Skip to content

fix: add actionlint config and fix SC2129 grouped redirects#25700

Merged
pelikhan merged 2 commits intomainfrom
copilot/static-analysis-report-2026-04-10
Apr 10, 2026
Merged

fix: add actionlint config and fix SC2129 grouped redirects#25700
pelikhan merged 2 commits intomainfrom
copilot/static-analysis-report-2026-04-10

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 10, 2026
edited
Loading

Static analysis report flagged 306 actionlint errors, ~280 of which are false positives or style issues fixable in bulk.

.github/actionlint.yaml

  • Whitelist aw-gpu-runner-T4 self-hosted runner label (3 errors)
  • Suppress copilot-requests permission scope — custom GitHub scope not in actionlint's registry (95 errors)

SC2129: group consecutive redirects

generateSetRuntimePathsStep() emitted three individual >> "$GITHUB_OUTPUT" redirects, triggering SC2129 in every workflow that uses safe outputs (181/187).

# before
echo "GH_AW_SAFE_OUTPUTS=..." >> "$GITHUB_OUTPUT"
echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=..." >> "$GITHUB_OUTPUT"
echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=..." >> "$GITHUB_OUTPUT"

# after — matches pattern already used in mcp_setup_generator.go
{
  echo "GH_AW_SAFE_OUTPUTS=..."
  echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=..."
  echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=..."
} >> "$GITHUB_OUTPUT"

