[safe-output-health] 🏥 Safe Output Health Report - 2026-06-23

[github-actions[bot]]

Executive Summary

• Period: Last 24h (logs window 2026-06-23T05:15Z → 05:32Z, 12 run directories)
• Runs Analyzed: 12
• Workflows Active: 12 (a Smoke-suite batch tied to PR Add shared engine.driver field with @earendil-works/pi-agent-core built-in driver #40897 / copilot/add-sample-pi-agent-core-driver)
• Safe Output Jobs Executed (completed, non-skipped): 11
• Safe Output Jobs Failed: 1 (Changeset Generator)
• Safe Output Jobs Skipped (agent-failed, out of scope): 1
• Run-level safe_outputs success rate: 90.9% (10/11)
• Error Clusters Identified: 1 (recurrence of the patch-format: bundle branch-pin family)

⚠️ Clean streak broken after 7 days (06-16 → 06-22 were all 0-failure). This is the first non-smoke-* safe_outputs JOB hard failure since 2026-06-11 (LintMonster).

Safe Output Job Statistics

Outcome	Count	Notes
JOB success	10	full Smoke matrix + Design Decision Gate
JOB hard failure	1	Changeset Generator (push_to_pull_request_branch, bundle)
JOB skipped (agent failed)	1	Smoke Claude on Copilot — out of scope

Metrics caveat: SafeItemsCount=0 across all runs is the known metrics blind spot (bash CLI-wrapper writes are uncounted), not an absence of writes. Message-level results are not observable today — no Process Safe Outputs step logs were pre-bundled, so JOB conclusions come from run_summary.json job_details[].

Error Cluster: changeset_generator_push_to_pull_request_branch_bundle_job_hardfail

• Count: 1 run (§28003923242)
• Workflow: Changeset Generator (codex/gpt-5.4) — a production release-notes-automation workflow
• Event: pull_request (labeled), branch copilot/add-sample-pi-agent-core-driver
• Job timeline: agent SUCCESS (10.4m) → detection SUCCESS → safe_outputs FAILURE (47s) → run conclusion failure
• Actuating safe-outputs: push-to-pull-request-branch (patch-format: bundle, allowed-files: .changeset/**, protected-files: blocked) + update-pull-request(append)
• Impact: the .changeset file was not pushed to the PR branch → missing release-note entry on that PR (low-to-medium production impact)

Root cause (inferred — see data limitation)

This is the same family as the 2026-06-17 create_pull_request_branch_pin_dubious_ownership_bridge_process cluster — the patch-format: bundle / branch-pin transport path — but at a different layer:

Date	Workflow	Safe output	Layer	Outcome
06-17	jsweep	create_pull_request (bundle)	pre-buffer (in-agent bridge)	intent dropped, JOB stayed success
06-23	Changeset Generator	push_to_pull_request_branch (bundle)	downstream JOB	JOB failure

Key isolation: in the same window, Design Decision Gate (§28004370976) used push_to_pull_request_branch with the default patch-format and succeeded. This strongly implicates the bundle path specifically, not push_to_pull_request_branch in general.

The 06-17 root cause was the bundle branch-pin git step hitting fatal: detected dubious ownership because the safeoutputs bridge runs outside the container as a different user/HOME than the /home/runner/work/gh-aw/gh-aw checkout, and the agent's in-container git config --global safe.directory can't reach the bridge's gitconfig. The 06-23 JOB-layer failure is consistent with the same bundle branch-pin transport being exercised at the downstream push job.

⚠️ Data-availability limitation (why root cause is inferred, not read)

• No Process Safe Outputs step logs were pre-bundled for any run today (job_details[] gives JOB conclusions only).
• The agenticworkflows audit MCP tool (artifacts: true) did not surface the failed JOB's step stdout/stderr; its key_findings even mislabeled this as "failed before agent activation" — the failure was at safe_outputs, well after agent success.
• Consequence: the exact error string is inferred from config (patch-format: bundle + push_to_pull_request_branch) and family history, not directly read.
• Recommended follow-up: fetch the run-28003923242 Process Safe Outputs step log directly (Actions UI / gh run view) to confirm.

