fix(threat-detection): add retry on parse failure and elevate output format instruction #28161

Closed
Copilot wants to merge 4 commits into main from copilot/fix-threat-detection-result-parse-failure

Contributor

Copilot AI commented Apr 23, 2026

The detection model intermittently omits the THREAT_DETECTION_RESULT: line, causing recurring parse failures across multiple workflows. Two complementary fixes address this.

Prompt: output format instruction moved to top

The required output format was buried at the end of a long prompt — easy for the model to deprioritize when context is long. It's now the first section after the role intro:

## ⚠️ CRITICAL: Required Output Format

**YOU MUST END YOUR RESPONSE WITH EXACTLY THIS LINE** (no other text after it):

    THREAT_DETECTION_RESULT:{"prompt_injection":false,"secret_leak":false,"malicious_patch":false,"reasons":[]}

The original ## Response Format section is kept at the end as a reminder.

Retry mechanism in the detection job

When the first engine execution doesn't produce a THREAT_DETECTION_RESULT, the detection job now retries the execution once instead of immediately failing.

New steps injected between engine execution and artifact upload:

  • detection_result_check — shell step that greps the detection log and outputs retry_needed=true/false
  • Execute ... (retry) (detection_agentic_execution_retry) — same engine execution, skipping reinstall, conditioned on retry_needed == 'true'

The retry step reuses the same prompt and log file. Because tee -a appends output, if the retry produces a valid result the existing parser picks it up automatically.

New retryDetectionStepCondition constant:

always() && steps.detection_guard.outputs.run_detection == 'true' && steps.detection_result_check.outputs.retry_needed == 'true'

Refactor

buildDetectionEngineExecutionStep was refactored to extract prepareDetectionEngineAndData — shared engine-resolution and WorkflowData construction logic now used by both the first-attempt and retry builders.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:

@github-actions
Contributor

Hey @Copilot 👋 — great work tackling the recurring THREAT_DETECTION_RESULT parse failure! The planned retry logic with buildDetectionResultCheckStep and buildRetryDetectionEngineExecutionStep looks like a solid approach to making detection jobs more resilient.

A couple of things to address before this is ready for review:

  • Tests are still pending — the checklist item "Add tests for the new retry steps" is unchecked.
  • No code changes yet — the PR is still a draft with an empty diff. Once the implementation lands, make sure all checklist items are checked off.

Here's a prompt you can assign to your coding agent to get this across the finish line:

You are implementing PR #28161 in github/gh-aw — fixing recurring THREAT_DETECTION_RESULT parse failures with retry logic.

Steps:
1. Implement `buildDetectionResultCheckStep` in the threat detection compiler — a step that checks whether THREAT_DETECTION_RESULT was set and retries if not.
2. Implement `buildRetryDetectionEngineExecutionStep` — a retry wrapper around the engine execution step.
3. Wire both steps into the detection job builder.
4. Add unit tests covering:
   - Successful detection on first attempt
   - Retry triggered on missing THREAT_DETECTION_RESULT
   - Failure after max retries
5. Run `make agent-finish` to validate all checks pass.
6. Push changes and mark the PR ready for review.

Generated by Contribution Check · ● 1.8M ·

…LT parse failures

- Improve threat detection prompt: move output format instruction to top of prompt
  as a CRITICAL section with explicit 'no text after this line' instruction
- Add retry mechanism for detection parse failures:
  - New buildDetectionResultCheckStep: checks if THREAT_DETECTION_RESULT was found
    in detection.log after first engine execution, outputs retry_needed=true/false
  - New buildRetryDetectionEngineExecutionStep: re-runs engine execution (without
    reinstalling) when retry_needed=true, using _retry step IDs to avoid conflicts
  - New prepareDetectionEngineAndData helper: extracts shared engine setup logic
  - New retryDetectionStepCondition constant for the retry condition
- Update buildDetectionJobSteps to include check + retry steps after first execution
- Add comprehensive tests for new functionality"

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/d00562a9-cc1c-41ed-a72b-62e27444b237

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix recurring THREAT_DETECTION_RESULT parse failure in detection job" to "fix(threat-detection): add retry on parse failure and elevate output format instruction" Apr 23, 2026
Copilot AI requested a review from pelikhan April 23, 2026 21:26
@pelikhan pelikhan marked this pull request as ready for review April 23, 2026 21:47
Copilot AI review requested due to automatic review settings April 23, 2026 21:47
@github-actions
Contributor

github-actions Bot commented Apr 23, 2026

Smoke CI completed successfully!

@github-actions
Contributor

✅ smoke-ci: safeoutputs CLI comment + comment-memory run (24860540690)

Generated by Smoke CI for issue #28161 ·

@github-actions
Contributor

Comment Memory

`````` CI lights the path\nGreen checks bloom at dawn\nQuiet bots still sing ``````

Note

This comment is managed by comment memory.

What this comment does

It stores persistent context for this thread in the <gh-aw-comment-memory> block at the top of this comment.
Edit only the text in that block; workflow metadata and the footer are regenerated automatically.

Generated by Smoke CI for issue #28161 ·

@github-actions
Contributor

🧪 Test Quality Sentinel Report

Test Quality Score: 97/100

Excellent test quality

| Metric | Value |
|---|---|
| New/modified tests analyzed | 4 |
| ✅ Design tests (behavioral contracts) | 4 (100%) |
| ⚠️ Implementation tests (low value) | 0 (0%) |
| Tests with error/edge cases | 4 (100%) |
| Duplicate test clusters | 0 |
| Test inflation detected | No (1.55:1 ratio) |
| 🚨 Coding-guideline violations | None |

Test Classification Details

| Test | File | Classification | Notes |
|---|---|---|---|
| TestBuildDetectionResultCheckStep | pkg/workflow/threat_detection_test.go:1619 | ✅ Design | Verifies generated step ID, grep target, and both retry_needed outputs |
| TestBuildRetryDetectionEngineExecutionStep | pkg/workflow/threat_detection_test.go:1660 | ✅ Design | Verifies retry condition, unique step ID, and "(retry)" name suffix |
| TestBuildRetryDetectionEngineExecutionStepDisabled | pkg/workflow/threat_detection_test.go:1706 | ✅ Design | Negative/edge case: disabled engine produces no steps |
| TestDetectionJobStepsIncludeRetry | pkg/workflow/threat_detection_test.go:1727 | ✅ Design | Verifies full step ordering contract: first exec → check → retry → upload → conclude |

Build Tag & Convention Checks

  • //go:build !integration present on line 1
  • ✅ No mock libraries (gomock, testify/mock, .EXPECT()) used
  • ✅ All assertions include descriptive messages (t.Error("..."), t.Errorf("..."))
  • require.* / assert.* (testify) not used — stdlib t.Error/t.Fatal used throughout, consistent with the test file's existing style

Test Inflation Check

| File | Lines Added (Test) | Lines Added (Prod) | Ratio |
|---|---|---|---|
| threat_detection_test.go vs threat_detection.go | 163 | 105 | 1.55:1 |

Ratio is well under the 2:1 threshold.


Language Support

Tests analyzed:

  • 🐹 Go (*_test.go): 4 tests — unit (//go:build !integration)
  • 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

Verdict

Check passed. 0% of new tests are implementation tests (threshold: 30%). All four tests verify observable behavioral contracts of the threat-detection compiler: generated step content, retry mechanics, disabled-engine edge case, and end-to-end step ordering.

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

  • Assert on observable outputs, return values, or state changes
  • Cover error paths and boundary conditions
  • Would catch a behavioral regression if deleted
  • Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

  • Assert on internal function calls (mocking internals)
  • Only test the happy path with typical inputs
  • Break during legitimate refactoring even when behavior is correct
  • Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References: §24860540847

🧪 Test quality analysis by Test Quality Sentinel · ● 645.3K ·

Contributor

@github-actions github-actions Bot left a comment

✅ Test Quality Sentinel: 97/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). All 4 new tests verify behavioral contracts of the threat-detection compiler with good edge case coverage and no guideline violations.

…eat detection

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions
Contributor

Commit pushed: a56b100

🏗️ ADR gate enforced by Design Decision Gate 🏗️

@github-actions
Contributor

🏗️ Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (281 new lines in business logic directories) but does not have a linked Architecture Decision Record (ADR).

AI has analyzed the PR diff and generated a draft ADR to help you get started:

📄 Draft ADR: docs/adr/28161-check-then-retry-resilience-for-threat-detection-structured-output.md

What to do next

  1. Review the draft ADR committed to your branch — it was generated from the PR diff
  2. Complete the missing sections — add context the AI couldn't infer, refine the decision rationale, and list real alternatives you considered
  3. Commit the finalized ADR to docs/adr/ on your branch
  4. Reference the ADR in this PR body by adding a line such as:

    ADR: ADR-28161: Check-Then-Retry Resilience Pattern for Threat Detection Structured Output

Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision.

Why ADRs Matter

"AI made me procrastinate on key design decisions. Because refactoring was cheap, I could always say 'I'll deal with this later.' Deferring decisions corroded my ability to think clearly."

ADRs create a searchable, permanent record of why the codebase looks the way it does. Future contributors (and your future self) will thank you.


📋 Michael Nygard ADR Format Reference

An ADR must contain these four sections to be considered complete:

  • Context — What is the problem? What forces are at play?
  • Decision — What did you decide? Why?
  • Alternatives Considered — What else could have been done?
  • Consequences — What are the trade-offs (positive and negative)?

All ADRs are stored in docs/adr/ as Markdown files numbered by PR number (e.g., 28161-check-then-retry-resilience-for-threat-detection-structured-output.md for PR #28161).

🔒 This PR cannot merge until an ADR is linked in the PR body.

References: §24860540810

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · ● 189.8K ·

Contributor

Copilot AI left a comment

Pull request overview

Improves threat-detection reliability by making the required output marker harder for the model to miss and by retrying the detection execution once when the marker is absent.

Changes:

  • Moved the required THREAT_DETECTION_RESULT: output-format instruction to the top of the threat-detection prompt (while keeping a reminder at the end).
  • Added a “result present?” check step plus a conditional single retry of the detection engine execution when the marker is missing.
  • Refactored threat-detection workflow step generation to share engine/data preparation between first attempt and retry, with added unit tests.
Show a summary per file

| File | Description |
|---|---|
| pkg/workflow/prompts/threat_detection.md | Elevates required output format instructions to the top of the prompt; keeps end reminder. |
| actions/setup/md/threat_detection.md | Same prompt update for the setup action copy. |
| pkg/workflow/threat_detection.go | Adds result-check step, retry condition constant, and retry-step generation/refactor. |
| pkg/workflow/threat_detection_test.go | Adds/updates tests to validate retry-step generation and conditions. |
| .github/workflows/workflow-normalizer.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/workflow-health-manager.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/workflow-generator.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/video-analyzer.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/update-astro.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/tidy.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/test-quality-sentinel.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/test-project-url-default.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/test-dispatcher.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/super-linter.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/spec-librarian.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/spec-extractor.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/smoke-project.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/smoke-opencode.lock.yml | Adds detection result check + conditional retry execution steps for OpenCode path. |
| .github/workflows/smoke-gemini.lock.yml | Adds detection result check + conditional retry execution steps for Gemini path. |
| .github/workflows/smoke-crush.lock.yml | Adds detection result check + conditional retry execution steps for Crush path. |
| .github/workflows/security-review.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/security-compliance.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/research.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/repo-tree-map.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/refiner.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/refactoring-cadence.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/q.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/python-data-charts.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/poem-bot.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/plan.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/pdf-summary.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/org-health-report.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/mergefest.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/mcp-inspector.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/layout-spec-maintainer.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/jsweep.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/issue-monster.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/gpclean.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/github-remote-mcp-auth-test.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/firewall-escape.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/draft-pr-cleanup.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/docs-noob-tester.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/discussion-task-miner.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/dev.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/dev-hawk.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/delight.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/daily-team-status.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/daily-regulatory.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/daily-performance-summary.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/daily-news.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/daily-community-attribution.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/daily-cli-performance.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/craft.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/brave.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/auto-triage-issues.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/artifacts-summary.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/architecture-guardian.lock.yml | Adds detection result check + conditional retry execution step. |
| .github/workflows/archie.lock.yml | Adds detection result check + conditional retry execution step. |

Copilot's findings

  • Files reviewed: 192/192 changed files
  • Comments generated: 1

Comment on lines 184 to +189
const detectionStepCondition = "always() && steps.detection_guard.outputs.run_detection == 'true'"

// retryDetectionStepCondition is the if condition for the retry engine execution step.
// It extends detectionStepCondition by additionally requiring that the result check
// determined no THREAT_DETECTION_RESULT was produced by the first execution attempt.
const retryDetectionStepCondition = "always() && steps.detection_guard.outputs.run_detection == 'true' && steps.detection_result_check.outputs.retry_needed == 'true'"
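
Review bot: retryDetectionStepCondition repeats the full text of detectionStepCondition as a second string literal, although its doc comment says it extends that constant, so a later change to the base condition will silently not reach the retry step. Compose it from the constant instead, for example `const retryDetectionStepCondition = detectionStepCondition + " && steps.detection_result_check.outputs.retry_needed == 'true'"`, which keeps the two conditions in step and makes the comment accurate.
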

Copilot AI Apr 23, 2026

retryDetectionStepCondition (and the detection_result_check step) will trigger a retry any time the first execution fails in a way that prevents writing THREAT_DETECTION_RESULT: (e.g., CLI crash, sandbox failure), not just when the model omits the result line. This can hide real failures and waste 20 minutes on a second run. Consider additionally gating the check/retry on the first execution step succeeding (e.g., steps.detection_agentic_execution.outcome == 'success') so retries only happen for successful-but-unparseable outputs.

@pelikhan pelikhan closed this Apr 23, 2026
@github-actions github-actions Bot deleted the copilot/fix-threat-detection-result-parse-failure branch May 3, 2026 03:00
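
The gating proposed in the review comment above, sketched as a shell check (an added example, not gh-aw's own step): retry only when the first execution succeeded but left no result line, and fail closed when no result exists after the retry. The function names, the anchored-marker rule and the last-line-wins rule for an appended log are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not gh-aw code. Decides whether the detection job should retry.
# Assumptions: the caller passes the detection log path and the first step's
# outcome (the value of steps.<id>.outcome); function names are hypothetical.

MARKER='THREAT_DETECTION_RESULT:'

# Print every well-formed result payload in the log, oldest first.
# The marker must start the line and be followed by a JSON object, so a copy
# of the prompt's indented sample line echoed into the log does not count.
result_lines() {
  [ -f "$1" ] || return 0
  grep -E "^${MARKER}[[:space:]]*\{" "$1" | sed "s/^${MARKER}[[:space:]]*//"
}

# retry_decision LOG FIRST_OUTCOME -> prints retry_needed=true|false
retry_decision() {
  if [ "$2" != "success" ]; then
    # Engine crash or sandbox failure: report it, do not mask it with a retry.
    echo "retry_needed=false"
  elif [ -n "$(result_lines "$1")" ]; then
    echo "retry_needed=false"
  else
    echo "retry_needed=true"
  fi
}

# final_result LOG -> prints the newest payload; returns 1 if there is none.
# With an appended log both attempts share one file, so the last line wins,
# and a job that still has no result after the retry must fail closed.
final_result() {
  last=$(result_lines "$1" | tail -n 1)
  [ -n "$last" ] || return 1
  printf '%s\n' "$last"
}

# Demo on a constructed log: the first attempt ended without a result line.
demo_log=$(mktemp)
printf 'analysis text only\n' > "$demo_log"
retry_decision "$demo_log" success   # prints retry_needed=true
rm -f "$demo_log"
```

Treat a non-zero return from `final_result` as a failed detection job rather than as a clean verdict.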
Development

Successfully merging this pull request may close these issues.

[P2] Recurring THREAT_DETECTION_RESULT parse failure in detection job

3 participants