All 187 lock files recompiled. Tests in agentic_output_test.go updated to match.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -embedcfg /tmp/go-build4247406982/b063/embedcfg -pack (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw Euy04qu/WJhjIP-urev-parse (http block)
  • https://api.github.com/orgs/test-owner/actions/secrets
    • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -c=4 -nolocalimports -importcfg /tmp/go-build3873503055/b411/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/fileutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/tar.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE y.s (http block)
    • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git 1540892357 ortcfg ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linuremote.origin.url /usr/bin/git /atomic 2XU_VxRq0 x_amd64/compile git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha GOMODCACHE l /usr/bin/git -json GO111MODULE 64/bin/go git remo�� GOMODCACHE go /usr/bin/git -json GO111MODULE x_amd64/compile git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha 6031123/b120/_pkg_.a g/console/accessibility.go g_.a GOINSECURE b/gh-aw/pkg/type-1 GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile env 6031123/b111/_pkg_.a GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE b/gh-aw/pkg/strirev-parse GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/git 6031123/b107/_pkbash om/modelcontextp-c ache/go/1.25.8/xexport GOROOT="/tmp/TestGetNpmBinPathSetup_GorootOrdering156677616/001/go/1.25.0/x64"; export PATH="$(find "/tmp/TestGetNpmBinPathSetup_GorootOrdering156677616/001" -maxdepth 4 -type d -name bin 2>/dev/null | tr '\n' ':')$PATH"; [ -n "$GORO OT" ] && export rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git 77641996 pRaw/gwkwek_UF5vrev-parse 1/x64/bin/node git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel ps /usr/bin/git t go /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git /TestGetNpmBinPagit go ache/node/24.14.--show-toplevel git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha GOMODCACHE x_amd64/compile /usr/bin/git g_.a rt.go 64/pkg/tool/linu--show-toplevel /usr/bin/git remo�� -v 64/pkg/tool/linux_amd64/compile /usr/bin/docker y_with_repos=pubgit GO111MODULE 64/pkg/tool/linu--show-toplevel docker (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/asm /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linuremote.upstream.url /usr/bin/git ithout_min-integgit GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel git /usr/bin/git r-test359308388/git r-test359308388/rev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git /tmp/gh-aw-test-git 3503055/b438/_terev-parse om/owner/repo.gi--show-toplevel git (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v9
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq .object.sha go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build4266031123/b253/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/semverutil/semverutil.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq .object.sha 01 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE g/sig_other.s env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel 64/pkg/tool/linu-extld=gcc /usr/bin/git LsRemoteWithRealgit LsRemoteWithRealrev-parse 64/pkg/tool/linu--show-toplevel /usr/bin/git remo�� -v 64/pkg/tool/linuorigin /usr/bin/git y_with_repos_arrgit LvhFNvMoO 64/pkg/tool/linu--show-toplevel git (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel 64/pkg/tool/linu/tmp/go-build3873503055/b113/vet.cfg /usr/bin/git g_.a @v1.1.3/keyset/krev-parse 64/pkg/tool/linu--show-toplevel /usr/bin/git remo�� -v 64/pkg/tool/linuremote.origin.url /usr/bin/git g_.a i0dFibft1 64/pkg/tool/linu--show-toplevel git (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha --all-progress-implied (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git g_.a GO111MODULE 64/pkg/tool/linu--show-toplevel /usr/bin/git remo�� -v 64/pkg/tool/linustatus /usr/bin/git d GO111MODULE 64/bin/go git (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha 3503055/b443/_pkg_.a -q 1/x64/bin/node -c=4 b/gh-aw/pkg/timerev-parse -importcfg 1/x64/bin/node -C e: ${{ secrets.TOKEN }} config /usr/bin/git remote.origin.urgit GO111MODULE 64/bin/go 3503055/b443/importcfg (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha t0 -goversion (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name 5.0/deviceauth.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 1178770445 deRMpwyMD ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE go-sdk/oauthex GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 NgK5Xenpy ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env IIAr-WTp5 GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-test.v=true (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env mpiledOutput4005001591/001 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name 4/apic.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linutest@example.com env g_.a sYAOo28ie x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 0/internal/format/format.go 64/pkg/tool/linux_amd64/compile GOINSECURE 5519/field 64/src/internal/bytealg/indexbyt--show-toplevel 64/pkg/tool/linux_amd64/compile env g_.a EmzJIsP8T x_amd64/compile GOINSECURE (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name GO111MODULE 1/x64/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/sh GOINSECURE GOMOD GOMODCACHE go env ut3121575667/001 GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name til.go 64/pkg/tool/linux_amd64/compile GOINSECURE essage abis 64/pkg/tool/linuTest User env g_.a ke8fejfLv 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuremote.origin.url (http block)
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 0/message/catalog/catalog.go 64/pkg/tool/linux_amd64/compile GOINSECURE iat 64/src/internal/--show-toplevel 64/pkg/tool/linux_amd64/compile env g_.a gNtEbmW0N ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE t GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linutest@example.com (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env ut3121575667/001 GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name rotocol/go-sdk@v1.5.0/oauthex/auth_meta.go 64/pkg/tool/linux_amd64/compile GOINSECURE tants GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE go-sdk/auth GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm (http block)
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE l/errors abis 64/pkg/tool/linux_amd64/vet env 3923562859/.github/workflows ortcfg ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linurev-parse (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env mpiledOutput4005001591/001 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuorigin (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/compile env 1178770445 Y_7BzNNuM ache/go/1.25.8/x64/pkg/tool/linu-test.short=true GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 4GDF0MOYT 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a vohS5K4mu k GOINSECURE setup/js/node_morev-parse GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-extld=gcc (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name GO111MODULE tions/setup/js/node_modules/.bin/prettier GOINSECURE GOMOD GOMODCACHE go env epOnly,Imports,ImportMap,TestImports,XTestImpor GO111MODULE 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/link (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name 5.0/internal/doc.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/compile env 1178770445 64jHUho52 ache/go/1.25.8/x64/pkg/tool/linu-test.short=true GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 64/pkg/tool/linu-importcfg GOINSECURE (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env */*.ts' '**/*.json' --ignore-path ../../../.pret-- GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuTest User (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name rotocol/go-sdk@v1.5.0/auth/auth.go 64/pkg/tool/linux_amd64/compile GOINSECURE ty.o 64/src/internal/user.name 64/pkg/tool/linuTest User env 1178770445 Bzwz7Kv-X ache/go/1.25.8/x64/pkg/tool/linu-lang=go1.25 GOINSECURE go-sdk/mcp GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-goversion (http block)
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 h1Ee82J5b 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env ortcfg uKJh7UXOD 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env 2218/001/stability-test.md GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linutest@example.com (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path /tmp/go-build234-p -trimpath 64/bin/go -p main -lang=go1.25 go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE x_amd64/asm env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE 64/pkg/tool/linuremote1 env g_.a xpQFH7LFx /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE ack GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git 6031123/b250/_pkgit GO111MODULE 1/x64/bin/node git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.8/xremote.origin.url /usr/bin/git vaScript36174392git pkg/mod/github.crev-parse /opt/hostedtoolc--show-toplevel git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha til.go o 64/pkg/tool/linux_amd64/compile GOINSECURE /norm GOMODCACHE 64/pkg/tool/linux_amd64/compile estl�� g_.a aTWjRYknE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE til GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build3873503055/b422/importcfg -pack /tmp/go-build3873503055/b422/_testmain.go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha l 2>&1 || [ -x "$GOPATH/bin/golangci-lint" ]; then \ PATH="$GOPATH/bin:$PATH" golangci-lint rungit GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile 2086�� -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go 2525�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 316649803/001 316649803/002/work odules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha g_.a xpQFH7LFx /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE ack GOMODCACHE go env ortcfg Hgqea9f-D ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE _wasm.o 64/src/runtime/s--show-toplevel 64/pkg/tool/linux_amd64/vet env -json Q8gElMZ6A ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go env 2218/001/stability-test.md GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go -p main -lang=go1.25 go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE go env ath ../../../.pr**/*.json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/owner/repo/contents/file.md
    • Triggering command: /tmp/go-build3873503055/b397/cli.test /tmp/go-build3873503055/b397/cli.test -test.testlogfile=/tmp/go-build3873503055/b397/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -nolocalimports -importcfg /tmp/go-build4266031123/b213/importcfg -pack -o /tmp/go-build234-p -trimpath 64/bin/go -p main -lang=go1.25 go (http block)
    • Triggering command: /tmp/go-build2201892273/b397/cli.test /tmp/go-build2201892273/b397/cli.test -test.testlogfile=/tmp/go-build2201892273/b397/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true rror git /usr/bin/git go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name /tmp/go-build234-p -trimpath 64/bin/go -p main -lang=go1.25 go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI linked an issue Apr 10, 2026 that may be closed by this pull request
[static-analysis] Report - 2026-04-10 #25695
Closed
6 tasks
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 10, 2026

