Use compact, terminal-safe glyphs for slog levels and switch info to dot prefix

[Copilot]

✨ Enhancement

Logger level prefixes were using heavier label-style markers in slog output. This change standardizes level markers to thin, cross-terminal glyphs and simplifies info rendering to a dot for lower visual weight.

• What does this improve?

  • Makes slog-derived logger output more compact and easier to scan.
  • Uses symbols with broad terminal compatibility.
  • Reduces visual noise for informational logs by replacing icon-style info markers with a dot.

• Why is this valuable?

  • Keeps high-signal levels (warn, error) visually distinct.
  • Makes routine info/debug logs less dominant in dense output streams.

• Implementation approach:

  • Updated slog level prefix mapping in pkg/logger/slog_adapter.go:
    • debug → ·
    • info → ·
    • warn → ⚠
    • error → ✗
  • Updated expected output in pkg/logger/slog_adapter_test.go.
  • Updated pkg/logger/README.md slog integration text to match the new prefixes.

switch r.Level {
case slog.LevelDebug:
	levelPrefix = "· "
case slog.LevelInfo:
	levelPrefix = "· "
case slog.LevelWarn:
	levelPrefix = "⚠ "
case slog.LevelError:
	levelPrefix = "✗ "
}

[Copilot]

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (11)

.github/workflows/ci-coach.lock.yml:61

• Firewall container images (gh-aw-firewall/agent, api-proxy, cli-proxy, squid at 0.25.46) are now referenced by tag only, with no @sha256: digest pin, both in the manifest header and in the download_docker_images.sh / awf-config.json invocations. The previous version pinned all of these by digest, and the other images in the same file (mcpg, github-mcp-server, node) are still digest-pinned. This is a supply-chain regression: tags are mutable, so reproducibility and the integrity guarantees previously provided by the digest pins are lost. Restore digest pinning for the firewall images.

#   - ghcr.io/github/gh-aw-firewall/agent:0.25.46
#   - ghcr.io/github/gh-aw-firewall/api-proxy:0.25.46
#   - ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.46
#   - ghcr.io/github/gh-aw-firewall/squid:0.25.46
#   - ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388

.github/workflows/ci-coach.lock.yml:886

• GH_AW_VERSION is being set to the literal string dev (here and at line 1408) in a generated .lock.yml that the header still claims is auto-generated by gh-aw. Shipping dev as the version in a production-style lock workflow defeats version tracking, makes telemetry/log filtering by version meaningless, and is inconsistent with the rest of the metadata in this file (which previously referenced v0.72.1). Verify this is intentional and not an artifact of compiling against a local dev build.

          GH_AW_VERSION: dev

.github/workflows/ci-coach.lock.yml:17

• The gh-aw-metadata header no longer contains compiler_version, and the file header comment was changed from automatically generated by gh-aw (v0.72.1) to just automatically generated by gh-aw. Combined with GH_AW_VERSION: dev further down, there is no longer any record of which compiler produced this lock file. The Check compile-agentic version step was also removed (previous lines around 188), which means staleness of compiled output relative to the source .md is no longer enforced in CI. This reduces operational debuggability when something regresses.

# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"fb33cbef9f16561a838cbfc9820e7d4e1dab77f376c0602477d75fd7dcbe9f69","strict":true,"agent_id":"copilot"}
# gh-aw-manifest: {"version":1,"secrets":["GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_GRAFANA_ENDPOINT","GH_AW_OTEL_GRAFANA_HEADERS","GH_AW_OTEL_SENTRY_ENDPOINT","GH_AW_OTEL_SENTRY_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/cache/save","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.46"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.46"},{"image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.46"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.46"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.9","digest":"sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388"},{"image":"ghcr.io/github/github-mcp-server:v1.0.3","digest":"sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]}
#    ___                   _   _      
#   / _ \                 | | (_)     
#  | |_| | __ _  ___ _ __ | |_ _  ___ 
#  |  _  |/ _` |/ _ \ '_ \| __| |/ __|
#  | | | | (_| |  __/ | | | |_| | (__ 
#  \_| |_/\__, |\___|_| |_|\__|_|\___|
#          __/ |
#  _    _ |___/ 
# | |  | |                / _| |
# | |  | | ___ _ __ _  __| |_| | _____      ____
# | |/\| |/ _ \ '__| |/ /|  _| |/ _ \ \ /\ / / ___|
# \  /\  / (_) | | | | ( | | | | (_) \ V  V /\__ \
#  \/  \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/
#
# This file was automatically generated by gh-aw. DO NOT EDIT.

.github/workflows/ci-coach.lock.yml:824

• The OpenTelemetry config block previously included "headers": "${OTEL_EXPORTER_OTLP_HEADERS}", which carried the Authorization header needed for the OTLP endpoint to accept exports. Removing it while keeping the endpoint will likely cause telemetry exports from MCP gateway to fail authentication silently. If this is intentional (e.g. headers are now propagated by another mechanism — note the new -e OTEL_EXPORTER_OTLP_HEADERS added to the docker command), please confirm; otherwise this will break OTEL telemetry from the gateway.

                "endpoint": "${OTEL_EXPORTER_OTLP_ENDPOINT}",
                "traceId": "${GITHUB_AW_OTEL_TRACE_ID}",
                "spanId": "${GITHUB_AW_OTEL_PARENT_SPAN_ID}"
              }

.github/workflows/ci-coach.lock.yml:119

• The Setup Scripts step previously consumed github/gh-aw-actions/setup@v0.72.1 (a pinned remote action). It now does an unpinned sparse-checkout of github/gh-aw at the default branch (no ref: specified) and runs ./actions/setup from it. This means every workflow run will pull whatever is currently on the default branch of github/gh-aw, breaking the previous SHA-pinned reproducibility and making the workflow vulnerable to upstream changes/regressions in gh-aw. Consider pinning ref: to a specific tag/SHA on all five Checkout actions folder steps (lines ~110, 419, 1112, 1265, 1470, 1572, 1717).

