this, e.g. `.github/workflows/claude-token-optimizer.lock.yml:73`).
```yaml
- name: Setup Scripts
  uses: github/gh-aw-actions/setup@v0.66.1
  with:
    destination: ${{ runner.temp }}/gh-aw/actions
```
`.github/workflows/secret-digger-copilot.lock.yml:837`
`github/gh-aw-actions/setup` is referenced by a mutable tag (`@v0.66.1`). For supply-chain safety and reproducibility, pin this action to a commit SHA (most other workflows do this, e.g. `.github/workflows/claude-token-optimizer.lock.yml:73`).
```yaml
- name: Setup Scripts
  uses: github/gh-aw-actions/setup@v0.66.1
  with:
    destination: ${{ runner.temp }}/gh-aw/actions
```
`.github/workflows/secret-digger-copilot.lock.yml:923`
`github/gh-aw-actions/setup` is referenced by a mutable tag (`@v0.66.1`). For supply-chain safety and reproducibility, pin this action to a commit SHA (most other workflows do this, e.g. `.github/workflows/claude-token-optimizer.lock.yml:73`).
```yaml
- name: Setup Scripts
  uses: github/gh-aw-actions/setup@v0.66.1
  with:
    destination: ${{ runner.temp }}/gh-aw/actions
```
`.github/workflows/secret-digger-copilot.lock.yml:1111`
`github/gh-aw-actions/setup` is referenced by a mutable tag (`@v0.66.1`). For supply-chain safety and reproducibility, pin this action to a commit SHA (most other workflows do this, e.g. `.github/workflows/claude-token-optimizer.lock.yml:73`).
```yaml
- name: Setup Scripts
  uses: github/gh-aw-actions/setup@v0.66.1
  with:
    destination: ${{ runner.temp }}/gh-aw/actions
```
`.github/workflows/secret-digger-copilot.lock.yml:1174`
`github/gh-aw-actions/setup` is referenced by a mutable tag (`@v0.66.1`). For supply-chain safety and reproducibility, pin this action to a commit SHA (most other workflows do this, e.g. `.github/workflows/claude-token-optimizer.lock.yml:73`).
```yaml
- name: Setup Scripts
  uses: github/gh-aw-actions/setup@v0.66.1
  with:
    destination: ${{ runner.temp }}/gh-aw/actions
```
- Files reviewed: 2/2 changed files
- Comments generated: 2
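The review findings above all concern the same risk: a `uses:` reference pinned to a tag can be moved to a different commit after the fact, whereas a full 40-character commit SHA cannot. The following script is an added example, not code from this PR or from gh-aw, that scans a workflow or lockfile as plain text and reports every `uses:` reference that is not pinned to a full SHA. The embedded workflow excerpt is constructed for the demonstration (the all-zero SHA is a placeholder, not a real commit), and it generalises slightly beyond the finding by also flagging references that carry no ref at all.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example (not part of the PR or of gh-aw). A mutable tag such as `@v0.66.1`
can be re-pointed at another commit, so a workflow using it may silently run
different code; a 40-hex-character SHA is immutable. The scan works on the raw
text of a workflow/lockfile, so no YAML parser is required.
"""
import re

# `uses: owner/repo[/path]@ref`, optionally followed by a `# comment`.
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)")
_FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses_value: str) -> str:
    """Return 'local', 'docker', 'sha', 'mutable' or 'unversioned' for one uses value."""
    if uses_value.startswith("./"):
        return "local"          # action lives in this repo; it travels with the commit
    if uses_value.startswith("docker://"):
        return "docker"         # image refs need digest pinning; not covered here
    if "@" not in uses_value:
        return "unversioned"    # no ref at all: resolves to the action's default branch
    _, ref = uses_value.rsplit("@", 1)
    return "sha" if _FULL_SHA_RE.match(ref) else "mutable"


def find_unpinned(workflow_text: str) -> list:
    """Return (line_number, uses_value, kind) for every ref that is not SHA-pinned."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = _USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        kind = classify_ref(ref)
        if kind in ("mutable", "unversioned"):
            findings.append((lineno, ref, kind))
    return findings


# Constructed sample excerpt; the all-zero SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  agent:
    steps:
      - name: Checkout
        uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA
      - name: Setup Scripts
        uses: github/gh-aw-actions/setup@v0.66.1
        with:
          destination: ${{ runner.temp }}/gh-aw/actions
      - name: Local helper
        uses: ./.github/actions/helper
      - name: Floating
        uses: some-org/some-action
"""

if __name__ == "__main__":
    for lineno, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} ({kind})")
```

Run against a real lockfile by reading the file into `find_unpinned`; a non-empty result is a reasonable CI gate. Resolving a tag to the SHA it currently points at is a separate step (for example with `gh api` against the tag ref, as the agent attempted later in this thread) and is deliberately not done here so the check stays offline.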
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Smoke Test Results — Claude Engine ✅
GitHub MCP: #1662 test: add missing Gemini API target test coverage | #1656 chore(deps): bump defu from 6.1.4 to 6.1.6
Overall: PASS
🔥 Smoke Test Results
Overall: PASS
PR: "⚡ Optimize secret-digger-copilot: remove unused tools, condense prompt, add emergency exit rule" by
Smoke test results:
Smoke Test: GitHub Actions Services Connectivity ✅
All connectivity checks passed:
The `secret-digger-copilot` workflow loads 22 GitHub MCP tools it never uses, carries ~300-char per-technique command sub-lists that are redundant, and has no guard against the confirmed retry-loop bug where the model emits 2 tokens and triggers 5 extra full-cost retries.

Changes to `shared/secret-audit.md`
- `github:` toolsets — agent uses zero GitHub MCP calls; all container exploration is `bash`, issue filing is `safeoutputs.create_issue`
- `edit:` tool — loaded but never used; cache writes go through `bash`
- `noop` instruction when investigation yields nothing substantive, breaking the near-empty-response retry loop:

Lock file
Recompiled `secret-digger-copilot.lock.yml` with `gh aw compile` (v0.47.0 → v0.66.1) and post-processed with `postprocess-smoke-workflows.ts`.

Not applied
`max-turns: 4` (Rec 1A) — compiler rejects it: "engine 'copilot' does not support the max-turns feature". The Emergency Exit Rule is the fallback guard.
Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
- `https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.66.1` (`/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.66.1 --jq .object.sha`) (http block)
- `/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.66.1 --jq .object.sha d -token-usage` (http block)

If you need me to access, download, or install something from one of these locations, you can either: