[q] fix(daily-mcp-concurrency-analysis): add jq and git log to bash allowlist (#23852) #23873

@github-actions

Q Workflow Optimization Report

Issue Found (from live run #23841684641)

Workflow: daily-mcp-concurrency-analysis
Run: https://github.com/github/gh-aw/actions/runs/23841684641
Symptom: ⚠️ No Safe Outputs Generated — safe_outputs job was skipped

Root Cause

The agent ran for 39 minutes (near the 45-minute timeout) because jq and git log were not in the bash allowlist. The workflow prompt explicitly uses both:

```bash
# Step 2 — listed in the prompt but blocked
cat pkg/workflow/js/safe_outputs_tools.json | jq -r '.[].name' | sort

# Step 3 — listed in the prompt but blocked
git log -1 --format="%ai" -- actions/setup/js/<tool_name>.cjs
```

Without these tools, the agent spent **~12 extra turns** trying workarounds (Python, `grep`, glob), going from 8 turns (baseline run 23790134363) to **20 turns** this run. By the time the analysis completed, the safe-outputs MCP session had expired and every `noop` call failed with `session not found`.

Evidence from agent log

```
✗ Get all tool names from safe_outputs_tools.json (shell)
  cat .../safe_outputs_tools.json | jq -r '.[].name' | sort
  └ Permission denied and could not request permission from user

✗ Get tool names via python (shell)
  └ Permission denied ...

✗ Get non-test CJS tool names (shell)
  │ ls .../actions/setup/js/*.cjs | grep -v '\.test\.cjs' | sed ...
  └ Permission denied ...

✗ noop
  └ MCP server 'safeoutputs': Error: session not found
```

Change Made

File: .github/workflows/daily-mcp-concurrency-analysis.md

Added three bash command patterns to the allowlist:

- "jq -r '.[].name' pkg/workflow/js/safe_outputs_tools.json"
- "git log -1 --format='%ai' -- actions/setup/js/*.cjs"
- "git log -3 --format='%ai %s' -- actions/setup/js/*.cjs"

Expected Improvement

  • Agent completes tool-list extraction in 1 turn instead of 5–6 turns
  • Agent completes git-history check in 1 turn instead of timing out
  • Total turns should return to ~8 (matching baseline), well within the session timeout window
  • noop call will succeed and the failure issue will not be re-created

Validation

Compiled successfully:

  • daily-mcp-concurrency-analysis

Note: .lock.yml is included in this PR as it was regenerated by the compile step.

Warning

Protected Files — Push Permission Denied

This was originally intended as a pull request, but the patch modifies protected files. A human must create the pull request manually.

Protected files

The push was rejected because GitHub Actions does not have workflows permission to push these changes, and is never allowed to make such changes, or other authorization being used does not have this permission.

Create the pull request manually
```bash
# Download the patch from the workflow run
gh run download 23847051219 -n agent -D /tmp/agent-23847051219

# Create a new branch
git checkout -b q/fix-mcp-concurrency-jq-allowlist-a78150ac37b0eaa1 main

# Apply the patch (--3way handles cross-repo patches)
git am --3way /tmp/agent-23847051219/aw-q-fix-mcp-concurrency-jq-allowlist.patch

# Push the branch and create the pull request
git push origin q/fix-mcp-concurrency-jq-allowlist-a78150ac37b0eaa1
gh pr create --title '[q] fix(daily-mcp-concurrency-analysis): add jq and git log to bash allowlist (#23852)' --base main --head q/fix-mcp-concurrency-jq-allowlist-a78150ac37b0eaa1 --repo github/gh-aw
```

🎩 Equipped by Q ·

  • expires on Apr 3, 2026, 12:04 PM UTC
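
A pre-flight check for the drift this report describes, comparing the commands a workflow prompt tells the agent to run against the bash allowlist before a run spends turns on denied calls. This is an added example, not gh-aw code: the matching rule (each pipeline stage compared token by token, with `*` as the only wildcard) is an assumption about the matcher, only the three patterns quoted above are modelled, and `noop.cjs` is a constructed stand-in for `<tool_name>`.

```python
import re
import shlex

# The three patterns the report says were added (copied from the page).
ALLOWLIST = [
    "jq -r '.[].name' pkg/workflow/js/safe_outputs_tools.json",
    "git log -1 --format='%ai' -- actions/setup/js/*.cjs",
    "git log -3 --format='%ai %s' -- actions/setup/js/*.cjs",
]

# Commands from the workflow prompt as quoted in the report.
PROMPT_COMMANDS = [
    "cat pkg/workflow/js/safe_outputs_tools.json | jq -r '.[].name' | sort",
    'git log -1 --format="%ai" -- actions/setup/js/noop.cjs',  # constructed file name
]


def split_pipeline(command):
    """Split a command line into pipeline stages, each a list of argv tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars="|")
    lexer.whitespace_split = True
    lexer.commenters = ""  # do not treat '#' as a comment start
    stages, current = [], []
    for token in lexer:
        if token == "|":
            stages.append(current)
            current = []
        else:
            current.append(token)
    stages.append(current)
    return stages


def token_matches(have, pattern):
    """Literal comparison except that '*' in the pattern matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, have) is not None


def stage_allowed(argv, allowlist):
    """True when argv matches some allowlist pattern token by token (quote style ignored)."""
    for pattern in allowlist:
        want = shlex.split(pattern)
        if len(want) == len(argv) and all(map(token_matches, argv, want)):
            return True
    return False


def uncovered_stages(command, allowlist=ALLOWLIST):
    """Return the pipeline stages of command that no allowlist pattern covers."""
    return [" ".join(a) for a in split_pipeline(command) if not stage_allowed(a, allowlist)]
```

Under these assumptions the Step 3 command is covered, while the Step 2 pipeline as written in the prompt (`cat … | jq … | sort`) has stages the three listed patterns do not match, so the prompt and the allowlist should be checked together whenever either changes.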
