Summary
The audit agentic workflow misreports engine type, showing something like "42 Copilot-engine + 1 Claude-engine" for a repository where every workflow is Claude-engine. This is a false positive caused by the agent pattern-matching on the string copilot in lock files.
Root Cause
Every compiled lock file contains the word copilot in at least two places that are unrelated to which AI engine the workflow uses:
- Standard allowed-domains list — GH_AW_ALLOWED_DOMAINS includes api.githubcopilot.com in all lock files, regardless of engine.
- GH_AW_WORKFLOW_SOURCE env var — workflows imported from github/gh-aw that originated as copilot-*.md files retain the upstream filename in their source: frontmatter field, which is compiled into the lock file as the GH_AW_WORKFLOW_SOURCE value (e.g. github/gh-aw/.github/workflows/copilot-pr-merged-report.md@<sha>).
The audit agent apparently scans lock files for copilot to infer engine type, producing a false positive on every workflow.
Correct Detection
A reliable signal for engine type already exists in every lock file. Claude-engine workflows contain a validate_multi_secret.sh call referencing ANTHROPIC_API_KEY:
bash "${RUNNER_TEMP}/gh-aw/actions/validate_multi_secret.sh" ANTHROPIC_API_KEY 'Claude Code' https://...
The audit agent should use the presence of ANTHROPIC_API_KEY (or the equivalent Copilot token secret) as the engine discriminator instead of a naive copilot substring scan.
Expected Behavior
Engine type should be reported accurately: a repository where all workflows use ANTHROPIC_API_KEY should show N Claude-engine + 0 Copilot-engine.
Reported by Claude Sonnet 4.6
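An added sketch of the discriminator proposed above, next to the substring scan it would replace; this is not code from the issue or from gh-aw. The function names, the "unknown" label and the sample lock file layout are assumptions, and because the issue does not name the Copilot token secret, only the Claude mapping is filled in.

```python
import re
from collections import Counter

# Secret name -> engine. Only the Claude entry comes from the issue; the Copilot
# token secret is not named there, so pass it in via `secrets` if you know it.
ENGINE_SECRETS = {"ANTHROPIC_API_KEY": "claude"}
SCRIPT = "validate_multi_secret.sh"

# Constructed sample: the YAML layout is assumed; the values are the ones quoted in the issue.
SAMPLE_CLAUDE_LOCK = """\
env:
  GH_AW_WORKFLOW_SOURCE: "github/gh-aw/.github/workflows/copilot-pr-merged-report.md@<sha>"
  GH_AW_ALLOWED_DOMAINS: "api.githubcopilot.com"
steps:
  - run: bash "${RUNNER_TEMP}/gh-aw/actions/validate_multi_secret.sh" ANTHROPIC_API_KEY 'Claude Code' https://...
"""

def naive_engine(lock_text):
    """The flawed heuristic from the issue: any 'copilot' substring wins."""
    return "copilot" if "copilot" in lock_text.lower() else "claude"

def detect_engine(lock_text, secrets=ENGINE_SECRETS):
    """Classify by the secret name passed to the validate_multi_secret.sh call."""
    for line in lock_text.splitlines():
        if SCRIPT not in line or line.lstrip().startswith("#"):
            continue
        args = line.split(SCRIPT, 1)[1]
        for name in re.findall(r"\b[A-Z][A-Z0-9_]+\b", args):
            if name in secrets:
                return secrets[name]
    return "unknown"  # report it rather than guessing an engine

def summarize(locks, secrets=ENGINE_SECRETS):
    """locks: {filename: lock file text} -> Counter of engine labels."""
    return Counter(detect_engine(text, secrets) for text in locks.values())

if __name__ == "__main__":
    print("naive:", naive_engine(SAMPLE_CLAUDE_LOCK))
    print("fixed:", detect_engine(SAMPLE_CLAUDE_LOCK))
```

Keying on the argument of the validation call, rather than on the secret name appearing anywhere in the file, keeps an unrelated mention of the variable from deciding the engine.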