Require detection success before running update_cache_memory #33885
Merged
Conversation
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot (AI) changed the title from "Require detection success before update_cache_memory runs" to "Require detection success before running update_cache_memory" on May 21, 2026.
Copilot created this pull request from a session on behalf of pelikhan, May 21, 2026 22:35.
Contributor
Pull request overview
Tightens cache-memory persistence semantics so the update_cache_memory job only runs after a successful detection job (no longer when detection is skipped).
Changes:
- Updated compiler condition generation for `update_cache_memory` to require `needs.detection.result == 'success'`.
- Updated integration/unit tests and fixtures to assert the new gating behavior (and explicitly reject `'skipped'`).
- Recompiled affected `.lock.yml` workflows so generated `update_cache_memory` jobs match the new condition.
Summary per file
| File | Description |
|---|---|
| pkg/workflow/cache.go | Switches update_cache_memory gating from “passed” (success/skipped) to “success only”. |
| pkg/workflow/expression_builder.go | Updates documentation for buildDetectionPassedCondition usage (no longer mentions update_cache_memory). |
| pkg/workflow/compiler_jobs_test.go | Adjusts job-condition assertions to require detection success and forbid skipped. |
| pkg/workflow/cache_memory_threat_detection_test.go | Updates compiled-workflow expectations for the new if: condition. |
| pkg/workflow/threat_detection_job_combinations_integration_test.go | Updates integration expectations and adds negative assertion for 'skipped' in update_cache_memory. |
| pkg/cli/workflows/test-copilot-cache-memory-threat-detection.md | Updates documentation/expectations to require detection success for cache updates. |
| pkg/cli/workflows/test-copilot-cache-memory-threat-detection-expression.md | Updates documentation/expectations for expression-controlled detection to require success. |
| .github/workflows/weekly-issue-summary.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/unbloat-docs.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/test-create-pr-error-handling.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/technical-doc-writer.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/super-linter.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/step-name-alignment.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/static-analysis-report.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/stale-repo-identifier.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/spec-extractor.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/spec-enforcer.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/smoke-update-cross-repo-pr.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/smoke-pi.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/smoke-gemini.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/smoke-copilot.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/smoke-copilot-arm.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/smoke-codex.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/smoke-claude.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/slide-deck-maintainer.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/scout.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/schema-consistency-checker.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/safe-output-health.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/repository-quality-improver.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/repo-audit-analyzer.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/refactoring-cadence.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/python-data-charts.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/prompt-clustering-analysis.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/poem-bot.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/pdf-summary.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/outcome-collector.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/org-health-report.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/mcp-inspector.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/lockfile-stats.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/linter-miner.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/jsweep.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/instructions-janitor.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/gpclean.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/go-logger.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/go-fan.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/glossary-maintainer.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/github-mcp-tools-report.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/github-mcp-structural-analysis.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/firewall-escape.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/developer-docs-consolidator.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/deep-report.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/dead-code-remover.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-subagent-optimizer.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-spdd-spec-planner.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-security-red-team.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-security-observability.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-safe-output-optimizer.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-repo-chronicle.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-rendering-scripts-verifier.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-performance-summary.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-news.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-mcp-concurrency-analysis.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-issues-report.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-hippo-learn.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-function-namer.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-firewall-report.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-fact.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-experiment-report.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-doc-updater.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-doc-healer.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-compiler-quality.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-code-metrics.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-caveman-optimizer.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-cache-strategy-analyzer.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-aw-cross-repo-compile-check.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/daily-architecture-diagram.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/copilot-session-insights.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/copilot-pr-prompt-analysis.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/copilot-pr-nlp-analysis.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/copilot-pr-merged-report.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/copilot-opt.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/copilot-agent-analysis.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/constraint-solving-potd.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/code-scanning-fixer.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/cloclo.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/cli-version-checker.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/claude-code-user-docs-review.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/ci-doctor.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/ci-coach.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/chaos-pr-bundle-fuzzer.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/audit-workflows.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/api-consumption-report.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/agent-persona-explorer.lock.yml | Regenerates update_cache_memory if: to require detection success. |
| .github/workflows/ab-testing-advisor.lock.yml | Regenerates update_cache_memory if: to require detection success. |
Copilot's findings
- Files reviewed: 94/94 changed files
- Comments generated: 0
Collaborator
@copilot merge main and recompile
Contributor
Author
github-actions Bot added a commit that referenced this pull request on May 22, 2026:
Document the threat detection rule implemented in PR #33885 that requires detection success before running update_cache_memory jobs.

Changes:
- Bumped spec version to 1.0.10
- Added CTR-019 to Section 5.1 core rule catalog
- Added implementation mapping in Section 7.1
- Added T-CTR-019 test ID in Section 8.1
- Updated mapping audit timestamp in Section 7.2
- Added change log entry for version 1.0.10

The rule enforces cache-memory integrity by preventing cache updates when threat detection has been skipped or failed, ensuring only validated agent outputs are persisted to cache-memory.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
`update_cache_memory` was running even when `detection` was skipped because its condition explicitly allowed `skipped`. This change tightens cache persistence semantics so cache updates occur only after a successful detection pass.

Workflow semantics
- `update_cache_memory` gating from `(success || skipped)` to `success` for detection.
- `always()` in place so the condition is still evaluated predictably across upstream outcomes.
- `needs.agent.result == 'success'`).

Compiler logic
- `pkg/workflow/cache.go` to use `buildDetectionSuccessCondition()` instead of `buildDetectionPassedCondition()` for `update_cache_memory`.

Generated workflow output
- `update_cache_memory` jobs consistently require detection success.

Expectation/docs alignment
- `skipped` acceptance for `update_cache_memory`).

pr-sous-chef: automated branch update from run https://github.com/github/gh-aw/actions/runs/26259944210
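The gating change discussed in this PR, modelled as an added example in Go. This is not gh-aw's own code: the function names `buildDetectionPassedCondition` and `buildDetectionSuccessCondition` are taken from the PR, but their bodies, the `Condition` type, `renderUpdateCacheMemoryJob`, `cacheUpdateAllowed` and the rendered job layout are assumptions. It emits the `if:` expression for both the old and the new gate and evaluates each against the four outcomes GitHub Actions reports in `needs.detection.result`, showing that only the new gate refuses to persist cache-memory when detection was skipped:

```go
package main

// Added example (not gh-aw's code). Models the update_cache_memory gate
// before and after this PR. Names mirror the PR; bodies are assumptions.

import (
	"fmt"
	"strings"
)

// JobResult is the value GitHub Actions exposes as needs.<job>.result.
type JobResult string

const (
	ResultSuccess   JobResult = "success"
	ResultFailure   JobResult = "failure"
	ResultCancelled JobResult = "cancelled"
	ResultSkipped   JobResult = "skipped"
)

// Condition pairs the expression string written into the lock.yml `if:`
// with a predicate that evaluates it against upstream job results.
type Condition struct {
	Expr string
	Eval func(results map[string]JobResult) bool
}

// buildDetectionPassedCondition is the pre-PR gate: detection "passed" when
// it succeeded OR was skipped (assumption: reconstructed from the PR summary).
func buildDetectionPassedCondition() Condition {
	return Condition{
		Expr: "always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped')",
		Eval: func(r map[string]JobResult) bool {
			return r["detection"] == ResultSuccess || r["detection"] == ResultSkipped
		},
	}
}

// buildDetectionSuccessCondition is the post-PR gate: only a detection job
// that actually ran and succeeded unlocks cache persistence. always() keeps
// the expression evaluated even when an upstream job failed or was cancelled.
func buildDetectionSuccessCondition() Condition {
	return Condition{
		Expr: "always() && needs.detection.result == 'success'",
		Eval: func(r map[string]JobResult) bool {
			return r["detection"] == ResultSuccess
		},
	}
}

// renderUpdateCacheMemoryJob emits the job fragment a compiler would place in
// the generated workflow (layout is an assumption, not gh-aw's exact output).
func renderUpdateCacheMemoryJob(c Condition) string {
	var b strings.Builder
	b.WriteString("update_cache_memory:\n")
	b.WriteString("  needs: [agent, detection]\n")
	fmt.Fprintf(&b, "  if: %s\n", c.Expr)
	return b.String()
}

// cacheUpdateAllowed reports whether the cache job would run for a given
// detection outcome (constructed input: the agent job is taken as successful).
func cacheUpdateAllowed(c Condition, detection JobResult) bool {
	return c.Eval(map[string]JobResult{"agent": ResultSuccess, "detection": detection})
}

func main() {
	gates := []Condition{buildDetectionPassedCondition(), buildDetectionSuccessCondition()}
	outcomes := []JobResult{ResultSuccess, ResultFailure, ResultCancelled, ResultSkipped}
	for _, c := range gates {
		fmt.Print(renderUpdateCacheMemoryJob(c))
		for _, r := range outcomes {
			fmt.Printf("  detection=%-9s -> cache update runs: %v\n", r, cacheUpdateAllowed(c, r))
		}
		fmt.Println()
	}
}
```

The truth table is the whole point of the PR: a skipped detection job means the agent's output was never validated, so treating `skipped` as "passed" persists unvalidated output into cache-memory, which later runs will read back as trusted state. The new gate makes the cache update depend on a positive signal (detection ran and succeeded) rather than on the absence of a failure.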