[safe-output-health] Safe Output Health Report 2026-06-26

[github-actions[bot]]

🏥 Safe Output Health Report — 2026-06-26

Executive Summary

• Period: Last 24 hours (runs 2026-06-26 03:43Z → 05:22Z)
• Runs Analyzed: 63
• Workflows Active: ~30 distinct (engines: copilot 37, claude 11, codex 6, pi 5, gemini 1, antigravity 1)
• Run-Level Failures: 6
• Safe Output Job Hard Failures (in scope): 1 — changeset_generator_push_to_pull_request_branch_bundle_job_hardfail (RECURRED, production)
• Out-of-scope (agent-job) failures: 5

Provably complete count. A safe_outputs hard failure always forces the run conclusion to failure. All 6 run-level failures were enumerated and audited via each run's jobs[] — so exactly 1 of 63 runs had an in-scope safe_outputs JOB failure. The other 5 failed in the agent job (out of scope).

Safe Output Job Statistics

Job stage of the 6 failed runs	Count	Scope
safe_outputs JOB hard failure	1	IN SCOPE
agent JOB failure (safe_outputs = success)	5	out of scope

Run-level safe_outputs job success rate: 98.4% (62 of 63 runs reaching the stage had safe_outputs success/skip; 1 hard failure).

Error Clusters

Cluster 1: changeset_generator_push_to_pull_request_branch_bundle_job_hardfail — RECURRED (production)

• Count today: 1 occurrence — occurrence Add workflow: githubnext/agentics/weekly-research #2 of this exact signature (first seen 2026-06-23)
• Family: create_pull_request_branch_pin_dubious_ownership_bridge_process — now occurrence Add workflow: githubnext/agentics/weekly-research #3 (06-17 jsweep pre-buffer, 06-23 Changeset JOB, 06-26 Changeset JOB)
• Affected job: safe_outputs (push_to_pull_request_branch, patch-format bundle, allowed .changeset/**; + update_pull_request append)
• Affected workflow: Changeset Generator (codex) — §28215703557
• Job timeline: pre_activation ✅ · activation ✅ · agent ✅ (15.9m) · detection ✅ · safe_outputs ✗ (40s) · conclusion ✅
• Sample error: not recoverable this run — the Process Safe Outputs step log was not pre-bundled and the audit MCP downloaded_files contained no safe-output / patch / git artifact. Root cause inferred structurally from 06-17/06-23 history.
• Root cause (inferred): the safeoutputs bridge / branch-pin step runs outside the container as a different user/HOME, so the agent's in-container git config --global safe.directory doesn't reach the bridge's gitconfig → git detected dubious ownership in repository on the bundle-transport push.
• Impact: low-to-medium production impact — the .changeset release-note file was not pushed (PR copilot/fix-cli-process-hang-issue left without its changeset entry); the daily run is red in the Actions UI.

Why this is the same defect as 2026-06-23

	2026-06-23 (run-28003923242)	2026-06-26 (run-28215703557)
Workflow	Changeset Generator	Changeset Generator
Engine	codex	codex
agent / detection	success / success	success / success
safe_outputs JOB	failure (47s)	failure (40s)
Handlers	push_to_pull_request_branch (bundle) + update_pull_request	identical
Loss	.changeset not pushed	.changeset not pushed

Isolation (from 06-23): a Design Decision Gate push_to_pull_request_branch with default patch-format succeeded in the same window while Changeset's patch-format: bundle failed → bundle transport is the suspect variable. Not re-tested today (no Design Decision Gate push in window).

Out-of-scope (agent-job) failures — listed for completeness, NOT analyzed

Run	Workflow	Engine	Failed job	safe_outputs
28218968236	Test Quality Sentinel	copilot	agent	success
28215990234	Test Quality Sentinel	copilot	agent	success
28217567247	Code Simplifier	copilot	agent	success
28217478494	Go Logger Enhancement	claude	agent	success
28217439569	Daily AstroStyleLite Markdown Spellcheck	claude	agent	success

Code Simplifier is a recurring agent-job offender (failed 06-10/06-20/06-21/06-25/06-26) — flagged here only as a pointer for the agent-health monitor; out of scope for this report.