Hey @Copilot 👋 — thanks for picking up the static analysis cleanup! Suppressing the false-positive actionlint runner-label errors and eliminating ~182 SC2129 shellcheck warnings across 181 workflows is a meaningful quality improvement for the project.

A couple of things to keep in mind as you implement this:

  • No code changes yet — the PR is still a WIP draft with an empty diff. Once the planned checklist items are implemented, the diff should include the .github/actionlint.yaml file, the fix to generateSetRuntimePathsStep() in pkg/workflow/compiler_yaml_step_generation.go, and the regenerated .lock.yml files.
  • Add or update tests — the Go change in compiler_yaml_step_generation.go (grouping >> "$GITHUB_OUTPUT" redirects into a brace block) should be validated by a unit test. Check for existing tests in pkg/workflow/ (e.g. compiler_yaml_step_generation_test.go or snapshot tests) and ensure the new brace-block output is covered. The make recompile step will regenerate lock files, but an explicit test asserting the grouped redirect pattern would confirm the fix is correct.
  • PR description — the body reads as a task checklist rather than a description of why these changes are needed. Consider adding a brief summary (e.g. "This PR reduces static analysis noise by suppressing known false positives in actionlint and fixing shell script style issues in generated workflows") so reviewers have context at a glance.

If you'd like a hand, you can assign this prompt to your coding agent:

In the repository github/gh-aw, implement the static analysis improvements on branch copilot/static-analysis-report-2026-04-10:

1. Create `.github/actionlint.yaml` with:
   - `self-hosted-runner.labels` entry adding `aw-gpu-runner-T4`
   - An ignore pattern for the `copilot-requests` unknown permission error

2. Fix SC2129 in `pkg/workflow/compiler_yaml_step_generation.go`:
   - In `generateSetRuntimePathsStep()`, group all consecutive `>> "$GITHUB_OUTPUT"` redirects into a single brace block to eliminate shellcheck SC2129 warnings.

3. Add or update a unit test in `pkg/workflow/` (look for existing `*_test.go` files near `compiler_yaml_step_generation.go`) to assert that `generateSetRuntimePathsStep()` emits the grouped brace-block redirect form.

