fix: scanner workflows now check closed issues with state_reason-aware dedup by lpcox · Pull Request #2740 · github/gh-aw-firewall

lpcox · 2026-05-08T16:28:49Z

Problem

The refactoring-scanner, export-audit, and duplicate-code-detector workflows only checked open issues before filing new ones. When an issue was triaged and closed as "not planned" (won't fix), the scanner wouldn't see it on the next run and would re-file the exact same finding — creating an endless loop of duplicate issues.

Fix

Updated the dedup logic in all 3 scanner workflow prompts to search both open AND closed issues explicitly using state: all (or equivalent open+closed queries), and clarified how closed matches are handled:

For matching closed issues, use GitHub state_reason: auto-skip only when state_reason is not_planned. If a prior issue was closed as completed and the finding reproduces, reopen the prior issue or file a new linked issue with fresh evidence.

Files Changed

.github/workflows/refactoring-scanner.md + lock
.github/workflows/export-audit.md + lock
.github/workflows/duplicate-code-detector.md + lock

Update dedup logic in refactoring-scanner, export-audit, and duplicate-code-detector to search both open AND closed issues before filing new ones. Previously they only checked open issues, so findings that were triaged and closed as 'not planned' would be re-filed on the next scheduled run. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

github-actions · 2026-05-08T16:30:08Z

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	87.48%	87.55%	📈 +0.07%
Statements	87.44%	87.51%	📈 +0.07%
Functions	82.66%	82.66%	➡️ +0.00%
Branches	79.65%	79.69%	📈 +0.04%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
`src/container-lifecycle.ts`	87.1% → 88.2% (+1.14%)	87.5% → 88.6% (+1.11%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

Copilot

Pull request overview

Updates the three “scanner” agentic workflow prompts so their deduplication step considers previously closed issues (in addition to open issues), preventing scanners from re-filing findings that were already triaged and closed.

Changes:

Refactoring / Export Audit / Duplicate Code scanner prompts now instruct the agent to search open and closed issues before filing.
Adds an explicit “skip previously closed findings” rule to reduce duplicate issue churn.
Regenerates the compiled workflow lock files (which also changes the pinned awf runtime version and some cron schedules).

Show a summary per file

File	Description
`.github/workflows/refactoring-scanner.md`	Updates prompt dedup instructions to consider open + closed issues.
`.github/workflows/refactoring-scanner.lock.yml`	Regenerated compiled workflow; runtime pin and schedule changed.
`.github/workflows/export-audit.md`	Updates prompt dedup instructions to consider open + closed issues.
`.github/workflows/export-audit.lock.yml`	Regenerated compiled workflow; runtime pin changed.
`.github/workflows/duplicate-code-detector.md`	Updates prompt dedup instructions to consider open + closed issues.
`.github/workflows/duplicate-code-detector.lock.yml`	Regenerated compiled workflow; runtime pin and schedule changed.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Files reviewed: 6/6 changed files
Comments generated: 11

+1. Search for issues (open or closed) with `[Refactoring]` prefix mentioning the same file
+2. Search for issues with labels `code-quality` or `refactoring` mentioning the same file
 3. Skip any finding that already has an open tracking issue
+4. **Skip any finding that was previously closed** — a closed issue (especially "not planned" or "won't fix") means the finding was already triaged and intentionally declined. Do NOT re-file it.



-1. Search for open issues with `[Export Audit]` prefix using the GitHub toolset
-2. Search for open issues with the `code-quality` label mentioning the same symbol or file
+1. Search for issues (open or closed) with `[Export Audit]` prefix mentioning the same symbol or file
+2. Search for issues with the `code-quality` label mentioning the same symbol or file
 3. Skip any finding that already has an open tracking issue
+4. **Skip any finding that was previously closed** — a closed issue (especially "not planned" or "won't fix") means the finding was already triaged and intentionally declined. Do NOT re-file it.



