github · pelikhan · Apr 5, 2026 · Apr 5, 2026
diff --git a/pkg/workflow/compiler_yaml_step_conversion.go b/pkg/workflow/compiler_yaml_step_conversion.go
@@ -53,6 +53,7 @@ func ConvertStepToYAML(stepMap map[string]any) (string, error) {
 // This is needed because the YAML marshaller quotes strings containing #, but GitHub Actions
 // expects unquoted uses values with inline comments.
 func unquoteUsesWithComments(yamlStr string) string {
+	stepConversionLog.Printf("Post-processing YAML to unquote uses-with-comments: %d chars", len(yamlStr))
 	lines := strings.Split(yamlStr, "\n")
 	for i, line := range lines {
 		// Look for uses: followed by a quoted string containing a # comment

diff --git a/pkg/workflow/compiler_yaml_step_generation.go b/pkg/workflow/compiler_yaml_step_generation.go
@@ -89,6 +89,7 @@ func (c *Compiler) generateCheckoutActionsFolder(data *WorkflowData) []string {
 //
 // Returns the YAML for the step as a single string (for inclusion in a []string steps slice).
 func (c *Compiler) generateRestoreActionsSetupStep() string {
+	compilerYamlStepGenerationLog.Print("Generating restore actions setup step")
 	var step strings.Builder
 	step.WriteString("      - name: Restore actions folder\n")
 	step.WriteString("        if: always()\n")
@@ -135,6 +136,7 @@ func (c *Compiler) generateSetupStep(setupActionRef string, destination string,
 	}
 
 	// Dev/Release mode: use the setup action
+	compilerYamlStepGenerationLog.Printf("Generating setup step: ref=%s, destination=%s, customTokens=%t, traceID=%q", setupActionRef, destination, enableCustomTokens, traceID)
 	lines := []string{
 		"      - name: Setup Scripts\n",
 		"        id: setup\n",
@@ -157,6 +159,7 @@ func (c *Compiler) generateSetupStep(setupActionRef string, destination string,
 // is not available there (only in step-level env: and run: blocks).
 // The step ID "set-runtime-paths" is referenced by downstream steps that consume these outputs.
 func (c *Compiler) generateSetRuntimePathsStep() []string {
+	compilerYamlStepGenerationLog.Print("Generating set-runtime-paths step")
 	return []string{
 		"      - name: Set runtime paths\n",
 		"        id: set-runtime-paths\n",

diff --git a/pkg/workflow/glob_validation.go b/pkg/workflow/glob_validation.go
@@ -211,6 +211,9 @@ func runGlobValidation(pat string, isRef bool) []invalidGlobPattern {
 	v := globValidator{}
 	v.isRef = isRef
 	v.validate(pat)
+	if len(v.errs) > 0 {
+		globValidationLog.Printf("Glob validation found %d error(s) for pattern %q (isRef=%t)", len(v.errs), pat, isRef)
+	}
 	return v.errs
 }
 
@@ -240,6 +243,7 @@ func validatePathGlob(pat string) []invalidGlobPattern {
 	// Reject '.', '..', './<path>', and '../<path>' (#521 in actionlint)
 	stripped := strings.TrimPrefix(p, "!")
 	if stripped == "." || stripped == ".." || strings.HasPrefix(stripped, "./") || strings.HasPrefix(stripped, "../") {
+		globValidationLog.Printf("Path glob rejected due to invalid prefix: %s", stripped)
 		errs = append(errs, invalidGlobPattern{"'.', '..', and paths starting with './' or '../' are not allowed in glob path", 0})
 	}
 

diff --git a/pkg/workflow/mcp_config_playwright_renderer.go b/pkg/workflow/mcp_config_playwright_renderer.go
@@ -156,6 +156,7 @@ func renderPlaywrightMCPConfigWithOptions(yaml *strings.Builder, playwrightConfi
 
 	// Add volume mounts
 	// When guard policies follow, mounts is not the last field (add trailing comma)
+	mcpPlaywrightLog.Printf("Adding volume mounts: guard_policies=%d", len(guardPolicies))
 	if len(guardPolicies) > 0 {
 		yaml.WriteString("                \"mounts\": [\"/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw\"],\n")
 		renderGuardPoliciesJSON(yaml, guardPolicies, "                ")
@@ -171,4 +172,5 @@ func renderPlaywrightMCPConfigWithOptions(yaml *strings.Builder, playwrightConfi
 	} else {
 		yaml.WriteString("              },\n")
 	}
+	mcpPlaywrightLog.Printf("Playwright MCP config rendered: is_last=%t, entrypoint_args=%d", isLast, len(entrypointArgs))
 }
diff --git a/pkg/workflow/permissions.go b/pkg/workflow/permissions.go
@@ -266,7 +266,11 @@ func GetAllGitHubAppOnlyScopes() []PermissionScope {
 // IsGitHubAppOnlyScope returns true if the scope is a GitHub App-only permission
 // (not supported by GITHUB_TOKEN). These scopes require a GitHub App to exercise.
 func IsGitHubAppOnlyScope(scope PermissionScope) bool {
-	return slices.Contains(GetAllGitHubAppOnlyScopes(), scope)
+	isAppOnly := slices.Contains(GetAllGitHubAppOnlyScopes(), scope)
+	if isAppOnly {
+		permissionsLog.Printf("Scope %q requires GitHub App (not supported by GITHUB_TOKEN)", scope)
+	}
+	return isAppOnly
 }
 
 // Permissions represents GitHub Actions permissions