4. Run `make recompile` to regenerate all `.lock.yml` files with the fix applied.

5. Run `make agent-finish` to validate build, tests, lint, and formatting all pass.

6. Update the PR body to include a one-paragraph summary of why these changes are needed, in addition to the implementation checklist.

Generated by Contribution Check · ● 2.3M ·

@github-actions github-actions bot mentioned this pull request Apr 10, 2026
Closed
@pelikhan
fix: add actionlint config and fix SC2129 grouped redirects
d53e0d2 
- Create .github/actionlint.yaml to whitelist aw-gpu-runner-T4 runner
  label and suppress copilot-requests permission false positives
- Group consecutive >> "$GITHUB_OUTPUT" redirects in
  generateSetRuntimePathsStep() into a brace block to satisfy SC2129
- Update tests to match new grouped redirect pattern
- Recompile all 187 workflow lock files

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/56e42877-ab5a-4534-a69a-9f36001a3796

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Update static analysis report for 2026-04-10 fix: add actionlint config and fix SC2129 grouped redirects Apr 10, 2026
Copilot AI requested a review from pelikhan April 10, 2026 21:28
@pelikhan pelikhan marked this pull request as ready for review April 10, 2026 21:30
Copilot AI review requested due to automatic review settings April 10, 2026 21:30
@pelikhan pelikhan merged commit b99e10c into main Apr 10, 2026
54 checks passed
@pelikhan pelikhan deleted the copilot/static-analysis-report-2026-04-10 branch April 10, 2026 21:30
Copilot AI reviewed Apr 10, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds repository-level configuration to reduce noisy actionlint findings and updates the workflow compiler output to address shellcheck SC2129 by grouping consecutive >> "$GITHUB_OUTPUT" redirects.

Changes:

  • Added .github/actionlint.yaml to whitelist a custom self-hosted runner label and suppress a known false-positive permission scope warning.
  • Updated generateSetRuntimePathsStep() to use a single grouped redirect to $GITHUB_OUTPUT (fixing SC2129 across generated workflows).
  • Recompiled affected workflow .lock.yml files and adjusted tests to match the new emitted script.
Show a summary per file
File Description
pkg/workflow/compiler_yaml_step_generation.go Emits grouped { ... } >> "$GITHUB_OUTPUT" for runtime-path outputs to satisfy SC2129.
pkg/workflow/agentic_output_test.go Updates assertions to match new emitted echo lines in generated lockfiles.
.github/actionlint.yaml Configures actionlint to recognize a custom self-hosted runner label and suppress a specific permission-scope warning.
.github/workflows/*.lock.yml (many files) Regenerated lockfiles to reflect the grouped redirect change in the “Set runtime paths” step.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (1)

pkg/workflow/agentic_output_test.go:177

  • Same as above: this check no longer confirms the outputs are appended to $GITHUB_OUTPUT. Please strengthen the test to assert the grouped redirect (e.g., } >> "$GITHUB_OUTPUT") in addition to the echo "GH_AW_SAFE_OUTPUTS=..." line so it actually guards the intended behavior.
  • Files reviewed: 184/184 changed files
  • Comments generated: 1

pkg/workflow/agentic_output_test.go
Comment on lines 64 to 67
// Verify GH_AW_SAFE_OUTPUTS is set via the "Set runtime paths" step (not job-level env,
// because runner context is unavailable in job-level env: blocks).
if !strings.Contains(lockContent, `echo "GH_AW_SAFE_OUTPUTS=${RUNNER_TEMP}/gh-aw/safeoutputs/outputs.jsonl" >> "$GITHUB_OUTPUT"`) {
if !strings.Contains(lockContent, `echo "GH_AW_SAFE_OUTPUTS=${RUNNER_TEMP}/gh-aw/safeoutputs/outputs.jsonl"`) {
t.Error("Expected GH_AW_SAFE_OUTPUTS to be set via 'Set runtime paths' step using $GITHUB_OUTPUT")
Copy link

Copilot AI Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These assertions no longer verify that the value is written via $GITHUB_OUTPUT (the redirect was removed from the searched substring). This makes the test pass even if the compiler regresses to writing via $GITHUB_ENV or stdout only. Consider asserting both that the echo "GH_AW_SAFE_OUTPUTS=..." line exists and that the step contains the grouped redirect >> "$GITHUB_OUTPUT" (or the closing } >> "$GITHUB_OUTPUT").

