fix(static-analysis): stop recreating closed RGS-* issues daily — dedup by rule+file across open and closed states #31254

Merged
pelikhan merged 3 commits into main from copilot/fix-static-analysis-recreated-issues on May 9, 2026
Conversation

Contributor

Copilot AI commented May 9, 2026

The static-analysis workflow was refiling the same RGS-* runner-guard findings every day because the dedup check only searched open issues. Once an issue was closed, the next run saw no match and created a new one.

Changes

static-analysis-report.md — Phase 6 step 3 (prompt, no recompile needed)

Replaces the single open-issue check with a two-step dedup protocol per finding (keyed on rule ID + affected file):

  • Search open and closed issues — match on title containing both rule ID and affected file basename
  • If closed match → skip (already triaged; don't recreate)
  • If open match → add a comment with the new scan date/run link instead of filing a duplicate
  • If no match → create a new issue (existing behaviour)

Each new issue body now embeds a hidden fingerprint for robust matching:

<!-- static-analysis-fingerprint: RGS-004:brave.lock.yml -->

A standardised comment template is provided for recurring findings so open issues accumulate run history rather than being closed and recreated.

static-analysis-report.md — frontmatter + .lock.yml recompile

Added add-comment: max: 3 to safe-outputs so the agent is authorised to post comments on existing open issues (up to 3 per run; does not count against the new-issue cap).

safe-outputs:
  create-issue:
    ...
  add-comment:       # new
    max: 3

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh gh repo view --json owner,name --jq .owner.login + "/" + .name (http block)
    • Triggering command: /usr/bin/gh gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/orgs/owner/actions/secrets
    • Triggering command: /usr/bin/gh gh api /orgs/owner/actions/secrets --jq .secrets[].name (http block)
  • https://api.github.com/orgs/test-owner/actions/secrets
    • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v9
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v9.0.0
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/aws-actions/configure-aws-credentials/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/aws-actions/configure-aws-credentials/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/azure/login/git/ref/tags/v2
    • Triggering command: /usr/bin/gh gh api /repos/azure/login/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/docker/login-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-05-02 (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-04-09 (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-02-08 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1234567890
    • Triggering command: /usr/bin/gh gh api repos/{owner}/{repo}/actions/runs/1234567890 --jq {databaseId: .id, number: .run_number, url: .html_url, status: .status, conclusion: .conclusion, workflowName: .name, workflowPath: .path, createdAt: .created_at, startedAt: .run_started_at, updatedAt: .updated_at, event: .event, headBranch: .head_branch, (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
  • https://api.github.com/repos/github/gh-aw/contents/.github/workflows/shared/reporting.md
    • Triggering command: /tmp/go-build818830598/b405/cli.test /tmp/go-build818830598/b405/cli.test -test.testlogfile=/tmp/go-build818830598/b405/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/google-github-actions/auth/git/ref/tags/v2
    • Triggering command: /usr/bin/gh gh api /repos/google-github-actions/auth/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion (http block)
  • https://api.github.com/repos/owner/repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/owner/repo/actions/secrets --jq .secrets[].name (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo (http block)
    • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name (http block)
  • https://api.github.com/repos/test/repo
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch (http block)

If you need me to access, download, or install something from one of these locations, you can either:
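A worked version of the two-step dedup decision described in the PR comment above, added here as an example in Go (the gh-aw code base's language) and not the project's own code or the workflow prompt. The fingerprint marker format and the title heuristic (title contains both the rule ID and the file basename) are the ones the PR describes; the Issue, Finding and Decision types, the Dedup function, the choice to check for an open match before a closed one, and the explicit comment-budget handling are assumptions made for this example. The issues and findings in main are constructed sample data.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Issue is the subset of a GitHub issue that the dedup check needs.
// In the workflow these would come from an issue search over both states.
type Issue struct {
	Number int
	Title  string
	Body   string
	State  string // "open" or "closed"
}

// Finding is one runner-guard result from the scan.
type Finding struct {
	RuleID string // e.g. "RGS-004"
	File   string // e.g. ".github/workflows/brave.lock.yml"
}

// Decision is what the reporting step should do for one finding.
type Decision struct {
	Action string // "create", "comment" or "skip"
	Issue  int    // matched issue number; 0 when Action is "create"
	Reason string
}

// fingerprintRe matches the hidden marker the PR embeds in new issue bodies.
var fingerprintRe = regexp.MustCompile(`<!--\s*static-analysis-fingerprint:\s*([A-Z]+-\d+):(\S+)\s*-->`)

// Fingerprint renders the marker for a finding, keyed on rule ID and file basename.
func Fingerprint(f Finding) string {
	return fmt.Sprintf("<!-- static-analysis-fingerprint: %s:%s -->", f.RuleID, path.Base(f.File))
}

// matches reports whether an issue is about the same rule+file. The fingerprint
// wins when present; issues filed before fingerprints existed fall back to the
// title heuristic (title contains both the rule ID and the file basename).
func matches(f Finding, is Issue) bool {
	base := path.Base(f.File)
	if m := fingerprintRe.FindStringSubmatch(is.Body); m != nil {
		return m[1] == f.RuleID && m[2] == base
	}
	return strings.Contains(is.Title, f.RuleID) && strings.Contains(is.Title, base)
}

// Dedup returns one decision per finding, given candidate issues in either state.
// An open match is checked before a closed one so run history lands on the live
// issue (assumed ordering; the prompt text lists the closed check first).
// commentBudget models the add-comment max: once it is spent, recurring open
// findings come back as "skip" with an explicit reason instead of vanishing.
func Dedup(findings []Finding, issues []Issue, commentBudget int) []Decision {
	out := make([]Decision, 0, len(findings))
	for _, f := range findings {
		var open, closed *Issue
		for i := range issues {
			if !matches(f, issues[i]) {
				continue
			}
			if issues[i].State == "open" {
				if open == nil {
					open = &issues[i]
				}
			} else if closed == nil {
				closed = &issues[i]
			}
		}
		switch {
		case open != nil && commentBudget > 0:
			commentBudget--
			out = append(out, Decision{"comment", open.Number, "open issue exists; record this run on it"})
		case open != nil:
			out = append(out, Decision{"skip", open.Number, "open issue exists but the comment budget is spent"})
		case closed != nil:
			out = append(out, Decision{"skip", closed.Number, "closed issue exists; already triaged"})
		default:
			out = append(out, Decision{"create", 0, "no open or closed issue matches"})
		}
	}
	return out
}

func main() {
	// Constructed sample data, not real issues from github/gh-aw.
	issues := []Issue{
		{Number: 10, Title: "[RGS-004] Runner guard finding in brave.lock.yml", State: "closed"},
		{Number: 11, Title: "Runner guard finding", Body: Fingerprint(Finding{"RGS-002", ".github/workflows/dev.lock.yml"}), State: "open"},
		{Number: 12, Title: "[RGS-002] Runner guard finding in smoke-ci.lock.yml", State: "open"},
	}
	findings := []Finding{
		{"RGS-004", ".github/workflows/brave.lock.yml"},
		{"RGS-002", ".github/workflows/dev.lock.yml"},
		{"RGS-002", ".github/workflows/smoke-ci.lock.yml"},
		{"RGS-007", ".github/workflows/release.lock.yml"},
	}
	for i, d := range Dedup(findings, issues, 1) {
		fmt.Printf("%s %s -> %s (#%d): %s\n", findings[i].RuleID, path.Base(findings[i].File), d.Action, d.Issue, d.Reason)
	}
}
```

With a budget of one comment, the sample run skips the closed RGS-004 issue, comments on the open fingerprinted RGS-002 issue, reports the second open RGS-002 match as skipped for lack of budget, and creates a new issue for RGS-007. The budget case is the one worth watching in the real workflow: with max: 3, a scan with more than three recurring open findings would leave the rest unrecorded unless the prompt says what to do with them.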

Copilot AI and others added 2 commits May 9, 2026 17:59
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/f778ce03-88fd-4480-861c-ae837b30ff93

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
…es and adding fingerprint

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/f778ce03-88fd-4480-861c-ae837b30ff93

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix static-analysis workflow to prevent refiled security issues" to "fix(static-analysis): stop recreating closed RGS-* issues daily — dedup by rule+file across open and closed states" May 9, 2026
Copilot AI requested a review from gh-aw-bot May 9, 2026 18:07
@pelikhan pelikhan marked this pull request as ready for review May 9, 2026 18:09
Copilot AI review requested due to automatic review settings May 9, 2026 18:09
@pelikhan pelikhan merged commit 07ba915 into main May 9, 2026
@pelikhan pelikhan deleted the copilot/fix-static-analysis-recreated-issues branch May 9, 2026 18:10
Contributor

Copilot AI left a comment


Pull request overview

Updates the static-analysis reporting workflow instructions to deduplicate runner-guard findings across open and closed issues (by rule + affected file) and to comment on existing open issues instead of recreating duplicates, plus a repo-wide workflow lock recompile that tightens runtime/env setup.

Changes:

  • Extend runner-guard issue deduplication to search open + closed issues and add a stable fingerprint marker to new issue bodies.
  • Authorize the workflow to add comments to existing open issues (within configured safe-output limits).
  • Recompiled multiple *.lock.yml workflows, updating Node runtime resolution/failure behavior and standardizing how GH_AW_MCP_CLI_SERVERS is written to $GITHUB_ENV.
Summary per file (path, then description):
.github/workflows/workflow-normalizer.lock.yml Improves Node runtime detection/handling in the compiled workflow harness.
.github/workflows/video-analyzer.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/test-workflow.lock.yml Improves Node runtime detection/handling in the compiled workflow harness.
.github/workflows/test-project-url-default.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/test-dispatcher.lock.yml Improves Node runtime detection/handling in the compiled workflow harness.
.github/workflows/super-linter.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/static-analysis-report.md Adds add-comment safe-output and updates runner-guard issue dedup/commenting protocol + fingerprinting.
.github/workflows/smoke-update-cross-repo-pr.lock.yml Improves Node runtime detection/handling in the compiled workflow harness.
.github/workflows/smoke-service-ports.lock.yml Improves Node runtime detection/handling in the compiled workflow harness.
.github/workflows/smoke-project.lock.yml Improves Node runtime detection/handling in the compiled workflow harness.
.github/workflows/smoke-pi.lock.yml Standardizes env export to $GITHUB_ENV.
.github/workflows/smoke-create-cross-repo-pr.lock.yml Improves Node runtime detection/handling in the compiled workflow harness.
.github/workflows/smoke-ci.lock.yml Improves Node runtime detection/handling in the compiled workflow harness.
.github/workflows/repo-tree-map.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/release.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/pdf-summary.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/notion-issue-summary.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/jsweep.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/issue-triage-agent.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/hippo-embed.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/gpclean.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/github-remote-mcp-auth-test.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/firewall.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/example-permissions-warning.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/dev.lock.yml Standardizes env export to $GITHUB_ENV.
.github/workflows/dependabot-burner.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/daily-team-status.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/daily-skill-optimizer.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/daily-semgrep-scan.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/daily-malicious-code-scan.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/daily-fact.lock.yml Standardizes env export to $GITHUB_ENV and updates generated MCP config heredoc markers.
.github/workflows/daily-cli-tools-tester.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/copilot-token-optimizer.lock.yml Improves Node runtime detection/handling in the compiled workflow harness.
.github/workflows/copilot-token-audit.lock.yml Improves Node runtime detection/handling in the compiled workflow harness.
.github/workflows/codex-github-remote-mcp-test.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/code-simplifier.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/changeset.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/brave.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/bot-detection.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/ai-moderator.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.
.github/workflows/ace-editor.lock.yml Standardizes env export to $GITHUB_ENV and improves Node runtime detection in harness.

Copilot's findings


  • Files reviewed: 99/216 changed files
  • Comments generated: 2

Comment on lines +24 to +25
add-comment:
max: 3
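Review bot: max: 3 caps comments per run, but the new protocol routes every recurring finding with an open issue to a comment, so a scan with four or more recurring open findings leaves the remainder with neither a comment nor a new issue, and the PR description only says comments do not count against the new-issue cap, not what happens past the comment cap. Either set the cap to the realistic number of concurrently open RGS-* issues or have the prompt state that once the budget is spent the remaining recurring findings are listed in the run summary rather than dropped silently.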
Comment on lines +420 to +423
**Step B — Decide what to do based on search results**:
- If a **closed** issue exists for the same rule ID + affected file → **skip** (do not recreate it; the finding was already reviewed and closed)
- If an **open** issue exists for the same rule ID + affected file → **add a comment** to the existing issue with the latest scan date and run link instead of creating a duplicate
- If **no issue** (open or closed) exists for the same rule ID + affected file → **create a new issue**
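Review bot: the closed-issue branch in Step B treats every closed match as a permanent suppression, so a finding that was closed because it was fixed and later regresses (the same rule fires on the same file after a new edit) is never refiled, because the match key of rule ID plus file basename does not change with the fix or the regression. Suggest skipping only when the closed issue carries a triage marker (a label, or a closed-as-not-planned reason) and otherwise reopening or commenting on the closed issue so the regression is visible. Step B also lists the closed check first, so when both a closed and an open issue match the same key the open one receives no run-history comment; checking for an open match before a closed one is the safer order.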


Development

Successfully merging this pull request may close these issues.

[deep-report] Static-analysis RGS-* security issues recreated daily after closure (no dedup-by-rule)

4 participants