Recommendations

Critical / High — Escalate the Changeset bundle push failure

• Priority: High (production, reproduced twice in 3 days)
• Root cause: git detected dubious ownership in the out-of-container safeoutputs bridge for push_to_pull_request_branch with patch-format: bundle.
• Recommended actions:
  1. Fix: add git config --global --add safe.directory <repo> in the safeoutputs bridge HOME context (the same dubious-ownership fix the in-container agent already has), and/or align the bridge user + HOME with the container.
  2. Observability: pre-bundle the Process Safe Outputs step log on failure (or surface it via the audit MCP tool) so the exact error is recoverable — this signature has now failed twice with the error never captured.
  3. Resilience: add a graceful retry/skip so a bundle-transport failure doesn't red the daily run when the only loss is a missing changeset entry.
• Affected: Changeset Generator; any push_to_pull_request_branch consumer using patch-format: bundle.

Standing gap (carried forward)

• review_path_unresolved_422 Path-variant fallback (pr_review_buffer.cjs:554) remains UNVALIDATED for the 29th consecutive audit — PR-reviewer workflows ran today but emitted no 422 to fire the fallback. No action beyond awaiting a natural Path-variant 422.

Work Item Plan

Work Item 1: Fix push_to_pull_request_branch bundle transport git ownership failure

• Type: Bug Fix
• Priority: High
• Description: The safeoutputs bridge fails git operations with detected dubious ownership when pushing a patch-format: bundle to a PR branch, because it runs as a different user/HOME than the in-container agent. Reproduced on Changeset Generator 2026-06-23 and 2026-06-26.
• Acceptance Criteria:
  • Bridge HOME gitconfig includes safe.directory for the workspace (or bridge runs as the same user/HOME as the container).
  • Changeset Generator pushes its .changeset/** file successfully on a pull_request event.
  • The Process Safe Outputs step log is captured/pre-bundled on failure.
• Technical Approach: add git config --global --add safe.directory to bridge setup; verify against a Changeset Generator re-run; bundle the step log artifact on non-zero exit.
• Estimated Effort: Small–Medium

Historical Context

• Trend: Production safe_outputs JOB streak was clean 06-16 → 06-22 (7 days), broke on 06-23 (this same Changeset bundle defect), recovered 06-25, and the same defect recurred today. The intervening smoke-only target/context family (06-24) did not reproduce today (no workflow_dispatch Smoke in window).
• Most reliable in-scope production failure signature in audit history is now push_to_pull_request_branch with patch-format: bundle (Changeset Generator), 2 of 2 attempts failing.

Metrics

• Overall safe_outputs run-level success rate: 98.4% (62/63)
• Most problematic handler: push_to_pull_request_branch (patch-format: bundle) — 1/1 failed today, 2/2 over 3 days
• Most reliable: all other handlers (add_comment, create_issue, create_discussion, create_pull_request, update_pull_request, add_labels, submit_pull_request_review) — no in-scope failures observed in window

Next Steps

• Open/Update a tracking issue for the Changeset bundle git-ownership fix (High).
• Add Process-Safe-Outputs step-log capture on failure so the exact error is recoverable next time.
• Re-audit tomorrow; confirm whether the fix (if applied) clears the Changeset Generator path.
• Continue watching for a natural review_path_unresolved_422 Path-variant 422 to validate pr_review_buffer.cjs:554.

References:

• §28215703557 — Changeset Generator (today's in-scope failure)
• §28003923242 — Changeset Generator (2026-06-23 first occurrence)
• §28218968236 — Test Quality Sentinel (out-of-scope agent fail, sampled)

Generated by 🔒 Safe Output Health Monitor · 404.9 AIC · ⌖ 8.82 AIC · ⊞ 9.3K · ◷

• expires on Jun 26, 2026, 9:54 PM UTC-08:00

[github-actions[bot]]

This discussion has been marked as outdated by Safe Output Health Monitor.

A newer discussion is available at Discussion #41853.