This issue also appears on line 174 of the same file.

Copilot uses AI. Check for mistakes.
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 10, 2026

🧪 Test Quality Sentinel Report

Test Quality Score: 90/100

Excellent test quality

Metric Value
New/modified tests analyzed 3
✅ Design tests (behavioral contracts) 3 (100%)
⚠️ Implementation tests (low value) 0 (0%)
Tests with error/edge cases 2 (67%)
Duplicate test clusters 0
Test inflation detected No
🚨 Coding-guideline violations None

i️ actions/setup/js/resolve_host_repo.test.cjs was deleted in this PR (459 lines removed). Deleted tests are outside scope for scoring, but this represents a net loss of JavaScript test coverage for the resolve_host_repo.cjs module. Ensure the module is still exercised through integration or other means.

Test Classification Details

Test File Classification Notes
TestAgenticOutputCollection (modified assertion) pkg/workflow/agentic_output_test.go:66 ✅ Design Relaxes redirect-syntax match to accommodate SC2129 grouped-redirect fix; still verifies GH_AW_SAFE_OUTPUTS echo is present
TestCodexEngineWithOutputSteps (modified assertion) pkg/workflow/agentic_output_test.go:176 ✅ Design Same relaxation as above for Codex engine path; surrounding t.Error calls cover multiple absence/presence conditions
TestGenerateResolveHostRepoStep (assertions swapped) pkg/workflow/compiler_activation_job_test.go:231 ✅ Design Old negative-assertions (NotContains for broken expressions) replaced with positive-assertions verifying new job.workflow_repository / job.workflow_sha env vars

Flagged Tests — Requires Review

No tests flagged for significant issues. Minor observations below:

i️ TestGenerateResolveHostRepoStep — edge case coverage opportunity

Classification: Design test
Observation: The modified section now only has assert.Contains assertions (positive presence checks). The previous version included assert.NotContains guards against regressing to the old broken expression patterns; those guards were removed. While the new assertions verify the correct approach, adding one assert.NotContains for the old github.event_name == 'workflow_call' pattern would provide a regression guard at near-zero cost.
Suggested improvement: Re-add assert.NotContains(t, result, "github.event_name == 'workflow_call'", ...) as a defence-in-depth guard, alongside the new positive assertions.

i️ TestAgenticOutputCollection / TestCodexEngineWithOutputSteps — assertion relaxation

Classification: Design test
Observation: The assertions now check for echo "GH_AW_SAFE_OUTPUTS=..." without the redirect suffix >> "$GITHUB_OUTPUT". This is correct given the SC2129 grouped-redirect fix, but the test no longer verifies that the value is actually written to $GITHUB_OUTPUT. If the grouped redirect block were accidentally removed, this test would still pass.
Suggested improvement: Low priority — the CI compilation test (make recompile) would catch a missing redirect, and the PR's intent is clearly correct. Acceptable as-is.

Language Support

Tests analyzed:

  • 🐹 Go (*_test.go): 3 modified test functions — unit (//go:build !integration) ✅ build tags present on all files
  • 🟨 JavaScript (*.test.cjs): 1 file deleted (not scored)

Verdict

Check passed. 0% of modified tests are implementation tests (threshold: 30%). All three modified test assertions verify observable behavioral contracts (compiler output content). No coding-guideline violations detected.

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

  • Assert on observable outputs, return values, or state changes
  • Cover error paths and boundary conditions
  • Would catch a behavioral regression if deleted
  • Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

  • Assert on internal function calls (mocking internals)
  • Only test the happy path with typical inputs
  • Break during legitimate refactoring even when behavior is correct
  • Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

🧪 Test quality analysis by Test Quality Sentinel · ● 1.1M ·

github-actions[bot]
github-actions bot approved these changes Apr 10, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Test Quality Sentinel: 90/100. Test quality is excellent — 0% of modified tests are implementation tests (threshold: 30%). All three modified test assertions verify behavioral contracts in the compiler output. No coding-guideline violations (build tags present, no mock libraries). See the detailed comment for minor improvement suggestions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@github-actions github-actions[bot] github-actions[bot] approved these changes

+1 more reviewer

@pelikhan pelikhan pelikhan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

needs-work

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[static-analysis] Report - 2026-04-10

3 participants

@pelikhan