-1. Search for open issues with `[Duplicate Code]` prefix using the GitHub toolset
+1. Search for issues (open or closed) with `[Duplicate Code]` prefix using the GitHub toolset
 2. Also search for issues with labels `code-quality` or `refactoring` that describe duplication
 3. Skip any finding that already has an open tracking issue
+4. **Skip any finding that was previously closed** — a closed issue (especially "not planned" or "won't fix") means the finding was already triaged and intentionally declined. Do NOT re-file it.


          GH_AW_INFO_ALLOWED_DOMAINS: '["node","github"]'
          GH_AW_INFO_FIREWALL_ENABLED: "true"
-          GH_AW_INFO_AWF_VERSION: "v0.25.41"
+          GH_AW_INFO_AWF_VERSION: "v0.25.29"


 name: "Refactoring Opportunity Scanner"
 "on":
  schedule:
-  - cron: "53 14 * * *"
+  - cron: "36 13 * * *"
    # Friendly format: daily (scattered)


          GH_AW_INFO_ALLOWED_DOMAINS: '["node","github"]'
          GH_AW_INFO_FIREWALL_ENABLED: "true"
-          GH_AW_INFO_AWF_VERSION: "v0.25.41"
+          GH_AW_INFO_AWF_VERSION: "v0.25.29"


+          printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.25.29/awf-config.schema.json","network":{"allowDomains":["*.githubusercontent.com","api.business.githubcopilot.com","api.enterprise.githubcopilot.com","api.github.com","api.githubcopilot.com","api.individual.githubcopilot.com","api.npms.io","bun.sh","cdn.jsdelivr.net","codeload.github.com","deb.nodesource.com","deno.land","docs.github.com","esm.sh","get.pnpm.io","github-cloud.githubusercontent.com","github-cloud.s3.amazonaws.com","github.blog","github.com","github.githubassets.com","googleapis.deno.dev","googlechromelabs.github.io","host.docker.internal","jsr.io","lfs.github.com","nodejs.org","npm.pkg.github.com","npmjs.com","npmjs.org","objects.githubusercontent.com","raw.githubusercontent.com","registry.bower.io","registry.npmjs.com","registry.npmjs.org","registry.yarnpkg.com","repo.yarnpkg.com","skimdb.npmjs.com","storage.googleapis.com","telemetry.enterprise.githubcopilot.com","telemetry.vercel.com","www.npmjs.com","www.npmjs.org","yarnpkg.com"]},"apiProxy":{"enabled":true,"models":{"auto":["large"],"deep-research":["copilot/deep-research*","google/deep-research*"],"gemini-flash":["copilot/gemini-*flash*","google/gemini-*flash*"],"gemini-pro":["copilot/gemini-*pro*","google/gemini-*pro*"],"gpt-4.1":["copilot/gpt-4.1*","openai/gpt-4.1*"],"gpt-5":["copilot/gpt-5*","openai/gpt-5*"],"gpt-5-codex":["copilot/gpt-5*codex*","openai/gpt-5*codex*"],"gpt-5-mini":["copilot/gpt-5*mini*","openai/gpt-5*mini*"],"gpt-5-nano":["copilot/gpt-5*nano*","openai/gpt-5*nano*"],"gpt-5-pro":["copilot/gpt-5*pro*","openai/gpt-5*pro*"],"haiku":["copilot/*haiku*","anthropic/*haiku*"],"large":["sonnet","gpt-5-pro","gpt-5","gemini-pro"],"mini":["haiku","gpt-5-mini","gpt-5-nano","gemini-flash"],"opus":["copilot/*opus*","anthropic/*opus*"],"reasoning":["copilot/o1*","copilot/o3*","copilot/o4*","openai/o1*","openai/o3*","openai/o4*"],"small":["mini"],"sonnet":["copilot/*sonnet*","anthropic/*sonnet*"]}},"container":{"imageTag":"0.25.29,squid=sha256:8a71ad9e40454051672312917e51567abfb8251d7c294d086c48f63d84e4cb53,agent=sha256:e68f37e36962dcb3f3d1de680a49bc2302cefd001b941a7dc377155ec7ce42f4,agent-act=sha256:97b4cc14dc2123a45b9d5b9927489f66882dec5857de6afc0e5bab257be92ef1,api-proxy=sha256:d1219e4110684402aabbeb5a43858f26790c9d0be210581cf3f7a521bd2c87b6,cli-proxy=sha256:29917488eb90a01ff9544ffeeb5cc26434a8ea16d69ae8972f5f6be0e567e276"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" && cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json
          # shellcheck disable=SC1003
          sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --session-state-dir /tmp/gh-aw/sandbox/agent/session-state --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
            -- /bin/bash -c 'export PATH="${RUNNER_TEMP}/gh-aw/mcp-cli/bin:$PATH" && export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || echo node)"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log