      - name: Checkout actions folder
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: github/gh-aw
          sparse-checkout: |
            actions
          persist-credentials: false
      - name: Setup Scripts
        id: setup
        uses: ./actions/setup

.github/workflows/ci-coach.lock.yml:51

• Line 50 and 51 both render the same step actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 / # v9.0.0 (source v9) consecutively in the "Pinned action versions" comment block. This looks like a templating bug in the generator (one entry was kept and a new differently-labeled duplicate was appended instead of replaced). It's a comment-only artifact, but it signals that the regeneration is not clean.

#   - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
#   - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9)

.github/workflows/ci-coach.lock.yml:281

• The new if expressions inside the heredoc prompt (e.g. {{#if github.actor}}, {{#if github.event.issue.number || (github.aw.context.item_type == 'issue' && github.aw.context.item_number)}}) reference templating variables, but the heredoc is then expanded by the shell/agent with __GH_AW_GITHUB_ACTOR__ etc. style placeholders elsewhere on the same lines. Verify the templating engine that consumes this prompt actually supports dotted-path expressions like github.event.issue.number and short-circuiting || inside {{#if ...}}; the previous form used simple flat __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ flags which are more clearly supported. If the templating engine does not evaluate these dotted expressions, the {{#if ...}} will either be always-true or always-false, silently breaking the conditional rendering of the github-context block.

          {{#if github.actor}}
          - **actor**: __GH_AW_GITHUB_ACTOR__
          {{/if}}
          {{#if github.repository}}
          - **repository**: __GH_AW_GITHUB_REPOSITORY__
          {{/if}}
          {{#if github.workspace}}
          - **workspace**: __GH_AW_GITHUB_WORKSPACE__
          {{/if}}
          {{#if github.event.issue.number || (github.aw.context.item_type == 'issue' && github.aw.context.item_number)}}
          - **issue-number**: #__GH_AW_EXPR_802A9F6A__
          {{/if}}
          {{#if github.event.discussion.number || (github.aw.context.item_type == 'discussion' && github.aw.context.item_number)}}
          - **discussion-number**: #__GH_AW_EXPR_1A3A194A__
          {{/if}}
          {{#if github.event.pull_request.number || (github.aw.context.item_type == 'pull_request' && github.aw.context.item_number)}}
          - **pull-request-number**: #__GH_AW_EXPR_463A214A__
          {{/if}}
          {{#if github.event.comment.id || github.aw.context.comment_id}}
          - **comment-id**: __GH_AW_EXPR_FF1D34CE__
          {{/if}}
          {{#if github.run_id}}

.github/workflows/ci-coach.lock.yml:1105

• queue: max is being added under concurrency: alongside group: and cancel-in-progress:. The standard GitHub Actions concurrency schema only supports group, cancel-in-progress, and (recently) cancel-in-progress with patterns — queue is not a documented field. Unless this is a feature added since GitHub Actions documentation I'm aware of, this key will be silently ignored by the runner, which means the intent (presumably to queue rather than cancel/skip) is not actually being enforced. Please confirm queue: is supported by the Actions runtime, or remove it.

    concurrency:
      group: "gh-aw-conclusion-ci-coach"
      cancel-in-progress: false
      queue: max

.github/workflows/ci-coach.lock.yml:784

• The line echo 'GH_AW_MCP_CLI_SERVERS=["safeoutputs"]' >> "$GITHUB_ENV" (fully single-quoted, value literal) was replaced with echo GH_AW_MCP_CLI_SERVERS='["safeoutputs"]' >> "$GITHUB_ENV". The new form leaves GH_AW_MCP_CLI_SERVERS= unquoted: if any shell glob/whitespace handling differs, the resulting line written to $GITHUB_ENV could be subtly different (e.g. the = could be word-split or globbed). The previous fully-quoted form was safer and produced a deterministic literal. Recommend reverting to the single-quoted whole-argument form.

          echo GH_AW_MCP_CLI_SERVERS='["safeoutputs"]' >> "$GITHUB_ENV"

.github/workflows/ci-coach.lock.yml:874

• GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS is interpolated unquoted into the awf command line (... --mount ... ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --env-all ...). When DOCKER_HOST does not start with tcp://, the variable expands to an empty string and produces a stray empty argument position — usually fine, but it relies on shell word-splitting to drop it. Prefer building the args as an array or using ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS:+...} to avoid accidental empty-token issues, especially since the same pattern is repeated in the detection job at line ~1398.

          GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS=""
          if [[ "${DOCKER_HOST:-}" =~ ^tcp:// ]]; then
            GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS="--docker-host-path-prefix /tmp/gh-aw"
          fi
          # shellcheck disable=SC1003
          sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GH_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull --difc-proxy-host host.docker.internal:18443 --difc-proxy-ca-cert /tmp/gh-aw/difc-proxy-tls/ca.crt \

.github/workflows/ci-coach.lock.yml:1713

• The update_cache_memory job's permissions were changed from permissions: {} (no permissions, principle of least privilege) to permissions: contents: read. The diff does not show a corresponding step in this job that newly requires contents: read (the added Checkout actions folder step is checking out a different repo github/gh-aw, not the current one — for which persist-credentials: false is set and a token isn't strictly required for a public repo). Verify this elevation is actually needed; if not, revert to permissions: {} to keep least-privilege.

    permissions:
      contents: read

• Files reviewed: 4/4 changed files
• Comments generated: 2