Recurring Clusters Status

Cluster	Today	State
..._branch_pin_dubious_ownership_bridge_process (bundle)	RE-EXERCISED + new JOB-layer variant	occurrences 2 (06-17, 06-23) — escalate to investigate
review_path_unresolved_422 (Path variant)	not exercised (no PR-reviewers)	fix pr_review_buffer.cjs:554 UNVALIDATED 26th consecutive audit
add_comment_discussion_resource_not_accessible_by_integration	exercise-present, JOB clean	occurrences 2 (06-14/15) — encouraging, message-level unconfirmed
target_star_review_comment_no_pr_number_fallback	exercise-present, JOB clean	occurrences 2 (last 06-15) — likely latent
target_star_add_labels_no_item_number_hardfail	exercise-present (Smoke Copilot dispatch), JOB clean	occurrences 2 (06-11/14)
update_issue_target_triggering / assign_to_agent_* / hide_comment_int	not exercised	LintMonster/Issue Monster/AI Moderator absent

Positive Signals

• ✅ Full Smoke matrix (Claude / Codex / Gemini / Pi / Antigravity / Copilot + AOAI apikey & Entra / Agent Container Smoke Test) all JOB=success except the agent-failed Smoke Claude on Copilot.
• ✅ Smoke Claude (pull_request) (§28003923294) JOB clean — the workflow that hard-failed on add_comment→discussion + target_star on 06-14/06-15 did not fail its JOB today.
• ✅ Design Decision Gate push_to_pull_request_branch (default patch-format) CLEAN — isolates the failure to the bundle path.
• ✅ AOAI Entra + apikey smoke agent=success — 06-15 AOAI auth agent-failures did not recur.
• ✅ Auxiliary post-agent jobs healthy: push_experiments_state, update_cache_memory, send_slack_message, trufflehog_scan, upload_code_scanning_sarif all success.

Recommendations / Work Items

Work Item 1 — Investigate the patch-format: bundle branch-pin push path (Priority: High)

• Type: Bug Fix / Investigation
• Why now: 2nd occurrence of the branch-pin/bundle family (06-17 pre-buffer drop, 06-23 JOB-layer hard fail). No longer a one-off.
• Acceptance criteria:
  • Fetch & confirm the run-28003923242 Process Safe Outputs step error.
  • Verify the downstream push_to_pull_request_branch bundle path applies -c safe.directory=/home/runner/work/gh-aw/gh-aw (or safe.directory='*') / correct HOME/GIT_CONFIG_GLOBAL to the bridge git invocation — same fix area as 06-17.
  • Confirm default-patch-format push is unaffected (already evidenced by Design Decision Gate success).

Work Item 2 — Improve safe_outputs failure observability (Priority: Medium)

• The audit MCP tool reports a generic "failed before agent activation" for a safe_outputs-stage failure and does not bundle/surface the Process Safe Outputs step log. This blocks root-cause analysis for exactly the failures this monitor exists to triage.
• Acceptance criteria:
  • Pre-bundle (or make fetchable) the Process Safe Outputs step stdout for failed safe_outputs jobs.
  • Fix the audit key_findings so a safe_outputs-stage failure isn't labeled as a pre-activation failure.

Work Item 3 — Validate the long-standing review_path_unresolved_422 Path-variant fix (Priority: Low/Medium)

• pr_review_buffer.cjs:554 Path-variant fallback unvalidated for 26 consecutive audits (no production 422 has fired it). Carryover — no new signal today.

Next Steps

• Read the failed Process Safe Outputs step log for run 28003923242 and confirm/replace the inferred root cause.
• Apply the bundle branch-pin safe.directory fix at the downstream push path if confirmed.
• Watch the next Changeset Generator + daily jsweep runs (both patch-format: bundle) for recurrence.

References:

• §28003923242 — Changeset Generator (safe_outputs FAILURE)
• §28004370976 — Design Decision Gate (push bundle contrast, success)
• §28003923294 — Smoke Claude (target_star / discussion clusters, JOB clean)

Generated by 🔒 Safe Output Health Monitor · 533.3 AIC · ⌖ 16.8 AIC · ⊞ 9.2K · ◷

• expires on Jun 23, 2026, 9:46 PM UTC-08:00

[github-actions[bot]]

"Smoke run 28004944791 checked discussion commenting at 2026-06-23T05:48:58Z ✅"

📰 BREAKING: Report filed by Smoke Copilot · 191.4 AIC · ⌖ 15.6 AIC · ⊞ 19.9K · ◷

[github-actions[bot]]

Smoke test run initiated. ✅

📰 BREAKING: Report filed by Smoke Copilot - AOAI (apikey) · 121.3 AIC · ⌖ 14.1 AIC · ⊞ 18.1K · ◷

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-06-24T05:46:12.606Z.

Closed by Workflow