[copilot-agent-analysis] Daily Copilot Agent Analysis - 2026-03-17

[github-actions[bot]]

Summary

Analysis Period: Last 24 hours (2026-03-16T20:39Z – 2026-03-17T20:39Z)
Total PRs (agent_prs_total): 43 | Merged (agent_prs_merged): 35 (81%) | Closed: 3 (7%) | Open: 5 (12%) | Avg Duration: 74 min

Performance Metrics

Date	PRs	Merged	Success Rate	Avg Duration
2026-03-17 (today)	43	35	92%	74 min
2026-03-16 (yesterday)	30	26	87%	51 min
2026-03-15	44	36	82%	150 min

Trend: 📈 Success rate improving (+10% over 3 days). Avg duration within normal range.

Agent Task Texts

View All 43 PRs

PR #	Status	Task Text (first 100 chars)
#21285	Closed	The safe outputs specification had no formal definition or normative requirements for the secrecy
#21286	Merged	APM dependencies: fails for cross-org private repos because the default GITHUB_TOKEN is org-scop
#21287	Merged	The determine_automatic_lockdown.cjs runtime check previously auto-emitted lockdown=true for pub
#21288	Closed	The microsoft/apm-action was installing the apm CLI at latest with no version pinning, making
#21294	Merged	lockdown: false was explicitly set in several agentic workflows, opting out of lockdown mode. This
#21297	Merged	The compiler had no pinned version for the microsoft/APM CLI tool, so generated `microsoft/apm-act
#21298	Merged	Public repositories using GitHub MCP without explicit lockdown or min-integrity configuration no
#21301	Merged	When engine.api-target is set for a GHES instance, the compiler correctly passed `--copilot-api-ta
#21303	Merged	The default false value for GitHub MCP server lockdown mode was hardcoded as a literal in `getGitH
#21307	Merged	When both tools.github and safe-outputs are configured, the built-in prompt told the model to us
#21323	Merged	Each compiled .lock.yml was embedding a 20–50 KB filtered copy of safe_outputs_tools.json as a h
#21324	Merged	Generic names like getSecretInfo and getWorkflowStatuses are easily overlooked by AI coding agen
#21325	Merged	When checkout: false is set, the compiler correctly omits actions/checkout but still emitted "Co
#21327	Merged	The workflow consistently exhausted its 50-turn budget debugging server/Playwright issues rather tha
#21329	Merged	Several shared workflow configs had GitHub App configuration either commented out or using the wrong
#21331	Merged	audit report's downloaded_files[*].path entries were relative to the process working directory i
#21332	Merged	pkg/fileutil had tests only for ValidateAbsolutePath (~17% coverage). The remaining five exporte
#21333	Merged	The CI Optimization Coach was hard-blocked when it generated a PR touching `.github/workflows/ci.yml
#21336	Merged	Four engines (claude, gemini, copilot, codex) each duplicated the same createRenderer clos
#21339	Merged	The "Smoke Claude" workflow was failing at the "Generate GitHub App token for APM dependencies" step
#21342	Merged	When the github tool is configured without explicit repos/min-integrity, the auto-lockdown ste
#21348	Merged	The gh aw new interactive prompt offered custom as an engine choice, but custom was removed —
#21349	Merged	When GH_HOST points to a GHE instance (e.g. contoso-aw.ghe.com), add/add-wizard with a full
#21384	Merged	Long fmt.Errorf-wrapped error chains are rendered as a single hard-to-read line. Each layer of con
#21385	Merged	The docs-noob-tester workflow was failing because it instructed the agent to navigate Playwright t
#21386	Merged	GH_AW_BOT_DETECTION_TOKEN is expired, and because it evaluates to a non-empty string, the `|| secr
#21387	Closed	update_project hardcoded context.repo when resolving content_number to a GraphQL node ID, maki
#21389	Merged	Adds a daily agentic workflow to keep Astro and its ecosystem packages current in docs/, handling
#21400	Merged	Automated CLI consistency inspection found 10 inconsistencies across help text — mismatched Short/Lo
#21404	Merged	update_project hardcoded context.repo when resolving content_number to a project item node ID,
#21406	Merged	When running in GitHub Actions with runner debug mode enabled (ACTIONS_RUNNER_DEBUG=true), the CLI
#21408	Merged	On GHE Cloud data residency (*.ghe.com) instances, compiled workflows fail at the first gh CLI s
#21410	Merged	The workflow creator agent lacked guidance on how to build on-demand "command" workflows, leaving it
#21413	Merged	Every generated .lock.yml file started with a bare # line before the ASCII logo, producing unnec
#21414	Open	safe-outputs.staged: true silently broke for most handler types due to two independent bugs.
#21415	Merged	Adds a daily agentic workflow that maintains test coverage parity between the compiler's supported s
#21421	Merged	Two independent failures in the safe_outputs job caused by a missing tool definition and an incorr
#21422	Open	Hardcoded /opt/gh-aw paths throughout the compiler prevent self-hosted runners from relocating the
#21423	Merged	location.hash values were passed directly to fetch() with no origin validation, allowing an atta
#21424	Open	When a GitHub App token minting step fails (bad credentials, missing installation, wrong permissions
#21439	Merged	DDUw only scanned open documentation issues, leaving two blind spots: gaps fixed externally withou
#21440	Open	The build job in ci.yml uploads the compiled gh-aw binary as a GitHub Actions artifact and wri
#21443	Open	- [x] Analyze all /opt/gh-aw references in codebase (~50+ files) - [x] Plan implementation approac

Notable PRs

Issues ⚠️

• #21285: safe outputs secrecy field spec — closed without merge
• #21288: microsoft/apm-action version pinning — closed without merge (superseded by #21297)
• #21387: update_project cross-repo fix — closed without merge (superseded by #21404)

Open PRs ⏳

• #21414: safe-outputs.staged bug fix — open ~5h
• #21422: hardcoded /opt/gh-aw paths (partial) — open ~4h
• #21424: GitHub App auth failure surfacing — open ~4h
• #21440: CI binary artifact upload — open ~1h
• #21443: /opt/gh-aw paths refactor (WIP) — open ~0.5h

Key Insights

• All 3 closed-without-merge PRs were superseded by improved follow-up PRs (same task attempted and completed successfully), indicating agent retry behavior is working well.
• Two open PRs (refactor: replace hardcoded /opt/gh-aw paths with GH_AW_HOME constants (partial) #21422, refactor: migrate /opt/gh-aw to ${{ runner.temp }}/gh-aw for self-hosted runner compatibility #21443) both address the same /opt/gh-aw hardcoded path issue — potential duplicate effort worth reviewing.

---

Generated by Copilot Agent Analysis (Run: §23215360679)

AI generated by Copilot Agent PR Analysis · history

• expires on Mar 18, 2026, 8:44 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Copilot Agent PR Analysis.

A newer discussion is available at Discussion #21651.