          GH_AW_INFO_ALLOWED_DOMAINS: '["node","github"]'
          GH_AW_INFO_FIREWALL_ENABLED: "true"
-          GH_AW_INFO_AWF_VERSION: "v0.25.41"
+          GH_AW_INFO_AWF_VERSION: "v0.25.29"


 name: "Duplicate Code Detector"
 "on":
  schedule:
-  - cron: "34 21 * * *"
+  - cron: "49 3 * * *"
    # Friendly format: daily (scattered)


+          printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.25.29/awf-config.schema.json","network":{"allowDomains":["*.githubusercontent.com","api.business.githubcopilot.com","api.enterprise.githubcopilot.com","api.github.com","api.githubcopilot.com","api.individual.githubcopilot.com","api.npms.io","bun.sh","cdn.jsdelivr.net","codeload.github.com","deb.nodesource.com","deno.land","docs.github.com","esm.sh","get.pnpm.io","github-cloud.githubusercontent.com","github-cloud.s3.amazonaws.com","github.blog","github.com","github.githubassets.com","googleapis.deno.dev","googlechromelabs.github.io","host.docker.internal","jsr.io","lfs.github.com","nodejs.org","npm.pkg.github.com","npmjs.com","npmjs.org","objects.githubusercontent.com","raw.githubusercontent.com","registry.bower.io","registry.npmjs.com","registry.npmjs.org","registry.yarnpkg.com","repo.yarnpkg.com","skimdb.npmjs.com","storage.googleapis.com","telemetry.enterprise.githubcopilot.com","telemetry.vercel.com","www.npmjs.com","www.npmjs.org","yarnpkg.com"]},"apiProxy":{"enabled":true,"models":{"auto":["large"],"deep-research":["copilot/deep-research*","google/deep-research*"],"gemini-flash":["copilot/gemini-*flash*","google/gemini-*flash*"],"gemini-pro":["copilot/gemini-*pro*","google/gemini-*pro*"],"gpt-4.1":["copilot/gpt-4.1*","openai/gpt-4.1*"],"gpt-5":["copilot/gpt-5*","openai/gpt-5*"],"gpt-5-codex":["copilot/gpt-5*codex*","openai/gpt-5*codex*"],"gpt-5-mini":["copilot/gpt-5*mini*","openai/gpt-5*mini*"],"gpt-5-nano":["copilot/gpt-5*nano*","openai/gpt-5*nano*"],"gpt-5-pro":["copilot/gpt-5*pro*","openai/gpt-5*pro*"],"haiku":["copilot/*haiku*","anthropic/*haiku*"],"large":["sonnet","gpt-5-pro","gpt-5","gemini-pro"],"mini":["haiku","gpt-5-mini","gpt-5-nano","gemini-flash"],"opus":["copilot/*opus*","anthropic/*opus*"],"reasoning":["copilot/o1*","copilot/o3*","copilot/o4*","openai/o1*","openai/o3*","openai/o4*"],"small":["mini"],"sonnet":["copilot/*sonnet*","anthropic/*sonnet*"]}},"container":{"imageTag":"0.25.29,squid=sha256:8a71ad9e40454051672312917e51567abfb8251d7c294d086c48f63d84e4cb53,agent=sha256:e68f37e36962dcb3f3d1de680a49bc2302cefd001b941a7dc377155ec7ce42f4,agent-act=sha256:97b4cc14dc2123a45b9d5b9927489f66882dec5857de6afc0e5bab257be92ef1,api-proxy=sha256:d1219e4110684402aabbeb5a43858f26790c9d0be210581cf3f7a521bd2c87b6,cli-proxy=sha256:29917488eb90a01ff9544ffeeb5cc26434a8ea16d69ae8972f5f6be0e567e276"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" && cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json
          # shellcheck disable=SC1003
          sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --session-state-dir /tmp/gh-aw/sandbox/agent/session-state --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
            -- /bin/bash -c 'export PATH="${RUNNER_TEMP}/gh-aw/mcp-cli/bin:$PATH" && export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || echo node)"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log


lpcox · 2026-05-08T16:35:06Z

@copilot address review feedback for .md files. ignore for .lock.yml files

Copilot · 2026-05-08T16:37:51Z

@copilot address review feedback for .md files. ignore for .lock.yml files

Updated the three scanner .md prompts only (no .lock.yml changes) in commit 00d1ec6. The dedup steps now explicitly use state: all for both searches and only auto-skip closed issues when closure reason is not planned/won't fix; completed/fixed closures now require reopen/new issue behavior when evidence reproduces.

github-actions · 2026-05-08T17:08:56Z

Smoke Test Results

✅ GitHub MCP: Last 2 merged PRs retrieved
✅ Playwright: github.com page title verified
✅ File Writing: Test file created successfully
✅ Bash Tool: File verification passed

Overall Status: PASS

💥 [THE END] — Illustrated by Smoke Claude

github-actions · 2026-05-08T17:09:11Z

🔥 Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
GitHub MCP (merged PR: "fix: remove unused exported interfaces...")	✅
GitHub.com connectivity	⚠️ pre-step data unavailable (template vars not expanded)
File write/read	⚠️ pre-step data unavailable (template vars not expanded)
BYOK inference (agent → api-proxy → api.githubcopilot.com)	✅

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

Author: @lpcox | Reviewer: @Mossaka

Overall: PASS (core BYOK path confirmed ✅)

🔑 BYOK report filed by Smoke Copilot BYOK

github-actions · 2026-05-08T17:09:16Z

🔬 Smoke Test Results

Test	Status
GitHub MCP connectivity	✅
File write/read (`smoke-test-copilot-25567455332.txt`)	✅
GitHub.com HTTP connectivity	✅

PR: fix: scanner workflows now check closed issues with state_reason-aware dedup
Author: @lpcox | Reviewer: @Mossaka

Overall: PASS ✅

📰 BREAKING: Report filed by Smoke Copilot

github-actions · 2026-05-08T17:09:58Z

🔮 Codex smoke: FAIL
PRs: ✅ fix: remove unused exported interfaces from services and pid-tracker; ✅ fix(api-proxy): fetch models from BYOK custom providers and fix models_url in reflect
GitHub reads: ✅
Safe Inputs GH: ❌ unavailable; queried via authenticated gh wrapper
Playwright: ✅
Tavily: ❌ no tools exposed
File/Bash/Discussion/Build: ✅
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

github-actions · 2026-05-08T17:10:51Z

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	passed	✅ PASS
Go	env	✅	passed	✅ PASS
Go	uuid	✅	passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	passed	✅ PASS
Node.js	execa	✅	passed	✅ PASS
Node.js	p-limit	✅	passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #2740 · ● 661.2K · ◷

github-actions · 2026-05-08T17:11:50Z

Smoke Test Results

❌ Redis PING — timeout (no response from host.docker.internal:6379)
❌ PostgreSQL pg_isready — no response on port 5432
❌ PostgreSQL SELECT 1 — not attempted (pg_isready failed)

Overall: FAIL — host.docker.internal service containers are unreachable from this runner environment.

🔌 Service connectivity validated by Smoke Services

Copilot AI review requested due to automatic review settings May 8, 2026 16:28

lpcox requested a review from Mossaka as a code owner May 8, 2026 16:28

Copilot started reviewing on behalf of lpcox May 8, 2026 16:29 View session

github-actions Bot mentioned this pull request May 8, 2026

[aw] Smoke OpenCode failed #2741

Closed